Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp1761207pxb; Sun, 10 Jan 2021 09:46:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJztwuigzNZm3LnO8YmFwui8fqP7HpYVhx9Xttg1jTahPBUOfIYtGZAsN0D+Th/3zdmMVGuw X-Received: by 2002:a17:906:400a:: with SMTP id v10mr8468267ejj.302.1610300774610; Sun, 10 Jan 2021 09:46:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610300774; cv=none; d=google.com; s=arc-20160816; b=eGH9LkFmrCxXyn+EYLrQQyxKwHWbdgaldgJIX/m68/nBBdaRqz9w779HqaIdt3rmRE 8NPngwFBoWdgiF6aNh+ItnEohigcQzJ5n/KzJFpuljonql5p4VsZyLZi37mOzROdyBGR n3EbQQhyB/BAOYnrpHLKuxlUfkZcz/0Sm/ChMwI5gya9wRDQFNYsfTXTVkbEQo3/0/hw +iJK8zAVY7h3/nVbDe34QT4pn0wa8mCgFJSJXpnQw+vJnSo6dbwcAivltUqE2JIxS78J LMPNsTQz1j8AcSyonmd138hoHdEeR9zG0NJcGQhiBjvqeIpHJa2ZjfW4yrLSuM1zth7Z Mshg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=p52bKU9B9NO0B7IJf8DVj4BvMTxvqMhx1wFP3622vYs=; b=mKimuPwFBCNX7wCVy8sfQpkng3WLLQNtkDEmoLjE6pBUU63sdpU/Zo0RC0TfItfR+z zQlC3HDHSsdDNhxrDcdFFhTWK1Mc+KT+XsIVVJ0z0eRD9wYGMwKip6v1ii05ZKf0JMrv 6GhtfPNs6mS15KWIFaztExkgx3f9DH4BkTxgSfcKYuEg8qXmKc+fEbsdaYX/FlggJUPT M1bRIXZMDsgC34ZldCBNl/HHMtseQAJgQYXcU6EHbU5xdEZFepL7laWGge3WEBj+0DSo T737g/u0bQiHOkrQyHzBRz5GB4JBo++SSVab3rlcnRyYOLU7QzyfX8uXO4+bxxM13Szb sJ0w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f6si5905192edm.128.2021.01.10.09.45.51; Sun, 10 Jan 2021 09:46:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726460AbhAJRn1 (ORCPT + 99 others); Sun, 10 Jan 2021 12:43:27 -0500 Received: from raptor.unsafe.ru ([5.9.43.93]:38132 "EHLO raptor.unsafe.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726346AbhAJRn1 (ORCPT ); Sun, 10 Jan 2021 12:43:27 -0500 Received: from comp-core-i7-2640m-0182e6.redhat.com (ip-89-103-122-167.net.upcbroadband.cz [89.103.122.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by raptor.unsafe.ru (Postfix) with ESMTPSA id AADA620A1F; Sun, 10 Jan 2021 17:34:53 +0000 (UTC) From: Alexey Gladkov To: LKML , Linux Containers , Kernel Hardening Cc: Alexey Gladkov , "Eric W . Biederman" , Kees Cook , Christian Brauner , Linus Torvalds Subject: [RFC PATCH v2 8/8] Move RLIMIT_NPROC check to the place where we increment the counter Date: Sun, 10 Jan 2021 18:33:47 +0100 Message-Id: <54b0cf752c2c275a164aa980e2d8e4e464797ca1.1610299858.git.gladkov.alexey@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Sun, 10 Jan 2021 17:34:53 +0000 (UTC) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org After calling set_user(), we always have to call commit_creds() to apply new credentials upon the current task. There is no need to separate limit check and counter incrementing. Signed-off-by: Alexey Gladkov --- kernel/cred.c | 22 +++++++++++++++++----- kernel/sys.c | 13 ------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index 89a945571533..770447b4f4de 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -488,14 +488,26 @@ int commit_creds(struct cred *new) if (!gid_eq(new->fsgid, old->fsgid)) key_fsgid_changed(new); - /* do it - * RLIMIT_NPROC limits on user->processes have already been checked - * in set_user(). - */ alter_cred_subscribers(new, 2); if (new->user != old->user || new->user_ns != old->user_ns) { + bool overlimit; + set_cred_ucounts(new, new->user_ns, new->euid); - inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1); + + overlimit = inc_rlimit_ucounts_and_test(new->ucounts, UCOUNT_RLIMIT_NPROC, + 1, rlimit(RLIMIT_NPROC)); + + /* + * We don't fail in case of NPROC limit excess here because too many + * poorly written programs don't check set*uid() return code, assuming + * it never fails if called by root. We may still enforce NPROC limit + * for programs doing set*uid()+execve() by harmlessly deferring the + * failure to the execve() stage. + */ + if (overlimit && new->user != INIT_USER) + current->flags |= PF_NPROC_EXCEEDED; + else + current->flags &= ~PF_NPROC_EXCEEDED; } rcu_assign_pointer(task->real_cred, new); rcu_assign_pointer(task->cred, new); diff --git a/kernel/sys.c b/kernel/sys.c index c2734ab9474e..180c4e06064f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -467,19 +467,6 @@ static int set_user(struct cred *new) if (!new_user) return -EAGAIN; - /* - * We don't fail in case of NPROC limit excess here because too many - * poorly written programs don't check set*uid() return code, assuming - * it never fails if called by root. We may still enforce NPROC limit - * for programs doing set*uid()+execve() by harmlessly deferring the - * failure to the execve() stage. - */ - if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && - new_user != INIT_USER) - current->flags |= PF_NPROC_EXCEEDED; - else - current->flags &= ~PF_NPROC_EXCEEDED; - free_uid(new->user); new->user = new_user; return 0; -- 2.29.2