2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
* linux/fs/proc/root.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
*
|
|
|
|
* proc root directory handling functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/time.h>
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/stat.h>
|
|
|
|
#include <linux/init.h>
|
2006-10-18 11:55:46 -06:00
|
|
|
#include <linux/sched.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/bitops.h>
|
2013-03-24 15:28:27 -06:00
|
|
|
#include <linux/user_namespace.h>
|
2006-10-02 03:17:07 -06:00
|
|
|
#include <linux/mount.h>
|
2007-10-19 00:40:08 -06:00
|
|
|
#include <linux/pid_namespace.h>
|
2012-01-10 16:11:27 -07:00
|
|
|
#include <linux/parser.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-01-08 02:04:16 -07:00
|
|
|
#include "internal.h"
|
|
|
|
|
2007-10-19 00:40:08 -06:00
|
|
|
static int proc_test_super(struct super_block *sb, void *data)
|
|
|
|
{
|
|
|
|
return sb->s_fs_info == data;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int proc_set_super(struct super_block *sb, void *data)
|
|
|
|
{
|
2011-06-12 07:42:17 -06:00
|
|
|
int err = set_anon_super(sb, NULL);
|
|
|
|
if (!err) {
|
|
|
|
struct pid_namespace *ns = (struct pid_namespace *)data;
|
|
|
|
sb->s_fs_info = get_pid_ns(ns);
|
|
|
|
}
|
|
|
|
return err;
|
2007-10-19 00:40:08 -06:00
|
|
|
}
|
|
|
|
|
2012-01-10 16:11:27 -07:00
|
|
|
enum {
|
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-10 16:11:31 -07:00
|
|
|
Opt_gid, Opt_hidepid, Opt_err,
|
2012-01-10 16:11:27 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
static const match_table_t tokens = {
|
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-10 16:11:31 -07:00
|
|
|
{Opt_hidepid, "hidepid=%u"},
|
|
|
|
{Opt_gid, "gid=%u"},
|
2012-01-10 16:11:27 -07:00
|
|
|
{Opt_err, NULL},
|
|
|
|
};
|
|
|
|
|
|
|
|
static int proc_parse_options(char *options, struct pid_namespace *pid)
|
|
|
|
{
|
|
|
|
char *p;
|
|
|
|
substring_t args[MAX_OPT_ARGS];
|
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-10 16:11:31 -07:00
|
|
|
int option;
|
2012-01-10 16:11:27 -07:00
|
|
|
|
|
|
|
if (!options)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
while ((p = strsep(&options, ",")) != NULL) {
|
|
|
|
int token;
|
|
|
|
if (!*p)
|
|
|
|
continue;
|
|
|
|
|
2012-10-04 18:15:46 -06:00
|
|
|
args[0].to = args[0].from = NULL;
|
2012-01-10 16:11:27 -07:00
|
|
|
token = match_token(p, tokens, args);
|
|
|
|
switch (token) {
|
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-10 16:11:31 -07:00
|
|
|
case Opt_gid:
|
|
|
|
if (match_int(&args[0], &option))
|
|
|
|
return 0;
|
2012-02-09 09:48:21 -07:00
|
|
|
pid->pid_gid = make_kgid(current_user_ns(), option);
|
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-10 16:11:31 -07:00
|
|
|
break;
|
|
|
|
case Opt_hidepid:
|
|
|
|
if (match_int(&args[0], &option))
|
|
|
|
return 0;
|
|
|
|
if (option < 0 || option > 2) {
|
|
|
|
pr_err("proc: hidepid value must be between 0 and 2.\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
pid->hide_pid = option;
|
|
|
|
break;
|
2012-01-10 16:11:27 -07:00
|
|
|
default:
|
|
|
|
pr_err("proc: unrecognized mount option \"%s\" "
|
|
|
|
