linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Miklos Szeredi <mszeredi@redhat.com>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] call_with_creds()
Date: Wed, 18 Jul 2018 20:46:37 +0100	[thread overview]
Message-ID: <20180718194637.GV30522@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFxh62Yttq-W2Cr_YQQ5tAL1xjijjnaz1-zdZNqZPQFM0g@mail.gmail.com>

On Wed, Jul 18, 2018 at 11:19:18AM -0700, Linus Torvalds wrote:
> On Wed, Jul 18, 2018 at 11:13 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > Linus, David - do you have any objections to the above?
> 
> I damn well do.
> 
> I explained earlier why it's wrong and fragile, and why it can just
> cause the *reverse* security problem if you do it wrong. So now you
> take a subtle bug, and make it even more subtle, and encourage people
> to do this known-broken model of using creds at IO time.
> 
> No.
> 
> Some debugging option to just clear current->creds entirely and catch
> mis-uses, sure. But saying "we have shit buggy garbage in random write
> functions, so we'll just paper over it"? No.

Huh?  Nevermind ->write(), what about open()?  Here's a specific question
Miklos brought when I suggested to get rid of that override:
/*
 * These allocate and release file read/write context information.
 */
int nfs_open(struct inode *inode, struct file *filp)
{
        struct nfs_open_context *ctx;

        ctx = alloc_nfs_open_context(file_dentry(filp), filp->f_mode, filp);

struct nfs_open_context *alloc_nfs_open_context(struct dentry *dentry,
                                                fmode_t f_mode,
                                                struct file *filp)
{
        struct nfs_open_context *ctx;
        struct rpc_cred *cred = rpc_lookup_cred();

struct rpc_cred *rpc_lookup_cred(void)
{
        return rpcauth_lookupcred(&generic_auth, 0);

struct rpc_cred *
rpcauth_lookupcred(struct rpc_auth *auth, int flags)
{
        struct auth_cred acred;
        struct rpc_cred *ret;
        const struct cred *cred = current_cred();

How should we bring the cred passed to do_dentry_open() where open() has been
called to rpcauth_lookupcred() where we end up looking for rpc_cred by what
should've been the cred passed to do_dentry_open() and is, instead, current_cred()?

We can pass filp->f_cred to rpc_lookup_cred() variant that gets it as an explicit
argument and feed it down to rpcauth_lookupcred() variant that does the same.
We can basically ignore the ->f_cred here.  Or we can get current_cred() equal
to ->f_cred for the duration of open().

I'd probably prefer the first variant, but the last part of the question Miklos
asked
> Okay, so ->open() is a file op, and file ops should use file->f_cred,
> but how are we going to enforce this?
is not trivial - how do we find the places where that kind of thing happens and
what do we do in the meanwhile?  I don't see any quick answers - any suggestions
would be very welcome.  It's not just direct current_cred() callers; that stuff
gets called deep in call chains.  And lifting it all the way up means a lot of
methods that need to get an explicit struct cred * argument.  Are you OK with
going in that direction?

I'm honestly not sure - it's not an attempt to maneuver you into changing your
policy re ->write().  Do we care about ->f_cred at all and if we do, how do we
get it consistent across the filesystems?  I'd buy "it's a weird and obscure thing"
for overlayfs, but that example is on NFS...

We definitely do have bugs in that area - consider e.g.
static int ecryptfs_threadfn(void *ignored)
{
        set_freezable();
        while (1)  {
                struct ecryptfs_open_req *req;

                wait_event_freezable(
                        ecryptfs_kthread_ctl.wait,
                        (!list_empty(&ecryptfs_kthread_ctl.req_list)
                         || kthread_should_stop()));
                mutex_lock(&ecryptfs_kthread_ctl.mux);
                if (ecryptfs_kthread_ctl.flags & ECRYPTFS_KTHREAD_ZOMBIE) {
                        mutex_unlock(&ecryptfs_kthread_ctl.mux);
                        goto out;
                }
                while (!list_empty(&ecryptfs_kthread_ctl.req_list)) {
                        req = list_first_entry(&ecryptfs_kthread_ctl.req_list,
                                               struct ecryptfs_open_req,
                                               kthread_ctl_list);
                        list_del(&req->kthread_ctl_list);
                        *req->lower_file = dentry_open(&req->path,
                                (O_RDWR | O_LARGEFILE), current_cred());
                        complete(&req->done);
                }
                mutex_unlock(&ecryptfs_kthread_ctl.mux);
        }
out:
        return 0;
}

It's a kernel thread, so current_cred() looks bogus...

