* [PATCH] Smack: Handle io_uring kernel thread privileges.
       [not found] <dacfb329-de66-d0cf-dcf9-f030ea1370de.ref@schaufler-ca.com>
@ 2020-12-18  1:12 ` Casey Schaufler
  2020-12-21 19:55   ` Eric W. Biederman
  2020-12-22  2:05   ` Jens Axboe
  0 siblings, 2 replies; 3+ messages in thread

From: Casey Schaufler @ 2020-12-18  1:12 UTC (permalink / raw)
  To: SMACK-discuss@lists.01.org, Linux Security Module list
  Cc: Jens Axboe, Eric W. Biederman, Casey Schaufler, LKML

Smack assumes that kernel threads are privileged for smackfs
operations. This was necessary because the credential of the
kernel thread was not related to a user operation. With io_uring
the credential does reflect a user's rights and can be used.

Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/smack/smack_access.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index efe2406a3960..7eabb448acab 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -688,9 +688,10 @@ bool smack_privileged_cred(int cap, const struct cred *cred)
 bool smack_privileged(int cap)
 {
 	/*
-	 * All kernel tasks are privileged
+	 * Kernel threads may not have credentials we can use.
+	 * The io_uring kernel threads do have reliable credentials.
 	 */
-	if (unlikely(current->flags & PF_KTHREAD))
+	if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD)
 		return true;
 
 	return smack_privileged_cred(cap, current_cred());
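Review bot: the rewritten `if` drops the `unlikely()` hint that the removed line carried, so the fast path for ordinary user tasks loses its branch annotation; keeping it as `if (unlikely((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD))` preserves the previous behaviour for the common case. The hunk also uses `PF_IO_WORKER` without introducing it anywhere in this patch, so it only builds once the commit that adds that flag is in the tree; that merge-order dependency belongs in the commit message or a note below the `---`. The new comment is also softer than the rule the code enforces: "may not have credentials we can use" describes a possibility, while the condition states a rule, namely that a kernel thread which is not an io_uring worker is treated as privileged and an io_uring worker is checked against `current_cred()` like any other task. Saying that directly would make the mask-equality test (`PF_KTHREAD` set and `PF_IO_WORKER` clear) self-explanatory.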
* Re: [PATCH] Smack: Handle io_uring kernel thread privileges.
  2020-12-18  1:12 ` [PATCH] Smack: Handle io_uring kernel thread privileges Casey Schaufler
@ 2020-12-21 19:55   ` Eric W. Biederman
  2020-12-22  2:05   ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread

From: Eric W. Biederman @ 2020-12-21 19:55 UTC (permalink / raw)
  To: Casey Schaufler
  Cc: SMACK-discuss@lists.01.org, Linux Security Module list, Jens Axboe, LKML

Casey Schaufler <casey@schaufler-ca.com> writes:

> Smack assumes that kernel threads are privileged for smackfs
> operations. This was necessary because the credential of the
> kernel thread was not related to a user operation. With io_uring
> the credential does reflect a user's rights and can be used.

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

>
> Suggested-by: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  security/smack/smack_access.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index efe2406a3960..7eabb448acab 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -688,9 +688,10 @@ bool smack_privileged_cred(int cap, const struct cred *cred)
>  bool smack_privileged(int cap)
>  {
>  	/*
> -	 * All kernel tasks are privileged
> +	 * Kernel threads may not have credentials we can use.
> +	 * The io_uring kernel threads do have reliable credentials.
>  	 */
> -	if (unlikely(current->flags & PF_KTHREAD))
> +	if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD)
>  		return true;
>
>  	return smack_privileged_cred(cap, current_cred());
* Re: [PATCH] Smack: Handle io_uring kernel thread privileges.
  2020-12-18  1:12 ` [PATCH] Smack: Handle io_uring kernel thread privileges Casey Schaufler
  2020-12-21 19:55   ` Eric W. Biederman
@ 2020-12-22  2:05   ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread

From: Jens Axboe @ 2020-12-22  2:05 UTC (permalink / raw)
  To: Casey Schaufler, SMACK-discuss@lists.01.org, Linux Security Module list
  Cc: Eric W. Biederman, LKML

On 12/17/20 6:12 PM, Casey Schaufler wrote:
> Smack assumes that kernel threads are privileged for smackfs
> operations. This was necessary because the credential of the
> kernel thread was not related to a user operation. With io_uring
> the credential does reflect a user's rights and can be used.

Acked-by: Jens Axboe <axboe@kernel.dk>

-- 
Jens Axboe
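The privilege test the patch above changes, modelled in user-space C as an added example. This is not kernel code and not Casey's patch: the `struct cred` and capability stand-ins, the `decide()` helper and the task configurations are constructed for this model, and `CAP_MAC_ADMIN` is used only as a representative capability. The `PF_*` values mirror include/linux/sched.h, but the logic only needs them to be distinct bits. The model shows what the commit message describes: under the old rule an io_uring worker that carries `PF_KTHREAD` is privileged no matter whose credentials it runs with, while the new mask-equality test sends it through the same credential check as the submitting user task.

```c
/*
 * User-space model of smack_privileged() before and after the patch.
 * Constructed for illustration; it is not kernel code. The PF_* values
 * mirror include/linux/sched.h, but only need to be distinct bits here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PF_IO_WORKER  0x00000010u   /* task is an io_uring worker */
#define PF_KTHREAD    0x00200000u   /* task is a kernel thread */

#define CAP_MAC_ADMIN 33            /* representative capability (uapi value) */

/* Stand-in for struct cred: bit n set means the task holds capability n. */
struct cred {
	uint64_t caps;
};

/* Stand-in for the parts of task_struct the check looks at. */
struct task {
	unsigned int flags;
	struct cred cred;
};

/* Stand-in for smack_privileged_cred(): does this cred carry the cap? */
static bool privileged_cred(int cap, const struct cred *cred)
{
	return (cred->caps >> cap) & 1u;
}

/* Old rule: any PF_KTHREAD task is privileged; its creds are never consulted. */
bool smack_privileged_old(int cap, const struct task *t)
{
	if (t->flags & PF_KTHREAD)
		return true;
	return privileged_cred(cap, &t->cred);
}

/*
 * New rule: privileged only when PF_KTHREAD is set AND PF_IO_WORKER is
 * clear. An io_uring worker (PF_IO_WORKER set, with or without PF_KTHREAD)
 * falls through to the credential check, i.e. the submitting user's rights.
 */
bool smack_privileged_new(int cap, const struct task *t)
{
	if ((t->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD)
		return true;
	return privileged_cred(cap, &t->cred);
}

/* Evaluate one task configuration under the old (patched == false) or new rule. */
bool decide(unsigned int flags, bool has_mac_admin, bool patched)
{
	struct task t = { .flags = flags, .cred = { .caps = 0 } };

	if (has_mac_admin)
		t.cred.caps |= (uint64_t)1 << CAP_MAC_ADMIN;
	return patched ? smack_privileged_new(CAP_MAC_ADMIN, &t)
		       : smack_privileged_old(CAP_MAC_ADMIN, &t);
}

int main(void)
{
	/* Constructed task configurations; the only row that flips is the
	 * io_uring worker running on behalf of an unprivileged user. */
	static const struct { const char *name; unsigned int flags; bool cap; } rows[] = {
		{ "plain kernel thread",              PF_KTHREAD,                false },
		{ "io_uring worker, no CAP_MAC_ADMIN", PF_KTHREAD | PF_IO_WORKER, false },
		{ "io_uring worker, CAP_MAC_ADMIN",    PF_KTHREAD | PF_IO_WORKER, true  },
		{ "user task, no CAP_MAC_ADMIN",       0,                         false },
		{ "user task, CAP_MAC_ADMIN",          0,                         true  },
	};

	printf("%-36s %-5s %-5s\n", "task", "old", "new");
	for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
		printf("%-36s %-5s %-5s\n", rows[i].name,
		       decide(rows[i].flags, rows[i].cap, false) ? "yes" : "no",
		       decide(rows[i].flags, rows[i].cap, true)  ? "yes" : "no");
	return 0;
}
```

The `(flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD` idiom is the point to take away: masking with both bits and comparing against one of them is a single test for "this bit set, that bit clear", which is why an io_uring worker is excluded whether or not it also carries `PF_KTHREAD`.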