Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp740254ybb; Fri, 3 Apr 2020 10:56:58 -0700 (PDT) X-Google-Smtp-Source: APiQypIeaB+8Reb0L94gpml5QZGEwLpit1wIZ5OhOl1G7VNXfII8wlh2lIkANnWy/aahSxkjC62O X-Received: by 2002:a9d:949:: with SMTP id 67mr7381930otp.304.1585936618073; Fri, 03 Apr 2020 10:56:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585936618; cv=none; d=google.com; s=arc-20160816; b=Hga1EpsYigpbBdBCnVn/OdOkU+bZnJQyNwY6fSPmuRtRYnwZIRvNVNB2nZBOFlA9CD DmrhxxLXtuRvdln9O4oLspq5NRtFddBeVmFstubhob+nsA02DMoptHqv9rM1ObcHKUg8 Pj1XxiVCnxwVwSH6a/8b81RWGEkLYUFBTUqNX8Oft3Xsqj36fdyj+tZ7zAvCJSJNFac3 SK5PcKVKkMQZzP3B6Xxo3OoR/kgn/lHSvmzleOqUUj4SyYI1BEqCsp/d9n53nraaBhUC Iks6ZkVeX489f4IatLr1evR1lOzH1BkfeZIcROAM6664sL37fVrLQ6xv1S7tdR+yMfof HTZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=FPIH9Cepkvfx+qnRWFWOtOody6sfKssdMr1NGqEz4tY=; b=pzwo+KXYHYe2zBHJRTsK/i4RcaTMir0WezT/r8yZf/TdEQsIISQuRp5cq+AcFUewVY tc/bTUhZk2/Zdv/5DEeZi2o8F2kLVu+Mdj2smipYU92/8T9AcDBCIfSiwX2dtiJUVoEZ 6uHoBzxegOOPMu4Hj1ay+9TwOjE2SLL5g+FdioflkEE3FpHd1THWNXcGUHbBWNaEeR5r A/PHPeA8bRFaVUVGYijEbborHS1V+xQLgjYCZSMv6+J/AsvuHdk2WAi4GV+krfbjGQ0o 5znkn/fMOPYNGhRB6PhOYehaB6z5h1Z2Taf4H2sT8hAepWE239TukpluCQFVLvgBpiME H6Fg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ugedal.com header.s=google header.b=JYtJwflt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r205si4046228oig.174.2020.04.03.10.56.45; Fri, 03 Apr 2020 10:56:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ugedal.com header.s=google header.b=JYtJwflt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404158AbgDCRzm (ORCPT + 99 others); Fri, 3 Apr 2020 13:55:42 -0400 Received: from mail-lj1-f196.google.com ([209.85.208.196]:42025 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728140AbgDCRzm (ORCPT ); Fri, 3 Apr 2020 13:55:42 -0400 Received: by mail-lj1-f196.google.com with SMTP id q19so7804189ljp.9 for ; Fri, 03 Apr 2020 10:55:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ugedal.com; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FPIH9Cepkvfx+qnRWFWOtOody6sfKssdMr1NGqEz4tY=; b=JYtJwfltQr8Gy7OcS6GPL1nxZiPr6yZsZVksURjdfhhaIOMAvowZok4L/vE6sJ1+KT ux3maGBK7iXLCNElB/EPonnQYhUDwD1FjJ86tQSvKoVL98kTwWToj4VlflIvYTKUKd/L f3tuRC18LMu25zYYrYN1dU84yP41jsHanLBa/5k/P9nxOV/rM/vPmEgo0IulFCcHhwWG /rN4xbDZ2Wk7p6qik4ctf/3NBqy4Z0ee5iUPBwltKmFKYIh8ZCvsOszFGnWyv8aamKTU kXD0uwh5+NQCLnwXLupvvY/Ed3v+zQlkBHRVCntRbvdtBCpmaoe7nAtUh1AwNqKr8WZx UQFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FPIH9Cepkvfx+qnRWFWOtOody6sfKssdMr1NGqEz4tY=; b=GMz5qTNVDGw7HjDKG7nZ8V/Z5N8fbfQiEUwau3vmLCI8xCrB8vYomSa9aBHDZX/gWA eXe5N8BGT0T7LRKpiJrrBJoCO/xWTW5GYlgpIThaWqGxPKSWCu3K7NBTsIHh6HPbc7Qw LWRcQHbBHHnHKDdC8/JwlNSQKn1CLlWfLe5yi3wdBMz82h/u8csZ/Jl6l2tntu6Py7Vk 5FsHzIvFtWshpgWq3uaSYlXfU9CcJw68BZ3HGBsLWjVEQ6UFFZXvEFNpI/ahDrq+QMpO zMq1Ty3PGIEvf0Es63Od3tOH4NWrai09DW4f7TjmFZ1Jc37b9rmsyODFpHRF+5iZP26F y1LQ== X-Gm-Message-State: AGi0Pua/+cLU+qzVs1narfYhnjGadj5IArlX0ygauKpH3c+i1ZqEQg0B vygCCJALgwbL4wVYYvNy/HrClw== X-Received: by 2002:a2e:8612:: with SMTP id a18mr5165463lji.250.1585936538737; Fri, 03 Apr 2020 10:55:38 -0700 (PDT) Received: from xps13.lan (238.89-10-169.nextgentel.com. [89.10.169.238]) by smtp.gmail.com with ESMTPSA id q20sm5267600ljj.66.2020.04.03.10.55.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Apr 2020 10:55:37 -0700 (PDT) From: Odin Ugedal To: bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, tj@kernel.org, Harish.Kasiviswanathan@amd.com, guro@fb.com, amd-gfx@lists.freedesktop.org Cc: Odin Ugedal Subject: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code Date: Fri, 3 Apr 2020 19:55:28 +0200 Message-Id: <20200403175528.225990-1-odin@ugedal.com> X-Mailer: git-send-email 2.26.