| Message ID | 20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:ce89:0:b0:403:3b70:6f57 with SMTP id p9csp2479264vqx;
Wed, 25 Oct 2023 02:44:48 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IEPv0+dUKlhcop+G+uTP65TG0gGUwU7nqTPZ+HMlIbUy+2O6GasLD4NfQ44obI5NkyGdnc6
X-Received: by 2002:a05:6830:438e:b0:6ce:2c8e:7e31 with SMTP id
s14-20020a056830438e00b006ce2c8e7e31mr18329684otv.7.1698227088373;
Wed, 25 Oct 2023 02:44:48 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1698227088; cv=pass;
d=google.com; s=arc-20160816;
b=aHgrRYdT2nGPeLSFHRC8/oHk+XwdIFVF5KJECWy7GfqNYzZ/ab8q+iatefJEyQ4BlH
Y8KsrNZnP98k6f18Da9gkdVehVRodeQj25eTbyP9cjljZAvSeqBMWdPyw3yVLlUKOhKs
25Xpg1cyc9tiUKtZvA/CaSViI+UZQfevKPEIOmn8Zosx9uTwVliWFpjWZZn1GX0HwCh4
jOxFVidWtlFFH1uTnb6OKYd5cHkRXd+835TAj4WB/NiKozYZcbffKWPQkK0d4ePXrtsC
ROgV0xc0GazwIG5kQn8GXmXpjigX69cQqmJOKQKzuXvyoyiP68r4Y/QtrRZdo725KFrz
SGUw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:message-id:date:subject:cc:to:from:dkim-signature:ironport-hdrordr
:ironport-data:ironport-phdr:ironport-sdr:ironport-phdr
:dkim-signature;
bh=LtB1f8X+crv4H+zg0/84NmoGBdQIoT7tPlukM3fYTU0=;
fh=U9u/esc0XBb8N/pVu7kudxJPwEQ0AyrThcmR2LpYyxQ=;
b=DFvm+4D/I1Ho57NAINMYV+dYbS+n4AqhYTBXGmcTm9XlgU395ztLUd0oUKG9psH2Yy
ZtMCzS2/6yD7MITROD+19uLBqbZcZ7u7plpOr/lZc0Ev8Flh2EF3wPwI4MtNQk786GTe
joPjXmBCP3k9mVB+wpsxQ0f37j748E6kqVQcBQbF48I2ef19FoUvzVcpJ5gXPQg9mGBk
CyfkU1IuI5VDSY6pQDxrKOBG8L7CmSz8vYGrJbWINQ9BhcG6TCRuCB1FXgdVjIxpEIkn
pm52dzfBbsZFREpnueua+L39fgJx2dF8yp4M3tg6Gpnz937qxmp8Qd/sYTihdm7orfL6
cHfw==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=fail header.i=@aisec.fraunhofer.de header.s=emailbd1
header.b=UvFZmE0I;
dkim=pass header.i=@fraunhofer.onmicrosoft.com
header.s=selector2-fraunhofer-onmicrosoft-com header.b=N2qf3WF3;
arc=pass (i=1 spf=pass spfdomain=aisec.fraunhofer.de dkim=pass
dkdomain=aisec.fraunhofer.de dmarc=pass fromdomain=aisec.fraunhofer.de);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:8 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aisec.fraunhofer.de
Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8])
by mx.google.com with ESMTPS id
h3-20020a0dc503000000b005a83dbf2775si9591946ywd.444.2023.10.25.02.44.48
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 25 Oct 2023 02:44:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:8 as permitted sender)
client-ip=2620:137:e000::3:8;
Authentication-Results: mx.google.com;
dkim=fail header.i=@aisec.fraunhofer.de header.s=emailbd1
header.b=UvFZmE0I;
dkim=pass header.i=@fraunhofer.onmicrosoft.com
header.s=selector2-fraunhofer-onmicrosoft-com header.b=N2qf3WF3;
arc=pass (i=1 spf=pass spfdomain=aisec.fraunhofer.de dkim=pass
dkdomain=aisec.fraunhofer.de dmarc=pass fromdomain=aisec.fraunhofer.de);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:8 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aisec.fraunhofer.de
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by fry.vger.email (Postfix) with ESMTP id 5E57880FC1AF;
Wed, 25 Oct 2023 02:44:42 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234687AbjJYJoS (ORCPT <rfc822;aposhian.dev@gmail.com>
+ 26 others); Wed, 25 Oct 2023 05:44:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39042 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229606AbjJYJoJ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 25 Oct 2023 05:44:09 -0400
X-Greylist: delayed 65 seconds by postgrey-1.37 at lindbergh.monkeyblade.net;
Wed, 25 Oct 2023 02:44:04 PDT
Received: from mail-edgeDD24.fraunhofer.de (mail-edgedd24.fraunhofer.de
[IPv6:2a03:db80:1504:d267::25:24])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20BD9B4;
Wed, 25 Oct 2023 02:44:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=aisec.fraunhofer.de; i=@aisec.fraunhofer.de;
q=dns/txt; s=emailbd1; t=1698227044; x=1729763044;
h=from:to:cc:subject:date:message-id:
content-transfer-encoding:mime-version;
bh=Up3YVuLKsGDdnBFQmhZhoKZMjl7vV68tAultxQbNSys=;
b=UvFZmE0Ii0vlQYiYmcDkcURDngOqhLZ+AdlOLKxs8k9scK8UFnIAqgod
hAcweGZkgg07XjJnuQC7k82yP6FsLzEhIlDPffblezwO3P4GfbkebZ1KB
fL3SCPmjtziXAde1oT0lTaLbwpv3qAwgWj4FvWQdA+wNA2I0fVVSYjwmo
