From: Christian Brauner <brauner@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: Zicheng Qu <quzicheng@huawei.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
axboe@kernel.dk, joel.granados@kernel.org, tglx@linutronix.de,
viro@zeniv.linux.org.uk, hch@lst.de, len.brown@intel.com,
pavel@ucw.cz, pengfei.xu@intel.com, rafael@kernel.org,
tanghui20@huawei.com, zhangqiao22@huawei.com,
judy.chenhui@huawei.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
linux-pm@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 0/2] acct: don't allow access to internal filesystems
Date: Wed, 12 Feb 2025 12:16:44 +0100 [thread overview]
Message-ID: <20250212-giert-spannend-8893f1eaba7d@brauner> (raw)
In-Reply-To: <c780964d17b908846f07d01f4020be7bc784ec8b.camel@kernel.org>
On Tue, Feb 11, 2025 at 01:56:41PM -0500, Jeff Layton wrote:
> On Tue, 2025-02-11 at 18:15 +0100, Christian Brauner wrote:
> > In [1] it was reported that the acct(2) system call can be used to
> > trigger a NULL deref in cases where it is set to write to a file that
> > triggers an internal lookup.
> >
> > This can e.g., happen when pointing acct(2) to /sys/power/resume. At the
> > point the where the write to this file happens the calling task has
> > already exited and called exit_fs() but an internal lookup might be
> > triggered through lookup_bdev(). This may trigger a NULL-deref
> > when accessing current->fs.
> >
> > This series does two things:
> >
> > - Reorganize the code so that the the final write happens from the
> > workqueue but with the caller's credentials. This preserves the
> > (strange) permission model and has almost no regression risk.
> >
> > - Block access to kernel internal filesystems as well as procfs and
> > sysfs in the first place.
> >
> > This api should stop to exist imho.
> >
>
> I wonder who uses it these days, and what would we suggest they replace
> it with? Maybe syscall auditing?
Someone pointed me to atop but that also works without it. Since this is
a privileged api I think the natural candidate to replace all of this is
bpf. I'm pretty sure that it's relatively straightforward to get a lot
more information out of it than with acct(2) and it will probably be
more performant too.
Without any limitations as it is right now, acct(2) can easily lockup
the system quite easily by pointing it to various things in sysfs and
I'm sure it can be abused in other ways. So I wouldn't enable it.
>
> config BSD_PROCESS_ACCT
> bool "BSD Process Accounting"
> depends on MULTIUSER
> help
> If you say Y here, a user level program will be able to instruct the
> kernel (via a special system call) to write process accounting
> information to a file: whenever a process exits, information about
> that process will be appended to the file by the kernel. The
> information includes things such as creation time, owning user,
> command name, memory usage, controlling terminal etc. (the complete
> list is in the struct acct in <file:include/linux/acct.h>). It is
> up to the user level program to do useful things with this
> information. This is generally a good idea, so say Y.
>
> Maybe at least time to replace that last sentence and make this default
> to 'n'?
I agree.
>
> > Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1]
> >
> > Signed-off-by: Christian Brauner <brauner@kernel.org>
> > ---
> > Christian Brauner (2):
> > acct: perform last write from workqueue
> > acct: block access to kernel internal filesystems
> >
> > kernel/acct.c | 134 ++++++++++++++++++++++++++++++++++++----------------------
> > 1 file changed, 84 insertions(+), 50 deletions(-)
> > ---
> > base-commit: af69e27b3c8240f7889b6c457d71084458984d8e
> > change-id: 20250211-work-acct-a6d8e92a5fe0
> >
>
> --
> Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2025-02-12 11:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250210-unordnung-petersilie-90e37411db18@brauner>
2025-02-11 17:15 ` [PATCH 0/2] acct: don't allow access to internal filesystems Christian Brauner
2025-02-11 17:15 ` [PATCH 1/2] acct: perform last write from workqueue Christian Brauner
2025-02-11 17:16 ` [PATCH 2/2] acct: block access to kernel internal filesystems Christian Brauner
2025-02-11 20:30 ` Amir Goldstein
2025-02-11 20:54 ` Al Viro
2025-02-12 10:32 ` Christian Brauner
2025-02-11 18:56 ` [PATCH 0/2] acct: don't allow access to " Jeff Layton
2025-02-12 11:16 ` Christian Brauner [this message]
2025-02-13 14:56 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250212-giert-spannend-8893f1eaba7d@brauner \
--to=brauner@kernel.org \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=jlayton@kernel.org \
--cc=joel.granados@kernel.org \
--cc=judy.chenhui@huawei.com \
--cc=len.brown@intel.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=pengfei.xu@intel.com \
--cc=quzicheng@huawei.com \
--cc=rafael@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tanghui20@huawei.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zhangqiao22@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).