From patchwork Sun Dec 30 13:28:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chun-Yi Lee X-Patchwork-Id: 10745095 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2BC6613AD for ; Sun, 30 Dec 2018 13:29:29 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E174F28657 for ; Sun, 30 Dec 2018 13:29:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CE6C2286D0; Sun, 30 Dec 2018 13:29:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F312428657 for ; Sun, 30 Dec 2018 13:29:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725939AbeL3N3Y (ORCPT ); Sun, 30 Dec 2018 08:29:24 -0500 Received: from mail-pg1-f196.google.com ([209.85.215.196]:43725 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725914AbeL3N3Y (ORCPT ); Sun, 30 Dec 2018 08:29:24 -0500 Received: by mail-pg1-f196.google.com with SMTP id v28so11835571pgk.10; Sun, 30 Dec 2018 05:29:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=F2L2T9oJgmNfEnAFbFUxwgnELqEvEC5ITjkVMEaYPJk=; b=USSi4n0S30API4z7/ouBePwh45GO7jTnSPZNg0Bqw/BLcGXjG6REfD3Jr9CZ1rNH+S 2SOTMSmxkO29x9WqajuDri3RyymknXJb3dOpM9Zv32lEDhJeMrFLPAjbQf20gEl/h0Th rVWAdwxP1mNeUDV6PhKNrgow8qY0rzTBQEMw0RBTgnvYxAkZlb07amyCT6fp4AeBVzxl u8gG2Mi/Zfa3a2PMXB2MSL1BADj8PJhBk5e8atPDs65pHXNKY/2ozXtHMDiOvcndQWCF Yi9BLNh4pzQiIgTY51KGr7NMbqeGoEXrKe+VpCdze9fqG7+vyxlvdNahJjXdc04hPHCM 6CvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=F2L2T9oJgmNfEnAFbFUxwgnELqEvEC5ITjkVMEaYPJk=; b=NSuOKHKZHGg9XwrPRil1ZolnO8Ww5TVxAeVlVY9ZNY4AEi8AsN/uMacYlzFzSEb6Mo AXVsnlxl5a539I4H2RFE2XSkUp8G4WodxSUgBe7lruTDol3Jfv9/qko5PpG5an/0MLoK fmyOG5L+YXU2x4JkiDpC2PMG0RVJGbEzixEC+tv7k7agbxh2WJEPjgwWWqccfK1U/Q5o rYZ/wkqh/oodaP3XgYUSLec3LNb+NB3Ocxe/2hmOiNINg3ofIxE9O/NRK5EU1mbo6zfy da/tW+4mnXuuDnyJEb/RWCLePqmVWLeBMxCL9baN2rD3nn8T+dJekMVf156ijdY/3gft 53hQ== X-Gm-Message-State: AJcUuke9PG34v+1x5nKU0G/nhjKca9K2Z5keXYgboxuGIwao3WfJ2wE9 j128YKW5XuZnLhC4G9w7AYme53X8 X-Google-Smtp-Source: ALg8bN7LRCtqzDiWWUqlZL85LxgZzSkQOfol1vIor2N3Mnx1DeDFFGq5YXcW1pYqZtxFRutnRjIFdQ== X-Received: by 2002:a63:4566:: with SMTP id u38mr4472393pgk.4.1546176563247; Sun, 30 Dec 2018 05:29:23 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id n73sm74103091pfj.148.2018.12.30.05.29.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 30 Dec 2018 05:29:22 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: Greg Kroah-Hartman , "Rafael J . Wysocki" , Pavel Machek , Len Brown , "Martin K . Petersen" , Randy Dunlap , Joe Perches , Bart Van Assche Cc: linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, "Lee, Chun-Yi" , Chen Yu , Giovanni Gherdovich , Jann Horn , Andy Lutomirski Subject: [PATCH 0/2] [RFC] sysfs: Add hook for checking the file capability of opener Date: Sun, 30 Dec 2018 21:28:54 +0800 Message-Id: <20181230132856.24095-1-jlee@suse.com> X-Mailer: git-send-email 2.12.3 Sender: linux-pm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP There have some discussion in the following mail loop about checking capability in sysfs write handler: https://lkml.org/lkml/2018/9/13/978 Sometimes we check the capability in sysfs implementation by using capable function. But the checking can be bypassed by opening sysfs file within an unprivileged process then writing the file within a privileged process. The tricking way has been exposed by Andy Lutomirski for CVE-2013-1959. Because the sysfs_ops does not forward the file descriptor to the show/store callback, there doesn't have chance to check the capability of file's opener. This patch adds the hook to sysfs_ops that allows different implementation in object and attribute levels for checking file capable before accessing sysfs interfaces. The callback function of kobject sysfs_ops is the first implementation of new hook. It casts attribute to kobj_attribute then calls the file capability callback function of attribute level. The same logic can be implemented in other sysfs file types, like: device, driver and bus type. The capability checking logic in wake_lock/wake_unlock sysfs interface is the first example for kobject. It will check the opener's capability. Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Cc: Chen Yu Cc: Giovanni Gherdovich Cc: Jann Horn Cc: Andy Lutomirski Cc: Pavel Machek Cc: Len Brown Cc: "Martin K. Petersen" Cc: Randy Dunlap Cc: Joe Perches Cc: Bart Van Assche Signed-off-by: "Lee, Chun-Yi" Lee, Chun-Yi (2): sysfs: Add hook for checking the file capable PM / Sleep: Checking the file capability when writing wak lock interface fs/sysfs/file.c | 8 ++++++++ include/linux/kobject.h | 2 ++ include/linux/sysfs.h | 2 ++ kernel/power/main.c | 14 ++++++++++++++ kernel/power/wakelock.c | 6 ------ lib/kobject.c | 26 ++++++++++++++++++++++++++ 6 files changed, 52 insertions(+), 6 deletions(-)