9cum9Uvwb0VnylIcJz5KSnzZ3p95ROgdUrGYa9OhUyUb2Mko33m+4VV9q
52tLO14hxm4EC9xawDo8CJVrrwpTm0EGFc/eFAI5oG7zACEBy6UHT3u7a
3SPsfRMHSfpz+2P6U2czUXlfqNCtQ4sbGwfy4Xw6gtC5jMFKea54yqgF7
A==;
X-CSE-ConnectionGUID: I2U5gTPAQ9qQ4Lrbjfnuqg==
X-CSE-MsgGUID: v7vt5JqZQEipSqwlBobHoA==
Authentication-Results: mail-edgeDD24.fraunhofer.de;
dkim=pass (signature verified) header.i=@fraunhofer.onmicrosoft.com
X-IPAS-Result:
A2E2AABB4jhl/xoBYJlaHQEBAQEJARIBBQUBQIE7CAELAYI4eoFdhFOIHYlBnCoqgSyBJQNWDwEBAQEBAQEBAQcBATsJBAEBAwSEf4ccJzQJDgECAQMBAQEBAwIDAQEBAQEBAQIBAQYBAQEBAQEGBgKBGYUvOQ2EAIEeAQEBAQEBAQEBAQEBHQINKFYnDwENAQE3ATQCJgI0KwENBYJ+AYIqAzEUBrF+gTKBAYIJAQEGsB8YgSCBHgMGCQGBEC4Bg1uELgGENIEdhwSBSoMzhFiDRoJog3WFPAcygiKDLymLfoEBR1oWGwMHA1kqECsHBC0iBgkWLSUGUQQXFiQJExI+BIM4CoEDPw8OEYJCIgIHNjYZS4JbCRUMNQRJdhAqBBQXgRFuBRoVHjcREhcNAwh2HQIRIzwDBQMENAoVDQshBVcDRAZKCwMCGgUDAwSBNgUNHgIQLScDAxlNAhAUAzsDAwYDCzEDMFdHDFkDbB8aHAk8CwQMHwIbHg0yAwkDBwUsHUADCxgNSBEsNQYOG0QBcwecYG2CTRkHPVEBKwRJA18iCSMvHJJPLgyDCQGueQeCMYFejAGVCBozlyuSTy6YDiCLUIF1lHmFSgIEAgQFAg4IgWOCFjM+T4JnUhkPjiA4g0CFFIpndAIBOAIHAQoBAQMJgjmEFIR+AQE
IronPort-PHdr: A9a23:lPrJrBKHcCYjC/1bwtmcuDdnWUAX0o4cQyYLv8N0w7sbaL+quo/iN
RaCu6YlhwrTUIHS+/9IzPDbt6nwVGBThPTJvCUMapVRUR8Ch8gM2QsmBc+OE0rgK/D2KSc9G
ZcKTwp+8nW2OlRSApy7aUfbv3uy6jAfAFD4Mw90Lf7yAYnck4G80OXhnv+bY1Bmnj24M597M
BjklhjbtMQdndlHJ70qwxTE51pkKc9Rw39lI07Wowfk65WV3btOthpdoekg8MgSYeDfROEVX
bdYBTIpPiUO6cvnuAPqYSCP63AfAQB02hBIVizZxkj0DqeyuTHk6so+yibCep2qa7Uzdh6u1
oZsdED0sCMaNBti/lDrt5Ql38c56Bj0gUZmzdXrTtq4KctBYvnGTewrRnFLQMB/VxJQBtjta
qlRDtgPP+ZCpJbP+3oEtED5DDKrBefdzxJO2W3R5fUY9N4gTS/qzU8DJ4lXsGyXld/ROaw8C
s+awon6wy6TcNNViC7suKrEfEAjmvzVUZNxIPjS4GMmPDOYqU6396XuJiOL8ecc61ew7LZNC
r6tmkMoiQBspym9xsgItYjWltstlGn25AYl+r4rP97oHR0zcZulCpxWryaAK85sT9g/R309o
C8h0e5uUf+TeSELzNEqyxHSR9DdL86G+Bv+UuaWLzpiwn5oK/qzhBe3pFCp0fa0FtK131BDs
jdfn5HSu2oM2R3e5onPSvZ08kq7nzfa/w7J4/xCIUc6mLCdLJgkw7UqkYEUv1iFFSjz8Hg=
X-Talos-CUID: 9a23:LqQY9Wwk6pEKX4iz866mBgU1QP14fUHl5U6BOnbkLXxjSrOTVEafrfY=
X-Talos-MUID: 9a23:sfUauwXMTB9aCLjq/CGzmi0/Ft5a2omvEHsUjpEsvMOkMgUlbg==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="6.03,250,1694728800";
d="scan'208";a="71347880"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26])
by mail-edgeDD24.fraunhofer.de with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
25 Oct 2023 11:42:55 +0200
IronPort-SDR: 6538e31d_h5/+007enWyWsNC8CU0HhGNvwg8wFuCTNOZWq59JBSXCaLB
VwG/AtCm+DOjrNxnIb9gBXASmQj3fJA6O1ZFOsQ==
X-IPAS-Result:
A0BYAABB4jhl/3+zYZlaHQEBAQEJARIBBQUBQAkcgRYIAQsBgWZSB3NYgQWEUoNNAQGETl+GQYIhOwGcGIEsgSUDVg8BAwEBAQEBBwEBOwkEAQGFBocZAic0CQ4BAgEBAgEBAQEDAgMBAQEBAQEDAQEFAQEBAgEBBgSBChOFaA2GTxYRDwENAQEUIwE0AiYCNAckAQ0FIoJcAYIqAzECAQEQBqUZAYFAAosigTKBAYIJAQEGBASwFxiBIIEeAwYJAYEQLgGDW4QuAYQ0gR2HBIFKgzOIHoJog3WFPAcygiKDLymLfoEBR1oWGwMHA1kqECsHBC0iBgkWLSUGUQQXFiQJExI+BIM4CoEDPw8OEYJCIgIHNjYZS4JbCRUMNQRJdhAqBBQXgRFuBRoVHjcREhcNAwh2HQIRIzwDBQMENAoVDQshBVcDRAZKCwMCGgUDAwSBNgUNHgIQLScDAxlNAhAUAzsDAwYDCzEDMFdHDFkDbB8WBBwJPAsEDB8CGx4NMgMJAwcFLB1AAwsYDUgRLDUGDhtEAXMHnGBtgk0ZBz1RASsESQNfIgkjLxySTy4MgwkBrnkHgjGBXowBlQgaM5crkk8umA4gjUWUeYVKAgQCBAUCDgEBBoFjPIFZMz5PgmdPAxkPjiA4g0CFFIpnQTMCATgCBwEKAQEDCYI5hBSEfQEB
IronPort-PHdr: A9a23:ITK+hhFT8I1cJG2jVMoxaZ1Gf29NhN3EVzX9l7I53usdOq325Y/re
Vff7K8w0gyBVtDB5vZNm+fa9LrtXWUQ7JrS1RJKfMlCTRYYj8URkQE6RsmDDEzwNvnxaCImW
s9FUQwt5CSgPExYE9r5fQeXrGe78DgSHRvyL09yIOH0EZTVlMO5y6W5/JiABmcAhG+Te7R3f
jm/sQiDjdQcg4ZpNvQUxwDSq3RFPsV6l0hvI06emQq52tao8cxG0gF9/sws7dVBVqOoT+Edd
vl1HD8mOmY66YjQuB/PQBGmylAcX24VwX8qSwLFuTXmdM7/4hu5vfBjhAnZL8KuCuBofzGlw
I1ncT7vtHgbDzok80SMhP1MsfoO83fD7xYq5dTNbtqqGqFTY5LiYYkBdVVwXd1bSSpvAr2ta
9BeCshfPNRWrYnnrEQ88Tq0HFLrDdjoyzt6g1Lwgr8d67wDNjvHgCIMDpEtiC+NrM22Da02X
Oubl4bnwxXxYegGxhf+uZHZIjItr6GOZr8pfevQmHssPinMpWXNjpfCYRqez/QTlGuKt9VLV
r6C1DIluix+gDmyw9Y+iobtuYMK2gn8qxxL0aVpH+WmUk0rNI3sAN5RrSacL4xsXoY4Tnp1v
Dpv0rQdos3TlEkizZ0mw1vad/WkWtLWpBz5XfuXITB2iWgjdL/szxqx8E310uTnTYH0y1dFq
CNZj8PB/m4AzR3d68WLC7N9806t1CzJ1lX75PtNPEY0kqTWMdgmxLsxnYAUqkPNAmn9n0Ces
Q==
IronPort-Data: A9a23:eT2GwKkSQZEKP0rP/4FhMKHo5gwEIkRdPkR7XQ2eYbSJt1+Wr1Gzt
xIdXW+PP/uPYGekc98ibY/n9xhXsZPdnNQ3QAY4qS89F1tH+JHPbTi7wugcHM8ywunrFh8PA
xA2M4GYRCwMZiaA4E3raNANlFEkvYmQXL3wFeXYDS54QA5gWU8JhAlq8wIDqtcAbeORXUXV4
