From patchwork Thu Dec 26 18:02:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sargun Dhillon X-Patchwork-Id: 11310645 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9CA7A138D for ; Thu, 26 Dec 2019 18:02:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 798CA20740 for ; Thu, 26 Dec 2019 18:02:58 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=sargun.me header.i=@sargun.me header.b="eYQYnmtT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726809AbfLZSCx (ORCPT ); Thu, 26 Dec 2019 13:02:53 -0500 Received: from mail-il1-f194.google.com ([209.85.166.194]:33970 "EHLO mail-il1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726453AbfLZSCw (ORCPT ); Thu, 26 Dec 2019 13:02:52 -0500 Received: by mail-il1-f194.google.com with SMTP id s15so20736744iln.1 for ; Thu, 26 Dec 2019 10:02:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=95zWt2Z69IUHsLURwx9n6gzaWPPvYgMk/GcCPX29V/c=; b=eYQYnmtTVq7IAkoD6mWevnIm4ZAF0ODJg6TaWUapN+4jsEXr066HZiedbNvlQVSgxo k6I/mQ1woCg1NwlBKmVk328kcyssV0EhpUy+uG9LdtOM02C/JbMHeTjdSSpwM6nrARTN MlQHaHs1XR9871stmPtkLuWZ66yIu6wKJgu9M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=95zWt2Z69IUHsLURwx9n6gzaWPPvYgMk/GcCPX29V/c=; b=gaXsxgM5j/CaziUJ2SPRiIz6cWBji8p/ouZIYuMFC9vh31ZYKzD07IHzPBX6RkLxTW Tak0pMYBtO7RxCRmgBHFNp9gBjIA8h/8h3DdIoYRvG4HJTJ3ZS8fRFgXDdZkhyTGWt1S n12f+ZzZW8AxYGPJyvSGvoTFmgufVb0hnqyYUuKaE6+unfMYI/M1b9lqmg9kdNwjXDas ebtIpqJIVFbD9q1kq59P/dgoz+iH4vBVdRy0U3ubAzH44SOaOCl6Vmotw8Yzs+aaB918 jYl4QPiNiMMsc7Jz1G3O+ptnZ4DpmQCeJWC4k8zbedg+TxjxhwBbuDaTAZOKWB6tFcyP UqCw== X-Gm-Message-State: APjAAAVHQSuADbERXqhX7NObbI5yaPBC1UUeDlcFElSFLW3+iOOxWTbC jDjPGG16Eln+YUDvRNSfXRlocA== X-Google-Smtp-Source: APXvYqwuPh0h8udaoUmMS8XY1wHMNfY0+1txaS/KPwC/sTG9xo4FvqM8qLvYSotQm+JfRptnjC6p3g== X-Received: by 2002:a92:9c48:: with SMTP id h69mr35887985ili.222.1577383372217; Thu, 26 Dec 2019 10:02:52 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id l83sm12442170ild.34.2019.12.26.10.02.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Dec 2019 10:02:50 -0800 (PST) Date: Thu, 26 Dec 2019 18:02:47 +0000 From: Sargun Dhillon To: linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org Cc: tycho@tycho.ws, jannh@google.com, cyphar@cyphar.com, christian.brauner@ubuntu.com, oleg@redhat.com, luto@amacapital.net, viro@zeniv.linux.org.uk, gpascutto@mozilla.com, ealvarez@mozilla.com, fweimer@redhat.com, jld@mozilla.com, arnd@arndb.de Subject: [PATCH v7 1/3] vfs, fdtable: Add get_task_file helper Message-ID: <20191226180245.GA29398@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org This introduces a function which can be used to fetch a file, given an arbitrary task. As long as the user holds a reference (refcnt) to the task_struct it is safe to call, and will either return NULL on failure, or a pointer to the file, with a refcnt. This patch is based on Oleg Nesterov's (cf. [1]) patch from September 2018. [1]: Link: https://lore.kernel.org/r/20180915160423.GA31461@redhat.com Signed-off-by: Sargun Dhillon Suggested-by: Oleg Nesterov Acked-by: Christian Brauner --- fs/file.c | 21 +++++++++++++++++++-- include/linux/file.h | 2 ++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index 2f4fcf985079..d3bdb1717d1e 100644 --- a/fs/file.c +++ b/fs/file.c @@ -706,9 +706,9 @@ void do_close_on_exec(struct files_struct *files) spin_unlock(&files->file_lock); } -static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs) +static struct file *__fget_files(struct files_struct *files, unsigned int fd, + fmode_t