Re: [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket
From: Kuniyuki Iwashima <hidden>
Date: 2025-05-06 19:29:38
Also in:
linux-fsdevel, lkml
From: Christian Brauner <brauner@kernel.org> Date: Tue, 6 May 2025 17:16:13 +0200
On Tue, May 06, 2025 at 04:51:25PM +0200, Jann Horn wrote:quoted
On Tue, May 6, 2025 at 9:39 AM Christian Brauner [off-list ref] wrote:quoted
quoted
("a kernel socket" is not necessarily the same as "a kernel socket intended for core dumping")Indeed. The usermodehelper is a kernel protocol. Here it's the task with its own credentials that's connecting to a userspace socket. Which makes this very elegant because it's just userspace IPC. No one is running around with kernel credentials anywhere.To be clear: I think your current patch is using special kernel privileges in one regard, because kernel_connect() bypasses the security_socket_connect() security hook.
Precisely, whether LSM ignores kernel sockets or not depends on LSM. When we create a socket, kern=0/1 is passed to security_socket_create(). Currently, SELinux always ignore the kernel socket, and AppArmor depends on another condition. Other LSM doesn't care. Especially, BPF LSM is just a set of functions to attach BPF programs, so it can enfoce whatever.
I think it is a good thingquoted
that it bypasses security hooks in this way; I think we wouldn't want LSMs to get in the way of this special connect(), since the task in whose context the connect() call happens is not in control of this connection; the system administrator is the one who decided that this connect() should happen on core dumps. It is kind of inconsistent though that that separate security_unix_stream_connect() LSM hook will still be invoked in this case, and we might have to watch out to make sure that LSMs won't end up blocking such connections... which I thinkRight, it is the same as for the usermode helper. It calls kernel_execve() which invokes at least security_bprm_creds_for_exec() and security_bprm_check(). Both of which can be used to make the usermodehelper execve fail. Fwiw, it's even the case for dumping directly to a file as in that case it's subject to all kinds of lookup and open security hooks like security_file_open() and then another round in do_truncate(). All of that happens fully in the task's context as well via file_open()/file_open_root() or do_truncate(). So there's nothing special here.