From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964889AbbGHNNO (ORCPT ); Wed, 8 Jul 2015 09:13:14 -0400 Received: from mail-wi0-f175.google.com ([209.85.212.175]:38311 "EHLO mail-wi0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758408AbbGHNNJ (ORCPT ); Wed, 8 Jul 2015 09:13:09 -0400 MIME-Version: 1.0 In-Reply-To: References: Date: Wed, 8 Jul 2015 09:13:08 -0400 Message-ID: Subject: Re: mm: shmem_zero_setup skip security check and lockdep conflict with XFS From: Stephen Smalley To: Hugh Dickins Cc: Linus Torvalds , Prarit Bhargava , Morten Stevens , Daniel Wagner , Dave Chinner , Eric Paris , Eric Sandeen , Andrew Morton , linux-mm@kvack.org, Linux Kernel , Stephen Smalley , Paul Moore , selinux Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 14, 2015 at 12:48 PM, Hugh Dickins wrote: > It appears that, at some point last year, XFS made directory handling > changes which bring it into lockdep conflict with shmem_zero_setup(): > it is surprising that mmap() can clone an inode while holding mmap_sem, > but that has been so for many years. > > Since those few lockdep traces that I've seen all implicated selinux, > I'm hoping that we can use the __shmem_file_setup(,,,S_PRIVATE) which > v3.13's commit c7277090927a ("security: shmem: implement kernel private > shmem inodes") introduced to avoid LSM checks on kernel-internal inodes: > the mmap("/dev/zero") cloned inode is indeed a kernel-internal detail. > > This also covers the !CONFIG_SHMEM use of ramfs to support /dev/zero > (and MAP_SHARED|MAP_ANONYMOUS). I thought there were also drivers > which cloned inode in mmap(), but if so, I cannot locate them now. This causes a regression for SELinux (please, in the future, cc selinux list and Paul Moore on SELinux-related changes). In particular, this change disables SELinux checking of mprotect PROT_EXEC on shared anonymous mappings, so we lose the ability to control executable mappings. That said, we are only getting that check today as a side effect of our file execute check on the tmpfs inode, whereas it would be better (and more consistent with the mmap-time checks) to apply an execmem check in that case, in which case we wouldn't care about the inode-based check. However, I am unclear on how to correctly detect that situation from selinux_file_mprotect() -> file_map_prot_check(), because we do have a non-NULL vma->vm_file so we treat it as a file execute check. In contrast, if directly creating an anonymous shared mapping with PROT_EXEC via mmap(...PROT_EXEC...), selinux_mmap_file is called with a NULL file and therefore we end up applying an execmem check. > > Reported-and-tested-by: Prarit Bhargava > Reported-by: Daniel Wagner > Reported-by: Morten Stevens > Signed-off-by: Hugh Dickins > --- > > mm/shmem.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > --- 4.1-rc7/mm/shmem.c 2015-04-26 19:16:31.352191298 -0700 > +++ linux/mm/shmem.c 2015-06-14 09:26:49.461120166 -0700 > @@ -3401,7 +3401,13 @@ int shmem_zero_setup(struct vm_area_stru > struct file *file; > loff_t size = vma->vm_end - vma->vm_start; > > - file = shmem_file_setup("dev/zero", size, vma->vm_flags); > + /* > + * Cloning a new file under mmap_sem leads to a lock ordering conflict > + * between XFS directory reading and selinux: since this file is only > + * accessible to the user through its mapping, use S_PRIVATE flag to > + * bypass file security, in the same way as shmem_kernel_file_setup(). > + */ > + file = __shmem_file_setup("dev/zero", size, vma->vm_flags, S_PRIVATE); > if (IS_ERR(file)) > return PTR_ERR(file); > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/