mask, unsigned int refs) { - struct files_struct *files = current->files; struct file *file; rcu_read_lock(); @@ -729,6 +729,11 @@ static struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs) return file; } +static inline struct file *__fget(unsigned int fd, fmode_t mask, unsigned int refs) +{ + return __fget_files(current->files, fd, mask, refs); +} + struct file *fget_many(unsigned int fd, unsigned int refs) { return __fget(fd, FMODE_PATH, refs); @@ -746,6 +751,18 @@ struct file *fget_raw(unsigned int fd) } EXPORT_SYMBOL(fget_raw); +struct file *fget_task(struct task_struct *task, unsigned int fd) +{ + struct file *file = NULL; + + task_lock(task); + if (task->files) + file = __fget_files(task->files, fd, 0, 1); + task_unlock(task); + + return file; +} + /* * Lightweight file lookup - no refcnt increment if fd table isn't shared. * diff --git a/include/linux/file.h b/include/linux/file.h index 3fcddff56bc4..c6c7b24ea9f7 100644 --- a/include/linux/file.h +++ b/include/linux/file.h @@ -16,6 +16,7 @@ extern void fput(struct file *); extern void fput_many(struct file *, unsigned int); struct file_operations; +struct task_struct; struct vfsmount; struct dentry; struct inode; @@ -47,6 +48,7 @@ static inline void fdput(struct fd fd) extern struct file *fget(unsigned int fd); extern struct file *fget_many(unsigned int fd, unsigned int refs); extern struct file *fget_raw(unsigned int fd); +extern struct file *fget_task(struct task_struct *task, unsigned int fd); extern unsigned long __fdget(unsigned int fd); extern unsigned long __fdget_raw(unsigned int fd); extern unsigned long __fdget_pos(unsigned int fd); From patchwork Thu Dec 26 18:03:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sargun Dhillon X-Patchwork-Id: 11310647 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D70A614E3 for ; Thu, 26 Dec 2019 18:03:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A9DEB20740 for ; Thu, 26 Dec 2019 18:03:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=sargun.me header.i=@sargun.me header.b="lavHEYAV" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726761AbfLZSD6 (ORCPT ); Thu, 26 Dec 2019 13:03:58 -0500 Received: from mail-io1-f66.google.com ([209.85.166.66]:43469 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726728AbfLZSD5 (ORCPT ); Thu, 26 Dec 2019 13:03:57 -0500 Received: by mail-io1-f66.google.com with SMTP id n21so22265658ioo.10 for ; Thu, 26 Dec 2019 10:03:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=1EjxEMjVAWnnOpLxKk+KMm00zqnEJXfhZTgbcuw5aho=; b=lavHEYAVQwUJaao27wruGeWXLE37b4y4s43TjmHTyqFgXAPft+KO95RsFm9cmG1e5/ jnb2tnGZEh7QQZjqKQad6PpVJcwnCspdp+j8FOAOTwxKllIy+BtfRehQw18c/jCXobXW 268UaI4I+gDQI6zHBUJeuXcg42QCN6ulIB/vw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=1EjxEMjVAWnnOpLxKk+KMm00zqnEJXfhZTgbcuw5aho=; b=cLfyglOXa6LD52xW4S/JLnstBDfz6IulcavqRkTdnA6O+ru1BDhmwOaP3U1p2eDMVx LhmzgVzrAhDBq6eT81zIj1nRPzcGIf+cF8QSf0GWggONiTO2aLp3wuvBaFGgoDFqu7wM raDgOOXo+bMw5tFaFMW5ZTyXrL5UEXuSpaJkMXEBVTkcat9m+SMmkSXxyH3G6WGWusxb NItzEkw0WtLPlTD4zBTg/vFmgxH42oQl5keikjrbGZz48p+IGIB86jRTb5MLJZ9IiFGh jODxu2he6l/iuYFGm0GlZIy2fRlLZDjtiuglmm+y6FEUCPDD5eKODEO7XwHZyOkoZPII VN8A== X-Gm-Message-State: APjAAAWx89Ko+S2We8jb9bjscMq7zL5NNt9Buig8W4Lbn+qKH14qw73h Nu2ZoLdC/nDq3eMOtO95RzCXgg== X-Google-Smtp-Source: APXvYqyrKdccQKqV+UAWe0PRcaA/gPL90pgkebGYNNgkX86qD4QocmrS4nMC4O3k6LdztSrrw1pSiQ== X-Received: by 2002:a6b:8f87:: with SMTP id r129mr28461961iod.46.1577383436708; Thu, 26 Dec 2019 10:03:56 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id h71sm12409796ila.30.2019.12.26.10.03.