"or missing value\n", p);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int proc_remount(struct super_block *sb, int *flags, char *data)
|
|
|
|
{
|
|
|
|
struct pid_namespace *pid = sb->s_fs_info;
|
|
|
|
return !proc_parse_options(data, pid);
|
|
|
|
}
|
|
|
|
|
2010-07-26 03:12:54 -06:00
|
|
|
static struct dentry *proc_mount(struct file_system_type *fs_type,
|
|
|
|
int flags, const char *dev_name, void *data)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2007-10-19 00:40:08 -06:00
|
|
|
int err;
|
|
|
|
struct super_block *sb;
|
|
|
|
struct pid_namespace *ns;
|
2012-01-10 16:11:27 -07:00
|
|
|
char *options;
|
2007-10-19 00:40:08 -06:00
|
|
|
|
2012-01-10 16:11:27 -07:00
|
|
|
if (flags & MS_KERNMOUNT) {
|
2007-10-19 00:40:08 -06:00
|
|
|
ns = (struct pid_namespace *)data;
|
2012-01-10 16:11:27 -07:00
|
|
|
options = NULL;
|
|
|
|
} else {
|
2010-03-02 15:51:53 -07:00
|
|
|
ns = task_active_pid_ns(current);
|
2012-01-10 16:11:27 -07:00
|
|
|
options = data;
|
2013-03-24 15:28:27 -06:00
|
|
|
|
2013-03-30 20:57:41 -06:00
|
|
|
if (!capable(CAP_SYS_ADMIN) && !fs_fully_visible(fs_type))
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
|
|
|
/* Does the mounter have privilege over the pid namespace? */
|
|
|
|
if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
|
2013-03-24 15:28:27 -06:00
|
|
|
return ERR_PTR(-EPERM);
|
2012-01-10 16:11:27 -07:00
|
|
|
}
|
2007-10-19 00:40:08 -06:00
|
|
|
|
2012-06-25 05:55:37 -06:00
|
|
|
sb = sget(fs_type, proc_test_super, proc_set_super, flags, ns);
|
2007-10-19 00:40:08 -06:00
|
|
|
if (IS_ERR(sb))
|
2010-07-26 03:12:54 -06:00
|
|
|
return ERR_CAST(sb);
|
2007-10-19 00:40:08 -06:00
|
|
|
|
2012-04-05 15:25:04 -06:00
|
|
|
if (!proc_parse_options(options, ns)) {
|
|
|
|
deactivate_locked_super(sb);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
|
2007-10-19 00:40:08 -06:00
|
|
|
if (!sb->s_root) {
|
|
|
|
err = proc_fill_super(sb);
|
|
|
|
if (err) {
|
2009-05-05 23:34:22 -06:00
|
|
|
deactivate_locked_super(sb);
|
2010-07-26 03:12:54 -06:00
|
|
|
return ERR_PTR(err);
|
2007-10-19 00:40:08 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
sb->s_flags |= MS_ACTIVE;
|
|
|
|
}
|
|
|
|
|
2010-07-26 03:12:54 -06:00
|
|
|
return dget(sb->s_root);
|
2007-10-19 00:40:08 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static void proc_kill_sb(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct pid_namespace *ns;
|
|
|
|
|
|
|
|
ns = (struct pid_namespace *)sb->s_fs_info;
|
2013-03-29 17:27:05 -06:00
|
|
|
if (ns->proc_self)
|
|
|
|
dput(ns->proc_self);
|
2007-10-19 00:40:08 -06:00
|
|
|
kill_anon_super(sb);
|
|
|
|
put_pid_ns(ns);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
proc: fix NULL ->i_fop oops
proc_kill_inodes() can clear ->i_fop in the middle of vfs_readdir resulting in
NULL dereference during "file->f_op->readdir(file, buf, filler)".
The solution is to remove proc_kill_inodes() completely:
a) we don't have tricky modules implementing their tricky readdir hooks which
could keeping this revoke from hell.
b) In a situation when module is gone but PDE still alive, standard
readdir will return only "." and "..", because pde->next was cleared by
remove_proc_entry().
