Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp116945ybg; Tue, 2 Jun 2020 18:17:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwy2pOmTuJkNI0X0nDCuUO8NM2FoXAfcYMJqGn8DuUfVpdXrP3ciIgO3A4z2WJBEM5fo1DN X-Received: by 2002:a05:6402:1604:: with SMTP id f4mr19169165edv.379.1591147028002; Tue, 02 Jun 2020 18:17:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591147027; cv=none; d=google.com; s=arc-20160816; b=J0Zt5LAGc9HGWapIVjcLR6/hRJRVBiwGbWaL6A+v4s9T0XsPovd1nZAedu+PVIVJQ2 wTYRsbkub6zbdv3em3p86U8jErpPBiPE1XP93OED5BEpVSY1XyKdxn8t26gz6hp5Lem5 UEpGbUO82yaZwFvBp14C77FM5nTKY7vslaHBlEiRaVAV7Z9tDochOw+/ecBLDXIMWn1a Trmbd6+OW5QuXh9c3EZxlI5jQkyXhhjcMDlCalhHaeKVPX3IAqOXa3Xde5aQv+ZFpFd5 af5LfEuE6Dw5Rn7rlsV9SBJYXpS8PuHBJyTyMUsYjq6dswjSc63s5g+XzT4GPD31Ak4T O7aA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=+59owfc1kfwUQmXrWsFZ88Gj/vvbkDCiHlNMmcCSSdQ=; b=QqXxcTeoqQo9zSNmGO2t3ifU5IX60OfmdJ9ncoCTeRRYpKs7D3/W/OKQSEFHuacnWa oyN7QJmEsMTurWBrvFA9Ag5+5AGUZV5GxO9p7rHn+BGCo9Lgn/cONoXCGaTt1T35XFQY YI5Lf3mHle9EUqP2/V1WmqoVGl7gk5V2mZKlIiFxx1MP459Dhu+HAracXFbuCmXiv5i6 IhfMMPRm4g6n5ezx+ttlk3DV9L73SFIMLfZiwllA3+2pi0dzvI1fDUp2eCPYXQWN0Z1g yTvfZT1PEV4gjB9uV0mYB5Ar0wQEfvZAKt5VYVh6yaJ4OVRwv0hbkuTlwiVIQCJXPUec X8zg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=MA3GSCsw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u20si246032edq.15.2020.06.02.18.16.45; Tue, 02 Jun 2020 18:17:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=MA3GSCsw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728388AbgFCBNl (ORCPT + 99 others); Tue, 2 Jun 2020 21:13:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728344AbgFCBNj (ORCPT ); Tue, 2 Jun 2020 21:13:39 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4183FC08C5C3 for ; Tue, 2 Jun 2020 18:13:39 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id f3so401255pfd.11 for ; Tue, 02 Jun 2020 18:13:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+59owfc1kfwUQmXrWsFZ88Gj/vvbkDCiHlNMmcCSSdQ=; b=MA3GSCswyu++/KSXfQucWqe3bPqVm8H1OFBAVHdQh7mSpdt2pIR9Y+zSy8rF4+NbtM 67cgLBLE1vYftoxcOJnOyO/mveyZq3yilJEQDJyKcLozP7t80+XbN1tCQj6x6pQLt25P PzSIMc529vLERmNd52ke0S4GvnPPkytABZ5SE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+59owfc1kfwUQmXrWsFZ88Gj/vvbkDCiHlNMmcCSSdQ=; b=KYZ6F9aQnRukpZcT2uUzKUA1dypo9rFygl2B0b9VIg+Eg1zD30NNKLetpKm7ojUSPs WiLH0lKvwatqjsSwCGFhhTAYLbb7c/+vByQXVEjAwklKOWUEYYlFmW85yp2XcayaITIZ AXXB99jcoPAytLX03sqbAeuVJBLrkEyApSxmAMdUCK5XKz0FCv6lB0AEPxbl6ad6KqpE r6qWxlgYbVj9OzNTpgoOt6WRZwoq+GW/3z5HH9I5z4r2rIN0XYStk/pANZvc0Rnxw/q5 mdCTtkxJ+A66KsAjwkzEYWankPEgD7W1BRao03VHRRGEkExCvWLpUNUQLqYL5VasSzkP 7Ayw== X-Gm-Message-State: AOAM532AoNbgPZYgfbgD3jVchFAxz8lQ4oJuPR9p1j5rZg2d+DSGJGNH U4J7c6lgOcr7rPeVW4hYAZ1dWg== X-Received: by 2002:a17:90a:b949:: with SMTP id f9mr2185235pjw.79.1591146817924; Tue, 02 Jun 2020 18:13:37 -0700 (PDT) Received: from ubuntu.netflix.com (203.20.25.136.in-addr.arpa. [136.25.20.203]) by smtp.gmail.com with ESMTPSA id a12sm263222pjw.35.2020.06.02.18.13.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jun 2020 18:13:37 -0700 (PDT) From: Sargun Dhillon To: Kees Cook , linux-kernel@vger.kernel.org Cc: Sargun Dhillon , Tycho Andersen , Matt Denton , Jann Horn , Chris Palmer , Aleksa Sarai , Robert Sesek , Christian Brauner , containers@lists.linux-foundation.org, Giuseppe Scrivano , Greg Kroah-Hartman , Al Viro , Daniel Wagner , "David S . Miller" , John Fastabend , Tejun Heo , stable@vger.kernel.org, cgroups@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes Date: Tue, 2 Jun 2020 18:10:41 -0700 Message-Id: <20200603011044.7972-2-sargun@sargun.me> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200603011044.7972-1-sargun@sargun.me> References: <20200603011044.7972-1-sargun@sargun.me> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Previously there were two chunks of code where the logic to receive file descriptors was duplicated in net. The compat version of copying file descriptors via SCM_RIGHTS did not have logic to update cgroups. Logic to change the cgroup data was added in: commit 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly") commit