| Message ID | 20230718115607.65652-1-omosnace@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp1692512vqt;
Tue, 18 Jul 2023 05:08:04 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlG0jKWLtcW2bN3KIsDf3LJsRAasB5zM2G1/Ok4r40/HQqAcq3SnmYlIPZVckk+EIaNcZ9ve
X-Received: by 2002:a17:907:b0a:b0:993:6382:6e34 with SMTP id
h10-20020a1709070b0a00b0099363826e34mr11048360ejl.72.1689682084576;
Tue, 18 Jul 2023 05:08:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689682084; cv=none;
d=google.com; s=arc-20160816;
b=K+Qs2ScTGPHVw8sp41XAP5+Xx0nwR+Jx1QOa3LM+cPRQXUJM+Ar4L+mbVdcQsal5mN
BRz2R6LlaUksH1ojGGVWKe2iGxZrmJjGhKajRwSV6PmI909pRRATxYQ/90hAl/d/gyIa
f75iso1ULj0arDzyrX5U7G2wA+Yj/H81s1YQ+e+husIeYHKF6bGhuCuDWT0yRs7di1/B
udkV2oXK69jKmc9ldBeKwB9NR/MNmHZUy8oZ4PrQgDRH/B4A5UaXbobTTSeKxokYVKNR
REoEgPapkVDsTMXmxgPAymp+9eMJiP3ZVSFmORWfo6YrI3cbf03VWlI6v9YsVdqqJpLl
Glgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=HzrRHf2xvIEmTHm/Gu7FM0e+zDruuUgopzejA6ZU6c0=;
fh=kpeKXulbPrbW3xdRBSOHDKt7AeV7jkPK4tuFJxWnLMc=;
b=Qw7M7ErDuQyOXPaxH1bTGLSXYTvcvWJUSmrzvbg7PB4s8mUSI+3LYhxyEocKVKhsxK
DZA6z6+izvKtAvxfKXGVvuhp7bSSYMdxDMy9/8uGLcWXTQLsQSzVYdLvg0OJkCd+PCWe
dWDPYd5YUwS62NWSS7s+ghFLTDFHsFYTx9s/qvcq+zz+mgN3dAIsV1Ty0V7aiIZRHqow
VCtdTujWW7gcdPaYb2wIu58ltVi7OL0LZAkFaQPxd15EJW82hcxsuZFGUZGZWDeJMD0R
8OMAZAAkvxBI32GeJJFQJeDLfir6QHwbkCnvuvUFgy8lhns+YLyruo1+M/FfaLOxJZtE
ZabQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=TssADWMu;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
hb17-20020a170906b89100b00991cb7517bdsi994570ejb.948.2023.07.18.05.07.40;
Tue, 18 Jul 2023 05:08:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=TssADWMu;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229862AbjGRL47 (ORCPT <rfc822;assdfgzxcv4@gmail.com>
+ 99 others); Tue, 18 Jul 2023 07:56:59 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58986 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230156AbjGRL45 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 18 Jul 2023 07:56:57 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A14F918E
for <linux-kernel@vger.kernel.org>;
Tue, 18 Jul 2023 04:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1689681372;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=HzrRHf2xvIEmTHm/Gu7FM0e+zDruuUgopzejA6ZU6c0=;
b=TssADWMud3m77wAmIA8aGmiuRY2zb0IrJsv8h3MK8LeExfXxq1T2vKmUx0QrrXJBasrAxK
X+NielFzAW9G6Yx+e3f2EumN/Ebp3iQ4LlIsk86S95QEy8IyhmPPAF82Rs302LQax6uD2X
w/JIy8sbW/KANTQgm5Fg+qYsjGQD4Uo=
Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com
[209.85.219.70]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-662-Rnc4iNATP3O8LLi7ULSGkg-1; Tue, 18 Jul 2023 07:56:11 -0400
