LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 0/2] avoid prepare_creds in faccessat when possible
@ 2015-03-09 20:35 Mateusz Guzik
  2015-03-09 20:35 ` [PATCH 1/2] CAPABILITIES: add cap_isequal helper Mateusz Guzik
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Mateusz Guzik @ 2015-03-09 20:35 UTC (permalink / raw)
  To: Alexander Viro, Serge Hallyn
  Cc: Paul Moore, Eric Paris, linux-fsdevel, linux-kernel,
	linux-security-module

Sometimes faccessat needs to modify current thread's credentials, but
calls prepare_creds unconditionally.

However, typically resulting credentials are identical to original ones
and in that case newcredentials are unnecessary. We can detect this before
allocating anything.

This patch series adds a helper which allows comparing capability sets and
modifies faccessat to use it.

Mateusz Guzik (2):
  CAPABILITIES: add cap_isequal helper
  fs: avoid unnecessary prepare_creds in faccessat

 fs/open.c                  | 53 ++++++++++++++++++++++++++++++----------------
 include/linux/capability.h | 10 +++++++++
 2 files changed, 45 insertions(+), 18 deletions(-)

-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/2] CAPABILITIES: add cap_isequal helper
  2015-03-09 20:35 [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
@ 2015-03-09 20:35 ` Mateusz Guzik
  2015-03-13 14:02   ` Paul Moore
  2015-03-09 20:35 ` [PATCH 2/2] fs: avoid unnecessary prepare_creds in faccessat Mateusz Guzik
  2015-03-13 12:08 ` [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
  2 siblings, 1 reply; 6+ messages in thread
From: Mateusz Guzik @ 2015-03-09 20:35 UTC (permalink / raw)
  To: Alexander Viro, Serge Hallyn
  Cc: Paul Moore, Eric Paris, linux-fsdevel, linux-kernel,
	linux-security-module

Can be used to determine whether two given sets have the same
capabilities.

Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
---
 include/linux/capability.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index af9f0b9..2fcf941 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -155,6 +155,16 @@ static inline int cap_isclear(const kernel_cap_t a)
 	return 1;
 }
 
+static inline int cap_isequal(const kernel_cap_t a, const kernel_cap_t b)
+{
+	unsigned __capi;
+	CAP_FOR_EACH_U32(__capi) {
+		if (a.cap[__capi] != b.cap[__capi])
+			return 0;
+	}
+	return 1;
+}
+
 /*
  * Check if "a" is a subset of "set".
  * return 1 if ALL of the capabilities in "a" are also in "set"
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 2/2] fs: avoid unnecessary prepare_creds in faccessat
  2015-03-09 20:35 [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
  2015-03-09 20:35 ` [PATCH 1/2] CAPABILITIES: add cap_isequal helper Mateusz Guzik
@ 2015-03-09 20:35 ` Mateusz Guzik
  2015-03-13 12:08 ` [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
  2 siblings, 0 replies; 6+ messages in thread
From: Mateusz Guzik @ 2015-03-09 20:35 UTC (permalink / raw)
  To: Alexander Viro, Serge Hallyn
  Cc: Paul Moore, Eric Paris, linux-fsdevel, linux-kernel,
	linux-security-module

Sometimes faccessat needs to modify current thread's credentials, but
calls prepare_creds unconditionally.

Take advantage of the fact that we can detect whether any modification
to credentials is needed and in turn avoid unnecessary allocations.

Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
---
 fs/open.c | 53 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 35 insertions(+), 18 deletions(-)

diff --git a/fs/open.c b/fs/open.c
index 33f9cbf..166eb45 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -330,8 +330,10 @@ SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len)
  */
 SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
 {
-	const struct cred *old_cred;
-	struct cred *override_cred;
+	const struct cred *old_cred = current_cred();
+	struct cred *override_cred = NULL;
+	kernel_cap_t cap_effective;
+	int modify_cap_effective = 0;
 	struct path path;
 	struct inode *inode;
 	int res;
@@ -340,24 +342,37 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
 		return -EINVAL;
 
