* [PATCH] ipc: check checkpoint_restore_ns_capable() to modify C/R proc files
@ 2021-09-16 16:37 Michal Clapinski
  2021-09-17  6:34 ` kernel test robot
  0 siblings, 1 reply; 2+ messages in thread
From: Michal Clapinski @ 2021-09-16 16:37 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel, Michal Clapinski

This commit removes the requirement to be root to modify sem_next_id,
msg_next_id and shm_next_id and checks checkpoint_restore_ns_capable
instead.

Since those files are specific to the IPC namespace, there is no reason
they should require global root privileges: CAP_CHECKPOINT_RESTORE in the
user namespace that owns the IPC namespace is sufficient. This is similar
to ns_last_pid, which also only checks checkpoint_restore_ns_capable().

Signed-off-by: Michal Clapinski <mclapinski@google.com>
---
 ipc/ipc_sysctl.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index 3f312bf2b116..f8e27203ca49 100644
--- a/ipc/ipc_sysctl.c
+++ b/ipc/ipc_sysctl.c
@@ -104,6 +104,19 @@ static int proc_ipc_sem_dointvec(struct ctl_table *table, int write,
 	return ret;
 }
 
+#ifdef CONFIG_CHECKPOINT_RESTORE
+static int proc_ipc_dointvec_minmax_checkpoint_restore(struct ctl_table *table,
+		int write, void *buffer, size_t *lenp, loff_t *ppos)
+{
+	struct user_namespace *user_ns = current->nsproxy->ipc_ns->user_ns;
+
+	if (write && !checkpoint_restore_ns_capable(user_ns))
+		return -EPERM;
+
+	return proc_ipc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+#endif
+
 #else
 #define proc_ipc_doulongvec_minmax NULL
 #define proc_ipc_dointvec	   NULL
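Review bot: The new handler carries no comment saying why the capability is checked against the IPC namespace's owning user namespace rather than init_user_ns, nor that this check becomes the only gate on writes once the *_next_id entries are opened to mode 0666 further down in the patch; a maintainer who later swaps the handler back to proc_ipc_dointvec_minmax would drop the restriction silently. I would add above the function: `/* Sole write gate for *_next_id: the sysctl entries are mode 0666 so a CAP_CHECKPOINT_RESTORE holder in the user namespace owning this IPC namespace (not only global root) can restore object IDs; reads pass through unrestricted. */`. Reads fall through to proc_ipc_dointvec_minmax unchanged, which matches the read bits the files already had at 0644. The table entries that reference this handler presumably sit under the same `#ifdef CONFIG_CHECKPOINT_RESTORE`, but that is outside this hunk.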
@@ -111,6 +124,9 @@ static int proc_ipc_sem_dointvec(struct ctl_table *table, int write,
 #define proc_ipc_dointvec_minmax_orphans   NULL
 #define proc_ipc_auto_msgmni	   NULL
 #define proc_ipc_sem_dointvec	   NULL
+#ifdef CONFIG_CHECKPOINT_RESTORE
+#define proc_ipc_dointvec_minmax_checkpoint_restore	NULL
+#endif	/* CONFIG_CHECKPOINT_RESTORE */
 #endif
 
 int ipc_mni = IPCMNI;
@@ -198,8 +214,8 @@ static struct ctl_table ipc_kern_table[] = {
 		.procname	= "sem_next_id",
 		.data		= &init_ipc_ns.ids[IPC_SEM_IDS].next_id,
 		.maxlen		= sizeof(init_ipc_ns.ids[IPC_SEM_IDS].next_id),
-		.mode		= 0644,
-		.proc_handler	= proc_ipc_dointvec_minmax,
+		.mode		= 0666,
+		.proc_handler	= proc_ipc_dointvec_minmax_checkpoint_restore,
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_INT_MAX,
 	},
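Review bot: With `.mode = 0666` the DAC check no longer restricts writers at all, so the -EPERM from proc_ipc_dointvec_minmax_checkpoint_restore is the single barrier between an unprivileged user and resetting the next semaphore ID, and nothing on the mode line records that dependency. A one-line comment would keep it from being lost if the handler is ever changed: `.mode = 0666, /* writes gated by checkpoint_restore_ns_capable() in the handler */`. Whether the sysctl root for this table installs a `.permissions` callback that would add a second gate is not visible here; I assume it does not. The same pattern recurs for msg_next_id and shm_next_id in the following hunks and deserves the same note.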
@@ -207,8 +223,8 @@ static struct ctl_table ipc_kern_table[] = {
 		.procname	= "msg_next_id",
 		.data		= &init_ipc_ns.ids[IPC_MSG_IDS].next_id,
 		.maxlen		= sizeof(init_ipc_ns.ids[IPC_MSG_IDS].next_id),
-		.mode		= 0644,
-		.proc_handler	= proc_ipc_dointvec_minmax,
+		.mode		= 0666,
+		.proc_handler	= proc_ipc_dointvec_minmax_checkpoint_restore,
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_INT_MAX,
 	},
@@ -216,8 +232,8 @@ static struct ctl_table ipc_kern_table[] = {
 		.procname	= "shm_next_id",
 		.data		= &init_ipc_ns.ids[IPC_SHM_IDS].next_id,
 		.maxlen		= sizeof(init_ipc_ns.ids[IPC_SHM_IDS].next_id),
-		.mode		= 0644,
-		.proc_handler	= proc_ipc_dointvec_minmax,
+		.mode		= 0666,
+		.proc_handler	= proc_ipc_dointvec_minmax_checkpoint_restore,
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_INT_MAX,
 	},
-- 
2.33.0.309.g3052b89438-goog



* Re: [PATCH] ipc: check checkpoint_restore_ns_capable() to modify C/R proc files
  2021-09-16 16:37 [PATCH] ipc: check checkpoint_restore_ns_capable() to modify C/R proc files Michal Clapinski
@ 2021-09-17  6:34 ` kernel test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2021-09-17  6:34 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 3243 bytes --]

Hi Michal,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on hnaz-mm/master]
[also build test ERROR on linux/master linus/master v5.15-rc1 next-20210916]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Michal-Clapinski/ipc-check-checkpoint_restore_ns_capable-to-modify-C-R-proc-files/20210917-020956
base:   https://github.com/hnaz/linux-mm master
config: microblaze-randconfig-r011-20210916 (attached as .config)
compiler: microblaze-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/a667ba4d29dc378f8692185740d1e016832ca20a
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Michal-Clapinski/ipc-check-checkpoint_restore_ns_capable-to-modify-C-R-proc-files/20210917-020956
        git checkout a667ba4d29dc378f8692185740d1e016832ca20a
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=microblaze 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from include/linux/kernel.h:11,
                    from include/linux/list.h:9,
                    from include/linux/module.h:12,
                    from ipc/ipc_sysctl.c:8:
   ipc/ipc_sysctl.c: In function 'proc_ipc_dointvec_minmax_checkpoint_restore':
>> ipc/ipc_sysctl.c:113:23: error: implicit declaration of function 'checkpoint_restore_ns_capable' [-Werror=implicit-function-declaration]
     113 |         if (write && !checkpoint_restore_ns_capable(user_ns))
         |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:58:52: note: in definition of macro '__trace_if_var'
      58 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
         |                                                    ^~~~
   ipc/ipc_sysctl.c:113:9: note: in expansion of macro 'if'
     113 |         if (write && !checkpoint_restore_ns_capable(user_ns))
         |         ^~
   cc1: some warnings being treated as errors


vim +/checkpoint_restore_ns_capable +113 ipc/ipc_sysctl.c

   106	
   107	#ifdef CONFIG_CHECKPOINT_RESTORE
   108	static int proc_ipc_dointvec_minmax_checkpoint_restore(struct ctl_table *table,
   109			int write, void *buffer, size_t *lenp, loff_t *ppos)
   110	{
   111		struct user_namespace *user_ns = current->nsproxy->ipc_ns->user_ns;
   112	
 > 113		if (write && !checkpoint_restore_ns_capable(user_ns))
   114			return -EPERM;
   115	
   116		return proc_ipc_dointvec_minmax(table, write, buffer, lenp, ppos);
   117	}
   118	#endif
   119	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 35353 bytes --]

