Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp970049ybl; Fri, 24 Jan 2020 12:56:33 -0800 (PST) X-Google-Smtp-Source: APXvYqy/qHYBE3n7Pjo9RL2e0dB/b6YWSouqCTt2LnCUE/0VPiRN7JnlHhLZ3hQh2Re87cckWM13 X-Received: by 2002:a9d:3bc4:: with SMTP id k62mr4354857otc.186.1579899392976; Fri, 24 Jan 2020 12:56:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579899392; cv=none; d=google.com; s=arc-20160816; b=wAJ5cBXVsoBNAjj+sMRxAj8LnVONLktfjs9K1/NFji3ncCPA14MyvOS6SBZZYENu9S wa7VfnwgfW9epXJppcrghwBszS2GTk8HpaotgxIwRRM2QoZXJE0aRKk2E58hBXLqY8yd vPFETPOG0dN6DJyzyf8DV8UH97QcSEbWyGAhHOinXiNZ9ICao1YaTIFUnJZfouvaEpqu tz7sTqRXyWC7qBnielOn8ZWMoI+SM4w3xcGnQ2FJpJo5di/QtqTa54iDO6BK90L+kjYD Ix+blfHTUyAAW0CWQcrd2Nv05xzDSm1Zl7uHjwuMuinIccNXGvG6LIhVOpjyqEaKk51H KeLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=GwXFqvDSv0U+LxmDUU5sHju4TMmZEZGW+kXhJe7jcJM=; b=dMm2smZP10HHj3FrODLLLoHyo0BqTKskbiuXdrvfchT3KNent/5ZsLQub+GykuX4BY 2FDWpyx+jEdSXsORLtFenTsOWds6RXFaXjEjva0nAHqiC/fYZMdZsts2BQ5uXWyECMif /s5C0M1A0JUlkmuAeiv2rTCKmAe1TOBIv1Xumz8qyMtbc26ufCIju9ZaB19TfJs1iirF La1y2SKC0Q/lLSeVl59Wac5PE3aatLR1HzqDJ8zKR8CIrNKVFDPdNXtE2EWMoIuPjhmA zkmY0nCYwDEsrzNCMl31Va+qw26V+GbSE6WpHzeNG4bBKMV7Qjf9mFFWAd9RTb63tFuN VA9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=Fm5e4ZVK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z66si291461oia.265.2020.01.24.12.56.21; Fri, 24 Jan 2020 12:56:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=Fm5e4ZVK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389784AbgAXQ6D (ORCPT + 99 others); Fri, 24 Jan 2020 11:58:03 -0500 Received: from mail-pl1-f195.google.com ([209.85.214.195]:44473 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726454AbgAXQ6D (ORCPT ); Fri, 24 Jan 2020 11:58:03 -0500 Received: by mail-pl1-f195.google.com with SMTP id d9so1018460plo.11 for ; Fri, 24 Jan 2020 08:58:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=GwXFqvDSv0U+LxmDUU5sHju4TMmZEZGW+kXhJe7jcJM=; b=Fm5e4ZVKDvM/voKueHczsL1nCVQpxWHLwo9cjV6HlHB2frlVdVdoriKCXXTzmV4rkG 0o3tZnyLDv1X/VrQl00k1LWd6o++FKLrm1twzoDKlSd0+KjH3OZkY7C62RKLE9bX0goa jsjhfs2mrLzAAZFvdutkomFlCIqK0dwTEW0/lym5NFc80jou+PGk636Zpga2gkOt+tlo Tm/33yA0e6NR03h4vZDbtzE/WUyh8RV5Vf76a24yU7e62obDt2Ek9eCUf0Xv5bNVwtJN lRflUQ0Z8PJuWmgjGakuR8F0+IiOoHlVdZw1SHj96nwST6mKEpCdAL36wUYYf3ZvpHru XGWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=GwXFqvDSv0U+LxmDUU5sHju4TMmZEZGW+kXhJe7jcJM=; b=RTOXr+5bCqyVAaM++Yv62chHi94vcy3yCI2JVNPNiz71UuR4V84Rs7lverYSNtY9lJ 42tvs3aV1kwb6zsH7pOigT4eQwNy3wetIlmIBs0NVe4AKK7MMUdUFT1Qz+fFacg9iGzN fmAy9evJDhmQQbaC35JpqZxdhe+Z8Iv0GxcEMNsabVbe/SjpbZt3fvoCsURNmC0H6igL 8vANUKC+w5UWkJX9YZ8kJnF03BVa0j7PxbSVTocX2wI2VZiCSOn3BlEYrFSBIrOxKH1Q e/dnIvLRVQBnp1Y20p5WRPQ9hPNTj9AhUz+JD8iji2U0vsSGyWwkDsg259p1B7tTeOzu cx9g== X-Gm-Message-State: APjAAAWQVMkdjRlxdyRkA6f0HB774fttNtXZ+n2Tu9zxkvmslMJoVO2P l2RbXseMLqxb29IIpg2tokxczQ== X-Received: by 2002:a17:902:8341:: with SMTP id z1mr4373355pln.178.1579885082557; Fri, 24 Jan 2020 08:58:02 -0800 (PST) Received: from [10.47.243.41] ([156.39.10.47]) by smtp.gmail.com with ESMTPSA id e16sm2801374pff.82.2020.01.24.08.58.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 24 Jan 2020 08:58:02 -0800 (PST) Subject: Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task To: Stefan Metzmacher , Greg Kroah-Hartman , linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, io-uring References: <20200122092833.339495161@linuxfoundation.org> <20200122092835.852416399@linuxfoundation.org> <1b4a79c1-6cda-12a8-219b-0c1c146faeff@samba.org> From: Jens Axboe Message-ID: Date: Fri, 24 Jan 2020 09:58:01 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <1b4a79c1-6cda-12a8-219b-0c1c146faeff@samba.