Re: [RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd()

From: MickaÃl SalaÃn
Date: Wed Sep 14 2016 - 18:08:09 EST

Next message: Kyle Huey: "Re: [RESEND][PATCH v2 1/3] syscalls,x86 Expose arch_prctl on x86-32."
Previous message: Dan Williams: "Re: [PATCH] sparse: Track the boundaries of memory sections for accurate checks"
In reply to: MickaÃl SalaÃn: "[RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd()"
Next in thread: MickaÃl SalaÃn: "[RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 14/09/2016 09:24, MickaÃl SalaÃn wrote:
> Add security access check for cgroup backed FD. The "cgroup.procs" file
> of the corresponding cgroup must be readable to identify the cgroup, and
> writable to prove that the current process can manage this cgroup (e.g.
> through delegation). This is similar to the check done by
> cgroup_procs_write_permission().
>
> Signed-off-by: MickaÃl SalaÃn <mic@xxxxxxxxxxx>
> Cc: Alexei Starovoitov <ast@xxxxxxxxxx>
> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Cc: Daniel Mack <daniel@xxxxxxxxxx>
> Cc: David S. Miller <davem@xxxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> ---
> include/linux/cgroup.h | 2 +-
> kernel/bpf/arraymap.c | 2 +-
> kernel/bpf/syscall.c | 6 +++---
> kernel/cgroup.c | 16 +++++++++++++++-
> 4 files changed, 20 insertions(+), 6 deletions(-)
...
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 48b650a640a9..3bbaf3f02ed2 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -6241,17 +6241,20 @@ EXPORT_SYMBOL_GPL(cgroup_get_from_path);
> /**
> * cgroup_get_from_fd - get a cgroup pointer from a fd
> * @fd: fd obtained by open(cgroup2_dir)
> + * @access_mask: contains the permission mask
> *
> * Find the cgroup from a fd which should be obtained
> * by opening a cgroup directory. Returns a pointer to the
> * cgroup on success. ERR_PTR is returned if the cgroup
> * cannot be found.
> */
> -struct cgroup *cgroup_get_from_fd(int fd)
> +struct cgroup *cgroup_get_from_fd(int fd, int access_mask)
> {
> struct cgroup_subsys_state *css;
> struct cgroup *cgrp;
> struct file *f;
> + struct inode *inode;
> + int ret;
>
> f = fget_raw(fd);
> if (!f)
> @@ -6268,6 +6271,17 @@ struct cgroup *cgroup_get_from_fd(int fd)
> return ERR_PTR(-EBADF);
> }
>
> + ret = -ENOMEM;
> + inode = kernfs_get_inode(f->f_path.dentry->d_sb, cgrp->procs_file.kn);

I forgot to properly move fput(f) after this lineâ This will be fixed.

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Kyle Huey: "Re: [RESEND][PATCH v2 1/3] syscalls,x86 Expose arch_prctl on x86-32."
Previous message: Dan Williams: "Re: [PATCH] sparse: Track the boundaries of memory sections for accurate checks"
In reply to: MickaÃl SalaÃn: "[RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd()"
Next in thread: MickaÃl SalaÃn: "[RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]