  reply	other threads:[~2018-07-18 20:26 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20180710101736.32d6cc6c@canb.auug.org.au>
     [not found] ` <20180710150455.GK30522@ZenIV.linux.org.uk>
2018-07-11  2:11   ` linux-next: manual merge of the vfs tree with the overlayfs tree Al Viro
2018-07-11  2:21     ` [RFC][PATCH 01/42] drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 02/42] cxl_getfile(): fix double-iput() on alloc_file() failures Al Viro
2018-07-11  2:21       ` [RFC][PATCH 03/42] ocxlflash_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 04/42] make get_empty_filp() to call file_free_rcu() directly Al Viro
2018-07-11  2:35         ` Linus Torvalds
2018-07-11  2:43           ` Al Viro
2018-07-11  2:21       ` [RFC][PATCH 05/42] fold security_file_free() into file_free() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 06/42] turn filp_clone_open() into inline wrapper for dentry_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 07/42] create_pipe_files(): use fput() if allocation of the second file fails Al Viro
2018-07-11  2:21       ` [RFC][PATCH 08/42] make sure do_dentry_open() won't return positive as an error Al Viro
2018-07-11  2:39         ` Linus Torvalds
2018-07-11  2:41           ` Al Viro
2018-07-11  2:21       ` [RFC][PATCH 09/42] pass creds to get_empty_filp(), make sure dentry_open() passes the right creds Al Viro
2018-07-11  2:21       ` [RFC][PATCH 10/42] get rid of cred argument of vfs_open() and do_dentry_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 11/42] security_file_open(): lose cred argument Al Viro
2018-07-11  2:21       ` [RFC][PATCH 12/42] ->file_open(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 13/42] introduce FMODE_OPENED Al Viro
2018-07-11  2:21       ` [RFC][PATCH 14/42] fold put_filp() into fput() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 15/42] lift fput() on late failures into path_openat() Al Viro
2018-07-11  5:43         ` Amir Goldstein
2018-07-11  2:21       ` [RFC][PATCH 16/42] now we can fold open_check_o_direct() into do_dentry_open() Al Viro
2018-07-11  2:44         ` Linus Torvalds
2018-07-11  2:59           ` Al Viro
2018-07-11  3:13             ` Linus Torvalds
2018-07-11  2:21       ` [RFC][PATCH 17/42] switch all remaining checks for FILE_OPENED to FMODE_OPENED Al Viro
2018-07-11  2:21       ` [RFC][PATCH 18/42] introduce FMODE_CREATED and switch to it Al Viro
2018-07-11  2:21       ` [RFC][PATCH 19/42] IMA: don't propagate opened through the entire thing Al Viro
2018-07-11  2:21       ` [RFC][PATCH 20/42] getting rid of 'opened' argument of ->atomic_open() - step 1 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 21/42] getting rid of 'opened' argument of ->atomic_open() - part 2 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 22/42] get rid of 'opened' argument of ->atomic_open() - part 3 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 23/42] get rid of 'opened' in path_openat() and the helpers downstream Al Viro
2018-07-11  2:21       ` [RFC][PATCH 24/42] ->atomic_open(): return 0 in all success cases Al Viro
2018-07-11  2:21       ` [RFC][PATCH 25/42] document ->atomic_open() changes Al Viro
2018-07-11  2:21       ` [RFC][PATCH 26/42] switch atomic_open() and lookup_open() to returning 0 in all success cases Al Viro
2018-07-11  2:21       ` [RFC][PATCH 27/42] kill FILE_{CREATED,OPENED} Al Viro
2018-07-11  2:21       ` [RFC][PATCH 28/42] new wrapper: alloc_file_pseudo() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 29/42] __shmem_file_setup(): reorder allocations Al Viro
2018-07-11  2:21       ` [RFC][PATCH 30/42] ... and switch shmem_file_setup() to alloc_file_pseudo() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 31/42] cxl_getfile(): switch " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 32/42] ocxlflash_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 33/42] hugetlb_file_setup(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 34/42] anon_inode_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 35/42] create_pipe_files(): switch the first allocation " Al Viro
2018-07-11  2:22       ` [RFC][PATCH 36/42] new helper: alloc_file_clone() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 37/42] do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 38/42] make alloc_file() static Al Viro
2018-07-11  2:22       ` [RFC][PATCH 39/42] document alloc_file() changes Al Viro
2018-07-11  2:22       ` [RFC][PATCH 40/42] make path_init() unconditionally paired with terminate_walk() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 41/42] allow link_path_walk() to take ERR_PTR() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 42/42] few more cleanups of link_path_walk() callers Al Viro
2018-07-11  2:56       ` [RFC][PATCH 01/42] drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open() Linus Torvalds
2018-07-11 15:25         ` Al Viro
2018-07-11 16:15           ` Al Viro
2018-07-12 12:43             ` Al Viro
2018-07-12 15:05               ` Linus Torvalds
2018-07-12 15:53                 ` vfs / overlayfs conflict resolution for linux-next Al Viro
2018-07-18  2:56                   ` Al Viro
2018-07-18  3:29                     ` Stephen Rothwell
2018-07-18  7:25                       ` Miklos Szeredi
2018-07-18 12:10                         ` Miklos Szeredi
2018-07-18 12:43                           ` Al Viro
2018-07-18 13:46                             ` Al Viro
2018-07-18 15:46                             ` Miklos Szeredi
2018-07-18 18:12                               ` [RFC] call_with_creds() Al Viro
2018-07-18 18:19                                 ` Linus Torvalds
2018-07-18 19:46                                   ` Al Viro [this message]
2018-07-18 19:53                                     ` Linus Torvalds
2018-07-18 20:04                                       ` Al Viro
2018-07-18 20:15                                         ` Al Viro
2018-07-18 20:43                                         ` Linus Torvalds
2018-07-18 21:22                                           ` Al Viro
2018-07-18 23:06                                             ` Linus Torvalds
2018-07-18 21:27                                         ` David Howells
2018-07-18 23:16                                           ` Linus Torvalds
2018-07-18 21:28                                 ` David Howells
2018-07-18 23:13                                   ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180718194637.GV30522@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mszeredi@redhat.com \
    --cc=sfr@canb.auug.org.au \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).