X-MC-Unique: Rnc4iNATP3O8LLi7ULSGkg-1
Received: by mail-qv1-f70.google.com with SMTP id
6a1803df08f44-63788123d11so46781236d6.0
for <linux-kernel@vger.kernel.org>;
Tue, 18 Jul 2023 04:56:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1689681371; x=1692273371;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=HzrRHf2xvIEmTHm/Gu7FM0e+zDruuUgopzejA6ZU6c0=;
b=Eg+m/v0n0nAMXqMm0ypJSaeh1+UR0XBPaDXDqywLUVPiRqzG2ed9EN/M8+crTafoI1
PYSpvoC7hkFwYer83l6tMDLo/kgRuSonCEBbBVtI7Rv4COUWsLX8uqSTL/xq5sSLMclG
QUdpQjPMbQJLoXjQ6E0qWn7A2LiRtinWp6mz5PT81Ee6hQZ/wAT50gsMAGYU6u/FLkMA
y/EKtu1iV78gZF0hYLwUjMZy0LDRio2SFKvQoSPdy954NcfHYT8g53QOvC5XeJjSKwFz
Xy4ZqWaw+jHKYQw+ZSl5l636xT4C7cJEXne2GeY8M7xw86jLEBCOhBN2fC8hJ6gbqneC
264Q==
X-Gm-Message-State: ABy/qLZ0d/DZVfw6D9iT4hclVl/DqrNO9Q5JQqG49v0iu3FUzZXhbNuJ
M6tNEgD0NBteEKdA0cDzcJBrZ/yX4M/cLjDdBcXSU6vbi0uPolS+NWt1dfkrcSBVph6YVY+gXCx
WGlaRTIDCbwzNvdqJbflwHIcn
X-Received: by 2002:a0c:e283:0:b0:623:9ac1:a4be with SMTP id
r3-20020a0ce283000000b006239ac1a4bemr2032995qvl.12.1689681371139;
Tue, 18 Jul 2023 04:56:11 -0700 (PDT)
X-Received: by 2002:a0c:e283:0:b0:623:9ac1:a4be with SMTP id
r3-20020a0ce283000000b006239ac1a4bemr2032986qvl.12.1689681370899;
Tue, 18 Jul 2023 04:56:10 -0700 (PDT)
Received: from localhost.localdomain (nat-pool-brq-t.redhat.com.
[213.175.37.10])
by smtp.gmail.com with ESMTPSA id
i4-20020a0c9c84000000b0063612e03433sm657864qvf.101.2023.07.18.04.56.09
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 18 Jul 2023 04:56:10 -0700 (PDT)
From: Ondrej Mosnacek <omosnace@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: Pavel Begunkov <asml.silence@gmail.com>, io-uring@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] io_uring: don't audit the capability check in
io_uring_create()
Date: Tue, 18 Jul 2023 13:56:07 +0200
Message-ID: <20230718115607.65652-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771760081290764696
X-GMAIL-MSGID: 1771760081290764696
|
| Series |
io_uring: don't audit the capability check in io_uring_create()
|
|
Commit Message
Ondrej Mosnacek
July 18, 2023, 11:56 a.m. UTC
The check being unconditional may lead to unwanted denials reported by
LSMs when a process has the capability granted by DAC, but denied by an
LSM. In the case of SELinux such denials are a problem, since they can't
be effectively filtered out via the policy and when not silenced, they
produce noise that may hide a true problem or an attack.
Since not having the capability merely means that the created io_uring
context will be accounted against the current user's RLIMIT_MEMLOCK
limit, we can disable auditing of denials for this check by using
ns_capable_noaudit() instead of capable().
Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2193317
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Hi, Ondrej, Ondrej Mosnacek <omosnace@redhat.com> writes: > The check being unconditional may lead to unwanted denials reported by > LSMs when a process has the capability granted by DAC, but denied by an > LSM. In the case of SELinux such denials are a problem, since they can't > be effectively filtered out via the policy and when not silenced, they > produce noise that may hide a true problem or an attack. > > Since not having the capability merely means that the created io_uring > context will be accounted against the current user's RLIMIT_MEMLOCK > limit, we can disable auditing of denials for this check by using > ns_capable_noaudit() instead of capable(). Could you add a comment, or add some documentation to ns_capable_noaudit() about when it should be used? It wasn't apparent to me, at least, before this explanation. > Fixes: 2b188cc1bb85 ("Add io_uring IO interface") > Link: https://bugzilla.redhat.com/show_bug.cgi?id=2193317 > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > io_uring/io_uring.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c > index 7505de2428e03..a9923676d16d6 100644 > --- a/io_uring/io_uring.c > +++ b/io_uring/io_uring.c > @@ -3870,7 +3870,7 @@ static __cold int io_uring_create(unsigned entries, struct io_uring_params *p, > ctx->syscall_iopoll = 1; > > ctx->compat = in_compat_syscall(); > - if (!capable(CAP_IPC_LOCK)) > + if (!ns_capable_noaudit(&init_user_ns, CAP_IPC_LOCK)) > ctx->user = get_uid(current_user()); > > /* Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
On Tue, 18 Jul 2023 13:56:07 +0200, Ondrej Mosnacek wrote: > The check being unconditional may lead to unwanted denials reported by > LSMs when a process has the capability granted by DAC, but denied by an > LSM. In the case of SELinux such denials are a problem, since they can't > be effectively filtered out via the policy and when not silenced, they > produce noise that may hide a true problem or an attack. > > Since not having the capability merely means that the created io_uring > context will be accounted against the current user's RLIMIT_MEMLOCK > limit, we can disable auditing of denials for this check by using > ns_capable_noaudit() instead of capable(). > > [...] Applied, thanks! [1/1] io_uring: don't audit the capability check in io_uring_create() commit: 6adc2272aaaf84f34b652cf77f770c6fcc4b8336 Best regards,
On Tue, Jul 18, 2023 at 3:24 PM Jeff Moyer <jmoyer@redhat.com> wrote: > > Hi, Ondrej, > > Ondrej Mosnacek <omosnace@redhat.com> writes: > > > The check being unconditional may lead to unwanted denials reported by > > LSMs when a process has the capability granted by DAC, but denied by an > > LSM. In the case of SELinux such denials are a problem, since they can't > > be effectively filtered out via the policy and when not silenced, they > > produce noise that may hide a true problem or an attack. > > > > Since not having the capability merely means that the created io_uring > > context will be accounted against the current user's RLIMIT_MEMLOCK > > limit, we can disable auditing of denials for this check by using > > ns_capable_noaudit() instead of capable(). > > Could you add a comment, or add some documentation to > ns_capable_noaudit() about when it should be used? It wasn't apparent > to me, at least, before this explanation. This has been requested before, so I finally forced myself to look into it and only now I realized that there is a subtle difference between the has_capability and capable helpers. As the docstrings say, the former doesn't set the PF_SUPERPRIV on the task when the check succeeds, while the latter does. The problem is that I don't know what the exact implications are and thus I'm not able to document which helper should be used in what situation... It is possible some of the existing call sites use the wrong helper in the noaudit case (possibly including ones that I added/suggested). The comment at its declaration says "Used super-user privileges" and it seems to be used only to propagate into the ASU flag in task accounting information. But in the case of capability checks that do not fail the syscall it is not easy to tell if "super-user privileges" were "used" or not (or, rather, whether the task should be accounted as such or not after a successful check). If anyone is reading this and has a better understanding of the PF_SUPERPRIV flag semantics, I'd be thankful for a clarification so that we can sort out this mess :) -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 7505de2428e03..a9923676d16d6 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -3870,7 +3870,7 @@ static __cold int io_uring_create(unsigned entries, struct io_uring_params *p, ctx->syscall_iopoll = 1; ctx->compat = in_compat_syscall(); - if (!capable(CAP_IPC_LOCK)) + if (!ns_capable_noaudit(&init_user_ns, CAP_IPC_LOCK)) ctx->user = get_uid(current_user()); /*