Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CDEAC4332F for ; Wed, 8 Dec 2021 19:40:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239751AbhLHTni (ORCPT ); Wed, 8 Dec 2021 14:43:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239709AbhLHTnf (ORCPT ); Wed, 8 Dec 2021 14:43:35 -0500 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA206C061746 for ; Wed, 8 Dec 2021 11:40:02 -0800 (PST) Received: by mail-ed1-x52e.google.com with SMTP id t5so12179468edd.0 for ; Wed, 08 Dec 2021 11:40:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SSuTUaoWRkT8sF44dnJf0jK4LvvPfwkMU72mY4f5Ngs=; b=bh7MtAYmv+906sJufelChvHxeHFUnAiJ1qplujSffdHtxPmoYLuPEcRoqDVvor8fag e+PDVU0H2OcYLcvkRPZxEihXtB+ncnlkwcs71TQiat8GJN0uXSOG6aidzcMS9PXGss7I j8wOAbWs9eTfVZaTOIGplM5K3J3fT77CCUybE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SSuTUaoWRkT8sF44dnJf0jK4LvvPfwkMU72mY4f5Ngs=; b=irj+fZZ8EtQfTqwx8asfR2D0ayBHZ1qSMyGFZKKvs8mRchQVTnuTQ+1NKEkCpQyMHf PXdqmfFtKx67aeJFzg+EhUDVnxDDPtvI1b9YChnlF9XmzyR1SJHPD0jfBBRQ+8QeqD3z APfssSdNwK9FlC9ewFXOnQ/3hrx4GF0Yyrg3DjS/jJjdp9F8jP3j0vL9XOQnKU/GeTkM nEXS4IobHCCNzsLwxBwXY8isPkM7S4tzLPixjAuNkq4KlHrxdeBDGrk0Jde81WsVrdNy 5o7im6t7sYXMf/d+Ns67szTCfGDhhzGV7liVFbBdx6iev2NyEvzvazcoZ6S12FQ0TFXu 1WWQ== X-Gm-Message-State: AOAM533PJSr60+Qs1jtT0wUODnKV0Nz2GciwO9ywzV4M8VuIHYkEFoP2 99wgcHTBcly9L7RIIoj7/FtYN4uFaN6AdKtD X-Google-Smtp-Source: ABdhPJyXCwZMZkvBDE+QDBcYRU6GgDmS8jrghy1LY/1b857xQM++MyGS3qDcGz1VP2FgAK0NkWbSOg== X-Received: by 2002:a17:906:4d4a:: with SMTP id b10mr9964251ejv.89.1638992401050; Wed, 08 Dec 2021 11:40:01 -0800 (PST) Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com. [209.85.221.42]) by smtp.gmail.com with ESMTPSA id hx14sm1863243ejc.92.2021.12.08.11.39.59 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Dec 2021 11:40:00 -0800 (PST) Received: by mail-wr1-f42.google.com with SMTP id v11so5883126wrw.10 for ; Wed, 08 Dec 2021 11:39:59 -0800 (PST) X-Received: by 2002:a05:6000:1c2:: with SMTP id t2mr811808wrx.378.1638992399608; Wed, 08 Dec 2021 11:39:59 -0800 (PST) MIME-Version: 1.0 References: <20211208180501.11969-1-mkoutny@suse.com> <87sfv3540t.fsf@email.froward.int.ebiederm.org> In-Reply-To: From: Linus Torvalds Date: Wed, 8 Dec 2021 11:39:43 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] exit: Retain nsproxy for exit_task_work() work entries To: Tejun Heo Cc: "Eric W. Biederman" , =?UTF-8?Q?Michal_Koutn=C3=BD?= , Linux Kernel Mailing List , Jens Axboe , Kees Cook , Oleg Nesterov , Peter Zijlstra , Thomas Gleixner , Jim Newsome , Alexey Gladkov , Security Officers , Andy Lutomirski , Jann Horn Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Dec 8, 2021 at 11:06 AM Tejun Heo wrote: > > > That said I can't quite tell if the test should be moved into > > cgroup_file_open or if there is a permission entry that would work. > > It can't. Two options: (a) anybody doing "current process" permission checks at IO time should then also check that the credentials are still the same as when the file was opened. (b) alternatively, go ahead and do the permission check at IO time, but do it using "file->f_cred" (ie the open-time permission), not the current process ones. In the above, (a) and (b) are basically the same: it uses f_cred for permission checking. The only difference is that in (a) you may be using some function that _technically_ uses the implicit "current credentials" (there are many of them), and you just separately make sure that those current credentials are identical to what they were at open time. Obviously (b) is hugely preferred, but sometimes the code organization (ie "file or f_cred just isn't passed down deep enough") means that (a) might be the only realistic option. IOW, it's not *wrong* to do permission checking at IO time, but it absolutely needs to be done using the open-time credentials. Linus