rsen+WFYAX+gmYubzpNg06+gEoHUMra6GtwUmMWOKgjUG/2zxE9EJ8ZLKetGHr0KqE88jmSH
rurIBmRpws1zj91Yj+Xuu+Tnn4iHtY+CTOzZk9+AMBOtPTiShsaic7XPNJEAateZq7gc9pZk
L2hvrToIesl0zGldOk1C3Fl/y9C0aJu36D4BjviocCq4FDKWlW0yqs1JUFvIthNkgp3KTkmG
f0wMzURdlaOl+m2hryhQ/RqhsMtIdOtMI53VnNIlGyCS6d5B8mcEuOTv4AwMDQY3qiiGd7bZ
sEZYDdrKgvNYgZUEl4WE5812umyj2T5czpWpUjTqadfD237klwtgOa3boC9ltqiQtl5hknD+
Gz6pmmoWB5LafqG7zCAyyf57gPItWahMG4IL5Wx8vN6iVufy3Y7DRwWXF+6qui/zEW5Xrp3I
VYd5ywjt4Ax+VatQ927WAe3yFaNpQI0WNdKFeA+rgaXxcL8+w+EAkAcRyNFLdkhs9U7Azct0
zehk9rvBDFrmLySRn+U7L2TvXW0NDR9BWYEaTUFTCMG7sPlrYV1iQjAJv5mGbSpj9uzHTjt6
zSLqjUuwbkek6YjzKK98njEjiiqq5yPSRQ6ji3GXnmN4Ak/b4mgD6Sq7ljdq/hJN5qQRFSHs
FALnsGf6KYFCpTlvC+VW+QLE7GB5PufNjDYx1l1EPEJ7Dij03Gkeo9U7Xd1I0IBGsYNfjv0Z
2fcvgRe4JIVN3yvBYd1ZIaqAuwpwLLmGNCjUerbBvJXf5V3aA6B1CB1YlCZ223rjA4nlqRXE
Ymaa8GEH3scCLohyDuwWvdb1qUkgD09rUvWRJP/yA+PyqiTfnOZSPEFLTOmZ+U49vzfoQH9/
NNWNs/MwBJaOMXlbzPY/KYTJFQOPH59Dpfzw+RdbuCrPAVrAiciBuXXzLdnfJZq94xRl+HV7
jS+V1VexV7Xm3LKM0OJZ2plZbepWoxwxVo/PCoxLROmwHQuf4urxLkQeoFxfrQ98uFni/luQ
JE4l96oW6kUD2WYvm1CPNyk9tMkahHtjkSAJSO4Zjg4cZN6AQDEkjP5QjbSGOA1JnPfneMwu
bS90APcT5cZAQNkCcfdcvW0yF2t+3ManYpPs4HgebG/oW29odQ4GD+7lfItPcAHJDPKwzbQh
U7cAg4VqaOJ68U5+cXAz/LM5Yq4MfpMLmwDFUni7JGyKXb7+EinytR+S+qmR23We17136SAX
t9r6c/AHscJp3t0lrZtMq1KyPs+7uT/prUBwQVDGm7KXmuRCbhhAyen2+9Tuo1k241puQm/c
R+K8dx0YL+MON3XFWAAAA8fasWCyvAmtT3A5tslIEjBxXFW/ZjWdW5wLhWzmChmA78tC7wcw
MAlo98w1wyzrjEII+S2pHlY2ErUJ0NRTph9kI8RBbHarzYCy3ZAUMT6MTD36pTeUOd8GBAmD
RHMjZWTmokG4FTJdkcyMn3/3eB9o5AqkzISxX8gI2W5oPb0tsUV7jZwrwtuFh90yy9Z2d1dI
mJobk15BZuf9gdS2fRsYTqeJBFjNja4pGrK1Fo7pE/IRRKJV0vMDlEHF8SjwUQ7y19YLx9np
Oy26WC9Sjv7XtDD7g1rU25flvHTZ9hQ9ArDpcOZI/q4D6QKOTrIv6v/SlcL+j3GANwwjnLpv
eNF3vh9QoylOD8yo58UMZi717MReS+ANl59ZOxT+oEJEV6Bfzvo6zyFKh2ySPhsPN3Py1ezU
OZ1F/JMVjO/9SeAlS8aDqgyOI1JnOYlyd4BW7HzL0sEjuevlSVou5fu6STOvm8nbNFwm8IbK
ImKVTa9PkGPpHlTwUnhkdJlPzemXNw6ewHM5uC53+EXHZYlsus3U0UT0KOxjkqFIjlc4BOYk
wPSVZD4l9U459xXoLLtNaFfCyGfC9D5Dr2I+T/uleV+V4rENMOWuj4FrlXiAR9tAoIQfNZKj
pWIjs/82RLUnbQxUl2BoaK7KYty2ZyQUtZUY+XNF1sLuQuZWcTp3QkPxHDgF7xNj+Fmx5eGQ
ymWVZKOUOA7CvlhwE9bUSx8KyomKr/Wa/7grBytrv7XBRk61xfGHeyd9nToTD96cwEQMMfAC
Cvxieef1u5FpasdAS00JuxULKJ5BHTBWqIWUcL7mhfFL2uvg3KE4qDDkzh54x71K3C0KuTIy
rObeQrfLTOc4LrpyvNduKxM5iwnNm5327QMTxhM6uxIhCCfJ09YC+YkaLEtKIxeyw7237HGP
AD9VnMoU3jBbG4VYCfHwYrRWymEDbYzIfb/HDsi+n2UZwqQBI+tBLhA9D9q00xpewnMnf2WF
tUDxkLeZhSB4IllZeI21MyJhe1KwvD7xHVR3Wvfl8f0IQgVAJRU9XhHMTdOaxf6EJD2pB2WH
VQ2eGFKfhjqAwq5W8NtYGVcFxwlrSvihWdgJzuGxNHE/Z6X1qtcwfn4IPv+yaAHcN9MHrMVW
HfrXCGY1gh6AJDIVXcB4LrFWZNJNM8=
IronPort-HdrOrdr: A9a23:RLSEO6krXCH30wo76QE0GJCEA9vpDfIo3DAbv31ZSRFFG/Fw8P
re+sjztCWE7wr5PUtLpTnuAse9qB/nmqKdgrNhX4tKPjOW3FdARbsKheffKlvbak7DH4Zmvp
uIGJIeNDSfNzhHZJbBjTVRUb4bsby6zJw=
X-Talos-CUID:
9a23:kaTPr2u2IZBYPpUuHLyX6scz6IsCbUL6jyrAL3aXFGpAZuWcFwS5+Pp7xp8=
X-Talos-MUID: 9a23:xuXgVwgMG7XjZIR2g6LpgsMpM9tE+6v1Vk4xyJhX4cbVaAppHT2YtWHi
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="6.03,250,1694728800";
d="scan'208";a="68486262"
Received: from 153-97-179-127.vm.c.fraunhofer.de (HELO
smtp.exch.fraunhofer.de) ([153.97.179.127])
by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
25 Oct 2023 11:42:52 +0200
Received: from XCH-HYBRID-04.ads.fraunhofer.de (10.225.9.46) by
XCH-HYBRID-03.ads.fraunhofer.de (10.225.9.57) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1258.27; Wed, 25 Oct 2023 11:42:52 +0200
Received: from DEU01-FR2-obe.outbound.protection.outlook.com (104.47.11.168)
by XCH-HYBRID-04.ads.fraunhofer.de (10.225.9.46) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1258.27 via Frontend Transport; Wed, 25 Oct 2023 11:42:52 +0200
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=YJ2m4lJGd3mUhgIFNJB5Ri4Zn9XuLXk9o8IcUSuuwGiaJdCBxXH/8RclxwOPzvQwla5hVOk/b6Ls08JcmjHat3+0nO6kcYr5rzpRkIdUW54ygL67fLzEgjsvze85m1eLtOCeHrDvegMQkIrBQTPadXOrknzid1Vg/tXzmYf0zaAyUQSF5q8/PdGYQ2hVcWkz9V/noEtHKrJJQAC2orLqCQca5mGLNuOavxJjflz+77Aoy4IhluQRup5Rlnb/2RvLVqESjfo9QvDO4/WCcVTF3+DwO+C237C/RmMMbu76X+lXypHjP34wsRVtxj4t5rVo+00Rgk9FesSEhpdc72PXUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=LtB1f8X+crv4H+zg0/84NmoGBdQIoT7tPlukM3fYTU0=;