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Dec 2019 10:03:38 -0800 (PST) Date: Thu, 26 Dec 2019 18:03:36 +0000 From: Sargun Dhillon To: linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org Cc: tycho@tycho.ws, jannh@google.com, cyphar@cyphar.com, christian.brauner@ubuntu.com, oleg@redhat.com, luto@amacapital.net, viro@zeniv.linux.org.uk, gpascutto@mozilla.com, ealvarez@mozilla.com, fweimer@redhat.com, jld@mozilla.com, arnd@arndb.de Subject: [PATCH v7 2/3] pid: Introduce pidfd_getfd syscall Message-ID: <20191226180334.GA29409@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org This syscall allows for the retrieval of file descriptors from other processes, based on their pidfd. This is possible using ptrace, and injection of parasitic code to inject code which leverages SCM_RIGHTS to move file descriptors between a tracee and a tracer. Unfortunately, ptrace comes with a high cost of requiring the process to be stopped, and breaks debuggers. This does not require stopping the process under manipulation. One reason to use this is to allow sandboxers to take actions on file descriptors on the behalf of another process. For example, this can be combined with seccomp-bpf's user notification to do on-demand fd extraction and take privileged actions. One such privileged action is binding a socket to a privileged port. This also adds the syscall to all architectures at the same time. /* prototype */ /* flags is currently reserved and should be set to 0 */ int sys_pidfd_getfd(int pidfd, int fd, unsigned int flags); /* testing */ Ran self-test suite on x86_64 Signed-off-by: Sargun Dhillon Cc: Christian Brauner Reported-by: kbuild test robot --- arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + include/linux/syscalls.h | 1 + include/uapi/asm-generic/unistd.h | 4 +- kernel/pid.c | 103 ++++++++++++++++++++ 21 files changed, 126 insertions(+), 2 deletions(-) diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl index 8e13b0b2928d..d1cac0d657b7 100644 --- a/arch/alpha/kernel/syscalls/syscall.tbl +++ b/arch/alpha/kernel/syscalls/syscall.tbl @@ -475,3 +475,4 @@ 543 common fspick sys_fspick 544 common pidfd_open sys_pidfd_open # 545 reserved for clone3 +548 common pidfd_getfd sys_pidfd diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl index 6da7dc4d79cc..ba045e2f3a60 100644 --- a/arch/arm/tools/syscall.tbl +++ b/arch/arm/tools/syscall.tbl @@ -449,3 +449,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open 435 common clone3 sys_clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 2629a68b8724..b722e47377a5 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -38,7 +38,7 @@ #define __ARM_NR_compat_set_tls (__ARM_NR_COMPAT_BASE + 5) #define __ARM_NR_COMPAT_END (__ARM_NR_COMPAT_BASE + 0x800) -#define __NR_compat_syscalls 436 +#define __NR_compat_syscalls 439 #endif #define __ARCH_WANT_SYS_CLONE diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 94ab29cf4f00..a8da97a2de41 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -879,6 +879,8 @@ __SYSCALL(__NR_fspick, sys_fspick) __SYSCALL(__NR_pidfd_open, sys_pidfd_open) #define __NR_clone3 435 __SYSCALL(__NR_clone3, sys_clone3) +#define __NR_pidfd_getfd 438 +__SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) /* * Please add new compat syscalls above this comment and update diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl index 36d5faf4c86c..2b11adfc860c 