From: Paul Moore
Date: Tue, 3 May 2022 13:58:09 -0400
Subject: Re: [PATCH v4] firmware_loader: use kernel credentials when reading firmware
To: Thiébaud Weksteen
Cc: Luis Chamberlain, Greg Kroah-Hartman, Qian Cai, John Stultz, Jeffrey Vander Stoep, Saravana Kannan, Alistair Delva, Adam Shih, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20220502004952.3970800-1-tweek@google.com>

On Sun, May 1, 2022 at 8:50 PM Thiébaud Weksteen wrote:
>
> Device drivers may decide to not load firmware when probed to avoid
> slowing down the boot process should the firmware filesystem not be
> available yet. In this case, the firmware loading request may be done
> when a device file associated with the driver is first accessed. The
> credentials of the userspace process accessing the device file may be
> used to validate access to the firmware files requested by the driver.
> Ensure that the kernel assumes the responsibility of reading the
> firmware.
>
> This was observed on Android for a graphic driver loading their firmware
> when the device file (e.g. /dev/mali0) was first opened by userspace
> (i.e. surfaceflinger). The security context of surfaceflinger was used
> to validate the access to the firmware file (e.g.
> /vendor/firmware/mali.bin).
>
> Previously, Android configurations were not setting up the
> firmware_class.path command line argument and were relying on the
> userspace fallback mechanism. In this case, the security context of the
> userspace daemon (i.e. ueventd) was consistently used to read firmware
> files. More Android devices are now found to set firmware_class.path
> which gives the kernel the opportunity to read the firmware directly
> (via kernel_read_file_from_path_initns). In this scenario, the current
> process credentials were used, even if unrelated to the loading of the
> firmware file.
>
> Signed-off-by: Thiébaud Weksteen
> Cc: # 5.10
> ---
> v4: Add stable to Cc
> v3:
>   - Add call to put_cred to avoid a memory leak. Confirmed that no new
>     memory leak occurs on a Pixel 4a.
>   - Update commit log.
> v2: Add comment
>
>  drivers/base/firmware_loader/main.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)

Reviewed-by: Paul Moore

-- 
paul-moore.com
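
A userspace model of the behaviour the quoted commit message describes, added here as an illustration; it is not the patch's code and not kernel code. The functions are simplified stand-ins named after the kernel credential helpers, and the policy (only the `kernel` context may read firmware) is an assumption made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for kernel credential objects (model only). */
struct cred { const char *ctx; int usage; };

static struct cred surfaceflinger = { "surfaceflinger", 1 };
/* The task that first opened the device file (e.g. /dev/mali0). */
static const struct cred *current_cred = &surfaceflinger;
static int live_kernel_creds; /* kernel creds allocated and not yet freed */

static struct cred *prepare_kernel_cred(void) {
    struct cred *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->ctx = "kernel"; c->usage = 1; live_kernel_creds++;
    return c;
}
static const struct cred *override_creds(const struct cred *new_cred) {
    const struct cred *old = current_cred;
    current_cred = new_cred;
    return old;
}
static void revert_creds(const struct cred *old) { current_cred = old; }
static void put_cred(struct cred *c) {
    if (--c->usage == 0) { live_kernel_creds--; free(c); }
}

/* Assumed policy: only the kernel context may read firmware files. */
static int may_read_firmware(void) {
    return strcmp(current_cred->ctx, "kernel") == 0 ? 0 : -EACCES;
}

/* Before: the read is checked against whichever task triggered the load. */
static int load_firmware_before(void) { return may_read_firmware(); }

/* After: the read runs under kernel credentials; the caller's are restored. */
static int load_firmware_after(void) {
    struct cred *kern = prepare_kernel_cred();
    if (!kern) return -ENOMEM;
    const struct cred *old = override_creds(kern);
    int ret = may_read_firmware();
    revert_creds(old);
    put_cred(kern); /* without this, each request leaks one cred (the v3 note) */
    return ret;
}

int main(void) {
    printf("before=%d after=%d live=%d caller=%s\n", load_firmware_before(),
           load_firmware_after(), live_kernel_creds, current_cred->ctx);
    return 0;
}
```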