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Original cgroup v2 eBPF code for filtering device access made it possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF filtering. Change commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission") reverted this, making it required to set it to y. Since the device filtering (and all the docs) for cgroup v2 is no longer a "device controller" like it was in v1, someone might compile their kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF filter will not be invoked, and all processes will be allowed access to all devices, no matter what the eBPF filter says. Signed-off-by: Odin Ugedal --- drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +- include/linux/device_cgroup.h | 14 +++++--------- security/Makefile | 2 +- security/device_cgroup.c | 19 ++++++++++++++++--- 4 files changed, 23 insertions(+), 14 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h index 4a3049841086..c24cad3c64ed 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h @@ -1050,7 +1050,7 @@ void kfd_dec_compute_active(struct kfd_dev *dev); /* Check with device cgroup if @kfd device is accessible */ static inline int kfd_devcgroup_check_permission(struct kfd_dev *kfd) { -#if defined(CONFIG_CGROUP_DEVICE) +#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) struct drm_device *ddev = kfd->ddev; return devcgroup_check_permission(DEVCG_DEV_CHAR, ddev->driver->major, diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h index fa35b52e0002..9a72214496e5 100644 --- a/include/linux/device_cgroup.h +++ b/include/linux/device_cgroup.h @@ -1,6 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ #include -#include #define DEVCG_ACC_MKNOD 1 #define DEVCG_ACC_READ 2 @@ -11,16 +10,10 @@ #define DEVCG_DEV_CHAR 2 #define DEVCG_DEV_ALL 4 /* this represents all devices */ -#ifdef CONFIG_CGROUP_DEVICE -int devcgroup_check_permission(short type, u32 major, u32 minor, - short access); -#else -static inline int devcgroup_check_permission(short type, u32 major, u32 minor, - short access) -{ return 0; } -#endif #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) +int devcgroup_check_permission(short type, u32 major, u32 minor, + short access); static inline int devcgroup_inode_permission(struct inode *inode, int mask) { short type, access = 0; @@ -61,6 +54,9 @@ static inline int devcgroup_inode_mknod(int mode, dev_t dev) } #else +static inline int devcgroup_check_permission(short type, u32 major, u32 minor, + short access) +{ return 0; } static inline int devcgroup_inode_permission(struct inode *inode, int mask) { return 0; } static inline int devcgroup_inode_mknod(int mode, dev_t dev) diff --git a/security/Makefile b/security/Makefile index 22e73a3482bd..3baf435de541 100644 --- a/security/Makefile +++ b/security/Makefile @@ -30,7 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ -obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o +obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ # Object integrity file lists diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 7d0f8f7431ff..43ab0ad45c1b 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -15,6 +15,8 @@ #include #include +#ifdef CONFIG_CGROUP_DEVICE + static DEFINE_MUTEX(devcgroup_mutex); enum devcg_behavior { @@ -792,7 +794,7 @@ struct cgroup_subsys devices_cgrp_subsys = { }; /** - * __devcgroup_check_permission - checks if an inode operation is permitted + * devcgroup_legacy_check_permission - checks if an inode operation is permitted * @dev_cgroup: the dev cgroup to be tested against * @type: device type * @major: device major number @@ -801,7 +803,7 @@ struct cgroup_subsys devices_cgrp_subsys = { * * returns 0 on success, -EPERM case the operation is not permitted */ -static int __devcgroup_check_permission(short type, u32 major, u32 minor, +static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor, short access) { struct dev_cgroup *dev_cgroup; @@ -825,6 +827,10 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor, return 0; } +#endif /* CONFIG_CGROUP_DEVICE */ + +#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) + int devcgroup_check_permission(short type, u32 major, u32 minor, short access) { int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access); @@ -832,6 +838,13 @@ int devcgroup_check_permission(short type, u32 major, u32 minor, short access) if (rc) return -EPERM; - return __devcgroup_check_permission(type, major, minor, access); + #ifdef CONFIG_CGROUP_DEVICE + return devcgroup_legacy_check_permission(type, major, minor, access); + + #else /* CONFIG_CGROUP_DEVICE */ + return 0; + + #endif /* CONFIG_CGROUP_DEVICE */ } EXPORT_SYMBOL(devcgroup_check_permission); +#endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */ -- 2.26.0