c) the race proc_kill_inode() destined to prevent is not completely
fixed, just race window made smaller, because vfs_readdir() is run
without sb_lock held and without file_list_lock held. Effectively,
->i_fop is cleared at random moment, which can't fix properly anything.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
printing eip: c1061205 *pdpt = 0000000005b22001 *pde = 0000000000000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: foo af_packet ipv6 cpufreq_ondemand loop serio_raw sr_mod k8temp cdrom hwmon amd_rng
Pid: 2033, comm: find Not tainted (2.6.24-rc1-b1d08ac064268d0ae2281e98bf5e82627e0f0c56 #2)
EIP: 0060:[<c1061205>] EFLAGS: 00010246 CPU: 0
EIP is at vfs_readdir+0x47/0x74
EAX: c6b6a780 EBX: 00000000 ECX: c1061040 EDX: c5decf94
ESI: c6b6a780 EDI: fffffffe EBP: c9797c54 ESP: c5decf78
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process find (pid: 2033, ti=c5dec000 task=c64bba90 task.ti=c5dec000)
Stack: c5decf94 c1061040 fffffff7 0805ffbc 00000000 c6b6a780 c1061295 0805ffbc
00000000 00000400 00000000 00000004 0805ffbc 4588eff4 c5dec000 c10026ba
00000004 0805ffbc 00000400 0805ffbc 4588eff4 bfdc6c70 000000dc 0000007b
Call Trace:
[<c1061040>] filldir64+0x0/0xc5
[<c1061295>] sys_getdents64+0x63/0xa5
[<c10026ba>] sysenter_past_esp+0x5f/0x85
=======================
Code: 49 83 78 18 00 74 43 8d 6b 74 bf fe ff ff ff 89 e8 e8 b8 c0 12 00 f6 83 2c 01 00 00 10 75 22 8b 5e 10 8b 4c 24 04 89 f0 8b 14 24 <ff> 53 18 f6 46 1a 04 89 c7 75 0b 8b 56 0c 8b 46 08 e8 c8 66 00
EIP: [<c1061205>] vfs_readdir+0x47/0x74 SS:ESP 0068:c5decf78
hch: "Nice, getting rid of this is a very good step formwards.
Unfortunately we have another copy of this junk in
security/selinux/selinuxfs.c:sel_remove_entries() which would need the
same treatment."
Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Acked-by: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-11-28 17:21:23 -07:00
|
|
|
static struct file_system_type proc_fs_type = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.name = "proc",
|
2010-07-26 03:12:54 -06:00
|
|
|
.mount = proc_mount,
|
2007-10-19 00:40:08 -06:00
|
|
|
.kill_sb = proc_kill_sb,
|
2012-07-27 06:56:48 -06:00
|
|
|
.fs_flags = FS_USERNS_MOUNT,
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
void __init proc_root_init(void)
|
|
|
|
{
|
2008-10-16 17:43:55 -06:00
|
|
|
int err;
|
|
|
|
|
|
|
|
proc_init_inodecache();
|
2005-04-16 16:20:36 -06:00
|
|
|
err = register_filesystem(&proc_fs_type);
|
|
|
|
if (err)
|
|
|
|
return;
|
2007-10-19 00:40:08 -06:00
|
|
|
|
2010-07-10 15:52:49 -06:00
|
|
|
proc_self_init();
|
2008-10-06 04:49:39 -06:00
|
|
|
proc_symlink("mounts", NULL, "self/mounts");
|
2007-09-12 04:01:34 -06:00
|
|
|
|
|
|
|
proc_net_init();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
#ifdef CONFIG_SYSVIPC
|
|
|
|
proc_mkdir("sysvipc", NULL);
|
|
|
|
#endif
|
2008-04-29 02:01:42 -06:00
|
|
|
proc_mkdir("fs", NULL);
|
2008-04-29 02:01:44 -06:00
|
|
|
proc_mkdir("driver", NULL);
|
2005-04-16 16:20:36 -06:00
|
|
|
proc_mkdir("fs/nfsd", NULL); /* somewhere for the nfsd filesystem to be mounted */
|
|
|
|
#if defined(CONFIG_SUN_OPENPROMFS) || defined(CONFIG_SUN_OPENPROMFS_MODULE)