100644 --- a/arch/ia64/kernel/syscalls/syscall.tbl +++ b/arch/ia64/kernel/syscalls/syscall.tbl @@ -356,3 +356,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open # 435 reserved for clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl index a88a285a0e5f..44e879e98459 100644 --- a/arch/m68k/kernel/syscalls/syscall.tbl +++ b/arch/m68k/kernel/syscalls/syscall.tbl @@ -435,3 +435,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open # 435 reserved for clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl index 09b0cd7dab0a..7afa00125cc4 100644 --- a/arch/microblaze/kernel/syscalls/syscall.tbl +++ b/arch/microblaze/kernel/syscalls/syscall.tbl @@ -441,3 +441,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open 435 common clone3 sys_clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl index e7c5ab38e403..856d5ba34461 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -374,3 +374,4 @@ 433 n32 fspick sys_fspick 434 n32 pidfd_open sys_pidfd_open 435 n32 clone3 __sys_clone3 +438 n32 pidfd_getfd sys_pidfd_getfd diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl index 13cd66581f3b..2db6075352f3 100644 --- a/arch/mips/kernel/syscalls/syscall_n64.tbl +++ b/arch/mips/kernel/syscalls/syscall_n64.tbl @@ -350,3 +350,4 @@ 433 n64 fspick sys_fspick 434 n64 pidfd_open sys_pidfd_open 435 n64 clone3 __sys_clone3 +438 n64 pidfd_getfd sys_pidfd_getfd diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl index 353539ea4140..e9f9d4a9b105 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -423,3 +423,4 @@ 433 o32 fspick sys_fspick 434 o32 pidfd_open sys_pidfd_open 435 o32 clone3 __sys_clone3 +438 o32 pidfd_getfd sys_pidfd_getfd diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl index 285ff516150c..c58c7eb144ca 100644 --- a/arch/parisc/kernel/syscalls/syscall.tbl +++ b/arch/parisc/kernel/syscalls/syscall.tbl @@ -433,3 +433,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open 435 common clone3 sys_clone3_wrapper +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl index 43f736ed47f2..707609bfe3ea 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -517,3 +517,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open 435 nospu clone3 ppc_clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl index 3054e9c035a3..185cd624face 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -438,3 +438,4 @@ 433 common fspick sys_fspick sys_fspick 434 common pidfd_open sys_pidfd_open sys_pidfd_open 435 common clone3 sys_clone3 sys_clone3 +438 common pidfd_getfd sys_pidfd_getfd sys_pidfd_getfd diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl index b5ed26c4c005..88f90895aad8 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -438,3 +438,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open # 435 reserved for clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl index 8c8cc7537fb2..218df6a2326e 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl +++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -481,3 +481,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open # 435 reserved for clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 15908eb9b17e..9c3101b65e0f 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -440,3 +440,4 @@ 433 i386 fspick sys_fspick __ia32_sys_fspick 434 i386 pidfd_open sys_pidfd_open __ia32_sys_pidfd_open 435 i386 clone3 sys_clone3 __ia32_sys_clone3 +438 i386 pidfd_getfd sys_pidfd_getfd __ia32_sys_pidfd_getfd diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index