From: Christian Brauner <brauner@kernel.org>
To: Eric Dumazet <edumazet@google.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-fsdevel@vger.kernel.org, Jann Horn <jannh@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Daan De Meyer" <daan.j.demeyer@gmail.com>,
"David Rheinsberg" <david@readahead.eu>,
"Jakub Kicinski" <kuba@kernel.org>, "Jan Kara" <jack@suse.cz>,
"Lennart Poettering" <lennart@poettering.net>,
"Luca Boccassi" <bluca@debian.org>, "Mike Yuan" <me@yhndnzj.com>,
"Paolo Abeni" <pabeni@redhat.com>,
"Simon Horman" <horms@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
"Christian Brauner" <brauner@kernel.org>,
"Alexander Mikhalitsyn" <alexander@mihalicyn.com>
Subject: [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket
Date: Mon, 05 May 2025 13:13:46 +0200 [thread overview]
Message-ID: <20250505-work-coredump-socket-v3-8-e1832f0e1eae@kernel.org> (raw)
In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org>
Make sure that only tasks that actually coredumped may connect to the
coredump socket. This restriction may be loosened later in case
userspace processes would like to use it to generate their own
coredumps. Though it'd be wiser if userspace just exposed a separate
socket for that.
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
fs/coredump.c | 25 +++++++++++++++++++++++++
fs/pidfs.c | 13 +++++++++++++
include/linux/coredump.h | 12 ++++++++++++
include/linux/pidfs.h | 1 +
net/unix/af_unix.c | 19 +++++++++++++------
5 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index a5f17aaeee32..8a9620ce4fd0 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -630,6 +630,31 @@ struct sockaddr_un coredump_unix_socket = {
#define COREDUMP_UNIX_SOCKET_ADDR_SIZE \
(offsetof(struct sockaddr_un, sun_path) + \
sizeof("\0linuxafsk/coredump.socket") - 1)
+
+static inline bool is_coredump_socket(const struct sockaddr_un *sunname,
+ unsigned int len)
+{
+ return (COREDUMP_UNIX_SOCKET_ADDR_SIZE == len) &&
+ !memcmp(&coredump_unix_socket, sunname, len);
+}
+
+/*
+ * For the coredump socket in the initial network namespace we only
+ * allow actual coredumping processes to connect to it, i.e., the kernel
+ * itself.
+ */
+bool unix_use_coredump_socket(const struct net *net, const struct pid *pid,
+ const struct sockaddr_un *sunname,
+ unsigned int len)
+{
+ if (net != &init_net)
+ return true;
+
+ if (!is_coredump_socket(sunname, len))
+ return true;
+
+ return pidfs_pid_coredumped(pid);
+}
#endif
void do_coredump(const kernel_siginfo_t *siginfo)
diff --git a/fs/pidfs.c b/fs/pidfs.c
index 8c4d83fb115b..e0a4c34ddc42 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -258,6 +258,19 @@ static __u32 pidfs_coredump_mask(unsigned long mm_flags)
return 0;
}
+bool pidfs_pid_coredumped(const struct pid *pid)
+{
+ struct inode *inode;
+
+ if (!pid)
+ return false;
+
+ /* We expect the caller to hold a reference to @pid->stashed. */
+ VFS_WARN_ON_ONCE(!pid->stashed);
+ inode = d_inode(pid->stashed);
+ return (READ_ONCE(pidfs_i(inode)->__pei.coredump_mask) & PIDFD_COREDUMPED);
+}
+
static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
{
struct pidfd_info __user *uinfo = (struct pidfd_info __user *)arg;
diff --git a/include/linux/coredump.h b/include/linux/coredump.h
index 76e41805b92d..2b2f0c016c16 100644
--- a/include/linux/coredump.h
+++ b/include/linux/coredump.h
@@ -7,6 +7,8 @@
#include <linux/fs.h>
#include <asm/siginfo.h>
+struct sockaddr_un;
+
#ifdef CONFIG_COREDUMP
struct core_vma_metadata {
unsigned long start, end;
@@ -44,6 +46,9 @@ extern int dump_align(struct coredump_params *cprm, int align);
int dump_user_range(struct coredump_params *cprm, unsigned long start,
unsigned long len);
extern void do_coredump(const kernel_siginfo_t *siginfo);
+bool unix_use_coredump_socket(const struct net *net, const struct pid *pid,
+ const struct sockaddr_un *sunname,
+ unsigned int len);
/*
* Logging for the coredump code, ratelimited.
@@ -64,6 +69,13 @@ extern void do_coredump(const kernel_siginfo_t *siginfo);
#else
static inline void do_coredump(const kernel_siginfo_t *siginfo) {}
+static inline bool unix_use_coredump_socket(const struct net *net,
+ const struct pid *pid,
+ const struct sockaddr_un *sunname,
+ unsigned int len)
+{
+ return true;
+}
#define coredump_report(...)
