b28ddcc32d
Moving pidfds from the anonymous inode infrastructure to a separate tiny in-kernel filesystem similar to sockfs, pipefs, and anon_inodefs causes selinux denials and thus various userspace components that make heavy use of pidfds to fail as pidfds used anon_inode_getfile() which aren't subject to any LSM hooks. But dentry_open() is and that would cause regressions. The failures that are seen are selinux denials. But the core failure is dbus-broker. That cascades into other services failing that depend on dbus-broker. For example, when dbus-broker fails to start polkit and all the others won't be able to work because they depend on dbus-broker. The reason for dbus-broker failing is because it doesn't handle failures for SO_PEERPIDFD correctly. Last kernel release we introduced SO_PEERPIDFD (and SCM_PIDFD). SO_PEERPIDFD allows dbus-broker and polkit and others to receive a pidfd for the peer of an AF_UNIX socket. This is the first time in the history of Linux that we can safely authenticate clients in a race-free manner. dbus-broker immediately made use of this but messed up the error checking. It only allowed EINVAL as a valid failure for SO_PEERPIDFD. That's obviously problematic not just because of LSM denials but because of seccomp denials that would prevent SO_PEERPIDFD from working; or any other new error code from there. So this is catching a flawed implementation in dbus-broker as well. It has to fallback to the old pid-based authentication when SO_PEERPIDFD doesn't work no matter the reasons otherwise it'll always risk such failures. So overall that LSM denial should not have caused dbus-broker to fail. It can never assume that a feature released one kernel ago like SO_PEERPIDFD can be assumed to be available. So, the next fix separate from the selinux policy update is to try and fix dbus-broker at [3]. That should make it into Fedora as well. In addition the selinux reference policy should also be updated. See [4] for that. If Selinux is in enforcing mode in userspace and it encounters anything that it doesn't know about it will deny it by default. And the policy is entirely in userspace including declaring new types for stuff like nsfs or pidfs to allow it. For now we continue to raise S_PRIVATE on the inode if it's a pidfs inode which means things behave exactly like before. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2265630 Link: https://github.com/fedora-selinux/selinux-policy/pull/2050 Link: https://github.com/bus1/dbus-broker/pull/343 [3] Link: https://github.com/SELinuxProject/refpolicy/pull/762 [4] Reported-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/r/20240222190334.GA412503@dev-arch.thelio-3990X Link: https://lore.kernel.org/r/20240218-neufahrzeuge-brauhaus-fb0eb6459771@brauner Signed-off-by: Christian Brauner <brauner@kernel.org>
290 lines
7.3 KiB
C
290 lines
7.3 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/anon_inodes.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/magic.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/pid.h>
|
|
#include <linux/pidfs.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/poll.h>
|
|
#include <linux/proc_fs.h>
|
|
#include <linux/proc_ns.h>
|
|
#include <linux/pseudo_fs.h>
|
|
#include <linux/seq_file.h>
|
|
#include <uapi/linux/pidfd.h>
|
|
|
|
#include "internal.h"
|
|
|
|
static int pidfd_release(struct inode *inode, struct file *file)
|
|
{
|
|
#ifndef CONFIG_FS_PID
|
|
struct pid *pid = file->private_data;
|
|
|
|
file->private_data = NULL;
|
|
put_pid(pid);
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
/**
|
|
* pidfd_show_fdinfo - print information about a pidfd
|
|
* @m: proc fdinfo file
|
|
* @f: file referencing a pidfd
|
|
*
|
|
* Pid:
|
|
* This function will print the pid that a given pidfd refers to in the
|
|
* pid namespace of the procfs instance.
|
|
* If the pid namespace of the process is not a descendant of the pid
|
|
* namespace of the procfs instance 0 will be shown as its pid. This is
|
|
* similar to calling getppid() on a process whose parent is outside of
|
|
* its pid namespace.
|
|
*
|
|
* NSpid:
|
|
* If pid namespaces are supported then this function will also print
|
|
* the pid of a given pidfd refers to for all descendant pid namespaces
|
|
* starting from the current pid namespace of the instance, i.e. the
|
|
* Pid field and the first entry in the NSpid field will be identical.
|
|
* If the pid namespace of the process is not a descendant of the pid
|
|
* namespace of the procfs instance 0 will be shown as its first NSpid
|
|
* entry and no others will be shown.
