Re: + bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch added to -mm tree

Re: + bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch added to -mm tree

[Serge E. Hallyn]

Quoting akpm@linux-foundation.org (akpm@linux-foundation.org):
> 
> The patch titled
>      bsdacct: switch credentials for writing to the accounting file
> has been added to the -mm tree.  Its filename is
>      bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
> 
> Before you just go and hit "reply", please:
>    a) Consider who else should be cc'ed
>    b) Prefer to cc a suitable mailing list as well
>    c) Ideally: find the original patch on the mailing list and do a
>       reply-to-all to that, adding suitable additional cc's
> 
> *** Remember to use Documentation/SubmitChecklist when testing your code ***
> 
> See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
> out what to do about this
> 
> The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
> 
> ------------------------------------------------------
> Subject: bsdacct: switch credentials for writing to the accounting file
> From: Michal Schmidt <mschmidt@redhat.com>
> 
> When process accounting is enabled, every exiting process writes a log to
> the account file.  In addition, every once in a while one of the exiting
> processes checks whether there's enough free space for the log.
> 
> SELinux policy may or may not allow the exiting process to stat the fs. 
> So unsuspecting processes start generating AVC denials just because
> someone enabled process accounting.
> 
> For these filesystem operations, the exiting process's credentials should
> be temporarily switched to that of the process which enabled accounting,
> because it's really that process which wanted to have the accounting
> information logged.
> 
> Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
> Acked-by: David Howells <dhowells@redhat.com>

Acked-by: Serge Hallyn <serue@us.ibm.com>

> Cc: James Morris <jmorris@namei.org>
> Cc: Serge Hallyn <serue@us.ibm.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> 
>  kernel/acct.c |    8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff -puN kernel/acct.c~bsdacct-switch-credentials-for-writing-to-the-accounting-file kernel/acct.c
> --- a/kernel/acct.c~bsdacct-switch-credentials-for-writing-to-the-accounting-file
> +++ a/kernel/acct.c
> @@ -491,13 +491,17 @@ static void do_acct_process(struct bsd_a
>  	u64 run_time;
>  	struct timespec uptime;
>  	struct tty_struct *tty;
> +	const struct cred *orig_cred;
> +
> +	/* Perform file operations on behalf of whoever enabled accounting */
> +	orig_cred = override_creds(file->f_cred);
> 
>  	/*
>  	 * First check to see if there is enough free_space to continue
>  	 * the process accounting system.
>  	 */
>  	if (!check_free_space(acct, file))
> -		return;
> +		goto out;
> 
>  	/*
>  	 * Fill the accounting struct with the needed info as recorded
> @@ -578,6 +582,8 @@ static void do_acct_process(struct bsd_a
>  			       sizeof(acct_t), &file->f_pos);
>  	current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
>  	set_fs(fs);
> +out:
> +	revert_creds(orig_cred);
>  }
> 
>  /**
> _
> 
> Patches currently in -mm which might be from mschmidt@redhat.com are
> 
> bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
> 
> --
> To unsubscribe from this list: send the line "unsubscribe mm-commits" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: + bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch added to -mm tree

[James Morris]

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next


On Fri, 21 Aug 2009, Serge E. Hallyn wrote:
> Quoting akpm@linux-foundation.org (akpm@linux-foundation.org):
> > 
> > The patch titled
> >      bsdacct: switch credentials for writing to the accounting file
> > has been added to the -mm tree.  Its filename is
> >      bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
> > 
> > Before you just go and hit "reply", please:
> >    a) Consider who else should be cc'ed
> >    b) Prefer to cc a suitable mailing list as well
> >    c) Ideally: find the original patch on the mailing list and do a
> >       reply-to-all to that, adding suitable additional cc's
> > 
> > *** Remember to use Documentation/SubmitChecklist when testing your code ***
> > 
> > See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
> > out what to do about this
> > 
> > The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
> > 
> > ------------------------------------------------------
> > Subject: bsdacct: switch credentials for writing to the accounting file
> > From: Michal Schmidt <mschmidt@redhat.com>
> > 
> > When process accounting is enabled, every exiting process writes a log to
> > the account file.  In addition, every once in a while one of the exiting
> > processes checks whether there's enough free space for the log.
> > 
> > SELinux policy may or may not allow the exiting process to stat the fs. 
> > So unsuspecting processes start generating AVC denials just because
> > someone enabled process accounting.
> > 
> > For these filesystem operations, the exiting process's credentials should
> > be temporarily switched to that of the process which enabled accounting,
> > because it's really that process which wanted to have the accounting
> > information logged.
> > 
> > Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
> > Acked-by: David Howells <dhowells@redhat.com>
> 
> Acked-by: Serge Hallyn <serue@us.ibm.com>
> 
> > Cc: James Morris <jmorris@namei.org>
> > Cc: Serge Hallyn <serue@us.ibm.com>
> > Cc: Stephen Smalley <sds@tycho.nsa.gov>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > ---
> > 
> >  kernel/acct.c |    8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff -puN kernel/acct.c~bsdacct-switch-credentials-for-writing-to-the-accounting-file kernel/acct.c
> > --- a/kernel/acct.c~bsdacct-switch-credentials-for-writing-to-the-accounting-file
> > +++ a/kernel/acct.c
> > @@ -491,13 +491,17 @@ static void do_acct_process(struct bsd_a
> >  	u64 run_time;
> >  	struct timespec uptime;
> >  	struct tty_struct *tty;
> > +	const struct cred *orig_cred;
> > +
> > +	/* Perform file operations on behalf of whoever enabled accounting */
> > +	orig_cred = override_creds(file->f_cred);
> > 
> >  	/*
> >  	 * First check to see if there is enough free_space to continue
> >  	 * the process accounting system.
> >  	 */
> >  	if (!check_free_space(acct, file))
> > -		return;
> > +		goto out;
> > 
> >  	/*
> >  	 * Fill the accounting struct with the needed info as recorded
> > @@ -578,6 +582,8 @@ static void do_acct_process(struct bsd_a
> >  			       sizeof(acct_t), &file->f_pos);
> >  	current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
> >  	set_fs(fs);
> > +out:
> > +	revert_creds(orig_cred);
> >  }
> > 
> >  /**
> > _
> > 
> > Patches currently in -mm which might be from mschmidt@redhat.com are
> > 
> > bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe mm-commits" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
James Morris
<jmorris@namei.org>