|
|
|
|
/* just give it a mountpoint */
|
|
|
|
proc_mkdir("openprom", NULL);
|
|
|
|
#endif
|
|
|
|
proc_tty_init();
|
|
|
|
#ifdef CONFIG_PROC_DEVICETREE
|
|
|
|
proc_device_tree_init();
|
|
|
|
#endif
|
2008-04-29 02:01:41 -06:00
|
|
|
proc_mkdir("bus", NULL);
|
2007-02-14 01:34:12 -07:00
|
|
|
proc_sys_init();
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2006-02-08 12:37:40 -07:00
|
|
|
static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
|
|
|
|
)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-02-08 12:37:40 -07:00
|
|
|
generic_fillattr(dentry->d_inode, stat);
|
|
|
|
stat->nlink = proc_root.nlink + nr_processes();
|
|
|
|
return 0;
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2012-06-10 15:13:09 -06:00
|
|
|
static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, unsigned int flags)
|
2006-02-08 12:37:40 -07:00
|
|
|
{
|
2012-06-10 15:13:09 -06:00
|
|
|
if (!proc_lookup(dir, dentry, flags))
|
2005-04-16 16:20:36 -06:00
|
|
|
return NULL;
|
|
|
|
|
2012-06-10 15:13:09 -06:00
|
|
|
return proc_pid_lookup(dir, dentry, flags);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2013-05-16 10:07:31 -06:00
|
|
|
static int proc_root_readdir(struct file *file, struct dir_context *ctx)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2013-05-16 10:07:31 -06:00
|
|
|
if (ctx->pos < FIRST_PROCESS_ENTRY) {
|
2013-08-19 10:30:31 -06:00
|
|
|
int error = proc_readdir(file, ctx);
|
|
|
|
if (unlikely(error <= 0))
|
|
|
|
return error;
|
2013-05-16 10:07:31 -06:00
|
|
|
ctx->pos = FIRST_PROCESS_ENTRY;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2013-05-16 10:07:31 -06:00
|
|
|
return proc_pid_readdir(file, ctx);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The root /proc directory is special, as it has the
|
|
|
|
* <pid> directories. Thus we don't use the generic
|
|
|
|
* directory handling functions for that..
|
|
|
|
*/
|
2007-02-12 01:55:34 -07:00
|
|
|
static const struct file_operations proc_root_operations = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.read = generic_read_dir,
|
2013-05-16 10:07:31 -06:00
|
|
|
.iterate = proc_root_readdir,
|
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 10:52:59 -06:00
|
|
|
.llseek = default_llseek,
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* proc root can do almost nothing..
|
|
|
|
*/
|
2007-02-12 01:55:40 -07:00
|
|
|
static const struct inode_operations proc_root_inode_operations = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.lookup = proc_root_lookup,
|
2006-02-08 12:37:40 -07:00
|
|
|
.getattr = proc_root_getattr,
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is the root "inode" in the /proc tree..
|
|
|
|
*/
|
|
|
|
struct proc_dir_entry proc_root = {
|
|
|
|
.low_ino = PROC_ROOT_INO,
|
|
|
|
.namelen = 5,
|
|
|
|
.mode = S_IFDIR | S_IRUGO | S_IXUGO,
|
|
|
|
.nlink = 2,
|
proc: fix proc_dir_entry refcounting
Creating PDEs with refcount 0 and "deleted" flag has problems (see below).
Switch to usual scheme:
* PDE is created with refcount 1
* every de_get does +1
* every de_put() and remove_proc_entry() do -1
* once refcount reaches 0, PDE is freed.