|
|
* Note that this differs from the Pid and NSpid fields in
|
|
* /proc/<pid>/status where Pid and NSpid are always shown relative to
|
|
* the pid namespace of the procfs instance. The difference becomes
|
|
* obvious when sending around a pidfd between pid namespaces from a
|
|
* different branch of the tree, i.e. where no ancestral relation is
|
|
* present between the pid namespaces:
|
|
* - create two new pid namespaces ns1 and ns2 in the initial pid
|
|
* namespace (also take care to create new mount namespaces in the
|
|
* new pid namespace and mount procfs)
|
|
* - create a process with a pidfd in ns1
|
|
* - send pidfd from ns1 to ns2
|
|
* - read /proc/self/fdinfo/<pidfd> and observe that both Pid and NSpid
|
|
* have exactly one entry, which is 0
|
|
*/
|
|
static void pidfd_show_fdinfo(struct seq_file *m, struct file *f)
|
|
{
|
|
struct pid *pid = pidfd_pid(f);
|
|
struct pid_namespace *ns;
|
|
pid_t nr = -1;
|
|
|
|
if (likely(pid_has_task(pid, PIDTYPE_PID))) {
|
|
ns = proc_pid_ns(file_inode(m->file)->i_sb);
|
|
nr = pid_nr_ns(pid, ns);
|
|
}
|
|
|
|
seq_put_decimal_ll(m, "Pid:\t", nr);
|
|
|
|
#ifdef CONFIG_PID_NS
|
|
seq_put_decimal_ll(m, "\nNSpid:\t", nr);
|
|
if (nr > 0) {
|
|
int i;
|
|
|
|
/* If nr is non-zero it means that 'pid' is valid and that
|
|
* ns, i.e. the pid namespace associated with the procfs
|
|
* instance, is in the pid namespace hierarchy of pid.
|
|
* Start at one below the already printed level.
|
|
*/
|
|
for (i = ns->level + 1; i <= pid->level; i++)
|
|
seq_put_decimal_ll(m, "\t", pid->numbers[i].nr);
|
|
}
|
|
#endif
|
|
seq_putc(m, '\n');
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Poll support for process exit notification.
|
|
*/
|
|
static __poll_t pidfd_poll(struct file *file, struct poll_table_struct *pts)
|
|
{
|
|
struct pid *pid = pidfd_pid(file);
|
|
bool thread = file->f_flags & PIDFD_THREAD;
|
|
struct task_struct *task;
|
|
__poll_t poll_flags = 0;
|
|
|
|
poll_wait(file, &pid->wait_pidfd, pts);
|
|
/*
|
|
* Depending on PIDFD_THREAD, inform pollers when the thread
|
|
* or the whole thread-group exits.
|
|
*/
|
|
guard(rcu)();
|
|
task = pid_task(pid, PIDTYPE_PID);
|
|
if (!task)
|
|
poll_flags = EPOLLIN | EPOLLRDNORM | EPOLLHUP;
|
|
else if (task->exit_state && (thread || thread_group_empty(task)))
|
|
poll_flags = EPOLLIN | EPOLLRDNORM;
|
|
|
|
return poll_flags;
|
|
}
|
|
|
|
static const struct file_operations pidfs_file_operations = {
|
|
.release = pidfd_release,
|
|
.poll = pidfd_poll,
|
|
#ifdef CONFIG_PROC_FS
|
|
.show_fdinfo = pidfd_show_fdinfo,
|
|
#endif
|
|
};
|
|
|
|
struct pid *pidfd_pid(const struct file *file)
|
|
{
|
|
if (file->f_op != &pidfs_file_operations)
|
|
return ERR_PTR(-EBADF);
|
|
#ifdef CONFIG_FS_PID
|
|
return file_inode(file)->i_private;
|
|
#else
|
|
return file->private_data;
|
|
#endif
|
|
}
|
|
|
|
#ifdef CONFIG_FS_PID
|
|
static struct vfsmount *pidfs_mnt __ro_after_init;
|
|
static struct super_block *pidfs_sb __ro_after_init;
|
|
|
|
/*
|
|
* The vfs falls back to simple_setattr() if i_op->setattr() isn't
|
|
* implemented. Let's reject it completely until we have a clean
|
|
* permission concept for pidfds.