b=BtZRcoALYlpNzOFQ04Gz1vrJvRXvxJRApHVymMp5fcxzj8LYl8UbGaxqGrY6hVevQllyJUVA8/Ismi15Mjt9BzbVfyg8jKx2A89pQt4hoqhArGMORBl01sz18iWhjbsjh/N7+mbFhfYAWhIOnhlyJOhe9Lv04ZTAQfVO9wn/VQ4vgdKlWmYJ7lvGLxw7gnr6YJvumfXtnHFoPvQftJlgRd83YAkZNbjHw2mEKkNRI4aNvfEPWC413vEM+UbW7IsXJ7UZORanwunpze3z1zBptHjL14JCfKCOSUK/HWJS6f7X91Te5j42/QOrRuSemLQYLvD6qR4b4xdNQeMc5BUWpA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=aisec.fraunhofer.de; dmarc=pass action=none
header.from=aisec.fraunhofer.de; dkim=pass header.d=aisec.fraunhofer.de;
arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=fraunhofer.onmicrosoft.com; s=selector2-fraunhofer-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=LtB1f8X+crv4H+zg0/84NmoGBdQIoT7tPlukM3fYTU0=;
b=N2qf3WF3EuYWt2sXWYksbvnFhVyl39mJ6iZfjhrcwZ4Ibq3/aSoilZmEn7zOP0JORi4FDy+KP31hp+QbLecF3GGfHZfs8wHk9qy8Jdf8jSe1dIi9ZkABaCX5OsO6AcqxvOky0WCk4E74jyEgJiumyzhgLWiwx1P6QZyK4RPvrk8=
Received: from BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:50::14)
by BEZP281MB1814.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:5a::5) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6907.33; Wed, 25 Oct
2023 09:42:51 +0000
Received: from BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM
([fe80::7330:78f8:1bf2:2f4d]) by BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM
([fe80::7330:78f8:1bf2:2f4d%5]) with mapi id 15.20.6933.019; Wed, 25 Oct 2023
09:42:51 +0000
From: =?utf-8?q?Michael_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn <alexander@mihalicyn.com>,
Christian Brauner <brauner@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Paul Moore <paul@paul-moore.com>
CC: Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>, KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Quentin Monnet <quentin@isovalent.com>,
Alexander Viro <viro@zeniv.linux.org.uk>, Miklos Szeredi <miklos@szeredi.hu>,
Amir Goldstein <amir73il@gmail.com>, "Serge E. Hallyn" <serge@hallyn.com>,
<bpf@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>, <gyroidos@aisec.fraunhofer.de>,
=?utf-8?q?Michael_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>
Subject: [RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for
non-initial user namespace
Date: Wed, 25 Oct 2023 11:42:10 +0200
Message-Id: <20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.30.2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: FR4P281CA0420.DEUP281.PROD.OUTLOOK.COM
(2603:10a6:d10:d0::17) To BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM
(2603:10a6:b10:50::14)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BEZP281MB2791:EE_|BEZP281MB1814:EE_
X-MS-Office365-Filtering-Correlation-Id: cbf2ee99-853f-4346-4d3a-08dbd53ec166
X-LD-Processed: f930300c-c97d-4019-be03-add650a171c4,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
M71rx3AkW9OlJvs6OyvOcAZPOUsZkapbSNEGZbaivp/XBNOWyhzr26wYm7m8SZrROVn6opiKZl/ttiPnEKDrm7KeEq4Asbpkg/Sk9rQU2MNqZEuy8KUexOzh6yoiKrhKI6vKCLA54siKrVD0bOLvhm9x3JHosXDFGFuI4kdiRgRTpWVFOr2UtPr8g1QkgqMfAwAD/T694ot9SaORWTHn6kmPvDb8XuEYN9+fpVjVk5ZmhB0JIUy447pVCKAlLOhle2UQ+gjcq/7kSj2G/rERrzG7Y0NgAU+cYtRCFsOubpV9EBo0/Hvnc6LhJxeCGJWnCxz883NM0vqKhPmrwyMlrTMit8O2ugGbY79LvJgZ+JXopWTO5h2V07RoLtNGlbpPOn4Q2YZopboBoWiyacmqrjapjGG2LRIOi+/6scBaEg0WQqoV6MaGQe4J+Zu77T/TURM5tLhnrcFUQZykHGJGmurusdwgNF8RNchD72kUCqDqrldd3zwiSpK0dD3YfSBE8bzvhBDc4fVSbybPvWpOFF5oV+IVWP9RlCQ2mIwZYu0HIiEc1V+M8nqnqvfMs/Yg/BiS1wwHV9R0qJBmobo56SY8pz79XUa3k9RaEmzjB9Q=
X-Forefront-Antispam-Report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230031)(136003)(376002)(346002)(396003)(366004)(39860400002)(230922051799003)(186009)(1800799009)(451199024)(64100799003)(110136005)(38100700002)(41300700001)(2906002)(7416002)(86362001)(5660300002)(8676002)(8936002)(4326008)(6666004)(6506007)(478600001)(107886003)(54906003)(1076003)(82960400001)(66476007)(66946007)(316002)(66556008)(2616005)(966005)(83380400001)(6512007)(6486002)(52116002);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?Z00XJpZBKfXGefEmEgJChMkRtOea?=
=?utf-8?q?N0KgtU1CN+NDdbAQsEv1ru025+ILJQiY/tplEOrVpuh8A52TBjN7iUCw8mMBEvLdF?=
=?utf-8?q?6xp5CSRchyICp7phxsFXLUW7Oi4IQaX0HGudROl6ULB5t76JSPa9CHc7IIesASGWg?=