This elegantly fixes at least two following races (both observed) without
introducing new locks, without abusing old locks, without spreading
lock_kernel():
1) PDE leak
remove_proc_entry de_put
----------------- ------
[refcnt = 1]
if (atomic_read(&de->count) == 0)
if (atomic_dec_and_test(&de->count))
if (de->deleted)
/* also not taken! */
free_proc_entry(de);
else
de->deleted = 1;
[refcount=0, deleted=1]
2) use after free
remove_proc_entry de_put
----------------- ------
[refcnt = 1]
if (atomic_dec_and_test(&de->count))
if (atomic_read(&de->count) == 0)
free_proc_entry(de);
/* boom! */
if (de->deleted)
free_proc_entry(de);
BUG: unable to handle kernel paging request at virtual address 6b6b6b6b
printing eip: c10acdda *pdpt = 00000000338f8001 *pde = 0000000000000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: af_packet ipv6 cpufreq_ondemand loop serio_raw psmouse k8temp hwmon sr_mod cdrom
Pid: 23161, comm: cat Not tainted (2.6.24-rc2-8c0863403f109a43d7000b4646da4818220d501f #4)
EIP: 0060:[<c10acdda>] EFLAGS: 00210097 CPU: 1
EIP is at strnlen+0x6/0x18
EAX: 6b6b6b6b EBX: 6b6b6b6b ECX: 6b6b6b6b EDX: fffffffe
ESI: c128fa3b EDI: f380bf34 EBP: ffffffff ESP: f380be44
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process cat (pid: 23161, ti=f380b000 task=f38f2570 task.ti=f380b000)
Stack: c10ac4f0 00000278 c12ce000 f43cd2a8 00000163 00000000 7da86067 00000400
c128fa20 00896b18 f38325a8 c128fe20 ffffffff 00000000 c11f291e 00000400
f75be300 c128fa20 f769c9a0 c10ac779 f380bf34 f7bfee70 c1018e6b f380bf34
Call Trace:
[<c10ac4f0>] vsnprintf+0x2ad/0x49b
[<c10ac779>] vscnprintf+0x14/0x1f
[<c1018e6b>] vprintk+0xc5/0x2f9
[<c10379f1>] handle_fasteoi_irq+0x0/0xab
[<c1004f44>] do_IRQ+0x9f/0xb7
[<c117db3b>] preempt_schedule_irq+0x3f/0x5b
[<c100264e>] need_resched+0x1f/0x21
[<c10190ba>] printk+0x1b/0x1f
[<c107c8ad>] de_put+0x3d/0x50
[<c107c8f8>] proc_delete_inode+0x38/0x41
[<c107c8c0>] proc_delete_inode+0x0/0x41
[<c1066298>] generic_delete_inode+0x5e/0xc6
[<c1065aa9>] iput+0x60/0x62
[<c1063c8e>] d_kill+0x2d/0x46
[<c1063fa9>] dput+0xdc/0xe4
[<c10571a1>] __fput+0xb0/0xcd
[<c1054e49>] filp_close+0x48/0x4f
[<c1055ee9>] sys_close+0x67/0xa5
[<c10026b6>] sysenter_past_esp+0x5f/0x85
=======================
Code: c9 74 0c f2 ae 74 05 bf 01 00 00 00 4f 89 fa 5f 89 d0 c3 85 c9 57 89 c7 89 d0 74 05 f2 ae 75 01 4f 89 f8 5f c3 89 c1 89 c8 eb 06 <80> 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 c3 90 90 90 57 83 c9
EIP: [<c10acdda>] strnlen+0x6/0x18 SS:ESP 0068:f380be44
Also, remove broken usage of ->deleted from reiserfs: if sget() succeeds,
module is already pinned and remove_proc_entry() can't happen => nobody
can mark PDE deleted.
Dummy proc root in netns code is not marked with refcount 1. AFAICS, we
never get it, it's just for proper /proc/net removal. I double checked
CLONE_NETNS continues to work.
Patch survives many hours of modprobe/rmmod/cat loops without new bugs
which can be attributed to refcounting.
Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-05 00:45:28 -07:00
|
|
|
.count = ATOMIC_INIT(1),
|
2005-04-16 16:20:36 -06:00
|
|
|
.proc_iops = &proc_root_inode_operations,
|
|
|
|
.proc_fops = &proc_root_operations,
|
|
|
|
.parent = &proc_root,
|
2011-07-27 12:47:03 -06:00
|
|
|
.name = "/proc",
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
2007-10-19 00:40:11 -06:00
|
|
|
int pid_ns_prepare_proc(struct pid_namespace *ns)
|
|
|
|
{
|
|
|
|
struct vfsmount *mnt;
|
|
|
|
|
|
|
|
mnt = kern_mount_data(&proc_fs_type, ns);
|
|
|
|
if (IS_ERR(mnt))
|
|
|
|
return PTR_ERR(mnt);
|
|
|
|
|
2010-07-26 03:09:36 -06:00
|
|
|
ns->proc_mnt = mnt;
|
2007-10-19 00:40:11 -06:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void pid_ns_release_proc(struct pid_namespace *ns)
|
|
|
|
{
|
2011-12-08 21:20:45 -07:00
|
|
|
kern_unmount(ns->proc_mnt);
|
2007-10-19 00:40:11 -06:00
|
|
|
}
|