Re: Re: Re: Re: Re: Re: [PATCH 1/3] switch_creds: Syscall to switch creds for file server ops

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Jim Lieb <jlieb@panasas.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: <luto@amacapital.net>, <linux-fsdevel@vger.kernel.org>,
	<ebiederm@xmission.com>, <viro@zeniv.linux.org.uk>,
	<tytso@mit.edu>, <linux-kernel@vger.kernel.org>,
	<bfields@redhat.com>, <jlayton@redhat.com>
Subject: Re: Re: Re: Re: Re: Re: [PATCH 1/3] switch_creds: Syscall to switch creds for file server ops
Date: Fri, 1 Nov 2013 10:16:16 -0700	[thread overview]
Message-ID: <3147223.fCkNs1sjAc@jlieb-e6410> (raw)
In-Reply-To: <201311020107.FDJ87003.SHJFMOOOtLVFQF@I-love.SAKURA.ne.jp>

On Saturday, November 02, 2013 01:07:59 Tetsuo Handa wrote:
> Jim Lieb wrote:
> > On Friday, November 01, 2013 22:24:12 Tetsuo Handa wrote:
> > > Jim Lieb wrote:
> > > > Subsequent uses look like:
> > > > 	use_creds(cached fd);
> > > > 
> > > > followed by
> > > > 
> > > > 	open/creat/mknod/write
> > > > 
> > > > followed by
> > > > 
> > > > 	use_creds(-1);
> > > 
> > > Are you aware that calling commit_creds() is prohibitted between
> > > override_creds() and revert_creds() ?
> > > 
> > > If the caller does some operation that calls commit_creds() (like
> > > example below), the kernel triggers BUG().
> > 
> > Yes, I do.  I caught this in an early pass.  I only use override_creds()
> > and revert_creds().
> 
> Excuse me, but even below example will trigger BUG(). You pack
> override_creds() + open() + revert_creds() into one system call so that the
> caller of this system call shall not do something that calls commit_creds()
> ?

Ok, I see your point here.  If I do a switch_creds and the userland does 
something like seteuid before I do the revert, we are toast.  Correct?

This is an issue.  Thanks for pointing this out.  It is certainly not in my 
use case but that doesn't mean someone else won't try it.  I have some more 
work to do.
> 
> ---------- example module start ----------
> #include <linux/module.h>
> #include <linux/cred.h>
> #include <linux/fs.h>
> #include <linux/file.h>
> 
> static int __init test_init(void)
> {
>         const struct cred *orig;
>         { /* switch_cred() syscall */
>                 struct fd f = fdget(0);
>                 if (!f.file)
>                         return -EBADF;
>                 orig = override_creds(f.file->f_cred);
>                 fdput(f);
>         }
>         { /* something that calls commit_creds() */
>                 struct cred *cred = prepare_creds();
>                 if (cred)
>                         commit_creds(cred);
>         }
>         { /* restore */
>                 revert_creds(orig);
>         }
>         return 0;
> }
> 
> static void test_exit(void)
> {
> }
> 
> module_init(test_init);
> module_exit(test_exit);
> MODULE_LICENSE("GPL");
> ---------- example module end ----------

-- 
Jim Lieb
Linux Systems Engineer
Panasas Inc.

"If ease of use was the only requirement, we would all be riding tricycles"
- Douglas Engelbart 1925–2013

next prev parent reply	other threads:[~2013-11-01 17:16 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-16 22:01 [RFC PATCH 0/3] System call to switch user credentials Jim Lieb
2013-10-16 22:01 ` [PATCH 1/3] switch_creds: Syscall to switch creds for file server ops Jim Lieb
2013-10-16 22:42   ` Al Viro
2013-10-17  1:18     ` Eric W. Biederman
2013-10-17  1:20       ` Al Viro
2013-10-17  3:35         ` Jim Lieb
2013-10-17  3:52         ` Eric W. Biederman
2013-10-24  1:14           ` Andy Lutomirski
2013-10-24  5:59             ` Eric W. Biederman
2013-10-24 19:04               ` Jim Lieb
2013-10-24 19:28               ` Andy Lutomirski
2013-10-24 20:24                 ` Jim Lieb
2013-10-31 19:09                   ` Andy Lutomirski
2013-10-31 19:43                     ` Jim Lieb
2013-10-31 19:48                       ` Andy Lutomirski
2013-10-31 20:39                         ` Jim Lieb
2013-11-01 13:24                           ` Tetsuo Handa
2013-11-01 15:49                             ` Jim Lieb
2013-11-01 16:07                               ` Tetsuo Handa
2013-11-01 17:16                                 ` Jim Lieb [this message]
2013-10-16 22:01 ` [PATCH 2/3] switch_creds: Add x86 syscall number Jim Lieb
2013-10-16 22:01 ` [PATCH 3/3] switch_creds: Assign x86_64 syscall number for switch_creds Jim Lieb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3147223.fCkNs1sjAc@jlieb-e6410 \
    --to=jlieb@panasas.com \
    --cc=bfields@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=jlayton@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=tytso@mit.edu \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox