From patchwork Wed Jan 25 15:55:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mateusz Guzik X-Patchwork-Id: 48195 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp353426wrn; Wed, 25 Jan 2023 08:07:40 -0800 (PST) X-Google-Smtp-Source: AK7set903b2Z77iUvanz60b+flXnaR36qQXOd5I7uSY++hKm09Id3nIFCUKS7AcGh2RJgbOkqxSi X-Received: by 2002:aa7:c697:0:b0:4a0:b6c8:2555 with SMTP id n23-20020aa7c697000000b004a0b6c82555mr327992edq.10.1674662860071; Wed, 25 Jan 2023 08:07:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674662860; cv=none; d=google.com; s=arc-20160816; b=CI4fg+tNzcC1BQGza89cbqCe3ybenFycMuWiyZQrmayPHed9rhORHnpsqH7RBu8yXi aq2aXdHNO1H0F9SQ638cJPmkvQ8CeN1AtLGlAxXVmhgnreaadQAfN0EoBCea3af0oA8a ehvosaSduQEOUJzRKezChmd4UWZx9oDJOM/+esMRcUFpv6mQADQg/mmbI1q3XTx4ATK/ dBlwmx4f0tXGZ+zHtwkmVJSoShyHpLu5d5dqrw5GtE1E4+JXFhtGvR7nF0CXJeV9+7Md w72d8y/dlax6vFRdwxd8otVK8goRUa2FJcVXSXCouHbRPFoR+wX5ApT/LKkumKaGBfLc PygQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=YwP2tm0CAOWY073suUhF0J/FRKYyYwUasCH1kI3YMoo=; b=NCGnAx1XwQ//bIaqKW+L+wnZmbmL9vINeEEv1bDp3npqPXy/JCgTdxKewpYw/PWqRK VDr/elzLqxxcPWUvTSJAuUmPsuUWApvx/YWMouFwH363DKcrMjbSzqhxwJL/FkWDA/09 t+ZCauPMOppAZVBrQlJE1Paqoxb3t9VQDQALMOFBC40S9HaQpdX4eqmuhsW/r45aaT8Y 5yStK5sVWhRPZvuW4Y9F1e5z6IMSguyx8us/+lmMTd6/OC9qC2CwT2Zfs2im706yfLjo M4udV0ME9jXZ6UZumOt454PepZBcXiX7m0iSOBosXEUFKoWJzKKtt8XcjHm5LZyMpR85 m1Uw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=b4Hz3cF3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f29-20020a50d55d000000b0049f512ad602si7589129edj.336.2023.01.25.08.07.15; Wed, 25 Jan 2023 08:07:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=b4Hz3cF3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235651AbjAYP4T (ORCPT + 99 others); Wed, 25 Jan 2023 10:56:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235046AbjAYP4G (ORCPT ); Wed, 25 Jan 2023 10:56:06 -0500 Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4EBD4113CE; Wed, 25 Jan 2023 07:56:04 -0800 (PST) Received: by mail-ed1-x52b.google.com with SMTP id u21so363019edv.3; Wed, 25 Jan 2023 07:56:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=YwP2tm0CAOWY073suUhF0J/FRKYyYwUasCH1kI3YMoo=; b=b4Hz3cF3NnfPCbJomxECRfpWj1EP+pcb7wwtSC3FfiHAtis7Fa5wHww841JNA8SfCs KI5ydzziw1GyKjGph9B0R2bUY7w9eOIMCiTMtCSSwWRTFgBMIt4vtyya0bEhltICTtVT HXPXkm03w94K7eVlE/046M5lHlrZWMorer8C2PysP7EH16d7r+bD88618oouazgF7DyM lq1b9BR2r7hz8Vt/cNVQBdXlV+5k/zhxf3vFE1K3xOBT4iR+LgBpsWRdaDwt70ZzENJ8 E17gitlojSEGk8tS2+lhF2KG1aa0M6ldVeBY+eRTMlnaMTv7ehMB8GLnbQ/ZCcBtGVkX VXFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YwP2tm0CAOWY073suUhF0J/FRKYyYwUasCH1kI3YMoo=; b=zttSkI4LdfEFVPiVdkjO6vCwoLb91LO6Y92BsBwYQhR9a8BgBiccBdFQY6V2c4Ewyi 1B1Re6vMRYDtFvkUd2PJRhLRcMWZ3XwASA1auypK/TAxbrMjWBFFhlq7Ck+TmX+Le9rs 7R4qzhMsHycJo7iGiGmnmj/LLooIHaKST3XmlZoz1kvHrjopPwCYYFNZbhp0HQsmiyHC 40AGWLmsmxkWdZFL2SgTGa4susBh+QnI3Pa/zusQKakG6ezTt5witsfVZixuNaO1Y6DO 91J0AvpPHnF0rjy0Tnyd51OSJ/dTzM3UU5eU4QMb9+aIbaBymFwJsY2dSq9JUF7FOTFS