From: ebiederm@xmission.com (Eric W. Biederman)
To: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Cc: "David S. Miller" <davem@davemloft.net>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Casey Schaufler <casey@schaufler-ca.com>,
Christoph Hellwig <hch@lst.de>,
David Howells <dhowells@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Fabian Frederick <fabf@skynet.be>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@kernel.org>,
Ionut Alexa <ionut.m.alexa@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Jeff Layton <jlayton@primarydata.com>,
Joe Perches <joe@perches.com>, Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
Michal Hocko <mhocko@suse.cz>, Miklos Szeredi <miklos@szeredi.hu>,
Nick Kralevich <nnk@google.com>, Oleg Nesterov <oleg@redhat.com>,
Paul Moore <pmoore@redhat.com>,
Peter Hurley <peter@hurleysoftware.com>,
Peter Zijlstra <peterz@infradead.org>,
Rik van Riel <riel@redhat.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Stephen Smalley <sds@tycho.nsa.gov>, Tejun Heo <tj@kernel.org>,
Zefan Li <lizefan@huawei.com>, Rafal Krypa <r.krypa@samsung.com>,
linux-doc@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
containers@lists.linux-foundation.org,
Lukasz Pawelczyk <havner@gmail.com>
Subject: Re: [PATCH 1/8] kernel/exit.c: make sure current's nsproxy != NULL while checking caps
Date: Sat, 23 May 2015 12:49:27 -0500 [thread overview]
Message-ID: <878ucf2nh4.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <1432209222-8479-2-git-send-email-l.pawelczyk@samsung.com> (Lukasz Pawelczyk's message of "Thu, 21 May 2015 13:53:35 +0200")
Lukasz Pawelczyk <l.pawelczyk@samsung.com> writes:
> There is a rare case where current's nsproxy might be NULL but we are
> required to check for credentials and capabilities. It sometimes happens
> during an exit_group() syscall while destroying user's session (logging
> out).
>
> My understanding is that while we have to lock the task to get task's
> nsproxy and check whether it's NULL, for the 'current' we don't have to
> and it's expected not to be NULL. There is a code in the kernel
> currently that does current->nsproxy->user_ns without any checks.
> And include/linux/nsproxy.h confirms that:
>
> 2. when accessing (i.e. reading) current task's namespaces - no
> precautions should be taken - just dereference the pointers
>
> There seem to be no crash currently because of this, but with accessing
> nsproxy from LSM hooks there is. This is the backtrace:
>
> 0 smk_tskacc (task=0xffff88003b0b92e0, obj_known=0x2 <irq_stack_union+2>, mode=2, a=0xffff88003be53dd8) at security/smack/smack_access.c:261
> 1 0xffffffff8130e2aa in smk_curacc (obj_known=<optimized out>, mode=<optimized out>, a=<optimized out>) at security/smack/smack_access.c:318
> 2 0xffffffff8130a50d in smack_task_kill (p=0xffff88003b0b92e0, info=<optimized out>, sig=<optimized out>, secid=<optimized out>) at security/smack/smack_lsm.c:2071
> 3 0xffffffff812ea4f6 in security_task_kill (p=<optimized out>, info=<optimized out>, sig=<optimized out>, secid=<optimized out>) at security/security.c:952
> 4 0xffffffff8109ac80 in check_kill_permission (sig=15, info=0x0 <irq_stack_union>, t=0xffff88003b0b8000) at kernel/signal.c:796
> 5 0xffffffff8109d3ab in group_send_sig_info (sig=15, info=0x0 <irq_stack_union>, p=0xffff88003b0b8000) at kernel/signal.c:1296
> 6 0xffffffff8108e527 in forget_original_parent (father=<optimized out>) at kernel/exit.c:575
> 7 exit_notify (group_dead=<optimized out>, tsk=<optimized out>) at kernel/exit.c:606
> 8 do_exit (code=<optimized out>) at kernel/exit.c:775
> 9 0xffffffff8108ec0f in do_group_exit (exit_code=0) at kernel/exit.c:891
> 10 0xffffffff8108ec84 in SYSC_exit_group (error_code=<optimized out>) at kernel/exit.c:902
> 11 SyS_exit_group (error_code=<optimized out>) at kernel/exit.c:900
>
> This backtrace clearly shows that there is an LSM hook task_kill() that
> happens during an exit_group() syscall and that this happens after
> exit_task_namespaces(). LSM hooks with namespaces might need nsproxy to
> be able to check for capabilities. At this point this is impossible. The
> current's nsproxy is already NULL/destroyed.
