Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp212746pxu; Tue, 5 Jan 2021 08:55:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJwA3sh+No2S96iUWpO+bUzGywEL4WM4Oz3WWJs9yMpYsvSoUyKa0ixuTGqgD0YzSdbRwH0J X-Received: by 2002:a05:6402:ca1:: with SMTP id cn1mr704897edb.128.1609865731353; Tue, 05 Jan 2021 08:55:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609865731; cv=none; d=google.com; s=arc-20160816; b=gzJL6/gKRCfhIncRqjTm1SmGQsjb5lZ6nWTzm3DWPfavzzJEafXjunFM0c4VZjJhnU /PzbzSJVh4Bx+GZ15pSLawcZ3lPu4UdNJXJYQoWWeA8HjgoqXuW63Zt4AVGDZ6q+et26 /pvMfC7yFGaMWN22xVQfNHjWPivfZVaWL6mdAxbeBDYe84vvttQ96TuQ1FoaMlqmjIGr o2OTEK/ngKRuEw9Q5qtpUnDs+ToqCr441mI3TStKLrdS2P2vPnaEKDQfP/rFzbVjIuyK IiBBnPhsUFv4ZKyrGVeFLlojROy2I4PZOod6lyUeWlHzGUbWoEcyB0tOem3VkW4lIQ28 wubA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=NIKha5qf99xiooIbDogBjJ+uHC4HQR/0rzwaxow6SLc=; b=Uvtkka+aNfMDDcqdB51+FULTyqDObdav/V4VvY7gVenwPZ8kLlrga0Arhm5+o0rT1W sMwUu6IygUZYmKbgYUtnEdctIY+ufsYRBJu3mo+v/3DxtRv5mYb2pR0fnUZMIfcNPauU jClI6qk6ENqYv0SLsuW5/AN3c1Yjr8997lfykAxkmoHZZ5VijYZXh2UzIukl8ruOOGmM qKseuzTjEyi9TI6aYXz8FW8xnPmhdgzT0dI0yESkzGZ9Htfv3D054uhSsdFmHHKNcw6X 8EBu4G+TPV+wocDa8y8mkrtb2dz5Ir9nuNDbHTRiWqRc3pyAZ83UdHSqRIz/MynrGdG1 RBvg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c11si76868edu.341.2021.01.05.08.55.07; Tue, 05 Jan 2021 08:55:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727414AbhAEQu7 (ORCPT + 99 others); Tue, 5 Jan 2021 11:50:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729518AbhAEQu6 (ORCPT ); Tue, 5 Jan 2021 11:50:58 -0500 Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA5E6C061793; Tue, 5 Jan 2021 08:50:17 -0800 (PST) Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kwpX3-0076tQ-14; Tue, 05 Jan 2021 16:50:05 +0000 Date: Tue, 5 Jan 2021 16:50:05 +0000 From: Al Viro To: Stephen Brennan Cc: Alexey Dobriyan , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , selinux@vger.kernel.org, Casey Schaufler , Eric Biederman , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Matthew Wilcox Subject: Re: [PATCH v4] proc: Allow pid_revalidate() during LOOKUP_RCU Message-ID: <20210105165005.GV3579531@ZenIV.linux.org.uk> References: <20210104232123.31378-1-stephen.s.brennan@oracle.com> <20210105055935.GT3579531@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210105055935.GT3579531@ZenIV.linux.org.uk> Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 05, 2021 at 05:59:35AM +0000, Al Viro wrote: > Umm... I'm rather worried about the side effect you are removing here - > you are suddenly exposing a bunch of methods in there to RCU mode. > E.g. is proc_pid_permission() safe with MAY_NOT_BLOCK in the mask? > generic_permission() call in there is fine, but has_pid_permission() > doesn't even see the mask. Is that thing safe in RCU mode? AFAICS, > this > static int selinux_ptrace_access_check(struct task_struct *child, > unsigned int mode) > { > u32 sid = current_sid(); > u32 csid = task_sid(child); > > if (mode & PTRACE_MODE_READ) > return avc_has_perm(&selinux_state, > sid, csid, SECCLASS_FILE, FILE__READ, NULL); > > return avc_has_perm(&selinux_state, > sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); > } > is reachable and IIRC avc_has_perm() should *NOT* be called in RCU mode. > If nothing else, audit handling needs care... > > And LSM-related stuff is only a part of possible issues here. It does need > a careful code audit - you are taking a bunch of methods into the conditions > they'd never been tested in. ->permission(), ->get_link(), ->d_revalidate(), > ->d_hash() and ->d_compare() instances for objects that subtree. The last > two are not there in case of anything in /proc/, but the first 3 very > much are. FWIW, after looking through the selinux and smack I started to wonder whether we really need that "return -ECHILD rather than audit and fail" in case of ->inode_permission(). AFAICS, the reason we need it is that dump_common_audit_data() is not safe in RCU mode with LSM_AUDIT_DATA_DENTRY and even more so - with LSM_AUDIT_DATA_INODE (d_find_alias() + dput() there, and dput() can bloody well block). LSM_AUDIT_DATA_DENTRY is easy to handle - wrap audit_log_untrustedstring(ab, a->u.dentry->d_name.name); into grabbing/dropping a->u.dentry->d_lock and we are done. And as for the LSM_AUDIT_DATA_INODE... How about this: /* * Caller *MUST* hold rcu_read_lock() and be guaranteed that inode itself * will be around until that gets dropped. */ struct dentry *d_find_alias_rcu(struct inode *inode) { struct hlist_head *l = &inode->i_dentry; struct dentry *de = NULL; spin_lock(&inode->i_lock); // ->i_dentry and ->i_rcu are colocated, but the latter won't be // used without having I_FREEING set, which means no aliases left if (inode->i_state & I_FREEING) { spin_unlock(&inode->i_lock); return NULL; } // we can safely access inode->i_dentry if (hlist_empty(p)) { spin_unlock(&inode->i_lock); return NULL; } if (S_ISDIR(inode->i_mode)) { de = hlist_entry(l->first, struct dentry, d_u.d_alias); } else hlist_for_each_entry(de, l, d_u.d_alias) { if (d_unhashed(de)) continue; // hashed + nonrcu really shouldn't be possible if (WARN_ON(READ_ONCE(de->d_flags) & DCACE_NONRCU)) continue; break; } spin_unlock(&inode->i_lock); return de; } and have case LSM_AUDIT_DATA_INODE: { struct dentry *dentry; struct inode *inode; rcu_read_lock(); inode = a->u.inode; dentry = d_find_alias_rcu(inode); if (dentry) { audit_log_format(ab, " name="); spin_lock(&dentry->d_lock); audit_log_untrustedstring(ab, dentry->d_name.name); spin_unlock(&dentry->d_lock); } audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); rcu_read_unlock(); break; } in dump_common_audit_data(). Would that be enough to stop bothering with the entire AVC_NONBLOCKING thing or is there anything else involved?