YAKg== X-Gm-Message-State: AFqh2krYGRCz0iBEkBtJUsaWBcU6F/lW15jjUZK6CQJagvdPrcppj9if AEILbNy0obDH7bzHTQCd10I= X-Received: by 2002:a05:6402:25cb:b0:49d:6ebe:e9dc with SMTP id x11-20020a05640225cb00b0049d6ebee9dcmr43014072edb.25.1674662162788; Wed, 25 Jan 2023 07:56:02 -0800 (PST) Received: from f.. (cst-prg-88-122.cust.vodafone.cz. [46.135.88.122]) by smtp.gmail.com with ESMTPSA id d24-20020a056402517800b0049e249c0e56sm2539287ede.56.2023.01.25.07.56.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Jan 2023 07:56:02 -0800 (PST) From: Mateusz Guzik To: viro@zeniv.linux.org.uk Cc: serge@hallyn.com, torvalds@linux-foundation.org, paul@paul-moore.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Mateusz Guzik Subject: [PATCH v3 1/2] capability: add cap_isidentical Date: Wed, 25 Jan 2023 16:55:56 +0100 Message-Id: <20230125155557.37816-1-mjguzik@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1756011283097111069?= X-GMAIL-MSGID: =?utf-8?q?1756011283097111069?= Signed-off-by: Mateusz Guzik Reviewed-by: Serge Hallyn --- include/linux/capability.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..736a973c677a 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -156,6 +156,16 @@ static inline bool cap_isclear(const kernel_cap_t a) return true; } +static inline bool cap_isidentical(const kernel_cap_t a, const kernel_cap_t b) +{ + unsigned __capi; + CAP_FOR_EACH_U32(__capi) { + if (a.cap[__capi] != b.cap[__capi]) + return false; + } + return true; +} + /* * Check if "a" is a subset of "set". * return true if ALL of the capabilities in "a" are also in "set" From patchwork Wed Jan 25 15:55:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mateusz Guzik X-Patchwork-Id: 48197 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp361291wrn; Wed, 25 Jan 2023 08:21:58 -0800 (PST) X-Google-Smtp-Source: AMrXdXvJPjNmWlw5NwnWtsXKU3WwT/8sJ8E8HFU/etrOjXYKf8w1YptE7/8CVBr3qsnyA8N4Lcfm X-Received: by 2002:a17:90a:1905:b0:22a:83:647f with SMTP id 5-20020a17090a190500b0022a0083647fmr23132866pjg.32.1674663718488; Wed, 25 Jan 2023 08:21:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674663718; cv=none; d=google.com; s=arc-20160816; b=oZc9JcZtN9TeFfXBmerv5nU90ALz/6AtixBrycWTamHpmi6rgOH9D5Y97KzY0uWmMe /A38WE7vFK989yGpztXuSWCdl9aKh3ivrMUQe1oh03Zm/gHZnoQ2G2vzB5mZU84Tp8GP 2yHVMdGMP8090BAM6TSXSnQXnf2jgVfBAH71icggWh6887Dgj/9ak+1RRKI345FfI7Tf P5bpNgn3z2Bk6Fw7+A+jShhi81Iv3SDMFLuTQk37kN6um73wQ0xRHQcMi2YF+KSJw7B7 Wy8ec1RCFAXd9UqRJo3PaZc0qcCBrgnAlJrXWSh3xzlOzglDSxbmM/l/K+PxUCYEC8ZL rgNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Fzcelv9hExj0f2F+i5zGp2yUjab3yaJdo+KwahsiJf0=; b=wUWFRkG9dRonHc8gP4UlABJF5Wcnci7WHZxrOhPvvyckQUS+3u4xDrOwX6s98KFm24 Ohw1nbqbWj2n6l5B4wKRC8M9AxamOli/iudn6yfffbmiCrmiLivS/qIOr/5becqwcb4o l4CHQBMNZ6byifQfiYErk0He8l2resxv9eVOJwuuC+zRYt89yR8JaMUqc/Uc7fv1Hzuq W+XvxfQTvi0bsl9gN+ZrU2OiBZS+g+HVmimSw4MNF2JJJRyYsb48WR7tvcQusBczfNU/ KjTMYUphLzlklQi2X03Q9dyfjRbSv9WoAcJ+nrJNq1PqcWNKxT9DFAMi8iCzXy4IfCD2 IWXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=nE90rl6f; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s6-20020a63af46000000b004b60d66f56asi5440875pgo.181.2023.01.25.08.21.46; Wed, 25 Jan 2023 08:21:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=nE90rl6f; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235846AbjAYP4X (ORCPT + 99 others); Wed, 25 Jan 2023 10:56:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235283AbjAYP4I (ORCPT ); Wed, 25 Jan 2023 10:56:08 -0500 Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D994A10AB4; Wed, 25 Jan 2023 07:56:06 -0800 (PST) Received: by mail-ed1-x529.google.com with SMTP id w11so6944394edv.0; Wed, 25 Jan 2023 07:56:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Fzcelv9hExj0f2F+i5zGp2yUjab3yaJdo+KwahsiJf0=; b=nE90rl6fqAh0jCIH7Gl0AQ0V9jAsrWH1dAAnE8tualF10WBRgjTq9SGZySM3YXKZcV bu1dhTOjsVlLchc6+T38L1tBOAU1k9Jp2fAxreOzHEH9BDYJU6THRdA3b4ksRzFwD22f p0JqXDNBePZJFj0OenNUwLrZQDZTVRRuc5OrBIhIY5ec+BqzLZ36hBoBH4f2qHqVESYy IWW2JDsVRA0CP8Ur1FYGWYiq8PPQqatWyXUloFVR8IEME8L2Rj238p3adSkruE/VIDRf 4ptc4p0Ac0iLQ29cRsd39P78TFO+Xtvtp+dHJnb3JrRX3X2ZXbhMo4B3Fmi171xeefx7 9y7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Fzcelv9hExj0f2F+i5zGp2yUjab3yaJdo+KwahsiJf0=; b=TtbrFCAcP6EI5ecm6opJH80EA89rNw3MqUfBO5X8oZKMVhbwWTBPVWWEjWRwC+y15C zPjKyo3pS/R0gDZV9+GlePba5wP7+qf5BUP7Ol0ZXC2KMj8h7CLv7US3GCb2frkYJUuI kIbWa2HAoaYmO7gKByJGjAq3XC3iaw4jHQubUoAnSWU9oM9Uv7bSPJM6/iljuTamN0qy kacIlkyTmwbPqyRDD+BIIxG/9cXi4wPK2b+pA60XsDPjCnnfqeZKBLf7FxN3vfubkCOo BHsvVJ7VQ7zH9hGbUXT3syf+uGaOclId9nMdGzY9fKXJEqKcyEdKOjsMEbFN6wWTBwnZ pDUA== X-Gm-Message-State: AFqh2kqNQKTl06zEofzIFUQzB2L946AYZbOAl491grqKdS3HYnL4AuAR tXvXcbHYyU2DaRqV0dC3+5o= X-Received: by 2002:aa7:cac2:0:b0:497:948b:e8 with SMTP id l2-20020aa7cac2000000b00497948b00e8mr30451221edt.6.1674662165281; Wed, 25 Jan 2023 07:56:05 -0800 (PST) Received: from f.. (cst-prg-88-122.cust.vodafone.cz. [46.135.88.122]) by smtp.gmail.com with ESMTPSA id d24-20020a056402517800b0049e249c0e56sm2539287ede.56.2023.01.25.07.56.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Jan 2023 07:56:04 -0800 (PST) From: Mateusz Guzik To: viro@zeniv.linux.org.uk Cc: serge@hallyn.com, torvalds@linux-foundation.org, paul@paul-moore.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Mateusz Guzik Subject: [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if possible Date: Wed, 25 Jan 2023 16:55:57 +0100 Message-Id: <20230125155557.37816-2-mjguzik@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230125155557.37816-1-mjguzik@gmail.com> References: <20230125155557.37816-1-mjguzik@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1756012183376663398?= X-GMAIL-MSGID: =?utf-8?q?1756012183376663398?