Date: Thu, 24 Feb 2022 08:28:41 -0800
From: Kees Cook
To: "Eric W. Biederman"
Cc: linux-kernel@vger.kernel.org, Linux API, Etienne Dechamps, Alexey Gladkov, Shuah Khan, Christian Brauner, Solar Designer, Ran Xiaokai, "open list:KERNEL SELFTEST FRAMEWORK", Linux Containers, Michal Koutný, Security Officers, Neil Brown, NeilBrown, "Serge E. Hallyn", Jann Horn, Andy Lutomirski, Willy Tarreau, Linus Torvalds
Subject: Re: [PATCH] ucounts: Fix systemd LimigtNPROC with private users regression
Message-ID: <202202240826.E31BADF@keescook>
References: <20220207121800.5079-1-mkoutny@suse.com> <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org> <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> <878ru1qcos.fsf@email.froward.int.ebiederm.org> <87tucpko7d.fsf@email.froward.int.ebiederm.org> <87sfs8jmpz.fsf_-_@email.froward.int.ebiederm.org>
In-Reply-To: <87sfs8jmpz.fsf_-_@email.froward.int.ebiederm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

typo: Subject's LimigtNPROC -> LimitNPROC

On Thu, Feb 24, 2022 at 09:41:44AM -0600, Eric W. Biederman wrote:
>
> Long story short recursively enforcing RLIMIT_NPROC when it is not
> enforced on the process that creates a new user namespace, causes
> currently working code to fail.  There is no reason to enforce
> RLIMIT_NPROC recursively when we don't enforce it normally so update
> the code to detect this case.
>
> I would like to simply use capable(CAP_SYS_RESOURCE) to detect when
> RLIMIT_NPROC is not enforced upon the caller.  Unfortunately because
> RLIMIT_NPROC is charged and checked for enforcement based upon the
> real uid, using capable() wich is euid based is inconsistent with reality.

typo: wich -> which

> Come as close as possible to testing for capable(CAP_SYS_RESOURCE) by
> testing for when the real uid would match the conditions when
> CAP_SYS_RESOURCE would be present if the real uid was the effective
> uid.
>
> Reported-by: Etienne Dechamps
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=215596
> Link: https://lkml.kernel.org/r/e9589141-cfeb-90cd-2d0e-83a62787239a@edechamps.fr
> Fixes: 21d1c5e386bc ("Reimplement RLIMIT_NPROC on top of ucounts")
> Signed-off-by: "Eric W. Biederman"
> ---
>
> The previous conversation has given me enough clarity that I can see
> which tests I am comfortable using for this pending regression fix.
>
> I have tested this and it works for me.  Does anyone have any concerns
> with this change?

I'd really love some kind of selftest that exercises the edge cases; do
you have your tests in some form that could be converted?

But otherwise, yes, this looks like the best option here.

Reviewed-by: Kees Cook

>
>  kernel/user_namespace.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 6b2e3ca7ee99..5481ba44a8d6 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -58,6 +58,18 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) > cred->user_ns = user_ns; > } > > +static unsigned long enforced_nproc_rlimit(void) > +{ > + unsigned long limit = RLIM_INFINITY; > + > + /* Is RLIMIT_NPROC currently enforced? */ > + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) || > + (current_user_ns() != &init_user_ns)) > + limit = rlimit(RLIMIT_NPROC); > + > + return limit; > +} > + > /* > * Create a new user namespace, deriving the creator from the user in the > * passed credentials, and replacing that user with the new root user for the > @@ -122,7 +134,7 @@ int create_user_ns(struct cred *new) > for (i = 0; i < MAX_PER_NAMESPACE_UCOUNTS; i++) { > ns->ucount_max[i] = INT_MAX; > } > - set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)); > + set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit()); > set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE)); > set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING)); > set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK)); > -- > 2.29.2 > -- Kees Cook
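Review bot: in the first hunk, the comment inside enforced_nproc_rlimit() ("Is RLIMIT_NPROC currently enforced?") leaves out the reason the helper tests the real uid and the user namespace instead of calling capable(CAP_SYS_RESOURCE), which the commit message explains; put that reasoning in the comment, since a real-uid test where a capability check is conventional will otherwise attract a "cleanup" back to capable(). Something like: /* RLIMIT_NPROC is charged and checked against the real uid, so the euid based capable() cannot be used; real uid 0 in the initial user namespace is the one case where the limit is not enforced. */ It is also worth stating there that root in a child user namespace (the `current_user_ns() != &init_user_ns` term) deliberately keeps enforcement, and that a process holding CAP_SYS_RESOURCE with a non-root real uid will still copy its limit into the new namespace, since that is the trade-off the commit message accepts.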
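Review bot: in the second hunk, only the UCOUNT_RLIMIT_NPROC line switches to enforced_nproc_rlimit(); the MSGQUEUE, SIGPENDING and MEMLOCK lines directly below it still copy rlimit() unconditionally. If no root exemption applies to those three, a one-line comment above the block saying so would stop the next reader from extending the helper to them (or from reverting NPROC for symmetry); if one does apply, they have the same recursive-enforcement problem this patch fixes for NPROC and should use the same pattern.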
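Kees asks for a selftest that exercises the edge case. The program below is an added reproducer written for this page; it is not part of Eric's patch or of the kernel's selftests. It assumes a Linux host with /proc mounted, that it runs as real uid 0 in the initial user namespace (anything else is reported as skipped), that outer uid/gid 100000 is an unused unprivileged id (an assumption; any non-zero id works), and that more than `soft` (here 2) root-owned processes exist in the initial namespace. The parent is root, so RLIMIT_NPROC is not enforced on it; it lowers its soft limit to 2, creates a user namespace, and maps that namespace's uid 0 onto the unprivileged outer id so the process inside is subject to the limit. That process then forks once, which keeps the namespace at two processes and within its own limit. In my reading of is_ucounts_overlimit(), the check also walks up to the creator's ucounts in the initial namespace, where the system-wide count of root processes is compared against the limit create_user_ns() copied into the new namespace, so on a kernel with the regression the fork fails with EAGAIN; with this patch the copied limit is unlimited and the fork succeeds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one probe, as seen by the parent in the initial user namespace. */
enum nproc_probe {
    PROBE_SKIPPED,     /* not root, no user namespaces, no /proc: nothing learned */
    PROBE_FORK_OK,     /* fork inside the new namespace succeeded: patched behaviour */
    PROBE_FORK_EAGAIN  /* fork inside the new namespace failed with EAGAIN: regression */
};

/* Exit codes the child uses to report back; values chosen arbitrarily. */
enum { EXIT_SKIP = 40, EXIT_FORK_OK = 41, EXIT_FORK_EAGAIN = 42 };

/* Soft RLIMIT_NPROC of the calling process, -1 for RLIM_INFINITY, -2 on error. */
long nproc_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -2;
    return rl.rlim_cur == RLIM_INFINITY ? -1 : (long)rl.rlim_cur;
}

/* Write one string into /proc/<pid>/<file> (setgroups, gid_map, uid_map). */
static int write_proc_file(pid_t pid, const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child: lower only the soft limit (what rlimit() reads), enter a new user
 * namespace, stop so the parent can install the id maps, become uid/gid 0 of
 * the new namespace (which maps to the unprivileged outer id), fork once. */
static void child_body(long soft)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        _exit(EXIT_SKIP);
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < (rlim_t)soft)
        _exit(EXIT_SKIP);
    rl.rlim_cur = (rlim_t)soft;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0 || unshare(CLONE_NEWUSER) != 0)
        _exit(EXIT_SKIP);
    raise(SIGSTOP);                        /* parent writes the maps meanwhile */
    if (setgid(0) != 0 || setuid(0) != 0)  /* EINVAL if the maps were not written */
        _exit(EXIT_SKIP);
    pid_t g = fork();
    if (g == 0)
        _exit(0);
    if (g < 0)
        _exit(errno == EAGAIN ? EXIT_FORK_EAGAIN : EXIT_SKIP);
    waitpid(g, NULL, 0);
    _exit(EXIT_FORK_OK);
}

/* outer_id is the (assumed unused) uid/gid the namespace's root maps onto. */
enum nproc_probe probe_nproc_in_new_userns(long soft, unsigned outer_id)
{
    char map[64];
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_SKIPPED;
    if (pid == 0) {
        child_body(soft);
        _exit(EXIT_SKIP); /* not reached */
    }
    if (waitpid(pid, &status, WUNTRACED) != pid || !WIFSTOPPED(status))
        return PROBE_SKIPPED;  /* child bailed out (or was killed) before the stop */
    snprintf(map, sizeof map, "0 %u 1\n", outer_id);
    /* Must be done from the parent: after unshare the child may only map its own id. */
    int mapped = write_proc_file(pid, "setgroups", "deny") == 0 &&
                 write_proc_file(pid, "gid_map", map) == 0 &&
                 write_proc_file(pid, "uid_map", map) == 0;
    kill(pid, SIGCONT);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || !mapped)
        return PROBE_SKIPPED;
    switch (WEXITSTATUS(status)) {
    case EXIT_FORK_OK:     return PROBE_FORK_OK;
    case EXIT_FORK_EAGAIN: return PROBE_FORK_EAGAIN;
    default:               return PROBE_SKIPPED;
    }
}

int main(void)
{
    static const char *names[] = {
        "skipped (needs root in the initial user namespace)",
        "fork inside the new user namespace succeeded (fix present)",
        "fork inside the new user namespace failed with EAGAIN (regression)" };
    enum nproc_probe r = probe_nproc_in_new_userns(2, 100000);
    printf("%s\n", names[r]);
    return r == PROBE_FORK_EAGAIN;
}
```

The soft limit is lowered only in the child, so the caller's own limit is untouched; the limit must be at least 2 (the namespace holds the child and its one fork) and below the number of root-owned processes on the host for the two kernels to differ. The probe exits non-zero when it observes the regression, so it can be dropped into a test runner as is.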