From patchwork Mon Aug 14 14:26:09 2023
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 135498
From: Michael Weiß
Date: Mon, 14 Aug 2023 16:26:09 +0200
Subject: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
Message-Id: <20230814-devcg_guard-v1-1-654971ab88b1@aisec.fraunhofer.de>
References: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
In-Reply-To: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
Introduce the BPF_F_CGROUP_DEVICE_GUARD flag for BPF_PROG_LOAD which allows setting a cgroup device program to be a device guard. Later this may be used to guard actions on device nodes in non-initial userns. For this reason we provide the helper function cgroup_bpf_device_guard_enabled() to check if a task has a cgroup device program which is a device guard in its effective set of bpf programs.

Signed-off-by: Michael Weiß

--- include/linux/bpf-cgroup.h | 7 +++++++ include/linux/bpf.h | 1 + include/uapi/linux/bpf.h | 5 +++++ kernel/bpf/cgroup.c | 30 ++++++++++++++++++++++++++++++ kernel/bpf/syscall.c | 5 ++++- tools/include/uapi/linux/bpf.h | 5 +++++ 6 files changed, 52 insertions(+), 1 deletion(-) diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h index 57e9e109257e..112b6093f9fd 100644 --- a/include/linux/bpf-cgroup.h +++ b/include/linux/bpf-cgroup.h @@ -184,6 +184,8 @@ static inline bool cgroup_bpf_sock_enabled(struct sock *sk, return array != &bpf_empty_prog_array.hdr; } +bool cgroup_bpf_device_guard_enabled(struct task_struct *task); + /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */ #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \ ({ \
@@ -476,6 +478,11 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map, return 0; } +static bool cgroup_bpf_device_guard_enabled(struct task_struct *task) +{ + return false; +} + #define cgroup_bpf_enabled(atype) (0) #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, atype, t_ctx) ({ 0; }) #define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, atype) ({ 0; }) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index f58895830ada..313cce8aee05 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1384,6 +1384,7 @@ struct bpf_prog_aux { bool sleepable; bool tail_call_reachable; bool xdp_has_frags; + bool cgroup_device_guard; /* BTF_KIND_FUNC_PROTO for valid attach_btf_id */ const struct btf_type *attach_func_proto; /* function name for valid attach_btf_id */ diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 60a9d59beeab..3be57f7957b1 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -1165,6 +1165,11 @@ enum bpf_link_type { */ #define BPF_F_XDP_DEV_BOUND_ONLY (1U << 6) +/* If BPF_F_CGROUP_DEVICE_GUARD is used in BPF_PROG_LOAD command, the loaded + * program will be allowed to guard device access inside user namespaces. + */ +#define BPF_F_CGROUP_DEVICE_GUARD (1U << 7) + /* link_create.kprobe_multi.flags used in LINK_CREATE command for * BPF_TRACE_KPROBE_MULTI attach type to create return probe. */ diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 5b2741aa0d9b..230693ca4cdb 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c 
@@ -2505,6 +2505,36 @@ const struct bpf_verifier_ops cg_sockopt_verifier_ops = { const struct bpf_prog_ops cg_sockopt_prog_ops = { }; +bool +cgroup_bpf_device_guard_enabled(struct task_struct *task) +{ + bool ret; + const struct bpf_prog_array *array; + const struct bpf_prog_array_item *item; + const struct bpf_prog *prog; + struct cgroup *cgrp = task_dfl_cgroup(task); + + ret = false; + + array = rcu_access_pointer(cgrp->bpf.effective[CGROUP_DEVICE]); + if (array == &bpf_empty_prog_array.hdr) + return ret; + + mutex_lock(&cgroup_mutex); + array = rcu_dereference_protected(cgrp->bpf.effective[CGROUP_DEVICE], + lockdep_is_held(&cgroup_mutex)); + item = &array->items[0]; + while ((prog = READ_ONCE(item->prog))) { + if (prog->aux->cgroup_device_guard) { + ret = true; + break; + } + item++; + } + mutex_unlock(&cgroup_mutex); + return ret; +} + /* Common helpers for cgroup hooks. */ const struct bpf_func_proto * cgroup_common_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index a2aef900519c..33ea67c702c1 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2564,7 +2564,8 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size) BPF_F_SLEEPABLE | BPF_F_TEST_RND_HI32 | BPF_F_XDP_HAS_FRAGS | - BPF_F_XDP_DEV_BOUND_ONLY)) + BPF_F_XDP_DEV_BOUND_ONLY | + BPF_F_CGROUP_DEVICE_GUARD)) return -EINVAL; if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && @@ -2651,6 +2652,8 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size) prog->aux->dev_bound = !!attr->prog_ifindex; prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE; prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS; + prog->aux->cgroup_device_guard = + attr->prog_flags & BPF_F_CGROUP_DEVICE_GUARD; err = security_bpf_prog_alloc(prog->aux); if (err) 
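Review bot: the !CONFIG_CGROUP_BPF stub in include/linux/bpf-cgroup.h is declared `static bool cgroup_bpf_device_guard_enabled(struct task_struct *task)` without `inline`, unlike the neighbouring stubs such as `static inline int bpf_percpu_cgroup_storage_update(...)`; a non-inline static function in a header yields an unused-function warning in every translation unit that includes the header without calling it. Make it `static inline bool`.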
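Review bot: cgroup_bpf_device_guard_enabled() in kernel/bpf/cgroup.c takes the global cgroup_mutex to walk cgrp->bpf.effective[CGROUP_DEVICE], and patch 4 calls it from vfs_mknod() and may_open_dev(), so a sleeping global lock lands on the open path of every task whose effective set has any CGROUP_DEVICE program (the early rcu_access_pointer() comparison against &bpf_empty_prog_array.hdr only skips the lock when there is none). The run-filter helpers in this file walk the same array under rcu_read_lock() with rcu_dereference(), which is enough for a read-only scan of the prog pointers and keeps the function usable from non-sleeping contexts. task_dfl_cgroup(task) is also read here with neither RCU nor a cgroup reference held, so the cgroup can go away under the caller if the task migrates. Consider the RCU pattern and a comment on the locking expectations.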
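Review bot: bpf_prog_load() in kernel/bpf/syscall.c accepts BPF_F_CGROUP_DEVICE_GUARD in the generic prog_flags mask and copies it into prog->aux->cgroup_device_guard for any program type, so the bit can be set on, say, a socket filter where it means nothing but is still reported by patch 2. Reject the flag unless attr->prog_type is BPF_PROG_TYPE_CGROUP_DEVICE, e.g. `if ((attr->prog_flags & BPF_F_CGROUP_DEVICE_GUARD) && attr->prog_type != BPF_PROG_TYPE_CGROUP_DEVICE) return -EINVAL;`. Since the flag later relaxes the CAP_MKNOD check for every task the program covers, the uapi comment should also state who is expected to set it; as written, anyone who may load a cgroup device program may set it.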
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 60a9d59beeab..3be57f7957b1 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h 
@@ -1165,6 +1165,11 @@ enum bpf_link_type { */ #define BPF_F_XDP_DEV_BOUND_ONLY (1U << 6) +/* If BPF_F_CGROUP_DEVICE_GUARD is used in BPF_PROG_LOAD command, the loaded + * program will be allowed to guard device access inside user namespaces. + */ +#define BPF_F_CGROUP_DEVICE_GUARD (1U << 7) + /* link_create.kprobe_multi.flags used in LINK_CREATE command for * BPF_TRACE_KPROBE_MULTI attach type to create return probe. */

From patchwork Mon Aug 14 14:26:10 2023
X-Patchwork-Id: 135518
From: Michael Weiß
Date: Mon, 14 Aug 2023 16:26:10 +0200
Subject: [PATCH RFC 2/4] bpf: provide cgroup_device_guard in bpf_prog_info to user space
Message-Id: <20230814-devcg_guard-v1-2-654971ab88b1@aisec.fraunhofer.de>
References: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
In-Reply-To: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
To allow user space tools to check if a device guard is active, we extend the struct bpf_prog_info by a cgroup_device_guard field. This is then used by the bpftool in print_prog_header_*() functions.

Output of bpftool, here for the bpf prog of a GyroidOS container:

# ./bpftool prog show id 37
37: cgroup_device tag 1824c08482acee1b gpl cgdev_guard
	loaded_at 2023-08-14T13:47:10+0200 uid 0
	xlated 456B jited 311B memlock 4096B

Signed-off-by: Michael Weiß

--- include/uapi/linux/bpf.h | 3 ++- kernel/bpf/syscall.c | 1 + tools/bpf/bpftool/prog.c | 2 ++ tools/include/uapi/linux/bpf.h | 3 ++- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 3be57f7957b1..7b383665d5f4 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -6331,7 +6331,8 @@ struct bpf_prog_info { char name[BPF_OBJ_NAME_LEN]; __u32 ifindex; __u32 gpl_compatible:1; - __u32 :31; /* alignment pad */ + __u32 cgroup_device_guard:1; + __u32 :30; /* alignment pad */ __u64 netns_dev; __u64 netns_ino; __u32 nr_jited_ksyms; diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 33ea67c702c1..9bc6d5dd2e90 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -4062,6 +4062,7 @@ static int bpf_prog_get_info_by_fd(struct file *file, info.created_by_uid = from_kuid_munged(current_user_ns(), prog->aux->user->uid); info.gpl_compatible = prog->gpl_compatible; + info.cgroup_device_guard = prog->aux->cgroup_device_guard; memcpy(info.tag, prog->tag, sizeof(prog->tag)); memcpy(info.name, prog->aux->name, sizeof(prog->aux->name)); diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c index 8443a149dd17..66d21794b641 100644 --- a/tools/bpf/bpftool/prog.c +++ b/tools/bpf/bpftool/prog.c @@ -434,6 +434,7 @@ static void print_prog_header_json(struct bpf_prog_info *info, int fd) info->tag[4], info->tag[5], info->tag[6], info->tag[7]); jsonw_bool_field(json_wtr, "gpl_compatible", info->gpl_compatible); + jsonw_bool_field(json_wtr, "cgroup_device_guard", info->cgroup_device_guard); if (info->run_time_ns) { jsonw_uint_field(json_wtr, "run_time_ns", info->run_time_ns); jsonw_uint_field(json_wtr, "run_cnt", info->run_cnt); @@ -519,6 +520,7 @@ static void print_prog_header_plain(struct bpf_prog_info *info, int fd) fprint_hex(stdout, info->tag, BPF_TAG_SIZE, ""); print_dev_plain(info->ifindex, info->netns_dev, info->netns_ino); printf("%s", info->gpl_compatible ? " gpl" : ""); + printf("%s", info->cgroup_device_guard ? " cgdev_guard" : ""); if (info->run_time_ns) printf(" run_time_ns %lld run_cnt %lld", info->run_time_ns, info->run_cnt); diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 3be57f7957b1..7b383665d5f4 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h 
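Review bot: tools/bpf/bpftool/prog.c gains the ` cgdev_guard` token in print_prog_header_plain() and the `cgroup_device_guard` key in print_prog_header_json(), but the diffstat lists only the two bpf.h copies, syscall.c and prog.c, so the bpftool-prog man page source in the bpftool Documentation directory, which describes the fields of `bpftool prog show`, is not updated; document the new output field in the same patch.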
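Review bot: the new uapi bit `__u32 cgroup_device_guard:1;` in struct bpf_prog_info, filled in bpf_prog_get_info_by_fd() from prog->aux->cgroup_device_guard, has no comment saying what it reports. bpf_prog_info is read by libbpf and tools other than bpftool, so a one-line comment that the bit mirrors BPF_F_CGROUP_DEVICE_GUARD given at BPF_PROG_LOAD would make the uapi self-describing.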
@@ -6331,7 +6331,8 @@ struct bpf_prog_info { char name[BPF_OBJ_NAME_LEN]; __u32 ifindex; __u32 gpl_compatible:1; - __u32 :31; /* alignment pad */ + __u32 cgroup_device_guard:1; + __u32 :30; /* alignment pad */ __u64 netns_dev; __u64 netns_ino; __u32 nr_jited_ksyms;

From patchwork Mon Aug 14 14:26:11 2023
X-Patchwork-Id: 135496
From: Michael Weiß
Date: Mon, 14 Aug 2023 16:26:11 +0200
Subject: [PATCH RFC 3/4] device_cgroup: wrapper for bpf cgroup device guard
Message-Id: <20230814-devcg_guard-v1-3-654971ab88b1@aisec.fraunhofer.de>
References: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
In-Reply-To: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
Export the bpf based cgroup guard through device_cgroup to others. Thus, devcgroup_task_is_guarded() could be used by subsystems which already make use of device_cgroup features, such as fs/namei.

Signed-off-by: Michael Weiß

--- include/linux/device_cgroup.h | 7 +++++++ security/device_cgroup.c | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h index d02f32b7514e..00c0748b6a8d 100644 --- a/include/linux/device_cgroup.h +++ b/include/linux/device_cgroup.h @@ -65,3 +65,10 @@ static inline int devcgroup_inode_permission(struct inode *inode, int mask) static inline int devcgroup_inode_mknod(int mode, dev_t dev) { return 0; } #endif + +#ifdef CONFIG_CGROUP_BPF +bool devcgroup_task_is_guarded(struct task_struct *task); +#else +static inline bool devcgroup_task_is_guarded(struct task_struct *task) +{ return false; } +#endif /* CONFIG_CGROUP_BPF */ diff --git a/security/device_cgroup.c b/security/device_cgroup.c index dc4df7475081..95200a3d0b63 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c
@@ -874,3 +874,13 @@ int devcgroup_check_permission(short type, u32 major, u32 minor, short access) } EXPORT_SYMBOL(devcgroup_check_permission); #endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */ + +#ifdef CONFIG_CGROUP_BPF + +bool devcgroup_task_is_guarded(struct task_struct *task) +{ + return (cgroup_bpf_enabled(CGROUP_DEVICE) && + cgroup_bpf_device_guard_enabled(task)); +} +EXPORT_SYMBOL(devcgroup_task_is_guarded); +#endif /* CONFIG_CGROUP_BPF */
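Review bot: devcgroup_task_is_guarded() is exported and, per the commit message, meant to be called from subsystems outside security/, yet it carries no kernel-doc comment. State what "guarded" means (the task's default cgroup has a CGROUP_DEVICE program loaded with BPF_F_CGROUP_DEVICE_GUARD in its effective set) and that it may sleep while the helper from patch 1 takes cgroup_mutex, so callers know the locking context. The EXPORT_SYMBOL matches the neighbouring devcgroup_check_permission(), but the only caller this series adds is fs/namei.c, which is built in, so the export may not be needed at all.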
From patchwork Mon Aug 14 14:26:12 2023
X-Patchwork-Id: 135497
From: Michael Weiß
Date: Mon, 14 Aug 2023 16:26:12 +0200
Subject: [PATCH RFC 4/4] fs: allow mknod in non-initial userns using cgroup device guard
Message-Id: <20230814-devcg_guard-v1-4-654971ab88b1@aisec.fraunhofer.de>
References: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
In-Reply-To: <20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
If a container manager restricts its unprivileged (user namespaced) children by a device cgroup, it is not necessary to deny mknod anymore. Thus, user space applications may map devices on different locations in the file system by using mknod() inside the container.

A use case for this, which we also use in GyroidOS, is to run virsh for VMs inside an unprivileged container. virsh creates device nodes, e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails in a non-initial userns, even if a cgroup device white list with the corresponding major, minor of /dev/null exists. Thus, in this case the usual bind mounts or pre-populated device nodes under /dev are not sufficient.

To circumvent this limitation, we allow mknod() in fs/namei.c if a bpf cgroup device guard is enabled for the current task using devcgroup_task_is_guarded() and check CAP_MKNOD for the current user namespace by ns_capable() instead of the global CAP_MKNOD.

To avoid unusable device nodes on file systems mounted in non-initial user namespace, may_open_dev() ignores the SB_I_NODEV for cgroup device guarded tasks.

Signed-off-by: Michael Weiß

--- fs/namei.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index e56ff39a79bc..ef4f22b9575c 100644 --- a/fs/namei.c +++ b/fs/namei.c
@@ -3221,6 +3221,9 @@ EXPORT_SYMBOL(vfs_mkobj); bool may_open_dev(const struct path *path) { + if (devcgroup_task_is_guarded(current)) + return !(path->mnt->mnt_flags & MNT_NODEV); + return !(path->mnt->mnt_flags & MNT_NODEV) && !(path->mnt->mnt_sb->s_iflags & SB_I_NODEV); } @@ -3976,9 +3979,19 @@ int vfs_mknod(struct mnt_idmap *idmap, struct inode *dir, if (error) return error; - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !is_whiteout && - !capable(CAP_MKNOD)) - return -EPERM; + /* + * In case of a device cgroup restirction allow mknod in user + * namespace. Otherwise just check global capability; thus, + * mknod is also disabled for user namespace other than the + * initial one. + */ + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !is_whiteout) { + if (devcgroup_task_is_guarded(current)) { + if (!ns_capable(current_user_ns(), CAP_MKNOD)) + return -EPERM; + } else if (!capable(CAP_MKNOD)) + return -EPERM; + } if (!dir->i_op->mknod) return -EPERM;
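Review bot: the early return added to may_open_dev() drops the SB_I_NODEV check for guarded tasks on every superblock, not only on filesystems mounted inside the task's own user namespace. SB_I_NODEV is what keeps device nodes on unprivileged mounts inert, so after this change the device program's open-time decision is the only thing between a guarded task and any device node it can reach on such a mount; the commit message should say so explicitly, and limiting the bypass to superblocks whose s_user_ns matches current_user_ns() would keep the original protection for everything else.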
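Review bot: the new branch in vfs_mknod() checks ns_capable(current_user_ns(), CAP_MKNOD) but does not tie the capability to the filesystem the node is created on, so a guarded task that holds CAP_MKNOD only in its own user namespace can create device nodes on a filesystem owned by init_user_ns wherever it can write to a directory. Checking CAP_MKNOD against dir->i_sb->s_user_ns (or requiring both) scopes the check to the owner of the filesystem. Nothing in this hunk compares the requested major/minor with the device program either; if that is enforced later in vfs_mknod(), the new comment should say so, since the commit message describes the allowed case as one where a matching white list entry exists. The comment also has a typo, "restirction" for "restriction", and "for user namespace other than the initial one" should read "for user namespaces other than the initial one".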