=?utf-8?q?0sEf32KScMb8d1+ga05kKoLR100FMevkg415sHx1+sn3ZJAijeXWu+sr75i73oYKl?=
=?utf-8?q?/e6AnEEsEe62fZLN2BKpuwRHdW5ZNcDmAt2+1l6RGa8BZPRnQredXv9EHzz/n6Dff?=
=?utf-8?q?wKkiuiX43yZl1A5324qOSJptbn/ja6zZDK3Cnvxv3kk14kXKIzZYe2IPIoIVqGo+G?=
=?utf-8?q?lJgbv2loV39XdtoLrMldyWzJ4487zi2VgmiTjYbk0QNF/J+XAI2YAAPn/fzuRS2sy?=
=?utf-8?q?BnUr/RHRrJocWcYqWU2nkRmWGj79TjIOvGHOOiks5u4exLjeIyKtxfjqPNT1AI8ph?=
=?utf-8?q?ZwBKOqIos8zfPvv59yUsSBssgsQS8O5VE0LZ2GGDp3u2q1qCqHTcQn8GnuktE5w1e?=
=?utf-8?q?LRM5aXEjeyUn5BD87M2gq12ffPEdaGnYgc4KZqgFODkgTbd7b2vmtkZLFVAUuBjAJ?=
=?utf-8?q?ZFS5BIwilQKDXClsJQxDy3dNQKQawhdpRsj1fSXL3Q+ICgDnc0I2fwaNEm0uddVl1?=
=?utf-8?q?IFGTP1YUu53xvgaT5D4KOl8DRfCLAeYy0Lzz5HZlnERAiwd39tvfZe1xs19TKJllD?=
=?utf-8?q?S0ONTgOpivxQOwOGtmnfwlgNssbN+dpO9TdaOnUyDpdLTgSdGCarH3RrcyQE9u4Wp?=
=?utf-8?q?9FUj7fdTW9PdRuRT+h/QC1iMorUndl7oNqk7Xz5+K1BFgc2IgSwHnQerILEDRlh0L?=
=?utf-8?q?Mx6fCw84zhwO65H9oOxStBkQ6tSOh4M5ZSgY3HAxSv2k60zpaxvzQv0c0uSXVy/Mt?=
=?utf-8?q?Z3bbyF5EIjcZpB2J7xAnpbSubXQBDZbfeHzJGyAcPxyNDzoFTrL7pkQlC8RCyVXNo?=
=?utf-8?q?sJ2tyPuKXlMwZtrqSgKuySKg/KgTpt2v9OVP66s0gwDrC0jgITyO7eBaOzcbv8Thf?=
=?utf-8?q?2lkjZoM//1215VCeV/h3xh1aXZzWRjZY2ceYVEcgGG3bVTFcBzZDVkWnQySlY/E9y?=
=?utf-8?q?7wR0znrQJ847sgMC8CaB8UbgKkl1ZteanBAbkDUMFW2OH7BN79VoU32c3MxSCivFo?=
=?utf-8?q?d6K7+Ya46LBxBEOTkbHbJohN5/uyso3nuxGHc/Yd6YfMk5Ex7ov3H84UhoEW+9xdC?=
=?utf-8?q?D9xdgI7q6Ab72JX9ddjQVNAbEBID2dxV+naWvjHU7pMPzzoBzbcIav4DHijk1utY9?=
=?utf-8?q?olNH2shCedlkH+taFn+nf8DXx1ymIOJSfVWmeaRB/ilpeTT5y14q0K1Rf/EbmQleV?=
=?utf-8?q?+TLKJbZiM7JPUISf0+77JjPjxJxSgUFv6XLV8GJhu5QIhRDtx2Gud3laO3d/CzE1u?=
=?utf-8?q?qw1XiYXiVzzokx0BF1vUDCLSeQTysgnPukrNEe+qqH+bIiKd6t3F9DSSOjnAobcFU?=
=?utf-8?q?Jg1SoyBC7nSXnQlvoA8bh47NFk8ocy7evdsPUiN0CDitzx+P0bI/EwJZRtpbxoQVy?=
=?utf-8?q?h7Qz3yU31AyBNqX1nQvJ4Ct7uuy3YptoYCZ+T61g/hIGeDwh1hgkb1Y2q6NheGTgL?=
=?utf-8?q?NUvzX4tn9FIdxiAKigBmBVBQEtDyXUU1JIpy54LUCe0MFb+giD/qbM=3D?=
X-MS-Exchange-CrossTenant-Network-Message-Id:
cbf2ee99-853f-4346-4d3a-08dbd53ec166
X-MS-Exchange-CrossTenant-AuthSource: BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Oct 2023 09:42:51.4030
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f930300c-c97d-4019-be03-add650a171c4
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName:
FgRQ51fTszwwskzABsKs90519CPxfv+r4HUWmtbdjWp3uP5H3u1i96NUyC/W/WnBsj8anuveFMvMlWSzF8Xh6Rh91KQACIVcURLgRmrSVBVz8Cmv5O25tfObg7fMz3lI
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BEZP281MB1814
X-OriginatorOrg: aisec.fraunhofer.de
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]);
Wed, 25 Oct 2023 02:44:42 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1780720167215574345
X-GMAIL-MSGID: 1780720167215574345
|
| Series |
device_cgroup: guard mknod for non-initial user namespace
|
|
Message
Michael Weiß
Oct. 25, 2023, 9:42 a.m. UTC
Introduce the flag BPF_DEVCG_ACC_MKNOD_UNS for bpf programs of type
BPF_PROG_TYPE_CGROUP_DEVICE which allows to guard access to mknod
in non-initial user namespaces.
If a container manager restricts its unprivileged (user namespaced)
children by a device cgroup, it is not necessary to deny mknod()
anymore. Thus, user space applications may map devices on different
locations in the file system by using mknod() inside the container.
A use case for this, we also use in GyroidOS, is to run virsh for
VMs inside an unprivileged container. virsh creates device nodes,
e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails
in a non-initial userns, even if a cgroup device white list with the
corresponding major, minor of /dev/null exists. Thus, in this case
the usual bind mounts or pre populated device nodes under /dev are
not sufficient.
To circumvent this limitation, allow mknod() by checking CAP_MKNOD
in the userns by implementing the security_inode_mknod_nscap(). The
hook implementation checks if the corresponding permission flag
BPF_DEVCG_ACC_MKNOD_UNS is set for the device in the bpf program.
To avoid to create unusable inodes in user space the hook also
checks SB_I_NODEV on the corresponding super block.
Further, the security_sb_alloc_userns() hook is implemented using
cgroup_bpf_current_enabled() to allow usage of device nodes on super
blocks mounted by a guarded task.
