From: Alexey Gladkov <gladkov.alexey@gmail.com> To: LKML <linux-kernel@vger.kernel.org>, io-uring@vger.kernel.org, Kernel Hardening <kernel-hardening@lists.openwall.com>, Linux Containers <containers@lists.linux-foundation.org>, linux-mm@kvack.org Cc: Jens Axboe <axboe@kernel.dk>, Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>, Linus Torvalds <torvalds@linux-foundation.org>, Oleg Nesterov <oleg@redhat.com>, "Eric W . Biederman" <ebiederm@xmission.com>, Andrew Morton <akpm@linux-foundation.org>, Alexey Gladkov <legion@kernel.org> Subject: [RFC PATCH v3 7/8] Move RLIMIT_NPROC check to the place where we increment the counter Date: Fri, 15 Jan 2021 15:57:28 +0100 [thread overview] Message-ID: <0829877fe0381f10d927bb94548021224e72f3c9.1610722474.git.gladkov.alexey@gmail.com> (raw) In-Reply-To: <cover.1610722473.git.gladkov.alexey@gmail.com> After calling set_user(), we always have to call commit_creds() to apply new credentials upon the current task. There is no need to separate limit check and counter incrementing. Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com> --- kernel/cred.c | 22 +++++++++++++++++----- kernel/sys.c | 13 ------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index c43e30407d22..991c43559ee8 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -487,14 +487,26 @@ int commit_creds(struct cred *new) if (!gid_eq(new->fsgid, old->fsgid)) key_fsgid_changed(new); - /* do it - * RLIMIT_NPROC limits on user->processes have already been checked - * in set_user(). - */ alter_cred_subscribers(new, 2); if (new->user != old->user || new->user_ns != old->user_ns) { + bool overlimit; + set_cred_ucounts(new, new->user_ns, new->euid); - inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1); + + overlimit = inc_rlimit_ucounts_and_test(new->ucounts, UCOUNT_RLIMIT_NPROC, + 1, rlimit(RLIMIT_NPROC)); + + /* + * We don't fail in case of NPROC limit excess here because too many + * poorly written programs don't check set*uid() return code, assuming + * it never fails if called by root. We may still enforce NPROC limit + * for programs doing set*uid()+execve() by harmlessly deferring the + * failure to the execve() stage. + */ + if (overlimit && new->user != INIT_USER) + current->flags |= PF_NPROC_EXCEEDED; + else + current->flags &= ~PF_NPROC_EXCEEDED; } rcu_assign_pointer(task->real_cred, new); rcu_assign_pointer(task->cred, new); diff --git a/kernel/sys.c b/kernel/sys.c index c2734ab9474e..180c4e06064f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -467,19 +467,6 @@ static int set_user(struct cred *new) if (!new_user) return -EAGAIN; - /* - * We don't fail in case of NPROC limit excess here because too many - * poorly written programs don't check set*uid() return code, assuming - * it never fails if called by root. We may still enforce NPROC limit - * for programs doing set*uid()+execve() by harmlessly deferring the - * failure to the execve() stage. - */ - if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && - new_user != INIT_USER) - current->flags |= PF_NPROC_EXCEEDED; - else - current->flags &= ~PF_NPROC_EXCEEDED; - free_uid(new->user); new->user = new_user; return 0; -- 2.29.2 _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Gladkov <gladkov.alexey@gmail.com> To: LKML <linux-kernel@vger.kernel.org>, io-uring@vger.kernel.org, Kernel Hardening <kernel-hardening@lists.openwall.com>, Linux Containers <containers@lists.linux-foundation.org>, linux-mm@kvack.org Cc: Alexey Gladkov <legion@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Christian Brauner <christian.brauner@ubuntu.com>, "Eric W . Biederman" <ebiederm@xmission.com>, Jann Horn <jannh@google.com>, Jens Axboe <axboe@kernel.dk>, Kees Cook <keescook@chromium.org>, Linus Torvalds <torvalds@linux-foundation.org>, Oleg Nesterov <oleg@redhat.com> Subject: [RFC PATCH v3 7/8] Move RLIMIT_NPROC check to the place where we increment the counter Date: Fri, 15 Jan 2021 15:57:28 +0100 [thread overview] Message-ID: <0829877fe0381f10d927bb94548021224e72f3c9.1610722474.git.gladkov.alexey@gmail.com> (raw) In-Reply-To: <cover.1610722473.git.gladkov.alexey@gmail.com> After calling set_user(), we always have to call commit_creds() to apply new credentials upon the current task. There is no need to separate limit check and counter incrementing. Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com> --- kernel/cred.c | 22 +++++++++++++++++----- kernel/sys.c | 13 ------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index c43e30407d22..991c43559ee8 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -487,14 +487,26 @@ int commit_creds(struct cred *new) if (!gid_eq(new->fsgid, old->fsgid)) key_fsgid_changed(new); - /* do it - * RLIMIT_NPROC limits on user->processes have already been checked - * in set_user(). - */ alter_cred_subscribers(new, 2); if (new->user != old->user || new->user_ns != old->user_ns) { + bool overlimit; + set_cred_ucounts(new, new->user_ns, new->euid); - inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1); + + overlimit = inc_rlimit_ucounts_and_test(new->ucounts, UCOUNT_RLIMIT_NPROC, + 1, rlimit(RLIMIT_NPROC)); + + /* + * We don't fail in case of NPROC limit excess here because too many + * poorly written programs don't check set*uid() return code, assuming + * it never fails if called by root. We may still enforce NPROC limit + * for programs doing set*uid()+execve() by harmlessly deferring the + * failure to the execve() stage. + */ + if (overlimit && new->user != INIT_USER) + current->flags |= PF_NPROC_EXCEEDED; + else + current->flags &= ~PF_NPROC_EXCEEDED; } rcu_assign_pointer(task->real_cred, new); rcu_assign_pointer(task->cred, new); diff --git a/kernel/sys.c b/kernel/sys.c index c2734ab9474e..180c4e06064f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -467,19 +467,6 @@ static int set_user(struct cred *new) if (!new_user) return -EAGAIN; - /* - * We don't fail in case of NPROC limit excess here because too many - * poorly written programs don't check set*uid() return code, assuming - * it never fails if called by root. We may still enforce NPROC limit - * for programs doing set*uid()+execve() by harmlessly deferring the - * failure to the execve() stage. - */ - if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && - new_user != INIT_USER) - current->flags |= PF_NPROC_EXCEEDED; - else - current->flags &= ~PF_NPROC_EXCEEDED; - free_uid(new->user); new->user = new_user; return 0; -- 2.29.2
next prev parent reply other threads:[~2021-01-15 14:59 UTC|newest] Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-01-15 14:57 [RFC PATCH v3 0/8] Count rlimits in each user namespace Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-18 6:06 ` c25050162e: WARNING:at_lib/refcount.c:#refcount_warn_saturate kernel test robot 2021-01-18 6:06 ` kernel test robot 2021-01-18 6:06 ` kernel test robot 2021-01-18 19:14 ` [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting Linus Torvalds 2021-01-18 19:14 ` Linus Torvalds 2021-01-18 19:14 ` Linus Torvalds 2021-01-18 19:45 ` Alexey Gladkov 2021-01-18 19:45 ` Alexey Gladkov 2021-01-18 20:34 ` Linus Torvalds 2021-01-18 20:34 ` Linus Torvalds 2021-01-18 20:34 ` Linus Torvalds 2021-01-18 20:56 ` Alexey Gladkov 2021-01-18 20:56 ` Alexey Gladkov 2021-01-19 4:35 ` Kaiwan N Billimoria 2021-01-19 4:35 ` Kaiwan N Billimoria 2021-01-19 4:35 ` Kaiwan N Billimoria 2021-01-20 1:57 ` Eric W. Biederman 2021-01-20 1:57 ` Eric W. Biederman 2021-01-20 1:57 ` Eric W. Biederman 2021-01-20 1:58 ` Eric W. Biederman 2021-01-20 1:58 ` Eric W. Biederman 2021-01-20 1:58 ` Eric W. Biederman 2021-01-21 12:04 ` Alexey Gladkov 2021-01-21 12:04 ` Alexey Gladkov 2021-01-21 15:50 ` Eric W. Biederman 2021-01-21 15:50 ` Eric W. Biederman 2021-01-21 15:50 ` Eric W. Biederman 2021-01-21 16:07 ` Alexey Gladkov 2021-01-21 16:07 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 2/8] Add a reference to ucounts for each cred Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 22:15 ` kernel test robot 2021-01-16 2:29 ` kernel test robot 2021-01-18 6:47 ` 14c3c8a27f: kernel_BUG_at_kernel/cred.c kernel test robot 2021-01-18 6:47 ` kernel test robot 2021-01-18 6:47 ` kernel test robot 2021-01-18 8:31 ` [PATCH v4 2/8] Add a reference to ucounts for each cred Alexey Gladkov 2021-01-18 8:31 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 3/8] Move RLIMIT_NPROC counter to ucounts Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 4/8] Move RLIMIT_MSGQUEUE " Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 5/8] Move RLIMIT_SIGPENDING " Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 6/8] Move RLIMIT_MEMLOCK " Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov [this message] 2021-01-15 14:57 ` [RFC PATCH v3 7/8] Move RLIMIT_NPROC check to the place where we increment the counter Alexey Gladkov 2021-01-15 14:57 ` [RFC PATCH v3 8/8] kselftests: Add test to check for rlimit changes in different user namespaces Alexey Gladkov 2021-01-15 14:57 ` Alexey Gladkov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=0829877fe0381f10d927bb94548021224e72f3c9.1610722474.git.gladkov.alexey@gmail.com \ --to=gladkov.alexey@gmail.com \ --cc=akpm@linux-foundation.org \ --cc=axboe@kernel.dk \ --cc=containers@lists.linux-foundation.org \ --cc=ebiederm@xmission.com \ --cc=io-uring@vger.kernel.org \ --cc=jannh@google.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=legion@kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=oleg@redhat.com \ --cc=torvalds@linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.