-	override_cred = prepare_creds();
-	if (!override_cred)
-		return -ENOMEM;
-
-	override_cred->fsuid = override_cred->uid;
-	override_cred->fsgid = override_cred->gid;
-
 	if (!issecure(SECURE_NO_SETUID_FIXUP)) {
 		/* Clear the capabilities if we switch to a non-root user */
-		kuid_t root_uid = make_kuid(override_cred->user_ns, 0);
-		if (!uid_eq(override_cred->uid, root_uid))
-			cap_clear(override_cred->cap_effective);
-		else
-			override_cred->cap_effective =
-				override_cred->cap_permitted;
+		kuid_t root_uid = make_kuid(old_cred->user_ns, 0);
+		if (!uid_eq(old_cred->uid, root_uid)) {
+			if (!cap_isclear(old_cred->cap_effective)) {
+				cap_clear(cap_effective);
+				modify_cap_effective = 1;
+			}
+		} else {
+			if (!cap_isequal(old_cred->cap_effective,
+				old_cred->cap_permitted)) {
+				cap_effective = old_cred->cap_permitted;
+				modify_cap_effective = 1;
+			}
+		}
 	}
 
-	old_cred = override_creds(override_cred);
+	if (!uid_eq(old_cred->fsuid, old_cred->uid) ||
+	    !gid_eq(old_cred->fsgid, old_cred->gid) ||
+	    modify_cap_effective) {
+		override_cred = prepare_creds();
+		if (!override_cred)
+			return -ENOMEM;
+
+		override_cred->fsuid = override_cred->uid;
+		override_cred->fsgid = override_cred->gid;
+		if (modify_cap_effective)
+			override_cred->cap_effective = cap_effective;
+
+		override_creds(override_cred);
+	}
 retry:
 	res = user_path_at(dfd, filename, lookup_flags, &path);
 	if (res)
@@ -399,8 +414,10 @@ out_path_release:
 		goto retry;
 	}
 out:
-	revert_creds(old_cred);
-	put_cred(override_cred);
+	if (override_cred) {
+		revert_creds(old_cred);
+		put_cred(override_cred);
+	}
 	return res;
 }
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/2] avoid prepare_creds in faccessat when possible
  2015-03-09 20:35 [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
  2015-03-09 20:35 ` [PATCH 1/2] CAPABILITIES: add cap_isequal helper Mateusz Guzik
  2015-03-09 20:35 ` [PATCH 2/2] fs: avoid unnecessary prepare_creds in faccessat Mateusz Guzik
@ 2015-03-13 12:08 ` Mateusz Guzik
  2 siblings, 0 replies; 6+ messages in thread
From: Mateusz Guzik @ 2015-03-13 12:08 UTC (permalink / raw)
  To: Alexander Viro, Serge Hallyn
  Cc: Paul Moore, Eric Paris, linux-fsdevel, linux-kernel,
	linux-security-module

On Mon, Mar 09, 2015 at 09:35:45PM +0100, Mateusz Guzik wrote:
> Sometimes faccessat needs to modify current thread's credentials, but
> calls prepare_creds unconditionally.
> 
> However, typically resulting credentials are identical to original ones
> and in that case newcredentials are unnecessary. We can detect this before
> allocating anything.
> 
> This patch series adds a helper which allows comparing capability sets and
> modifies faccessat to use it.
> 
> Mateusz Guzik (2):
>   CAPABILITIES: add cap_isequal helper
>   fs: avoid unnecessary prepare_creds in faccessat
> 

Can I get some (N)ACKs on this one?

Thanks,
-- 
Mateusz Guzik

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] CAPABILITIES: add cap_isequal helper
  2015-03-09 20:35 ` [PATCH 1/2] CAPABILITIES: add cap_isequal helper Mateusz Guzik
@ 2015-03-13 14:02   ` Paul Moore
  2015-03-13 16:13     ` Mateusz Guzik
  0 siblings, 1 reply; 6+ messages in thread
From: Paul Moore @ 2015-03-13 14:02 UTC (permalink / raw)
  To: Mateusz Guzik
  Cc: Alexander Viro, Serge Hallyn, Eric Paris, linux-fsdevel,
	linux-kernel, linux-security-module