Patch 1 to 3 rework the current devcgroup_inode hooks as an LSM
Patch 4 to 8 rework explicit calls to devcgroup_check_permission
also as LSM hooks and finalize the conversion of the device_cgroup
subsystem to a LSM.
Patch 9 and 10 introduce new generic security hooks to be used
for the actual mknod device guard implementation.
Patch 11 wires up the security hooks in the vfs
Patch 12 and 13 provide helper functions in the bpf cgroup
subsystem.
Patch 14 finally implement the LSM hooks to grand access
Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
Changes in v2:
- Integrate this as LSM (Christian, Paul)
- Switched to a device cgroup specific flag instead of a generic
bpf program flag (Christian)
- do not ignore SB_I_NODEV in fs/namei.c but use LSM hook in
sb_alloc_super in fs/super.c
- Link to v1: https://lore.kernel.org/r/20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de
Michael Weiß (14):
device_cgroup: Implement devcgroup hooks as lsm security hooks
vfs: Remove explicit devcgroup_inode calls
device_cgroup: Remove explicit devcgroup_inode hooks
lsm: Add security_dev_permission() hook
device_cgroup: Implement dev_permission() hook
block: Switch from devcgroup_check_permission to security hook
drm/amdkfd: Switch from devcgroup_check_permission to security hook
device_cgroup: Hide devcgroup functionality completely in lsm
lsm: Add security_inode_mknod_nscap() hook
lsm: Add security_sb_alloc_userns() hook
vfs: Wire up security hooks for lsm-based device guard in userns
bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access
bpf: cgroup: Introduce helper cgroup_bpf_current_enabled()
device_cgroup: Allow mknod in non-initial userns if guarded
block/bdev.c | 9 +-
drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 7 +-
fs/namei.c | 24 ++--
fs/super.c | 6 +-
include/linux/bpf-cgroup.h | 2 +
include/linux/device_cgroup.h | 67 -----------
include/linux/lsm_hook_defs.h | 4 +
include/linux/security.h | 18 +++
include/uapi/linux/bpf.h | 1 +
init/Kconfig | 4 +
kernel/bpf/cgroup.c | 14 +++
security/Kconfig | 1 +
security/Makefile | 2 +-
security/device_cgroup/Kconfig | 7 ++
security/device_cgroup/Makefile | 4 +
security/{ => device_cgroup}/device_cgroup.c | 3 +-
security/device_cgroup/device_cgroup.h | 20 ++++
security/device_cgroup/lsm.c | 114 +++++++++++++++++++
security/security.c | 75 ++++++++++++
19 files changed, 294 insertions(+), 88 deletions(-)
delete mode 100644 include/linux/device_cgroup.h
create mode 100644 security/device_cgroup/Kconfig
create mode 100644 security/device_cgroup/Makefile
rename security/{ => device_cgroup}/device_cgroup.c (99%)
create mode 100644 security/device_cgroup/device_cgroup.h
create mode 100644 security/device_cgroup/lsm.c
base-commit: 58720809f52779dc0f08e53e54b014209d13eebb
Comments
On Wed, Oct 25, 2023 at 5:42 AM Michael Weiß <michael.weiss@aisec.fraunhofer.de> wrote: > > Introduce the flag BPF_DEVCG_ACC_MKNOD_UNS for bpf programs of type > BPF_PROG_TYPE_CGROUP_DEVICE which allows to guard access to mknod > in non-initial user namespaces. > > If a container manager restricts its unprivileged (user namespaced) > children by a device cgroup, it is not necessary to deny mknod() > anymore. Thus, user space applications may map devices on different > locations in the file system by using mknod() inside the container. > > A use case for this, we also use in GyroidOS, is to run virsh for > VMs inside an unprivileged container. virsh creates device nodes, > e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails > in a non-initial userns, even if a cgroup device white list with the > corresponding major, minor of /dev/null exists. Thus, in this case > the usual bind mounts or pre populated device nodes under /dev are > not sufficient. > > To circumvent this limitation, allow mknod() by checking CAP_MKNOD > in the userns by implementing the security_inode_mknod_nscap(). The > hook implementation checks if the corresponding permission flag > BPF_DEVCG_ACC_MKNOD_UNS is set for the device in the bpf program. > To avoid to create unusable inodes in user space the hook also > checks SB_I_NODEV on the corresponding super block. > > Further, the security_sb_alloc_userns() hook is implemented using > cgroup_bpf_current_enabled() to allow usage of device nodes on super > blocks mounted by a guarded task. > > Patch 1 to 3 rework the current devcgroup_inode hooks as an LSM > > Patch 4 to 8 rework explicit calls to devcgroup_check_permission > also as LSM hooks and finalize the conversion of the device_cgroup > subsystem to a LSM. > > Patch 9 and 10 introduce new generic security hooks to be used > for the actual mknod device guard implementation. > > Patch 11 wires up the security hooks in the vfs > > Patch 12 and 13 provide helper functions in the bpf cgroup > subsystem. > > Patch 14 finally implement the LSM hooks to grand access > > Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> > --- > Changes in v2: > - Integrate this as LSM (Christian, Paul) > - Switched to a device cgroup specific flag instead of a generic > bpf program flag (Christian) > - do not ignore SB_I_NODEV in fs/namei.c but use LSM hook in > sb_alloc_super in fs/super.c > - Link to v1: https://lore.kernel.org/r/20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de > > Michael Weiß (14): > device_cgroup: Implement devcgroup hooks as lsm security hooks > vfs: Remove explicit devcgroup_inode calls > device_cgroup: Remove explicit devcgroup_inode hooks > lsm: Add security_dev_permission() hook > device_cgroup: Implement dev_permission() hook > block: Switch from devcgroup_check_permission to security hook > drm/amdkfd: Switch from devcgroup_check_permission to security hook > device_cgroup: Hide devcgroup functionality completely in lsm > lsm: Add security_inode_mknod_nscap() hook > lsm: Add security_sb_alloc_userns() hook > vfs: Wire up security hooks for lsm-based device guard in userns > bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access > bpf: cgroup: Introduce helper cgroup_bpf_current_enabled() > device_cgroup: Allow mknod in non-initial userns if guarded > > block/bdev.c | 9 +- > drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 7 +- > fs/namei.c | 24 ++-- > fs/super.c | 6 +- > include/linux/bpf-cgroup.h | 2 + > include/linux/device_cgroup.h | 67 ----------- > include/linux/lsm_hook_defs.h | 4 + > include/linux/security.h | 18 +++ > include/uapi/linux/bpf.h | 1 + > init/Kconfig | 4 + > kernel/bpf/cgroup.c | 14 +++ > security/Kconfig | 1 + > security/Makefile | 2 +- > security/device_cgroup/Kconfig | 7 ++ > security/device_cgroup/Makefile | 4 + > security/{ => device_cgroup}/device_cgroup.c | 3 +- > security/device_cgroup/device_cgroup.h | 20 ++++ > security/device_cgroup/lsm.c | 114 +++++++++++++++++++ > security/security.c | 75 ++++++++++++ > 19 files changed, 294 insertions(+), 88 deletions(-) > delete mode 100644 include/linux/device_cgroup.h > create mode 100644 security/device_cgroup/Kconfig > create mode 100644 security/device_cgroup/Makefile > rename security/{ => device_cgroup}/device_cgroup.c (99%) > create mode 100644 security/device_cgroup/device_cgroup.h > create mode 100644 security/device_cgroup/lsm.c Hi Michael, I think this was lost because it wasn't CC'd to the LSM list (see below). I've CC'd the list on my reply, but future patch submissions that involve the LSM must be posted to the LSM list if you would like them to be considered. http://vger.kernel.org/vger-lists.html#linux-security-module
