linux-security-module.vger.kernel.org archive mirror
From: Ming Lei <ming.lei@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Josef Bacik <josef@toxicpanda.com>, Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org, nbd@other.debian.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH v2] nbd: override creds to kernel when calling sock_{send,recv}msg()
Date: Fri, 10 Oct 2025 16:42:41 +0800
Message-ID: <aOjHAfviTrT5RIRi@fedora>
In-Reply-To: <20251010080900.1680512-1-omosnace@redhat.com>

On Fri, Oct 10, 2025 at 10:09:00AM +0200, Ondrej Mosnacek wrote:
> sock_{send,recv}msg() internally calls security_socket_{send,recv}msg(),
> which does security checks (e.g. SELinux) for socket access against the
> current task. However, _sock_xmit() in drivers/block/nbd.c may be called
> indirectly from a userspace syscall, where the NBD socket access would
> be incorrectly checked against the calling userspace task (which simply
> tries to read/write a file that happens to reside on an NBD device).
> 
> To fix this, temporarily override creds to kernel ones before calling
> the sock_*() functions. This allows the security modules to recognize
> this as internal access by the kernel, which will normally be allowed.
> 
> A way to trigger the issue is to do the following (on a system with
> SELinux set to enforcing):
> 
>     ### Create nbd device:
>     truncate -s 256M /tmp/testfile
>     nbd-server localhost:10809 /tmp/testfile
> 
>     ### Connect to the nbd server:
>     nbd-client localhost
> 
>     ### Create mdraid array
>     mdadm --create -l 1 -n 2 /dev/md/testarray /dev/nbd0 missing
> 
> After these steps, assuming the SELinux policy doesn't allow the
> unexpected access pattern, errors will be visible on the kernel console:
> 
> [  142.204243] nbd0: detected capacity change from 0 to 524288
> [  165.189967] md: async del_gendisk mode will be removed in future, please upgrade to mdadm-4.5+
> [  165.252299] md/raid1:md127: active with 1 out of 2 mirrors
> [  165.252725] md127: detected capacity change from 0 to 522240
> [  165.255434] block nbd0: Send control failed (result -13)
> [  165.255718] block nbd0: Request send failed, requeueing
> [  165.256006] block nbd0: Dead connection, failed to find a fallback
> [  165.256041] block nbd0: Receive control failed (result -32)
> [  165.256423] block nbd0: shutting down sockets
> [  165.257196] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.257736] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.258263] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.259376] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.259920] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.260628] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.261661] ldm_validate_partition_table(): Disk read failed.
> [  165.262108] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.262769] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.263697] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.264412] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.265412] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.265872] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.266378] I/O error, dev nbd0, sector 2048 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.267168] Buffer I/O error on dev md127, logical block 0, async page read
> [  165.267564]  md127: unable to read partition table
> [  165.269581] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.269960] Buffer I/O error on dev nbd0, logical block 0, async page read
> [  165.270316] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.270913] Buffer I/O error on dev nbd0, logical block 0, async page read
> [  165.271253] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> [  165.271809] Buffer I/O error on dev nbd0, logical block 0, async page read
> [  165.272074] ldm_validate_partition_table(): Disk read failed.
> [  165.272360]  nbd0: unable to read partition table
> [  165.289004] ldm_validate_partition_table(): Disk read failed.
> [  165.289614]  nbd0: unable to read partition table
> 
> The corresponding SELinux denial on Fedora/RHEL will look like this
> (assuming it's not silenced):
> type=AVC msg=audit(1758104872.510:116): avc:  denied  { write } for  pid=1908 comm="mdadm" laddr=::1 lport=32772 faddr=::1 fport=10809 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=0
> 
> The respective backtrace looks like this:
> @security[mdadm, -13,
>         handshake_exit+221615650
>         handshake_exit+221615650
>         handshake_exit+221616465
>         security_socket_sendmsg+5
>         sock_sendmsg+106
>         handshake_exit+221616150
>         sock_sendmsg+5
>         __sock_xmit+162
>         nbd_send_cmd+597
>         nbd_handle_cmd+377
>         nbd_queue_rq+63
>         blk_mq_dispatch_rq_list+653
>         __blk_mq_do_dispatch_sched+184
>         __blk_mq_sched_dispatch_requests+333
>         blk_mq_sched_dispatch_requests+38
>         blk_mq_run_hw_queue+239
>         blk_mq_dispatch_plug_list+382
>         blk_mq_flush_plug_list.part.0+55
>         __blk_flush_plug+241
>         __submit_bio+353
>         submit_bio_noacct_nocheck+364
>         submit_bio_wait+84
>         __blkdev_direct_IO_simple+232
>         blkdev_read_iter+162
>         vfs_read+591
>         ksys_read+95
>         do_syscall_64+92
>         entry_SYSCALL_64_after_hwframe+120
> ]: 1
> 
> The issue has started to appear since commit 060406c61c7c ("block: add
> plug while submitting IO").
> 
> Cc: Ming Lei <ming.lei@redhat.com>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2348878
> Fixes: 060406c61c7c ("block: add plug while submitting IO")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Looks fine:

Reviewed-by: Ming Lei <ming.lei@redhat.com>
Tested-by: Ming Lei <ming.lei@redhat.com>


Thanks,
Ming
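Added example for the triage side of the report above (not part of this thread, the nbd driver or the patch): a small Python helper that decodes the errno carried in the nbd "control failed (result -N)" console messages and parses the AVC record quoted in the commit message, flagging socket denials where the socket's SELinux user and role differ from the denied task's, which is the telltale of a kernel-internal socket access being checked against the calling userspace task. The sample log lines are constructed from the ones quoted above; the "foreign socket" heuristic is this example's own assumption, not something the patch or SELinux defines.

```python
import errno
import re

# Constructed samples, abridged from the kernel console and audit output
# quoted in the patch description.
KERNEL_LOG = """\
[  165.255434] block nbd0: Send control failed (result -13)
[  165.255718] block nbd0: Request send failed, requeueing
[  165.256041] block nbd0: Receive control failed (result -32)
"""
AUDIT_LOG = """\
type=AVC msg=audit(1758104872.510:116): avc:  denied  { write } for  pid=1908 comm="mdadm" laddr=::1 lport=32772 faddr=::1 fport=10809 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=0
"""

NBD_RESULT_RE = re.compile(r"block (nbd\d+): (\w+) control failed \(result -(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)")


def parse_nbd_failures(log):
    """Return (device, direction, errno name) for each nbd socket failure."""
    out = []
    for dev, direction, code in NBD_RESULT_RE.findall(log):
        # The driver logs the negative kernel error code; -13 is EACCES, -32 EPIPE.
        out.append((dev, direction.lower(), errno.errorcode.get(int(code), code)))
    return out


def parse_avc(line):
    """Split one AVC record into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def suspicious_socket_denials(audit_log):
    """Heuristic (assumption of this example): a socket normally carries the
    user:role of the task that created it, so a socket denial whose tcontext
    user:role differs from the scontext was checked against a task that never
    opened that socket, e.g. a file reader dispatching nbd I/O from its syscall."""
    findings = []
    for line in audit_log.splitlines():
        rec = parse_avc(line)
        if not rec or not rec.get("tclass", "").endswith("_socket"):
            continue
        s, t = rec["scontext"].split(":"), rec["tcontext"].split(":")
        if s[:2] != t[:2]:
            findings.append((rec["comm"], s[2], t[2], rec["tclass"]))
    return findings


def correlate(kernel_log, audit_log):
    """Pair nbd EACCES send/receive failures with foreign-socket AVC denials."""
    denials = suspicious_socket_denials(audit_log)
    return [f"{dev}: {d} failed with EACCES while {c} ({sd}) was denied on a {cl} labeled {td}"
            for dev, d, err in parse_nbd_failures(kernel_log) if err == "EACCES"
            for c, sd, td, cl in denials]
```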


Thread overview: 6+ messages
2025-10-10  8:09 [PATCH v2] nbd: override creds to kernel when calling sock_{send,recv}msg() Ondrej Mosnacek
2025-10-10  8:42 ` Ming Lei [this message]
2025-10-10 12:08 ` Stephen Smalley
2025-10-10 15:00 ` Paul Moore
2025-10-16 11:02 ` Ming Lei
2025-10-20 16:38 ` Jens Axboe
