Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp861420pxb; Fri, 22 Apr 2022 12:52:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxH/Z3zauNjyEsuAL/C5zdE7PHBET89CkB+FZW1Sws38b6zsCHg3ThlV8nV+NmNFZL5cUtc X-Received: by 2002:a17:902:9887:b0:151:6e1c:7082 with SMTP id s7-20020a170902988700b001516e1c7082mr6110090plp.162.1650657172975; Fri, 22 Apr 2022 12:52:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650657172; cv=none; d=google.com; s=arc-20160816; b=Vu+R6EGNsNPJaG1Xn3c06Egto4p3aI2x7i0CbNnSvdw13NqE+r8R26Q4Rx3/yK9x3I FKjMYhSuVEQUZd1Q2wu2eF8HFVc1VQ4R8Zn4Hq5c79jKXHAyzj6QKP11/lUhM8Xv+adU fgT7pHj+WHoc9v71/7sykQs9+YtchaufN26woPdJU1Smorxp30CJG2YxGSPurCXiqBkH 6S621oShJHb4JDWTt4W4ENtUymjvZTMmrid7GkrMVuk2g8boKu+qLbRMzBPU+5A40lcp jZY6Hghj7CRwD9rTvb3Lcl6/hM/cCSY/fXAVcwuOHm9fSnisJ3IBERFEx2J9klQiFeGx zv2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=roXSkgp7AcHF/lcjOHhcpN8Xmx+GkKmLRVoKkTd+Adg=; b=mzKG00cC0VxhkPzbI/saK6U+KhCGFteHvdndPf+IFNnDlAFbuL6SEyavJWXefGuCyM 2AeIQG/Yg/bZk4d2waOfJj1kA837jXM9oGQxrtywvz3roGlb3aOIJJOYr01DMvTxk8Vk cnlDZiy7JwsAqx0FHaResvuBgZXBsKRnEdTcpB97YOQjvLHl4YF0ki6t/l9iMbqRHBAc 8bHT1S4y92ggYgoZGDX2AqHLtOi9ZZJ8Ylu8vXmGVCOSX5GSnHdCOys1IwwlBi7YSfb1 IOrQkM2T3aoGwqwaNPlv9EpNdqAoUQ7/G5twcZKtRrJNBEjPpA7fNPE3tyQIwBHoCHYg 6Y0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=tX4y9UPO; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id 194-20020a6300cb000000b003aa1ecf8d60si8569296pga.411.2022.04.22.12.52.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Apr 2022 12:52:52 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=tX4y9UPO; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 656D52215F8; Fri, 22 Apr 2022 11:54:12 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1448744AbiDVOkJ (ORCPT + 99 others); Fri, 22 Apr 2022 10:40:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54608 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1448731AbiDVOkF (ORCPT ); Fri, 22 Apr 2022 10:40:05 -0400 Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B30E05BD27; Fri, 22 Apr 2022 07:37:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:In-Reply-To: Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description; bh=roXSkgp7AcHF/lcjOHhcpN8Xmx+GkKmLRVoKkTd+Adg=; b=tX4y9UPOAPrnbbwo+/TBmRkSgf Cd+ngehcbDyo3TrDTO3BCcy391X73BF1SaPWigbX5EapQk26CDRz6dG0tPasYpTSLP1peYb0l4qoY AX98pK4gmSd5wkhfSS3AN14hwwtaQsUTgY7eOTw8BegTdF5/jf9nLkymP0poHrcfm/fxwSP3ihL8K G3Us+PEcBvBHfg3idr6YvVakesrsHKHuzeVh+AMsNjStnSCZksWcm2tHNaQ8fJkqtYsceAJlwji9U VETXSFsHDrB2gRtRHgnYzmOlCq8vY0ZoNoHICEcEzD1h2VknMwJQESlD8UJFJNxb3pLU6Fgf8BZDi hUfxK/hA==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhuPG-000qpU-B7; Fri, 22 Apr 2022 14:37:10 +0000 Date: Fri, 22 Apr 2022 07:37:10 -0700 From: Luis Chamberlain To: =?iso-8859-1?Q?Thi=E9baud?= Weksteen Cc: Greg Kroah-Hartman , Jeffrey Vander Stoep , Saravana Kannan , Alistair Delva , Adam Shih , selinux@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] firmware_loader: use kernel credentials when reading firmware Message-ID: References: <20220422013215.2301793-1-tweek@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220422013215.2301793-1-tweek@google.com> Sender: Luis Chamberlain X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 22, 2022 at 11:32:15AM +1000, Thi?baud Weksteen wrote: > Device drivers may decide to not load firmware when probed to avoid > slowing down the boot process should the firmware filesystem not be > available yet. In this case, the firmware loading request may be done > when a device file associated with the driver is first accessed. The > credentials of the userspace process accessing the device file may be > used to validate access to the firmware files requested by the driver. > Ensure that the kernel assumes the responsibility of reading the > firmware. > > This was observed on Android for a graphic driver loading their firmware > when the device file (e.g. /dev/mali0) was first opened by userspace > (i.e. surfaceflinger). The security context of surfaceflinger was used > to validate the access to the firmware file (e.g. > /vendor/firmware/mali.bin). > > Because previous configurations were relying on the userspace fallback > mechanism, the security context of the userspace daemon (i.e. ueventd) > was consistently used to read firmware files. More devices are found to > use the command line argument firmware_class.path which gives the kernel > the opportunity to read the firmware directly, hence surfacing this > misattribution. Can you elaborate on the last sentence? It's unclear how what you describe is used exactly to allow driver to use direct filesystem firmware loading. And, given the feedback from Android it would seem this is a fix which likely may be desirable to backport to some stable kernels? Otherwise looks good Reviewed-by: Luis Chamberlain > Signed-off-by: Thi?baud Weksteen > --- > v2: Add comment > > drivers/base/firmware_loader/main.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c > index 94d1789a233e..8f3c2b2cfc61 100644 > --- a/drivers/base/firmware_loader/main.c > +++ b/drivers/base/firmware_loader/main.c > @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name, > size_t offset, u32 opt_flags) > { > struct firmware *fw = NULL; > + struct cred *kern_cred = NULL; > + const struct cred *old_cred; > bool nondirect = false; > int ret; > > @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name, > if (ret <= 0) /* error or already assigned */ > goto out; > > + /* > + * We are about to try to access the firmware file. Because we may have been > + * called by a driver when serving an unrelated request from userland, we use > + * the kernel credentials to read the file. > + */ > + kern_cred = prepare_kernel_cred(NULL); > + if (!kern_cred) { > + ret = -ENOMEM; > + goto out; > + } > + old_cred = override_creds(kern_cred); > + > ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL); > > /* Only full reads can support decompression, platform, and sysfs. */ > @@ -776,6 +790,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name, > } else > ret = assign_fw(fw, device); > > + revert_creds(old_cred); > + > out: > if (ret < 0) { > fw_abort_batch_reqs(fw); > -- > 2.36.0.rc2.479.g8af0fa9b8e-goog >