|
|
*/
|
|
static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
|
|
struct iattr *attr)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path,
|
|
struct kstat *stat, u32 request_mask,
|
|
unsigned int query_flags)
|
|
{
|
|
struct inode *inode = d_inode(path->dentry);
|
|
|
|
generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);
|
|
return 0;
|
|
}
|
|
|
|
static const struct inode_operations pidfs_inode_operations = {
|
|
.getattr = pidfs_getattr,
|
|
.setattr = pidfs_setattr,
|
|
};
|
|
|
|
static void pidfs_evict_inode(struct inode *inode)
|
|
{
|
|
struct pid *pid = inode->i_private;
|
|
|
|
clear_inode(inode);
|
|
put_pid(pid);
|
|
}
|
|
|
|
static const struct super_operations pidfs_sops = {
|
|
.drop_inode = generic_delete_inode,
|
|
.evict_inode = pidfs_evict_inode,
|
|
.statfs = simple_statfs,
|
|
};
|
|
|
|
static char *pidfs_dname(struct dentry *dentry, char *buffer, int buflen)
|
|
{
|
|
return dynamic_dname(buffer, buflen, "pidfd:[%lu]",
|
|
d_inode(dentry)->i_ino);
|
|
}
|
|
|
|
static void pidfs_prune_dentry(struct dentry *dentry)
|
|
{
|
|
struct inode *inode;
|
|
|
|
inode = d_inode(dentry);
|
|
if (inode) {
|
|
struct pid *pid = inode->i_private;
|
|
WRITE_ONCE(pid->stashed, NULL);
|
|
}
|
|
}
|
|
|
|
static const struct dentry_operations pidfs_dentry_operations = {
|
|
.d_delete = always_delete_dentry,
|
|
.d_dname = pidfs_dname,
|
|
.d_prune = pidfs_prune_dentry,
|
|
};
|
|
|
|
static int pidfs_init_fs_context(struct fs_context *fc)
|
|
{
|
|
struct pseudo_fs_context *ctx;
|
|
|
|
ctx = init_pseudo(fc, PID_FS_MAGIC);
|
|
if (!ctx)
|
|
return -ENOMEM;
|
|
|
|
ctx->ops = &pidfs_sops;
|
|
ctx->dops = &pidfs_dentry_operations;
|
|
return 0;
|
|
}
|
|
|
|
static struct file_system_type pidfs_type = {
|
|
.name = "pidfs",
|
|
.init_fs_context = pidfs_init_fs_context,
|
|
.kill_sb = kill_anon_super,
|
|
};
|
|
|
|
struct file *pidfs_alloc_file(struct pid *pid, unsigned int flags)
|
|
{
|
|
|
|
struct file *pidfd_file;
|
|
struct path path;
|
|
int ret;
|
|
|
|
do {
|
|
/*
|
|
* Inode numbering for pidfs start at RESERVED_PIDS + 1.
|
|
* This avoids collisions with the root inode which is 1
|
|
* for pseudo filesystems.
|
|
*/
|
|
ret = path_from_stashed(&pid->stashed, pid->ino, pidfs_mnt,
|
|
&pidfs_file_operations,
|
|
&pidfs_inode_operations, get_pid(pid),
|
|
&path);
|
|
if (ret <= 0 && ret != -EAGAIN)
|
|
put_pid(pid);
|
|
} while (ret == -EAGAIN);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
|
|
pidfd_file = dentry_open(&path, flags, current_cred());
|
|
path_put(&path);
|
|
return pidfd_file;
|
|
}
|
|
|
|
void __init pidfs_init(void)
|
|
{
|
|
pidfs_mnt = kern_mount(&pidfs_type);
|
|
if (IS_ERR(pidfs_mnt))
|
|
panic("Failed to mount pidfs pseudo filesystem");
|
|
|
|
pidfs_sb = pidfs_mnt->mnt_sb;
|
|
}
|
|
|
|
bool is_pidfs_sb(const struct super_block *sb)
|
|
{
|
|
return sb == pidfs_mnt->mnt_sb;
|
|
}
|
|
|
|
#else /* !CONFIG_FS_PID */
|
|
|
|
struct file *pidfs_alloc_file(struct pid *pid, unsigned int flags)
|
|
{
|
|
struct file *pidfd_file;
|
|
|
|
pidfd_file = anon_inode_getfile("[pidfd]", &pidfs_file_operations, pid,
|
|
flags | O_RDWR);
|
|
if (IS_ERR(pidfd_file))
|
|
return pidfd_file;
|
|
|
|
get_pid(pid);
|
|
return pidfd_file;
|
|
}
|
|
|
|
void __init pidfs_init(void) { }
|
|
bool is_pidfs_sb(const struct super_block *sb)
|
|
{
|
|
return false;
|
|
}
|
|
#endif
|