Re: [PATCH 3/7] vfs: Add a mount-notification facility

[RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · David Howells <dhowells@redhat.com> · 2019-05-28
[PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Greg KH <gregkh@linuxfoundation.org> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Greg KH <gregkh@linuxfoundation.org> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Jann Horn <jannh@google.com> · 2019-05-29
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-06-17
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Greg KH <gregkh@linuxfoundation.org> · 2019-05-29
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Greg KH <gregkh@linuxfoundation.org> · 2019-05-29
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Andrea Parri <hidden> · 2019-05-30
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Peter Zijlstra <peterz@infradead.org> · 2019-05-31
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Jann Horn <jannh@google.com> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 1/7] General notification queue with user mmap()'able ring buffer · Jann Horn <jannh@google.com> · 2019-05-28
[PATCH 2/7] keys: Add a notification facility · David Howells <dhowells@redhat.com> · 2019-05-28
[PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Jann Horn <jannh@google.com> · 2019-05-28
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Jann Horn <jannh@google.com> · 2019-05-28
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Jann Horn <jannh@google.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · David Howells <dhowells@redhat.com> · 2019-06-03
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Andy Lutomirski <luto@amacapital.net> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Jann Horn <jannh@google.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Jann Horn <jannh@google.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Andy Lutomirski <luto@amacapital.net> · 2019-05-29
Re: [PATCH 3/7] vfs: Add a mount-notification facility · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
[PATCH 4/7] vfs: Add superblock notifications · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 4/7] vfs: Add superblock notifications · Jann Horn <jannh@google.com> · 2019-05-28
Re: [PATCH 4/7] vfs: Add superblock notifications · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [PATCH 4/7] vfs: Add superblock notifications · Jann Horn <jannh@google.com> · 2019-05-29
[PATCH 5/7] fsinfo: Export superblock notification counter · David Howells <dhowells@redhat.com> · 2019-05-28
[PATCH 6/7] block: Add block layer notifications · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [PATCH 6/7] block: Add block layer notifications · Jann Horn <jannh@google.com> · 2019-05-28
[PATCH 7/7] Add sample notification program · David Howells <dhowells@redhat.com> · 2019-05-28
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Greg KH <gregkh@linuxfoundation.org> · 2019-05-28
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Amir Goldstein <amir73il@gmail.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · David Howells <dhowells@redhat.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Amir Goldstein <amir73il@gmail.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Jan Kara <jack@suse.cz> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Greg KH <gregkh@linuxfoundation.org> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Amir Goldstein <amir73il@gmail.com> · 2019-05-29
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · Jan Kara <jack@suse.cz> · 2019-05-30
Re: [RFC][PATCH 0/7] Mount, FS, Block and Keyrings notifications · David Howells <dhowells@redhat.com> · 2019-06-04

From: Jann Horn <jannh@google.com>
Date: 2019-05-29 16:12:51
Also in: keyrings, linux-api, linux-block, linux-fsdevel, lkml

On Wed, May 29, 2019 at 5:53 PM Casey Schaufler [off-list ref] wrote:

On 5/29/2019 4:00 AM, David Howells wrote:

quoted

Jann Horn [off-list ref] wrote:

quoted

+void post_mount_notification(struct mount *changed,
+                            struct mount_notification *notify)
+{
+       const struct cred *cred = current_cred();

This current_cred() looks bogus to me. Can't mount topology changes
come from all sorts of places? For example, umount_mnt() from
umount_tree() from dissolve_on_fput() from __fput(), which could
happen pretty much anywhere depending on where the last reference gets
dropped?

IIRC, that's what Casey argued is the right thing to do from a security PoV.
Casey?

You need to identify the credential of the subject that triggered
the event. If it isn't current_cred(), the cred needs to be passed
in to post_mount_notification(), or derived by some other means.

quoted

Maybe I should pass in NULL creds in the case that an event is being generated
because an object is being destroyed due to the last usage[*] being removed.

You should pass the cred of the process that removed the
last usage. If the last usage was removed by something like
the power being turned off on a disk drive a system cred
should be used. Someone or something caused the event. It can
be important who it was.

The kernel's normal security model means that you should be able to
e.g. accept FDs that random processes send you and perform
read()/write() calls on them without acting as a subject in any
security checks; let alone close(). If you send a file descriptor over
a unix domain socket and the unix domain socket is garbage collected,
for example, I think the close() will just come from some random,
completely unrelated task that happens to trigger the garbage
collector?

Also, I think if someone does I/O via io_uring, I think the caller's
credentials for read/write operations will probably just be normal
kernel creds?

Here the checks probably aren't all that important, but in other
places, when people try to use an LSM as the primary line of defense,
checks that don't align with the kernel's normal security model might
lead to a bunch of problems.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help