On 25.10.23 15:17, Paul Moore wrote: > On Wed, Oct 25, 2023 at 5:42 AM Michael Weiß > <michael.weiss@aisec.fraunhofer.de> wrote: >> >> Introduce the flag BPF_DEVCG_ACC_MKNOD_UNS for bpf programs of type >> BPF_PROG_TYPE_CGROUP_DEVICE which allows to guard access to mknod >> in non-initial user namespaces. >> >> If a container manager restricts its unprivileged (user namespaced) >> children by a device cgroup, it is not necessary to deny mknod() >> anymore. Thus, user space applications may map devices on different >> locations in the file system by using mknod() inside the container. >> >> A use case for this, we also use in GyroidOS, is to run virsh for >> VMs inside an unprivileged container. virsh creates device nodes, >> e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails >> in a non-initial userns, even if a cgroup device white list with the >> corresponding major, minor of /dev/null exists. Thus, in this case >> the usual bind mounts or pre populated device nodes under /dev are >> not sufficient. >> >> To circumvent this limitation, allow mknod() by checking CAP_MKNOD >> in the userns by implementing the security_inode_mknod_nscap(). The >> hook implementation checks if the corresponding permission flag >> BPF_DEVCG_ACC_MKNOD_UNS is set for the device in the bpf program. >> To avoid to create unusable inodes in user space the hook also >> checks SB_I_NODEV on the corresponding super block. >> >> Further, the security_sb_alloc_userns() hook is implemented using >> cgroup_bpf_current_enabled() to allow usage of device nodes on super >> blocks mounted by a guarded task. >> >> Patch 1 to 3 rework the current devcgroup_inode hooks as an LSM >> >> Patch 4 to 8 rework explicit calls to devcgroup_check_permission >> also as LSM hooks and finalize the conversion of the device_cgroup >> subsystem to a LSM. >> >> Patch 9 and 10 introduce new generic security hooks to be used >> for the actual mknod device guard implementation. >> >> Patch 11 wires up the security hooks in the vfs >> >> Patch 12 and 13 provide helper functions in the bpf cgroup >> subsystem. >> >> Patch 14 finally implement the LSM hooks to grand access >> >> Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> >> --- >> Changes in v2: >> - Integrate this as LSM (Christian, Paul) >> - Switched to a device cgroup specific flag instead of a generic >> bpf program flag (Christian) >> - do not ignore SB_I_NODEV in fs/namei.c but use LSM hook in >> sb_alloc_super in fs/super.c >> - Link to v1: https://lore.kernel.org/r/20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de >> >> Michael Weiß (14): >> device_cgroup: Implement devcgroup hooks as lsm security hooks >> vfs: Remove explicit devcgroup_inode calls >> device_cgroup: Remove explicit devcgroup_inode hooks >> lsm: Add security_dev_permission() hook >> device_cgroup: Implement dev_permission() hook >> block: Switch from devcgroup_check_permission to security hook >> drm/amdkfd: Switch from devcgroup_check_permission to security hook >> device_cgroup: Hide devcgroup functionality completely in lsm >> lsm: Add security_inode_mknod_nscap() hook >> lsm: Add security_sb_alloc_userns() hook >> vfs: Wire up security hooks for lsm-based device guard in userns >> bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access >> bpf: cgroup: Introduce helper cgroup_bpf_current_enabled() >> device_cgroup: Allow mknod in non-initial userns if guarded >> >> block/bdev.c | 9 +- >> drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 7 +- >> fs/namei.c | 24 ++-- >> fs/super.c | 6 +- >> include/linux/bpf-cgroup.h | 2 + >> include/linux/device_cgroup.h | 67 ----------- >> include/linux/lsm_hook_defs.h | 4 + >> include/linux/security.h | 18 +++ >> include/uapi/linux/bpf.h | 1 + >> init/Kconfig | 4 + >> kernel/bpf/cgroup.c | 14 +++ >> security/Kconfig | 1 + >> security/Makefile | 2 +- >> security/device_cgroup/Kconfig | 7 ++ >> security/device_cgroup/Makefile | 4 + >> security/{ => device_cgroup}/device_cgroup.c | 3 +- >> security/device_cgroup/device_cgroup.h | 20 ++++ >> security/device_cgroup/lsm.c | 114 +++++++++++++++++++ >> security/security.c | 75 ++++++++++++ >> 19 files changed, 294 insertions(+), 88 deletions(-) >> delete mode 100644 include/linux/device_cgroup.h >> create mode 100644 security/device_cgroup/Kconfig >> create mode 100644 security/device_cgroup/Makefile >> rename security/{ => device_cgroup}/device_cgroup.c (99%) >> create mode 100644 security/device_cgroup/device_cgroup.h >> create mode 100644 security/device_cgroup/lsm.c > > Hi Michael, > > I think this was lost because it wasn't CC'd to the LSM list (see > below). I've CC'd the list on my reply, but future patch submissions > that involve the LSM must be posted to the LSM list if you would like > them to be considered. > > http://vger.kernel.org/vger-lists.html#linux-security-module > Hi Paul, thanks, I'll keep this in mind for the next submissions. I have also resend because, I realized that some spam filters my have swallowed the last submission as I used my private smtp server from another domain in the gitconfig. Sorry for that. I hope now every one received it. Thanks, Michael
> - Integrate this as LSM (Christian, Paul)
Huh, my rant made you write an LSM. I'm not sure if that's a good or bad
thing...
So I dislike this less than the initial version that just worked around
SB_I_NODEV and this might be able to go somewhere. _But_ I want to see
the rules written down:
(1) current device access management
I summarized the current places where that's done very very briefly in
https://lore.kernel.org/all/20230815-feigling-kopfsache-56c2d31275bd@brauner
* inode_permission()
-> devcgroup_inode_permission()
* vfs_mknod()
-> devcgroup_inode_mknod()
* blkdev_get_by_dev() // sget()/sget_fc(), other ways to open block devices and friends
-> devcgroup_check_permission()
* drivers/gpu/drm/amd/amdkfd // weird restrictions on showing gpu info afaict
-> devcgroup_check_permission()
but that's not enough. What we need is a summary of how device node
creation and device node opening currently interact.
Because it is subtle. Currently you cannot even create device nodes
without capable(CAP_SYS_ADMIN) and you can't open any existing ones
if you lack capable(CAP_SYS_ADMIN).
Years ago we tried that insane model where we enabled userspace to
create device nodes but not open them. IOW, the capability check
for device node creation was lifted but the SB_I_NODEV limitation
wasn't lifted. That broke the whole world and had to be reverted.
