From patchwork Tue Oct 25 11:31:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wang Weiyang <wangweiyang2@huawei.com>
X-Patchwork-Id: 10716
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp938306wru;
        Tue, 25 Oct 2022 04:05:43 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM6eL3l/eJ1L8aajYoaPipllRuotNCkK3/OC+qalsCoEuK/c82sYjSj8lYDwFsDXicheYFE1
X-Received: by 2002:a17:907:2c72:b0:7a4:a4b4:9fcb with SMTP id
 ib18-20020a1709072c7200b007a4a4b49fcbmr11379623ejc.403.1666695943697;
        Tue, 25 Oct 2022 04:05:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666695943; cv=none;
        d=google.com; s=arc-20160816;
        b=YW4rMqoPHDgkDeoBMGqY32z98W7KcmtlOrxztmvwFhUphb1022Wcz92o63fACQG1B/
         Ay7DNbFRXZ5o5MibVQCLN3TFcrHYA7BykEVTWnRYUONCrVCPm9GLqImIn0pXfs91eXyr
         oaJusLsJhWFNDhfIqXtNpc9YcMJSvjuytOGuBr8gk7q76VHrkKdfXg8YCbgA4LzqUvNd
         EfQxzQBtIsrrlJC9WBYUpaiaOGdDAI46fd3lTOXoDaRephV98x9MHthr9SXp+utAGfH1
         0bEa1RGU2oV1Bdpv4vMpa/8+FhdqsDBhLlaBaSOJ98q/JZgsQ7k9UJnE/a/517UGy55t
         LNQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
        bh=frCaxaac5j5si0HeN1SjHkj14EUiI0DuIwDRo8Q5nvY=;
        b=bLBgHH0euziRx42F/d5l1QvxAYSbAj82lM4qQTfSO3wFVt7yLwgNiyorG+GX2bOTeK
         txeDp/wvq8V7GPTgQeIVuDVNFnbSFKPQcWZOMJzoDQI83hqtFbFCzf1qcrCqCUGSf3er
         YKiPovV4jWBK7/2cnPv7BL1PN9pWrEfCehBtyr7poC31if+yxzmjQ10xtJYPbZGkePmq
         CHnCWLaO3tbxKYbeWvN0ZLXy34GeuMWtmlw19t1n9Gu9QUZ/F2iQ1be8tEMLEGlpJBW/
         97rGwVryC4x+cAISv/0ANChtNlxawwJLW+nNoPT9ReVPTYfv167olXtzRbSfPJklmX6J
         vkcA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 u19-20020a1709067d1300b00711da52c6e4si2217620ejo.309.2022.10.25.04.05.07;
        Tue, 25 Oct 2022 04:05:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232221AbiJYLCa (ORCPT <rfc822;lucius.rs.storz@gmail.com>
        + 99 others); Tue, 25 Oct 2022 07:02:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38126 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230245AbiJYLC2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 25 Oct 2022 07:02:28 -0400
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 957F3DFB4B;
        Tue, 25 Oct 2022 04:02:25 -0700 (PDT)
Received: from dggpemm500023.china.huawei.com (unknown [172.30.72.54])
        by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4MxTV22n9xzJn7j;
        Tue, 25 Oct 2022 18:59:38 +0800 (CST)
Received: from dggpemm500001.china.huawei.com (7.185.36.107) by
 dggpemm500023.china.huawei.com (7.185.36.83) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.31; Tue, 25 Oct 2022 19:02:23 +0800
Received: from octopus.huawei.com (10.67.174.191) by
 dggpemm500001.china.huawei.com (7.185.36.107) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.31; Tue, 25 Oct 2022 19:02:23 +0800
From: Wang Weiyang <wangweiyang2@huawei.com>
To: <paul@paul-moore.com>, <jmorris@namei.org>, <serge@hallyn.com>,
        <serge.hallyn@canonical.com>, <akpm@linux-foundation.org>,
        <aris@redhat.com>
CC: <linux-security-module@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>
Subject: [PATCH] device_cgroup: Roll back to original exceptions after copy
 failure
Date: Tue, 25 Oct 2022 19:31:01 +0800
Message-ID: <20221025113101.41132-1-wangweiyang2@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
X-Originating-IP: [10.67.174.191]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
 dggpemm500001.china.huawei.com (7.185.36.107)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747657366077227166?=
X-GMAIL-MSGID: =?utf-8?q?1747657366077227166?=

When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
exceptions will be cleaned and A's behavior is changed to
DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
whitelist. If copy failure occurs, just return leaving A to grant
permissions to all devices. And A may grant more permissions than
parent.

Backup A's whitelist and recover original exceptions after copy
failure.

Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Aristeu Rozanski <aris@redhat.com>
---
 security/device_cgroup.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index a9f8c63a96d1..bef2b9285fb3 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
 	return -ENOMEM;
 }
 
+static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
+{
+	struct dev_exception_item *ex, *tmp;
+
+	lockdep_assert_held(&devcgroup_mutex);
+
+	list_for_each_entry_safe(ex, tmp, orig, list) {
+		list_move_tail(&ex->list, dest);
+	}
+}
+
 /*
  * called under devcgroup_mutex
  */
@@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 	int count, rc = 0;
 	struct dev_exception_item ex;
 	struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
+	struct dev_cgroup tmp_devcgrp;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	memset(&ex, 0, sizeof(ex));
+	memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
 	b = buffer;
 
 	switch (*b) {
@@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 
 			if (!may_allow_all(parent))
 				return -EPERM;
-			dev_exception_clean(devcgroup);
-			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
-			if (!parent)
+			if (!parent) {
+				devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+				dev_exception_clean(devcgroup);
 				break;
+			}
 
+			INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
+			rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
+						 &devcgroup->exceptions);
+			if (rc)
+				return rc;
+			dev_exception_clean(devcgroup);
 			rc = dev_exceptions_copy(&devcgroup->exceptions,
 						 &parent->exceptions);
-			if (rc)
+			if (rc) {
+				dev_exceptions_move(&devcgroup->exceptions,
+						    &tmp_devcgrp.exceptions);
 				return rc;
+			}
+			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+			dev_exception_clean(&tmp_devcgrp);
 			break;
 		case DEVCG_DENY:
 			if (css_has_online_children(&devcgroup->css))