Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp14401787pxu;
        Tue, 5 Jan 2021 00:02:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJx3vxWjDKV+N4r2No0ivAWav3l8VzaznmtXngLhx5aWK+d7j8OihQSzjsL/KbZUz+T+Ynuf
X-Received: by 2002:a50:fc0d:: with SMTP id i13mr67334126edr.171.1609833763618;
        Tue, 05 Jan 2021 00:02:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609833763; cv=none;
        d=google.com; s=arc-20160816;
        b=hQnQIOri/hkIj5kt7NbWbOdRJNEdHYf+1/RB/4ATM+CQIr8M8LoCmHRc8kxIYvxjC8
         w6Yj87n0jzWxnlvEMgOcCYBNeMLNDc577Lwn3DzgQAbFVh538I/RK9FQ9cSRd6VSlH6x
         90xHtyLPB1FSk9RxEcop8Fd5KV1ZJ9cqFX4MMZ7zXqVOhXA3hQYHTIboFxfzKF27Q7ei
         zTOFROiz7kIWHSUXvq5eyLwohcc9bohJ9aoMpxFhi9SgVsC4rF+2+Lxuug3VCYTM2o8i
         fZtxioJdtIXBECcwTXq/wr9zMECzhssQbOPP4/EY1fi/WROh+v5GVXZjSVt+a6qrS0g5
         PvYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=iUVQJe5WxH+2K8IQ5MMrv5V3ZMaOdaBeMVixoCCAtNI=;
        b=SCVp7y8MT/10XB4NpFIM8c5dwX1r8ZWVHsUDJwx23DvVRWoMJ7merJ2eQvJ2MrG+35
         hkDvZ3eBOl8HXD8dpnwi4yYtbA821xWlmbHzXE3t+T+LxnztumVJBHChGLOj6F76eUZE
         PfXWvb13Pquk7P6SHDpHbdf59GzEx5pgYPF8ZixlJX5/5qqgO511OUpgp9INsWv1lKBx
         sCkCJGo+lx2Hw8fQUMTLG/BvdRgKl5Oh/fK9JKBKeotDn8f2g16DyMx48QXb9pGVXL7a
         70IJpJyXrZMPvlSmkN52fkldZpvmmXp8RNNcx8uVt8MiePjPl1wrlIeG4HCVf8fPxa5I
         S/XQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i5si33390485edv.542.2021.01.05.00.02.20;
        Tue, 05 Jan 2021 00:02:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727341AbhAEIA3 (ORCPT
        <rfc822;linuxmailingsubscription@gmail.com> + 99 others);
        Tue, 5 Jan 2021 03:00:29 -0500
Received: from verein.lst.de ([213.95.11.211]:60433 "EHLO verein.lst.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726097AbhAEIA3 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Jan 2021 03:00:29 -0500
Received: by verein.lst.de (Postfix, from userid 2407)
        id 804D067373; Tue,  5 Jan 2021 08:59:46 +0100 (CET)
Date:   Tue, 5 Jan 2021 08:59:46 +0100
From:   Christoph Hellwig <hch@lst.de>
To:     Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc:     Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Jens Axboe <axboe@kernel.dk>,
        Kees Cook <keescook@chromium.org>,
        LKML <linux-kernel@vger.kernel.org>
Subject: Re: Does uaccess_kernel() work for detecting kernel thread?
Message-ID: <20210105075946.GC30414@lst.de>
References: <0bcc0c63-31a3-26fd-bccb-b28af0375c34@i-love.sakura.ne.jp> <20201223075307.GA4185@lst.de> <239a6775-c514-e752-2520-16668b8bc344@i-love.sakura.ne.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <239a6775-c514-e752-2520-16668b8bc344@i-love.sakura.ne.jp>
User-Agent: Mutt/1.5.17 (2007-11-01)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 23, 2020 at 07:11:38PM +0900, Tetsuo Handa wrote:
> due to commit 5e6e9852d6f76e01 ("uaccess: add infrastructure for kernel
> builds with set_fs()") and follow up changes. Don't we need to change this
> "uaccess_kernel()" with "(current->flags & PF_KTHREAD)" ?

No.  The real problem here is that when a this funtion is called under
set_fs it allows kernel memory access for all user pointers, and due to
the indirection in the playload allows reading or changing kernel
memory.  A kthread does not have that issue.

> >> For another example, if uaccess_kernel() is "false" due to CONFIG_SET_FS=n,
> >> isn't TOMOYO unexpectedly checking permissions for socket operations?
> > 
> > Can someone explain WTF TOMOYO is even doing there?  A security module
> > has absolutely no business checking what context it is called from, but
> > must check the process credentials instead.
> > 
> 
> TOMOYO distinguishes userspace processes and kernel threads, and grants
> kernel threads implicit permissions to perform socket operations.

And this is the problem we need to fix.  A kernel thread can't just have
implicit permissions only because it is a kernel thread.  Think of e.g.
the io_uring service threads.