= access(2) remains commonly used, for example on exec: access("/etc/ld.so.preload", R_OK) or when running gcc: strace -c gcc empty.c % time seconds usecs/call calls errors syscall ------ ----------- ----------- --------- --------- ---------------- 0.00 0.000000 0 42 26 access It falls down to do_faccessat without the AT_EACCESS flag, which in turn results in allocation of new creds in order to modify fsuid/fsgid and caps. This is a very expensive process single-threaded and most notably multi-threaded, with numerous structures getting refed and unrefed on imminent new cred destruction. Turns out for typical consumers the resulting creds would be identical and this can be checked upfront, avoiding the hard work. An access benchmark plugged into will-it-scale running on Cascade Lake shows: test proc before after access1 1 1310582 2908735 (+121%) # distinct files access1 24 4716491 63822173 (+1353%) # distinct files access2 24 2378041 5370335 (+125%) # same file The above benchmarks are not integrated into will-it-scale, but can be found in a pull request: https://github.com/antonblanchard/will-it-scale/pull/36/files Signed-off-by: Mateusz Guzik v3: - add a comment warning about changing access_override_creds v2: - fix current->cred usage warn reported by the kernel test robot Link: https://lore.kernel.org/all/202301150709.9EC6UKBT-lkp@intel.com/ --- fs/open.c | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index 82c1a28b3308..2afed058250c 100644 --- a/fs/open.c +++ b/fs/open.c @@ -367,7 +367,37 @@ COMPAT_SYSCALL_DEFINE6(fallocate, int, fd, int, mode, compat_arg_u64_dual(offset * access() needs to use the real uid/gid, not the effective uid/gid. * We do this by temporarily clearing all FS-related capabilities and * switching the fsuid/fsgid around to the real ones. + * + * Creating new credentials is expensive, so we try to skip doing it, + * which we can if the result would match what we already got. */ +static bool access_need_override_creds(int flags) +{ + const struct cred *cred; + + if (flags & AT_EACCESS) + return false; + + cred = current_cred(); + if (!uid_eq(cred->fsuid, cred->uid) || + !gid_eq(cred->fsgid, cred->gid)) + return true; + + if (!issecure(SECURE_NO_SETUID_FIXUP)) { + kuid_t root_uid = make_kuid(cred->user_ns, 0); + if (!uid_eq(cred->uid, root_uid)) { + if (!cap_isclear(cred->cap_effective)) + return true; + } else { + if (!cap_isidentical(cred->cap_effective, + cred->cap_permitted)) + return true; + } + } + + return false; +} + static const struct cred *access_override_creds(void) { const struct cred *old_cred; @@ -377,6 +407,12 @@ static const struct cred *access_override_creds(void) if (!override_cred) return NULL; + /* + * XXX access_need_override_creds performs checks in hopes of skipping + * this work. Make sure it stays in sync if making any changes in this + * routine. + */ + override_cred->fsuid = override_cred->uid; override_cred->fsgid = override_cred->gid; @@ -436,7 +472,7 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla if (flags & AT_EMPTY_PATH) lookup_flags |= LOOKUP_EMPTY; - if (!(flags & AT_EACCESS)) { + if (access_need_override_creds(flags)) { old_cred = access_override_creds(); if (!old_cred) return -ENOMEM;