(2) LSM device access management
I really want to be able to see how you envision the permission
checking to work in the new model. Specifically:
* How do device node creation and device node opening interact.
* The consequences of allowing to remove the SB_I_NODEV restriction.
* Permission checking for users without and without a bpf guarded
profile.
If you write this down we'll add it to documentation as well or to the
commit messages. It won't be lost. It doesn't have to be some really
long thing. I just want to better understand what you think this is
going to do and what the code does.
On Fri, Nov 24, 2023 at 05:47:32PM +0100, Christian Brauner wrote: > > - Integrate this as LSM (Christian, Paul) > > Huh, my rant made you write an LSM. I'm not sure if that's a good or bad > thing... > > So I dislike this less than the initial version that just worked around Hm, I wonder if we're being to timid or too complex in how we want to solve this problem. The device cgroup management logic is hacked into multiple layers and is frankly pretty appalling. What I think device access management wants to look like is that you can implement a policy in an LSM - be it bpf or regular selinux - and have this guarded by the main hooks: security_file_open() security_inode_mknod() So, look at: vfs_get_tree() -> security_sb_set_mnt_opts() -> bpf_sb_set_mnt_opts() A bpf LSM program should be able to strip SB_I_NODEV from sb->s_iflags today via bpf_sb_set_mnt_opts() without any kernel changes at all. I assume that a bpf LSM can also keep state in sb->s_security just like selinux et al? If so then a device access management program or whatever can be stored in sb->s_security. That device access management program would then be run on each call to: security_file_open() -> bpf_file_open() and security_inode_mknod() -> bpf_sb_set_mnt_opts() and take access decisions. This obviously makes device access management something that's tied completely to a filesystem. So, you could have the same device node on two tmpfs filesystems both mounted in the same userns. The first tmpfs has SB_I_NODEV and doesn't allow you to open that device. The second tmpfs has a bpf LSM program attached to it that has stripped SB_I_NODEV and manages device access and allows callers to open that device. I guess it's even possible to restrict this on a caller basis by marking them with a "container id" when the container is started. That can be done with that task storage thing also via a bpf LSM hook. And then you can further restrict device access to only those tasks that have a specific container id in some range or some token or something. I might just be fantasizing abilities into bpf that it doesn't have so anyone with the knowledge please speak up. If this is feasible then the only thing we need to figure out is what to do with the legacy cgroup access management and specifically the capable(CAP_SYS_ADMIN) check that's more of a hack than anything else. So, we could introduce a sysctl that makes it possible to turn this check into ns_capable(sb->s_userns, CAP_SYS_ADMIN). Because due to SB_I_NODEV it is inherently safe to do that. It's just that a lot of container runtimes need to have time to adapt to a world where you may be able to create a device but not be able to then open it. This isn't rocket science but it will take time. But in the end this will mean we get away with minimal kernel changes and using a lot of existing infrastructure. Thoughts?
On 24.11.23 19:08, Christian Brauner wrote: > On Fri, Nov 24, 2023 at 05:47:32PM +0100, Christian Brauner wrote: >>> - Integrate this as LSM (Christian, Paul) >> >> Huh, my rant made you write an LSM. I'm not sure if that's a good or bad >> thing... >> >> So I dislike this less than the initial version that just worked around >> SB_I_NODEV and this might be able to go somewhere. _But_ I want to see the rules written down: Since we have some new Ideas, I also will try to better describe the vision and current device node interaction when submitting the next version. > > Hm, I wonder if we're being to timid or too complex in how we want to > solve this problem. > > The device cgroup management logic is hacked into multiple layers and is > frankly pretty appalling. > > What I think device access management wants to look like is that you can > implement a policy in an LSM - be it bpf or regular selinux - and have > this guarded by the main hooks: > > security_file_open() > security_inode_mknod() > > So, look at: > > vfs_get_tree() > -> security_sb_set_mnt_opts() > -> bpf_sb_set_mnt_opts() > > A bpf LSM program should be able to strip SB_I_NODEV from sb->s_iflags > today via bpf_sb_set_mnt_opts() without any kernel changes at all. > > I assume that a bpf LSM can also keep state in sb->s_security just like > selinux et al? If so then a device access management program or whatever > can be stored in sb->s_security. > > That device access management program would then be run on each call to: > > security_file_open() > -> bpf_file_open() > > and > > security_inode_mknod() > -> bpf_sb_set_mnt_opts() > > and take access security_sb_set_mnt_optsdecisions. > > This obviously makes device access management something that's tied > completely to a filesystem. So, you could have the same device node on > two tmpfs filesystems both mounted in the same userns. > > The first tmpfs has SB_I_NODEV and doesn't allow you to open that > device. The second tmpfs has a bpf LSM program attached to it that has > stripped SB_I_NODEV and manages device access and allows callers to open > that device. I like the approach to clear SB_I_NODEV in security_sb_set_mnt_opts(). I still have to sort this out but I think that was the missing piece in the current patch set. > > I guess it's even possible to restrict this on a caller basis by marking > them with a "container id" when the container is started. That can be > done with that task storage thing also via a bpf LSM hook. And then > you can further restrict device access to only those tasks that have a > specific container id in some range or some token or something. > > I might just be fantasizing abilities into bpf that it doesn't have so > anyone with the knowledge please speak up. > > If this is feasible then the only thing we need to figure out is what to > do with the legacy cgroup access management and specifically the > capable(CAP_SYS_ADMIN) check that's more of a hack than anything else. First to make this clear, we speak about CAP_SYS_MKNOD. My approach was to restructure the cgroup_device in an own cgroup_device lsm not in the current bpf lsm, to also be able to handle the legacy calls. Especially, the remaining direct calls to devcgroup_check_permission() are transformed to a new security_hook security_dev_permission() which is similar to security_inode_permission() but could be called in such places where only the dev_t representation is available. However, if we implement it that way you sketched up above, we can just leave the devcgroup_check_permission() in its current place and only implement the devcgroup_inode_permission() and devcgroup_mknode and let the blk and amd/gpu drivers as is for now, or just leave all the devcgroup_*() hooks as is. > > So, we could introduce a sysctl that makes it possible to turn this > check into ns_capable(sb->s_userns, CAP_SYS_ADMIN). Because due to > SB_I_NODEV it is inherently safe to do that. It's just that a lot of > container runtimes need to have time to adapt to a world where you may > be able to create a device but not be able to then open it. This isn't > rocket science but it will take time. True. I think a sysctl would be a good option. > > But in the end this will mean we get away with minimal kernel changes > and using a lot of existing infrastructure. > > Thoughts? For the whole bpf lsm part I'm not confident enough to make any proposition, yet. But I think an own simple devnode lsm would be feasible with the above described security_sb_set_mnt_opts() handling to get this idea realized. Maybe we go that way to implement a simple lsm without any changes to the device_cgroup and keep the devcgroup hooks in place. To implement it as bpf lsm with all full blown conatiner_id could then be done orthogonally. So from a simple container runtime perspective one could just use the simple lsm and the existing bpf device cgroup program without any change only having to activate the sysctl. A more complex cloud setup Kubernetes what so ever, could then use bpf lsm approach.