d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly") This was not copied to the compat path. This commit fixes that, and thus should be cherry-picked into stable. This introduces a helper (file_receive) which encapsulates the logic for handling calling security hooks as well as manipulating cgroup information. This helper can then be used other places in the kernel where file descriptors are copied between processes I tested cgroup classid setting on both the compat (x32) path, and the native path to ensure that when moving the file descriptor the classid is set. Signed-off-by: Sargun Dhillon Suggested-by: Kees Cook Cc: Al Viro Cc: Christian Brauner Cc: Daniel Wagner Cc: David S. Miller Cc: Jann Horn , Cc: John Fastabend Cc: Tejun Heo Cc: Tycho Andersen Cc: stable@vger.kernel.org Cc: cgroups@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Cc: linux-kernel@vger.kernel.org --- fs/file.c | 35 +++++++++++++++++++++++++++++++++++ include/linux/file.h | 1 + net/compat.c | 10 +++++----- net/core/scm.c | 14 ++++---------- 4 files changed, 45 insertions(+), 15 deletions(-) diff --git a/fs/file.c b/fs/file.c index abb8b7081d7a..5afd76fca8c2 100644 --- a/fs/file.c +++ b/fs/file.c @@ -18,6 +18,9 @@ #include #include #include +#include +#include +#include unsigned int sysctl_nr_open __read_mostly = 1024*1024; unsigned int sysctl_nr_open_min = BITS_PER_LONG; @@ -931,6 +934,38 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags) return err; } +/* + * File Receive - Receive a file from another process + * + * This function is designed to receive files from other tasks. It encapsulates + * logic around security and cgroups. The file descriptor provided must be a + * freshly allocated (unused) file descriptor. + * + * This helper does not consume a reference to the file, so the caller must put + * their reference. + * + * Returns 0 upon success. + */ +int file_receive(int fd, struct file *file) +{ + struct socket *sock; + int err; + + err = security_file_receive(file); + if (err) + return err; + + fd_install(fd, get_file(file)); + + sock = sock_from_file(file, &err); + if (sock) { + sock_update_netprioidx(&sock->sk->sk_cgrp_data); + sock_update_classid(&sock->sk->sk_cgrp_data); + } + + return 0; +} + static int ksys_dup3(unsigned int oldfd, unsigned int newfd, int flags) { int err = -EBADF; diff --git a/include/linux/file.h b/include/linux/file.h index 142d102f285e..7b56dc23e560 100644 --- a/include/linux/file.h +++ b/include/linux/file.h @@ -94,4 +94,5 @@ extern void fd_install(unsigned int fd, struct file *file); extern void flush_delayed_fput(void); extern void __fput_sync(struct file *); +extern int file_receive(int fd, struct file *file); #endif /* __LINUX_FILE_H */ diff --git a/net/compat.c b/net/compat.c index 4bed96e84d9a..8ac0e7e09208 100644 --- a/net/compat.c +++ b/net/compat.c @@ -293,9 +293,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) for (i = 0, cmfptr = (int __user *) CMSG_COMPAT_DATA(cm); i < fdmax; i++, cmfptr++) { int new_fd; - err = security_file_receive(fp[i]); - if (err) - break; err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & kmsg->msg_flags ? O_CLOEXEC : 0); if (err < 0) @@ -306,8 +303,11 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) put_unused_fd(new_fd); break; } - /* Bump the usage count and install the file. */ - fd_install(new_fd, get_file(fp[i])); + err = file_receive(new_fd, fp[i]); + if (err) { + put_unused_fd(new_fd); + break; + } } if (i > 0) { diff --git a/net/core/scm.c b/net/core/scm.c index dc6fed1f221c..ba93abf2881b 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -303,11 +303,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); imsg_flags ? O_CLOEXEC : 0); if (err < 0) @@ -318,13 +314,11 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) put_unused_fd(new_fd); break; } - /* Bump the usage count and install the file. */ - sock = sock_from_file(fp[i], &err); - if (sock) { - sock_update_netprioidx(&sock->sk->sk_cgrp_data); - sock_update_classid(&sock->sk->sk_cgrp_data); + err = file_receive(new_fd, fp[i]); + if (err) { + put_unused_fd(new_fd); + break; } - fd_install(new_fd, get_file(fp[i])); } if (i > 0) -- 2.25.1