@@ -1657,7 +1657,7 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
if (unlikely(!req->file->f_op->fsync))
return -EINVAL;
- req->creds = prepare_creds();
+ req->creds = prepare_protected_creds();
if (!req->creds)
return -ENOMEM;
@@ -248,7 +248,7 @@ int fuse_backing_open(struct fuse_conn *fc, struct fuse_backing_map *map)
goto out_fput;
fb->file = file;
- fb->cred = prepare_creds();
+ fb->cred = prepare_protected_creds();
refcount_set(&fb->count, 1);
res = fuse_backing_id_alloc(fc, fb);
@@ -228,7 +228,7 @@ int nfs_idmap_init(void)
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
- id_resolver_cache = cred;
+ id_resolver_cache = protect_creds(cred);
return 0;
failed_reg_legacy:
@@ -79,7 +79,7 @@ int nfsd_setuser(struct svc_cred *cred, struct svc_export *exp)
else
new->cap_effective = cap_raise_nfsd_set(new->cap_effective,
new->cap_permitted);
- put_cred(override_creds(new));
+ put_cred(override_creds(protect_creds(new)));
return 0;
oom:
@@ -81,7 +81,7 @@ nfs4_save_creds(const struct cred **original_creds)
new->fsuid = GLOBAL_ROOT_UID;
new->fsgid = GLOBAL_ROOT_GID;
- *original_creds = override_creds(new);
+ *original_creds = override_creds(protect_creds(new));
return 0;
}
@@ -221,7 +221,7 @@ static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct net *net,
new->cap_effective =
cap_raise_nfsd_set(new->cap_effective,
new->cap_permitted);
- put_cred(override_creds(new));
+ put_cred(override_creds(protect_creds(new)));
} else {
error = nfsd_setuser_and_check_port(rqstp, cred, exp);
if (error)
@@ -457,7 +457,7 @@ static const struct cred *access_override_creds(void)
* freeing.
*/
override_cred->non_rcu = 1;
- return override_creds(override_cred);
+ return override_creds(protect_creds(override_cred));
}
static long do_faccessat(int dfd, const char __user *filename, int mode, int flags)
@@ -580,7 +580,7 @@ static const struct cred *ovl_setup_cred_for_create(struct dentry *dentry,
* We must be called with creator creds already, otherwise we risk
* leaking creds.
*/
- old_cred = override_creds(override_cred);
+ old_cred = override_creds(protect_creds(override_cred));
WARN_ON_ONCE(old_cred != ovl_creds(dentry->d_sb));
return override_cred;
@@ -1318,7 +1318,7 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
sb->s_d_op = &ovl_dentry_operations;
err = -ENOMEM;
- ofs->creator_cred = cred = prepare_creds();
+ ofs->creator_cred = cred = prepare_protected_creds();
if (!cred)
goto out_err;
The kpkeys_hardened_cred feature, when enabled, automatically protects credentials installed by commit_creds(). However, because override_creds() does not consume its argument, it is up to its callers to protect the credentials before calling override_creds(). This is done by calling protect_creds(), moving the credentials to a protected memory location. In some cases, the credentials returned by prepare_creds() are passed to override_creds() as-is. In such situation where write access to the credentials is not needed, prepare_protected_creds() is used to avoid the copy incurred by a separate call to protect_creds(). This patch covers the main users of override_creds(), but it is not comprehensive. This patch is a no-op if kpkeys_hardened_cred isn't enabled. Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com> --- fs/aio.c | 2 +- fs/fuse/passthrough.c | 2 +- fs/nfs/nfs4idmap.c | 2 +- fs/nfsd/auth.c | 2 +- fs/nfsd/nfs4recover.c | 2 +- fs/nfsd/nfsfh.c | 2 +- fs/open.c | 2 +- fs/overlayfs/dir.c | 2 +- fs/overlayfs/super.c | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-)