On Monday, March 09, 2015 09:35:46 PM Mateusz Guzik wrote:
> Can be used to determine whether two given sets have the same
> capabilities.
> 
> Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
> ---
>  include/linux/capability.h | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index af9f0b9..2fcf941 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -155,6 +155,16 @@ static inline int cap_isclear(const kernel_cap_t a)
>  	return 1;
>  }
> 
> +static inline int cap_isequal(const kernel_cap_t a, const kernel_cap_t b)
> +{
> +	unsigned __capi;
> +	CAP_FOR_EACH_U32(__capi) {
> +		if (a.cap[__capi] != b.cap[__capi])
> +			return 0;
> +	}
> +	return 1;
> +}

I realize it is currently only a two pass loop so probably not that big of a 
deal, but couldn't you accomplish the same with a memcmp()?  I suppose the 
above implementation might be faster than those architectures which use the 
generic memcmp() implementation, but I wonder if the arch-specific memcmp() 
implementations would be faster.

Also, what is the main motivation for this patchset?  Do you have a workload 
that is being hit hard by prepare_creds()?

-- 
paul moore
security @ redhat


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] CAPABILITIES: add cap_isequal helper
  2015-03-13 14:02   ` Paul Moore
@ 2015-03-13 16:13     ` Mateusz Guzik
  0 siblings, 0 replies; 6+ messages in thread
From: Mateusz Guzik @ 2015-03-13 16:13 UTC (permalink / raw)
  To: Paul Moore
  Cc: Alexander Viro, Serge Hallyn, Eric Paris, linux-fsdevel,
	linux-kernel, linux-security-module

On Fri, Mar 13, 2015 at 10:02:46AM -0400, Paul Moore wrote:
> On Monday, March 09, 2015 09:35:46 PM Mateusz Guzik wrote:
> > Can be used to determine whether two given sets have the same
> > capabilities.
> > 
> > Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
> > ---
> >  include/linux/capability.h | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/include/linux/capability.h b/include/linux/capability.h
> > index af9f0b9..2fcf941 100644
> > --- a/include/linux/capability.h
> > +++ b/include/linux/capability.h
> > @@ -155,6 +155,16 @@ static inline int cap_isclear(const kernel_cap_t a)
> >  	return 1;
> >  }
> > 
> > +static inline int cap_isequal(const kernel_cap_t a, const kernel_cap_t b)
> > +{
> > +	unsigned __capi;
> > +	CAP_FOR_EACH_U32(__capi) {
> > +		if (a.cap[__capi] != b.cap[__capi])
> > +			return 0;
> > +	}
> > +	return 1;
> > +}
> 
> I realize it is currently only a two pass loop so probably not that big of a 
> deal, but couldn't you accomplish the same with a memcmp()?  I suppose the 
> above implementation might be faster than those architectures which use the 
> generic memcmp() implementation, but I wonder if the arch-specific memcmp() 
> implementations would be faster.
> 

Well I did it this way for consistency with the rest of the file. Trying
to use memcpy with only 2 elements to compare may be a dubious
optimisation and would require providing additional macros for cap size.

As such, I would prefer to keep the loop as it is. This can be changed
should caps ever grow.

> Also, what is the main motivation for this patchset?  Do you have a workload 
> that is being hit hard by prepare_creds()?
> 

It's just something I stumbled upon and decided to microoptimize (fwiw,
faccessat is called quite often, but not enough for this change to be
world-changing).

Given the triviality of the patch I figured it should be fine to do it.

-- 
Mateusz Guzik

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2015-03-13 16:13 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-09 20:35 [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik
2015-03-09 20:35 ` [PATCH 1/2] CAPABILITIES: add cap_isequal helper Mateusz Guzik
2015-03-13 14:02   ` Paul Moore
2015-03-13 16:13     ` Mateusz Guzik
2015-03-09 20:35 ` [PATCH 2/2] fs: avoid unnecessary prepare_creds in faccessat Mateusz Guzik
2015-03-13 12:08 ` [PATCH 0/2] avoid prepare_creds in faccessat when possible Mateusz Guzik

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).