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/24/20 3:38 AM, Stefan Metzmacher wrote: > Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman: >> From: Jens Axboe >> >> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream. >> >> If the credentials or the mm doesn't match, don't allow the task to >> submit anything on behalf of this ring. The task that owns the ring can >> pass the file descriptor to another task, but we don't want to allow >> that task to submit an SQE that then assumes the ring mm and creds if >> it needs to go async. >> >> Cc: stable@vger.kernel.org >> Suggested-by: Stefan Metzmacher >> Signed-off-by: Jens Axboe >> Signed-off-by: Greg Kroah-Hartman >> >> >> --- >> fs/io_uring.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> --- a/fs/io_uring.c >> +++ b/fs/io_uring.c >> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned >> wake_up(&ctx->sqo_wait); >> submitted = to_submit; >> } else if (to_submit) { >> + if (current->mm != ctx->sqo_mm || >> + current_cred() != ctx->creds) { >> + ret = -EPERM; >> + goto out; >> + } >> + > > I thought about this a bit more. > > I'm not sure if this is actually to restrictive, > because it means applications like Samba won't > be able to use io-uring at all. > > As even if current_cred() and ctx->creds describe the same > set of uid,gids the != won't ever match again and > makes the whole ring unuseable. > > I'm not sure about what the best short term solution could be... > > 1. May just doing the check for path based operations? > and fail individual requests with EPERM. > > 2. Or force REQ_F_FORCE_ASYNC for path based operations, > so that they're always executed from within the workqueue > with were ctx->creds is active. > > 3. Or (as proposed earlier) do the override_creds/revert_creds dance > (and similar for mm) if needed. > > To summaries the problem again: > > For path based operations like: > - IORING_OP_CONNECT (maybe also - IORING_OP_ACCEPT???) > - IORING_OP_SEND*, IORING_OP_RECV* on DGRAM sockets > - IORING_OP_OPENAT, IORING_OP_STATX, IORING_OP_OPENAT2 > it's important under which current_cred they are called. > > Are IORING_OP_MADVISE, IORING_OP_FADVISE and IORING_OP_FALLOCATE > are only bound to the credentials of the passed fd they operate on? > > The current assumption is that the io_uring_setup() syscall captures > the current_cred() to ctx->cred and all operations on the ring > are executed under the context of ctx->cred. > Therefore all helper threads do the override_creds/revert_creds dance. But it doesn't - we're expecting them to match, and with this change, we assert that it's the case or return -EPERM. > But the possible non-blocking line execution of operations in > the io_uring_enter() syscall doesn't do the override_creds/revert_creds > dance and execute the operations under current_cred(). > > This means it's random depending on filled cached under what > credentials an operation is executed. > > In order to prevent security problems the current patch is enough, > but as outlined above it will make io-uring complete unuseable > for applications using any syscall that changes current_cred(). > > Change 1. would be a little bit better, but still not really useful. > > I'd actually prefer solution 3. as it's still possible to make > use of non-blocking operations, while the security is the > same as solution 2. For your situation, we need to extend it anyway, and provide a way to swap between personalities. So yeah it won't work as-is for your use case, but we can work on making that the case. -- Jens Axboe