c29976eca4a8..cef85db75a62 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -357,6 +357,7 @@ 433 common fspick __x64_sys_fspick 434 common pidfd_open __x64_sys_pidfd_open 435 common clone3 __x64_sys_clone3/ptregs +438 common pidfd_getfd __x64_sys_pidfd_getfd # # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl index 25f4de729a6d..ae15183def12 100644 --- a/arch/xtensa/kernel/syscalls/syscall.tbl +++ b/arch/xtensa/kernel/syscalls/syscall.tbl @@ -406,3 +406,4 @@ 433 common fspick sys_fspick 434 common pidfd_open sys_pidfd_open 435 common clone3 sys_clone3 +438 common pidfd_getfd sys_pidfd_getfd diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 2960dedcfde8..5edbc31af51f 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -1000,6 +1000,7 @@ asmlinkage long sys_fspick(int dfd, const char __user *path, unsigned int flags) asmlinkage long sys_pidfd_send_signal(int pidfd, int sig, siginfo_t __user *info, unsigned int flags); +asmlinkage long sys_pidfd_getfd(int pidfd, int fd, unsigned int flags); /* * Architecture-specific system calls diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 1fc8faa6e973..d36ec3d645bd 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -850,9 +850,11 @@ __SYSCALL(__NR_pidfd_open, sys_pidfd_open) #define __NR_clone3 435 __SYSCALL(__NR_clone3, sys_clone3) #endif +#define __NR_pidfd_getfd 438 +__SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) #undef __NR_syscalls -#define __NR_syscalls 436 +#define __NR_syscalls 439 /* * 32 bit systems traditionally used different diff --git a/kernel/pid.c b/kernel/pid.c index 2278e249141d..4a551f947869 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -578,3 +578,106 @@ void __init pid_idr_init(void) init_pid_ns.pid_cachep = KMEM_CACHE(pid, SLAB_HWCACHE_ALIGN | SLAB_PANIC | SLAB_ACCOUNT); } + +static struct file *__pidfd_fget(struct task_struct *task, int fd) +{ + struct file *file; + int ret; + + ret = mutex_lock_killable(&task->signal->cred_guard_mutex); + if (ret) + return ERR_PTR(ret); + + if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) { + file = ERR_PTR(-EPERM); + goto out; + } + + file = fget_task(task, fd); + if (!file) + file = ERR_PTR(-EBADF); + +out: + mutex_unlock(&task->signal->cred_guard_mutex); + return file; +} + +static int pidfd_getfd(struct pid *pid, int fd) +{ + struct task_struct *task; + struct file *file; + int ret, retfd; + + task = get_pid_task(pid, PIDTYPE_PID); + if (!task) + return -ESRCH; + + file = __pidfd_fget(task, fd); + put_task_struct(task); + if (IS_ERR(file)) + return PTR_ERR(file); + + retfd = get_unused_fd_flags(O_CLOEXEC); + if (retfd < 0) { + ret = retfd; + goto out; + } + + /* + * security_file_receive must come last since it may have side effects + * and cannot be reversed. + */ + ret = security_file_receive(file); + if (ret) + goto out_put_fd; + + fd_install(retfd, file); + return retfd; + +out_put_fd: + put_unused_fd(retfd); +out: + fput(file); + return ret; +} + +/** + * sys_pidfd_getfd() - Get a file descriptor from another process + * + * @pidfd: the pidfd file descriptor of the process + * @fd: the file descriptor number to get + * @flags: flags on how to get the fd (reserved) + * + * This syscall gets a copy of a file descriptor from another process + * based on the pidfd, and file descriptor number. It requires that + * the calling process has the ability to ptrace the process represented + * by the pidfd. The process which is having its file descriptor copied + * is otherwise