[PATCH] nbd: override creds to kernel when calling sock_{send, recv}msg()
Paul Moore
paul at paul-moore.com
Thu Oct 9 14:59:05 UTC 2025
On Thu, Oct 9, 2025 at 10:34 AM Stephen Smalley
<stephen.smalley.work at gmail.com> wrote:
> On Thu, Oct 9, 2025 at 9:45 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> >
> > sock_{send,recv}msg() internally calls security_socket_{send,recv}msg(),
> > which does security checks (e.g. SELinux) for socket access against the
> > current task. However, __sock_xmit() in drivers/block/nbd.c may be called
> > indirectly from a userspace syscall, where the NBD socket access would
> > be incorrectly checked against the calling userspace task (which simply
> > tries to read/write a file that happens to reside on an NBD device).
> >
> > To fix this, temporarily override creds to kernel ones before calling
> > the sock_*() functions. This allows the security modules to recognize
> > this as internal access by the kernel, which will normally be allowed.
...
> > @@ -2706,6 +2720,8 @@ static void __exit nbd_cleanup(void)
> >
> > nbd_dbg_close();
> >
> > + put_cred(nbd_cred);
> > +
>
> Should this be done at the end, after the workqueue is destroyed?

I didn't trace the send side, but it does look like the receive side
could end up calling into __sock_xmit() while the workqueue is still
alive.

> > mutex_lock(&nbd_index_mutex);
> > idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list);
> > mutex_unlock(&nbd_index_mutex);
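
Review bot: put_cred(nbd_cred) in nbd_cleanup() sits right after nbd_dbg_close() and before the idr_for_each() walk of nbd_index_idr, so the credential reference is dropped while the devices are still registered and, as raised in this thread, while the workqueue is still alive and the receive side may still reach __sock_xmit(). Suggest moving the put_cred() call to the end of nbd_cleanup(), after the devices have been removed and the workqueue destroyed, so that nothing can dereference nbd_cred after its last reference is released.
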
> > --
> > 2.51.0
--
paul-moore.com