Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp5024073pxu; Tue, 22 Dec 2020 06:41:29 -0800 (PST) X-Google-Smtp-Source: ABdhPJzOhCXh32mYYK5CTqSJ/BGPOpGpHEhXQIqMkWQmC6RPrVlhyKKNrDuaRNgBqa0OcuzhmM+v X-Received: by 2002:a05:6402:3049:: with SMTP id bu9mr20549748edb.127.1608648089097; Tue, 22 Dec 2020 06:41:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608648089; cv=none; d=google.com; s=arc-20160816; b=KH85lDDQhaG8RUb0By62R/oI6bmrv+rMN5TRDubEdbsvTsPB8hrjDnap8enXQ7Q89p fAQAsJe3VdRzUtRS3h4/t2lsVdozUa8TOGzZK/5QjV5dDuI9Xb5r8S5pkLkstpWs/Nho pt3B8sU3o+tTBwzgbKeq0els/X+hHynctH1skR0YTMjqpowvnPhL3fULMyV4DqV+Lgx0 Q0PAXvjOPNfLcTIS8PXPTO90qP75RgC6B1Nr7VPJliLM8HqAX8/KlGGidfbcYcegIMPr r9mFjW4oDToYYfEklODEC7z2dngJ9QVHXMrLDAL4c91aSF04hW3hUUGLmPCEzsL8mkqp b+DQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:subject:from:cc:to; bh=XRQz15Jt7fANdxp7MxeoaepMaHtdJ0fDmN2VpYU7OiQ=; b=QDaXwDwEjwI63qYEERq5s14c6lcbHjXNI8oM/K8QrZpjrdvSt4wzcBbH6qHeA0qfWs wlUmnNA1IWTjjZeJE3aBfDV/6oWHyHKBxRZ1rQQSHTiwjFw4fwitHYIlFZeXoQY3zkk1 b0slKOSdrznzfCrpEAgpyAu/bodpztJBu6LYqgo9XsqZbhfMvJ+otHst2OkCbfsSV1Oc scufNHbhvbSHqb2xLgLszZ0st+5lO6GPvgv70aMuEQ/qh/AEftbb4UFrU0rk5yrEvans BZT4By5iQitislR9NUMp07fA+2tCx1ydrkHDfeIipDxcYj/6VlpcXy1DGHX6fJR6xdL6 t4Dw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f20si12288330edy.12.2020.12.22.06.40.58; Tue, 22 Dec 2020 06:41:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727301AbgLVOkE (ORCPT + 99 others); Tue, 22 Dec 2020 09:40:04 -0500 Received: from www262.sakura.ne.jp ([202.181.97.72]:65284 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727019AbgLVOkD (ORCPT ); Tue, 22 Dec 2020 09:40:03 -0500 Received: from fsav105.sakura.ne.jp (fsav105.sakura.ne.jp [27.133.134.232]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 0BMEd8CK006238; Tue, 22 Dec 2020 23:39:08 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav105.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav105.sakura.ne.jp); Tue, 22 Dec 2020 23:39:08 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav105.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 0BMEd7o5006232 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Tue, 22 Dec 2020 23:39:08 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) To: Al Viro , "Eric W. Biederman" , Jens Axboe , Christoph Hellwig , Kees Cook Cc: LKML From: Tetsuo Handa Subject: Does uaccess_kernel() work for detecting kernel thread? Message-ID: <0bcc0c63-31a3-26fd-bccb-b28af0375c34@i-love.sakura.ne.jp> Date: Tue, 22 Dec 2020 23:39:08 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit db68ce10c4f0a27c ("new helper: uaccess_kernel()") replaced segment_eq(get_fs(), KERNEL_DS) with uaccess_kernel(). But uaccess_kernel() became an unconditional "false" for some architectures due to commit 5e6e9852d6f76e01 ("uaccess: add infrastructure for kernel builds with set_fs()") and follow up changes in Linux 5.10. As a result, I guess that uaccess_kernel() can no longer be used as a condition for checking whether current thread is a kernel thread or not. For example, if uaccess_kernel() is "false" due to CONFIG_SET_FS=n, isn't sg_check_file_access() failing to detect kernel context? static int sg_check_file_access(struct file *filp, const char *caller) { if (filp->f_cred != current_real_cred()) { pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", caller, task_tgid_vnr(current), current->comm); return -EPERM; } if (uaccess_kernel()) { pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", caller, task_tgid_vnr(current), current->comm); return -EACCES; } return 0; } For another example, if uaccess_kernel() is "false" due to CONFIG_SET_FS=n, isn't TOMOYO unexpectedly checking permissions for socket operations? static bool tomoyo_kernel_service(void) { /* Nothing to do if I am a kernel service. */ return uaccess_kernel(); } static u8 tomoyo_sock_family(struct sock *sk) { u8 family; if (tomoyo_kernel_service()) return 0; family = sk->sk_family; switch (family) { case PF_INET: case PF_INET6: case PF_UNIX: return family; default: return 0; } } Don't we need to replace such usage with something like (current->flags & PF_KTHREAD) ? I don't know about io_uring, but according to https://lkml.kernel.org/r/dacfb329-de66-d0cf-dcf9-f030ea1370de@schaufler-ca.com , should (current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD be used instead?