unaffected. + * + * Return: On success, a cloexec file descriptor is returned. + * On error, a negative errno number will be returned. + */ +SYSCALL_DEFINE3(pidfd_getfd, int, pidfd, int, fd, + unsigned int, flags) +{ + struct pid *pid; + struct fd f; + int ret; + + /* flags is currently unused - make sure it's unset */ + if (flags) + return -EINVAL; + + f = fdget(pidfd); + if (!f.file) + return -EBADF; + + pid = pidfd_pid(f.file); + if (IS_ERR(pid)) + ret = PTR_ERR(pid); + else + ret = pidfd_getfd(pid, fd); + + fdput(f); + return ret; +} From patchwork Thu Dec 26 18:04:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sargun Dhillon X-Patchwork-Id: 11310649 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0CCA5138D for ; Thu, 26 Dec 2019 18:04:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DEBB220CC7 for ; Thu, 26 Dec 2019 18:04:20 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=sargun.me header.i=@sargun.me header.b="AR3D9T3p" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726985AbfLZSEP (ORCPT ); Thu, 26 Dec 2019 13:04:15 -0500 Received: from mail-io1-f65.google.com ([209.85.166.65]:40936 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726971AbfLZSEO (ORCPT ); Thu, 26 Dec 2019 13:04:14 -0500 Received: by mail-io1-f65.google.com with SMTP id x1so23834994iop.7 for ; Thu, 26 Dec 2019 10:04:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=pfSnT+Om3m1uUNyLpTf08/skVXUOjsI2l4qjm6wUW30=; b=AR3D9T3pPU/4+WxR6ZIJuqTz4zeYnU/vabofnHqaxolqnBtKHqwvPPtCNxKGHL1UlG 4QyvK05MQxZGGYxCZzr+tXqv/87UbSTOzUIKKQ3toUyN60kQioPW1z2Ekh477QoggNyp aXPyYuJTBIt5DZEnNrfE6saUwXvenWT+OnFwk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=pfSnT+Om3m1uUNyLpTf08/skVXUOjsI2l4qjm6wUW30=; b=sw5CM7bQhAz/dS7fH+RlM1LfHWDmkZsdKQINWfK4OfiuJEVOkY5al1HNCzqiLjEWsd dwEpw6gQipNhixr9Wg9sk7fkVVoGq1zq8j79EdQKGm/YBv5fTSOnwqaDwPFKwFyBi7qr eV7Av25h5yh1O2HbIAfhqQkZMClJ1k0OjXb/ovu+PdCpH0puRm8y8zm/CoeUcFy3HlzK G1Fmwhfg2kQrR2AT+uLpdV0kfzxH6CTE0f/FyBFBORQ7EbIUc6Jezv4pY5iJpKb+VQsC zk3rHxA9nyAWqIJKQrtgk40Y5DOs2bJ/LaEL4CV/52K/RmM6VoQVpBzM2VKWxD/TvtRY 1bUA== X-Gm-Message-State: APjAAAUYLWbg0i8IsnNJTJverGjnYzoxXYvnHgRHetQvogVqdvnrsGSA XcaSRrZavZtz0jklDYfhZ2iqqw== X-Google-Smtp-Source: APXvYqzusz4qv8K5i1A5Q2zFmJOQl3aOdoQOWn4la8O0SvMZQMuaWtgxcTLH63Tmiz4u62J9wuS9ng== X-Received: by 2002:a6b:8e51:: with SMTP id q78mr30157453iod.179.1577383453542; Thu, 26 Dec 2019 10:04:13 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id y11sm8706401iot.19.2019.12.26.10.04.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Dec 2019 10:04:12 -0800 (PST) Date: Thu, 26 Dec 2019 18:04:11 +0000 From: Sargun Dhillon To: linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org Cc: tycho@tycho.ws, jannh@google.com, cyphar@cyphar.com, christian.brauner@ubuntu.com, oleg@redhat.com, luto@amacapital.net, viro@zeniv.linux.org.uk, gpascutto@mozilla.com, ealvarez@mozilla.com, fweimer@redhat.com, jld@mozilla.com, arnd@arndb.de Subject: [PATCH v7 3/3] test: Add test for pidfd getfd Message-ID: <20191226180408.GA29421@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org This adds four tests: * Fetch FD, and then compare via kcmp * Read data from FD to make sure it works * Make sure getfd can be blocked by blocking ptrace_may_access * Making sure fetching bad FDs fails * Make sure trying to set flags to non-zero results in an EINVAL Signed-off-by: Sargun Dhillon --- tools/testing/selftests/pidfd/.gitignore | 1 + tools/testing/selftests/pidfd/Makefile | 2 +- .../selftests/pidfd/pidfd_getfd_test.c | 254 ++++++++++++++++++ 3 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/pidfd/pidfd_getfd_test.c diff --git a/tools/testing/selftests/pidfd/.gitignore b/tools/testing/selftests/pidfd/.gitignore index 8d069490e17b..3a779c084d96 100644 --- a/tools/testing/selftests/pidfd/.gitignore +++ b/tools/testing/selftests/pidfd/.gitignore @@ -2,3 +2,4 @@ pidfd_open_test pidfd_poll_test pidfd_test pidfd_wait +pidfd_getfd_test diff --git a/tools/testing/selftests/pidfd/Makefile b/tools/testing/selftests/pidfd/Makefile index 43db1b98e845..75a545861375 100644 --- a/tools/testing/selftests/pidfd/Makefile +++ b/tools/testing/selftests/pidfd/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-only CFLAGS += -g -I../../../../usr/include/ -pthread -TEST_GEN_PROGS := pidfd_test pidfd_fdinfo_test pidfd_open_test pidfd_poll_test pidfd_wait +TEST_GEN_PROGS := pidfd_test pidfd_fdinfo_test pidfd_open_test pidfd_poll_test pidfd_wait pidfd_getfd_test include ../lib.mk diff --git a/tools/testing/selftests/pidfd/pidfd_getfd_test.c b/tools/testing/selftests/pidfd/pidfd_getfd_test.c new file mode 100644 index 000000000000..4505e68a07ac --- /dev/null +++ b/tools/testing/selftests/pidfd/pidfd_getfd_test.c @@ -0,0 +1,254 @@ +// SPDX-License-Identifier: GPL-2.0 + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "pidfd.h" +#include "../kselftest.h" + +#define WELL_KNOWN_CHILD_FD 100 +#define UNKNOWN_FD 111 +#define SECRET_MESSAGE "secret" + +static int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, + unsigned long idx2) +{ + errno = 0; + return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2); +} + +/* Flags is currently reserved, so it is not exposed, and passed as 0 */ +static int pidfd_getfd(int pidfd, int fd) +{ + errno = 0; + return syscall(__NR_pidfd_getfd, pidfd, fd, 0); +} + +static int child(bool disable_ptrace, int sk) +{ + char buf[1024]; + int ret, fd; + + ret = prctl(PR_SET_PDEATHSIG, SIGKILL); + if (ret) + ksft_exit_fail_msg("%s: Child could not set DEATHSIG\n", + strerror(errno)); + + fd = syscall(SYS_memfd_create, "test", 0); + if (fd < 0) + ksft_exit_fail_msg("%s: Child could not create memfd\n", + strerror(errno)); + + ret = write(fd, SECRET_MESSAGE, sizeof(SECRET_MESSAGE)); + if (ret < 0) + ksft_exit_fail_msg("%s: Child could not write secret message\n", + strerror(errno)); + + ret = dup2(fd, WELL_KNOWN_CHILD_FD); + if (ret < 0) + ksft_exit_fail_msg("%s: Could not dup fd into well-known FD\n", + strerror(errno)); + + ret = close(fd); + if (ret < 0) + ksft_exit_fail_msg("%s: Child could close old fd\n", + strerror(errno)); + + if (disable_ptrace) { + ret = prctl(PR_SET_DUMPABLE, 0); + if (ret < 0) + ksft_exit_fail_msg("%s: Child failed to disable ptrace\n", + strerror(errno)); + } + ret = send(sk, "L", 1, 0); + if (ret < 0) + ksft_exit_fail_msg("%s: Child failed to send launched message\n", + strerror(errno)); + if (ret == 0) + ksft_exit_fail_msg("Failed to send launch message; other side is closed\n"); + + close(sk); + pause(); + + return EXIT_SUCCESS; +} + +static int start_child(bool disable_ptrace, pid_t *childpid) +{ + int pidfd, ret, sk_pair[2]; + char buf[1]; + + if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair) < 0) + ksft_exit_fail_msg("%s: failed to create socketpair\n", + strerror(errno)); + *childpid = fork(); + if (*childpid < 0) + ksft_exit_fail_msg("%s: failed to fork a child process\n", + strerror(errno)); + + if (*childpid == 0) + exit(child(disable_ptrace, sk_pair[1])); + + close(sk_pair[1]); + + pidfd = sys_pidfd_open(*childpid, 0); + if (pidfd < 0) + ksft_exit_fail_msg("%s: failed to pidfd_open\n", + strerror(errno)); + + ret = recv(sk_pair[0], &buf, 1, 0); + if (ret < 0) + ksft_exit_fail_msg("%s: failed read from launch socket\n", + strerror(errno)); + if (ret == 0) + ksft_exit_fail_msg("Failed to read from launch socket, child failed\n"); + + return pidfd; +} + +static void test_kcmp_and_fetch_fd(void) +{ + char buf[sizeof(SECRET_MESSAGE)]; + int fd, pidfd, ret; + pid_t child_pid; + + pidfd = start_child(false, &child_pid); + + fd = pidfd_getfd(pidfd, WELL_KNOWN_CHILD_FD); + if (fd < 0) + ksft_exit_fail_msg("%s: getfd failed\n", strerror(errno)); + + ret = kcmp(getpid(), child_pid, KCMP_FILE, fd, WELL_KNOWN_CHILD_FD); + if (ret != 0) + ksft_exit_fail_msg("Our FD not equal to child FD\n"); + + ksft_test_result_pass("kcmp\n"); + + ret = lseek(fd, 0, SEEK_SET); + if (ret < 0) + ksft_exit_fail_msg("%s: seek failed\n", strerror(errno)); + if (ret != 0) + ksft_exit_fail_msg("%d: unexpected seek position\n", ret); + + ret = read(fd, buf, sizeof(buf)); + if (ret < 0) + ksft_exit_fail_msg("%s: failed to read secret message\n", + strerror(errno)); + + if (strncmp(SECRET_MESSAGE, buf, sizeof(buf)) != 0) + ksft_exit_fail_msg("%s: Secret message not correct\n", buf); + + ret = sys_pidfd_send_signal(pidfd, SIGKILL, NULL, 0); + close(pidfd); + if (ret < 0) + ksft_exit_fail_msg("%s: failed to send kill to child\n", + strerror(errno)); + + ksft_test_result_pass("fetch_and_read\n"); +} + +static void test_no_ptrace(void) +{ + int fd, pidfd, ret, uid; + pid_t child_pid; + + /* turn into nobody if we're root, to avoid CAP_SYS_PTRACE */ + uid = getuid(); + if (uid == 0) + seteuid(USHRT_MAX); + + pidfd = start_child(true, &child_pid); + + fd = pidfd_getfd(pidfd, WELL_KNOWN_CHILD_FD); + if (fd != -1) + ksft_exit_fail_msg("%s: getfd succeeded when ptrace blocked\n", + strerror(errno)); + if (errno != EPERM) + ksft_exit_fail_msg("%s: getfd did not get EPERM\n", + strerror(errno)); + + ret = sys_pidfd_send_signal(pidfd, SIGKILL, NULL, 0); + close(pidfd); + if (ret < 0) + ksft_exit_fail_msg("%s: failed to send kill to child\n", + strerror(errno)); + + if (uid == 0) + seteuid(0); + + ksft_test_result_pass("no_ptrace\n"); +} + +static void test_unknown_fd(void) +{ + int fd, pidfd, ret; + pid_t child_pid; + + pidfd = start_child(false, &child_pid); + + fd = pidfd_getfd(pidfd, UNKNOWN_FD); + if (fd != -1) + ksft_exit_fail_msg("%s: getfd succeeded when fetching unknown FD\n", + strerror(errno)); + if (errno != EBADF) + ksft_exit_fail_msg("%s: getfd did not get EBADF\n", + strerror(errno)); + + ret = sys_pidfd_send_signal(pidfd, SIGKILL, NULL, 0); + close(pidfd); + if (ret < 0) + ksft_exit_fail_msg("%s: failed to send kill to child\n", + strerror(errno)); + + ksft_test_result_pass("unknown_fd\n"); +} + +static void test_flags_set(void) +{ + int ret; + + errno = 0; + ret = syscall(__NR_pidfd_getfd, 0, 1, 1); + if (ret != -1) + ksft_exit_fail_msg("getfd succeeded with invalid flags\n"); + if (errno != EINVAL) + ksft_exit_fail_msg("%s: getfd did not get EINVAL\n", + strerror(errno)); + + ksft_test_result_pass("flags_set\n"); +} + +int main(int argc, char **argv) +{ + char buf[sizeof(SECRET_MESSAGE)]; + int ret, status, fd, pidfd; + pid_t child_pid; + + ksft_print_header(); + ksft_set_plan(5); + + test_kcmp_and_fetch_fd(); + test_unknown_fd(); + test_no_ptrace(); + test_flags_set(); + + return ksft_exit_pass(); +}