>
> This is the case because exit_task_namespaces() is called before the
> exit_notify() where all of the above happens. This patch changes their
> order.
Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
current->nsproxy->user_ns does not exist,
and changing where exit_task_namespaces is fragile and I am really not
interested in messing with it right now, to solve a problem that does
not exist.
>
> Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
> ---
> kernel/exit.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/exit.c b/kernel/exit.c
> index 22fcc05..da1bb18 100644
> --- a/kernel/exit.c
> +++ b/kernel/exit.c
> @@ -742,7 +742,6 @@ void do_exit(long code)
> exit_fs(tsk);
> if (group_dead)
> disassociate_ctty(1);
> - exit_task_namespaces(tsk);
> exit_task_work(tsk);
> exit_thread();
>
> @@ -763,6 +762,13 @@ void do_exit(long code)
>
> TASKS_RCU(tasks_rcu_i = __srcu_read_lock(&tasks_rcu_exit_srcu));
> exit_notify(tsk, group_dead);
> +
> + /*
> + * This should be after all things that potentially require
> + * process's namespaces (e.g. capability checks).
> + */
> + exit_task_namespaces(tsk);
> +
> proc_exit_connector(tsk);
> #ifdef CONFIG_NUMA
> task_lock(tsk);
next prev parent reply other threads:[~2015-05-23 17:54 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-21 11:53 [PATCH 0/8] Smack namespace Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 1/8] kernel/exit.c: make sure current's nsproxy != NULL while checking caps Lukasz Pawelczyk
2015-05-23 17:49 ` Eric W. Biederman [this message]
2015-05-25 11:33 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 2/8] user_ns: 3 new hooks for LSM namespace operations Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 3/8] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 4/8] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 5/8] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 6/8] smack: namespace groundwork Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 7/8] smack: namespace implementation Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 8/8] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 0/7] " Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 1/7] user_ns: 3 new hooks for user namespace operations Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 2/7] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 3/7] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 4/7] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 5/7] smack: namespace groundwork Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 6/7] smack: namespace implementation Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 7/7] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-05-26 14:35 ` [PATCH v2 0/7] " Stephen Smalley
2015-05-26 16:27 ` Lukasz Pawelczyk
2015-05-26 16:34 ` Stephen Smalley
2015-05-26 16:42 ` Lukasz Pawelczyk
2015-05-27 9:36 ` Lukasz Pawelczyk
2015-05-27 13:33 ` Stephen Smalley
2015-05-27 1:04 ` Casey Schaufler
2015-05-27 9:29 ` Lukasz Pawelczyk
2015-05-27 13:05 ` Casey Schaufler
2015-05-27 3:13 ` Eric W. Biederman
2015-05-27 10:13 ` Lukasz Pawelczyk
2015-05-27 15:12 ` Eric W. Biederman
2015-05-27 17:15 ` Lukasz Pawelczyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878ucf2nh4.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linux-foundation.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=fabf@skynet.be \
--cc=gregkh@linuxfoundation.org \
--cc=havner@gmail.com \
--cc=hch@lst.de \
--cc=ionut.m.alexa@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=jlayton@primarydata.com \
--cc=joe@perches.com \
--cc=keescook@chromium.org \
--cc=kirill@shutemov.name \
--cc=l.pawelczyk@samsung.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@amacapital.net \
--cc=mchehab@osg.samsung.com \
--cc=mhocko@suse.cz \
--cc=miklos@szeredi.hu \
--cc=mingo@kernel.org \
--cc=nnk@google.com \
--cc=oleg@redhat.com \
--cc=peter@hurleysoftware.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=r.krypa@samsung.com \
--cc=riel@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox