[PATCH] RDMA/uverbs: Consider capability of the process that opens the file

Parav Pandit parav at nvidia.com
Wed Apr 23 12:41:26 UTC 2025


> From: Serge E. Hallyn <serge at hallyn.com>
> Sent: Tuesday, April 22, 2025 10:00 PM
> 
> On Tue, Apr 22, 2025 at 01:11:27PM -0300, Jason Gunthorpe wrote:
> > On Tue, Apr 22, 2025 at 08:14:33AM -0500, Serge E. Hallyn wrote:
> > > Hi Jason,
> > >
> > > On Tue, Apr 22, 2025 at 09:46:40AM -0300, Jason Gunthorpe wrote:
> > > > On Mon, Apr 21, 2025 at 12:22:36PM -0500, Serge E. Hallyn wrote:
> > > > > > > 1. the create should check
> > > > > > > ns_capable(current->nsproxy->net->user_ns,
> > > > > > > CAP_NET_RAW)
> > > > > > I believe this is sufficient as this create call happens through the
> ioctl().
> > > > > > But more question on #3.
> > > >
> > > > I think this is the right one to use everywhere.
> > >
> > > It's the right one to use when creating resources, but when later
> > > using them, since below you say that the resource should in fact be
> > > tied to the creator's network namespace, that means that checking
> > > current->nsproxy->net->user_ns would have nothing to do with the
> > > resource being used, right?
> >
> > Yes, in that case you'd check something stored in the uobject.
> 
> Perfect, that's exactly the kind of thing I was looking for.  Thanks.
>
It means the uobject create path will refcount and store user_ns,

uobject->user_ns = get_user_ns(current->nsproxy->net->user_ns);

And uobject destroy will do,
	put_user_ns(uobject->user_ns).

This will ensure that in the below flow we won't have a use-after-free.
1. process_A created object in user_ns_A
2. process_A shared fd with process_B in user_ns_B
3. process_A is killed and
4. freeing user_ns_A is attempted (the free is skipped until the uobject is destroyed by process_B).
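The four-step flow above, replayed as an added, user-space model of the refcounting pattern (this is illustrative code written for this page, not RDMA/uverbs or kernel code). The `struct user_ns`, `get_user_ns()`, `put_user_ns()` and `uobject_*()` functions below are hypothetical stand-ins that only track a reference count and a freed flag; the real kernel helpers of the same names have different types and free the namespace for real. The counter-example function shows what the pinned reference prevents: a raw pointer stored without `get_user_ns()` dangles as soon as the creator's own reference is dropped.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not the kernel's struct user_namespace): a count and a
 * "freed" flag so the namespace lifetime can be observed from a test. */
struct user_ns {
    int refcount;
    bool freed;
};

/* Stand-in for the kernel's get_user_ns(): take a reference, return the pointer. */
static struct user_ns *get_user_ns(struct user_ns *ns)
{
    ns->refcount++;
    return ns;
}

/* Stand-in for put_user_ns(): drop a reference; release on the last one. */
static void put_user_ns(struct user_ns *ns)
{
    assert(ns->refcount > 0);
    if (--ns->refcount == 0)
        ns->freed = true;   /* the kernel would actually free the namespace here */
}

/* Hypothetical uobject: pins the creator's net->user_ns with a reference. */
struct uobject {
    struct user_ns *user_ns;
};

/* Create path, as described in the message: refcount and store user_ns. */
static struct uobject *uobject_create(struct user_ns *creator_net_user_ns)
{
    struct uobject *uobj = calloc(1, sizeof(*uobj));
    if (!uobj)
        return NULL;
    uobj->user_ns = get_user_ns(creator_net_user_ns);
    return uobj;
}

/* Destroy path: drop the pinned reference, then free the object. */
static void uobject_destroy(struct uobject *uobj)
{
    put_user_ns(uobj->user_ns);
    free(uobj);
}

/* Replays steps 1-4. Returns true when user_ns_A stays alive while process_B
 * still holds the uobject and is freed only after process_B destroys it. */
static bool pinned_flow_is_safe(void)
{
    struct user_ns ns_A = { .refcount = 1, .freed = false }; /* process_A's own ref */

    /* 1. process_A creates the object in user_ns_A. */
    struct uobject *uobj = uobject_create(&ns_A);
    if (!uobj)
        return false;

    /* 2. process_A shares the fd with process_B: no namespace refs change. */

    /* 3. process_A is killed: its own reference to user_ns_A is dropped. */
    put_user_ns(&ns_A);

    /* 4. The free of user_ns_A is skipped because uobj still pins it. */
    bool alive_while_shared = !ns_A.freed && uobj->user_ns == &ns_A;

    /* process_B eventually destroys the uobject; the last reference goes now. */
    uobject_destroy(uobj);
    return alive_while_shared && ns_A.freed;
}

/* Counter-example: a raw pointer stored without get_user_ns() dangles once
 * process_A's reference is dropped; any later use of it is a use-after-free. */
static bool unpinned_pointer_dangles(void)
{
    struct user_ns ns_A = { .refcount = 1, .freed = false };
    struct user_ns *raw = &ns_A;   /* stored without taking a reference */
    put_user_ns(&ns_A);            /* process_A exits */
    return raw->freed;             /* true: the pointee is gone */
}

int main(void)
{
    printf("pinned reference: %s\n", pinned_flow_is_safe() ? "safe" : "UNSAFE");
    printf("unpinned pointer: %s\n", unpinned_pointer_dangles() ? "dangles" : "ok");
    return 0;
}
```

The model deliberately keeps the creator's own reference separate from the uobject's: step 3 drops only the former, which is exactly why the stored pointer must carry its own reference taken on the create path and released on the destroy path.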


