Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp5664473pxu; Wed, 23 Dec 2020 02:14:29 -0800 (PST) X-Google-Smtp-Source: ABdhPJx9FnNKERhrb+vvQMKcLf2CFHu2e+xXPK/DE8Gn8pLLbIDDFhyX18g2kpxtM/eOPH3VfE3D X-Received: by 2002:a50:bf4a:: with SMTP id g10mr23722212edk.201.1608718469621; Wed, 23 Dec 2020 02:14:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608718469; cv=none; d=google.com; s=arc-20160816; b=BGaqivSsYXPCjdSRp90Ctv6+ZdQWZ2hTRI93MdnzOa6nnuBBiOZDoJiXZ2fQz3zugw pxw4tOezaQf3v1WVAQr6DzZNT8cc9YsmR4Tz0D/E2dE/gtTGM8MC4IFMnfEn61yxOn/M jlki8SFK9P1nzO3wjbRT2Ij1birFirjZupiem29LFqmirHgZ5YKM49UOysG9OIrapWaV 8e4hzXZbHdMif9D4EIF55sVYiNNr6ls61jBmJV4uMmGavDqzVkKlR66Tu83RWixSnlbt tFhJ1R2dJMNXugEb2Kc804ebZpiQqZCOVlHFVDZROk4pHPZYb3iY8tD1hRJcesxI8KXe QR8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=JKAQSBIpN7CdE2YeKuLMXOoIIwsGE4JNOQflHfbmfnY=; b=03ean/6smO5+ZWIYiRRMhOWXpbuxOr2TaZdfx39U0naG0k/iSyHu0i3hLmEmH1Empk Zsu54LwMjuqrxQmDqqUb4TaEDSp7y87iRmPCyWwDSgp7BmlO7IMSOo4ZsHAU/GMT0lXp YbFV/7hboP9wJ9GiV15mCTP14Ugold3ud7VkJdODY7Jt2UJ/gdNW+gLh8M9WLjA0pQkE /t5Lz3C5Z7ewnmUWth4sR2taBuHS/yT9i0t8loVNGV+jgY3YgBqtUknTFL7ELVIUH9nu i7T7SqT890fvxAoMJvmcF4DlCBENrflyhFD6FXOIoia83dc74RG5KYZNtT2/h0yIW8j0 SC+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v26si11896854ejg.723.2020.12.23.02.14.07; Wed, 23 Dec 2020 02:14:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728261AbgLWKMe (ORCPT + 99 others); Wed, 23 Dec 2020 05:12:34 -0500 Received: from www262.sakura.ne.jp ([202.181.97.72]:51200 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727158AbgLWKMe (ORCPT ); Wed, 23 Dec 2020 05:12:34 -0500 Received: from fsav305.sakura.ne.jp (fsav305.sakura.ne.jp [153.120.85.136]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 0BNABeL4021663; Wed, 23 Dec 2020 19:11:40 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav305.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav305.sakura.ne.jp); Wed, 23 Dec 2020 19:11:40 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav305.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 0BNABe05021659 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Wed, 23 Dec 2020 19:11:40 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: Re: Does uaccess_kernel() work for detecting kernel thread? To: Christoph Hellwig Cc: Al Viro , "Eric W. Biederman" , Jens Axboe , Kees Cook , LKML References: <0bcc0c63-31a3-26fd-bccb-b28af0375c34@i-love.sakura.ne.jp> <20201223075307.GA4185@lst.de> From: Tetsuo Handa Message-ID: <239a6775-c514-e752-2520-16668b8bc344@i-love.sakura.ne.jp> Date: Wed, 23 Dec 2020 19:11:38 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <20201223075307.GA4185@lst.de> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020/12/23 16:53, Christoph Hellwig wrote: > On Tue, Dec 22, 2020 at 11:39:08PM +0900, Tetsuo Handa wrote: >> For example, if uaccess_kernel() is "false" due to CONFIG_SET_FS=n, >> isn't sg_check_file_access() failing to detect kernel context? > > sg_check_file_access does exactly the right thing - fail for all kernel > threads as those can't support the magic it does. My question is, in Linux 5.10, sg_check_file_access() for x86 became static int sg_check_file_access(struct file *filp, const char *caller) { if (filp->f_cred != current_real_cred()) { pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", caller, task_tgid_vnr(current), current->comm); return -EPERM; } if (0) { pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", caller, task_tgid_vnr(current), current->comm); return -EACCES; } return 0; } due to commit 5e6e9852d6f76e01 ("uaccess: add infrastructure for kernel builds with set_fs()") and follow up changes. Don't we need to change this "uaccess_kernel()" with "(current->flags & PF_KTHREAD)" ? > >> For another example, if uaccess_kernel() is "false" due to CONFIG_SET_FS=n, >> isn't TOMOYO unexpectedly checking permissions for socket operations? > > Can someone explain WTF TOMOYO is even doing there? A security module > has absolutely no business checking what context it is called from, but > must check the process credentials instead. > TOMOYO distinguishes userspace processes and kernel threads, and grants kernel threads implicit permissions to perform socket operations. Since "uaccess_kernel()" became "0" for x86, TOMOYO is no longer able to grant kernel threads implicit permissions to perform socket operations. Since Eric says "For PF_IO_WORKER kernel threads which are running code on behalf of a user we want to perform the ordinary permission checks.", I think that TOMOYO wants to use "(current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD" instead.