From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.7 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD5A0C433E0 for ; Fri, 15 Jan 2021 14:59:26 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 8475823370 for ; Fri, 15 Jan 2021 14:59:26 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8475823370 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id A5CA18D0184; Fri, 15 Jan 2021 09:59:15 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 8F55A8D0186; Fri, 15 Jan 2021 09:59:15 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 668F98D0187; Fri, 15 Jan 2021 09:59:15 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0149.hostedemail.com [216.40.44.149]) by kanga.kvack.org (Postfix) with ESMTP id 3FB278D0187 for ; Fri, 15 Jan 2021 09:59:15 -0500 (EST) Received: from smtpin13.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 087F5181AEF3C for ; Fri, 15 Jan 2021 14:59:15 +0000 (UTC) X-FDA: 77708317470.13.hour92_6112df727530 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin13.hostedemail.com (Postfix) with ESMTP id DD81418140B69 for ; Fri, 15 Jan 2021 14:59:14 +0000 (UTC) X-HE-Tag: hour92_6112df727530 X-Filterd-Recvd-Size: 4244 Received: from raptor.unsafe.ru (raptor.unsafe.ru [5.9.43.93]) by imf06.hostedemail.com (Postfix) with ESMTP for ; Fri, 15 Jan 2021 14:59:14 +0000 (UTC) Received: from comp-core-i7-2640m-0182e6.redhat.com (ip-89-103-122-167.net.upcbroadband.cz [89.103.122.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by raptor.unsafe.ru (Postfix) with ESMTPSA id BB5F720A22; Fri, 15 Jan 2021 14:59:13 +0000 (UTC) From: Alexey Gladkov To: LKML , io-uring@vger.kernel.org, Kernel Hardening , Linux Containers , linux-mm@kvack.org Cc: Alexey Gladkov , Andrew Morton , Christian Brauner , "Eric W . Biederman" , Jann Horn , Jens Axboe , Kees Cook , Linus Torvalds , Oleg Nesterov Subject: [RFC PATCH v3 7/8] Move RLIMIT_NPROC check to the place where we increment the counter Date: Fri, 15 Jan 2021 15:57:28 +0100 Message-Id: <0829877fe0381f10d927bb94548021224e72f3c9.1610722474.git.gladkov.alexey@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: References: MIME-Version: 1.0 X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Fri, 15 Jan 2021 14:59:14 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: After calling set_user(), we always have to call commit_creds() to apply new credentials upon the current task. There is no need to separate limit check and counter incrementing. Signed-off-by: Alexey Gladkov --- kernel/cred.c | 22 +++++++++++++++++----- kernel/sys.c | 13 ------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index c43e30407d22..991c43559ee8 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -487,14 +487,26 @@ int commit_creds(struct cred *new) if (!gid_eq(new->fsgid, old->fsgid)) key_fsgid_changed(new); =20 - /* do it - * RLIMIT_NPROC limits on user->processes have already been checked - * in set_user(). - */ alter_cred_subscribers(new, 2); if (new->user !=3D old->user || new->user_ns !=3D old->user_ns) { + bool overlimit; + set_cred_ucounts(new, new->user_ns, new->euid); - inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1); + + overlimit =3D inc_rlimit_ucounts_and_test(new->ucounts, UCOUNT_RLIMIT_= NPROC, + 1, rlimit(RLIMIT_NPROC)); + + /* + * We don't fail in case of NPROC limit excess here because too many + * poorly written programs don't check set*uid() return code, assuming + * it never fails if called by root. We may still enforce NPROC limit + * for programs doing set*uid()+execve() by harmlessly deferring the + * failure to the execve() stage. + */ + if (overlimit && new->user !=3D INIT_USER) + current->flags |=3D PF_NPROC_EXCEEDED; + else + current->flags &=3D ~PF_NPROC_EXCEEDED; } rcu_assign_pointer(task->real_cred, new); rcu_assign_pointer(task->cred, new); diff --git a/kernel/sys.c b/kernel/sys.c index c2734ab9474e..180c4e06064f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -467,19 +467,6 @@ static int set_user(struct cred *new) if (!new_user) return -EAGAIN; =20 - /* - * We don't fail in case of NPROC limit excess here because too many - * poorly written programs don't check set*uid() return code, assuming - * it never fails if called by root. We may still enforce NPROC limit - * for programs doing set*uid()+execve() by harmlessly deferring the - * failure to the execve() stage. - */ - if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIM= IT_NPROC)) && - new_user !=3D INIT_USER) - current->flags |=3D PF_NPROC_EXCEEDED; - else - current->flags &=3D ~PF_NPROC_EXCEEDED; - free_uid(new->user); new->user =3D new_user; return 0; --=20 2.29.2