#define coredump_report_failure(...)
diff --git a/include/linux/pidfs.h b/include/linux/pidfs.h
index f7729b9371bc..f9c287c0e0ff 100644
--- a/include/linux/pidfs.h
+++ b/include/linux/pidfs.h
@@ -14,5 +14,6 @@ extern const struct dentry_operations pidfs_dentry_operations;
int pidfs_register_pid(struct pid *pid);
void pidfs_get_pid(struct pid *pid);
void pidfs_put_pid(struct pid *pid);
+bool pidfs_pid_coredumped(const struct pid *pid);
#endif /* _LINUX_PID_FS_H */
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index edc2f143f401..613cf9225381 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -101,6 +101,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/pidfs.h>
+#include <linux/coredump.h>
#include <net/af_unix.h>
#include <net/net_namespace.h>
#include <net/scm.h>
@@ -1217,6 +1218,7 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
}
static struct sock *unix_find_abstract(struct net *net,
+ const struct pid *peer_pid,
struct sockaddr_un *sunaddr,
int addr_len, int type)
{
@@ -1224,6 +1226,9 @@ static struct sock *unix_find_abstract(struct net *net,
struct dentry *dentry;
struct sock *sk;
+ if (!unix_use_coredump_socket(net, peer_pid, sunaddr, addr_len))
+ return ERR_PTR(-ECONNREFUSED);
+
sk = unix_find_socket_byname(net, sunaddr, addr_len, hash);
if (!sk)
return ERR_PTR(-ECONNREFUSED);
@@ -1236,15 +1241,16 @@ static struct sock *unix_find_abstract(struct net *net,
}
static struct sock *unix_find_other(struct net *net,
- struct sockaddr_un *sunaddr,
- int addr_len, int type)
+ const struct pid *peer_pid,
+ struct sockaddr_un *sunaddr, int addr_len,
+ int type)
{
struct sock *sk;
if (sunaddr->sun_path[0])
sk = unix_find_bsd(sunaddr, addr_len, type);
else
- sk = unix_find_abstract(net, sunaddr, addr_len, type);
+ sk = unix_find_abstract(net, peer_pid, sunaddr, addr_len, type);
return sk;
}
@@ -1500,7 +1506,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
}
restart:
- other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type);
+ other = unix_find_other(sock_net(sk), NULL, sunaddr, alen, sock->type);
if (IS_ERR(other)) {
err = PTR_ERR(other);
goto out;
@@ -1647,7 +1653,8 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
restart:
/* Find listening sock. */
- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type);
+ other = unix_find_other(net, peercred.peer_pid, sunaddr, addr_len,
+ sk->sk_type);
if (IS_ERR(other)) {
err = PTR_ERR(other);
goto out_free_skb;
@@ -2115,7 +2122,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_namelen) {
lookup:
- other = unix_find_other(sock_net(sk), msg->msg_name,
+ other = unix_find_other(sock_net(sk), NULL, msg->msg_name,
msg->msg_namelen, sk->sk_type);
if (IS_ERR(other)) {
err = PTR_ERR(other);
--
2.47.2
next prev parent reply other threads:[~2025-05-05 11:14 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-05 11:13 [PATCH RFC v3 00/10] coredump: add coredump socket Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 01/10] coredump: massage format_corname() Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 02/10] coredump: massage do_coredump() Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 03/10] net: reserve prefix Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 04/10] coredump: add coredump socket Christian Brauner
2025-05-05 12:55 ` Jann Horn
2025-05-05 13:06 ` Luca Boccassi
2025-05-05 14:46 ` Christian Brauner
2025-05-05 18:48 ` Kuniyuki Iwashima
2025-05-06 8:24 ` Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 05/10] coredump: validate socket name as it is written Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 06/10] coredump: show supported coredump modes Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 07/10] pidfs, coredump: add PIDFD_INFO_COREDUMP Christian Brauner
2025-05-05 11:13 ` Christian Brauner [this message]
2025-05-05 13:08 ` [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket Jann Horn
2025-05-05 14:06 ` Christian Brauner
2025-05-05 18:40 ` Kuniyuki Iwashima
2025-05-05 19:10 ` Jann Horn
2025-05-05 19:35 ` Kuniyuki Iwashima
2025-05-05 19:44 ` Kuniyuki Iwashima
2025-05-05 19:55 ` Jann Horn
2025-05-05 20:41 ` Kuniyuki Iwashima
2025-05-06 7:39 ` Christian Brauner
2025-05-06 14:51 ` Jann Horn
2025-05-06 15:16 ` Christian Brauner
2025-05-06 19:28 ` Kuniyuki Iwashima
2025-05-07 11:50 ` Mickaël Salaün
2025-05-05 19:55 ` Jann Horn
2025-05-05 20:30 ` Kuniyuki Iwashima
2025-05-06 8:06 ` Christian Brauner
2025-05-06 14:37 ` Jann Horn
2025-05-06 19:18 ` Kuniyuki Iwashima
2025-05-07 11:51 ` Mickaël Salaün
2025-05-07 14:22 ` Lennart Poettering
2025-05-07 22:10 ` Paul Moore
2025-05-05 11:13 ` [PATCH RFC v3 09/10] selftests/pidfd: add PIDFD_INFO_COREDUMP infrastructure Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 10/10] selftests/coredump: add tests for AF_UNIX coredumps Christian Brauner
2025-05-05 14:41 ` [PATCH RFC v3 00/10] coredump: add coredump socket Mickaël Salaün
2025-05-05 14:56 ` Christian Brauner
2025-05-05 15:38 ` Mickaël Salaün
2025-05-05 14:59 ` Jann Horn
2025-05-05 15:39 ` Mickaël Salaün
2025-05-05 18:33 ` Kuniyuki Iwashima
2025-05-06 7:33 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250505-work-coredump-socket-v3-8-e1832f0e1eae@kernel.org \
--to=brauner@kernel.org \
--cc=alexander@mihalicyn.com \
--cc=bluca@debian.org \
--cc=daan.j.demeyer@gmail.com \
--cc=davem@davemloft.net \
--cc=david@readahead.eu \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=lennart@poettering.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@yhndnzj.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=pabeni@redhat.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.