Reputation: 19333
Ensure that UID/GID check in system call is executed in RCU-critical section
Task
I have a small kernel module I wrote for my RaspBerry Pi 2 which implements an additional system call for generating power consumption metrics. I would like to modify the system call so that it only gets invoked if a special user (such as "root" or user "pi") issues it. Otherwise, the call just skips the bulk of its body and returns success.
Background Work
I've read into the issue at length, and I've found a similar question on SO, but there are numerous problems with it, from my perspective (noted below).
Question
The linked question notes thatstruct task_structcontains a pointer element tostruct cred, as defined inlinux/sched.handlinux/cred.h. The latter of the two headers doesn't exist on my system(s), and the former doesn't show any declaration of a pointer to astruct credelement. Does this make sense?- Silly mistake. This is present in its entirety in the kernel headers (ie:
/usr/src/linux-headers-$(uname -r)/include/linux/cred.h), I was searching in gcc-build headers in/usr/include/linux.
- Silly mistake. This is present in its entirety in the kernel headers (ie:
Even if the above worked, it doesn't mention if I would be getting the the real, effective, or saved UID for the process. Is it even possible to get each of these three values from within the system call?cred.halready contains all of these.
Is there a safe way in the kernel module to quickly determine which groups the user belongs to without parsing/etc/group?cred.halready contains all of these.
Update
So, the only valid question remaining is the following:
Note, that iterating through processes and reading process's credentials should be done under RCU-critical section.
...how do I ensure my check is run in this critical section? Are there any working examples of how to accomplish this? I've found some existing kernel documentation that instructs readers to wrap the relevant code withrcu_read_lock()andrcu_read_unlock(). Do I just need to wrap an read operations against thestruct credand/orstruct task_structdata structures?
Upvotes: 4
Views: 229
Answers (2)
Reputation: 107759
First, adding a new system call is rarely the right way to do things. It's best to do things via the existing mechanisms because you'll benefit from already-existing tools on both sides: existing utility functions in the kernel, existing libc and high-level language support in userland. Files are a central concept in Linux (like other Unix systems) and most data is exchanged via files, either device files or special filesystems such as proc and sysfs.
I would like to modify the system call so that it only gets invoked if a special user (such as "root" or user "pi") issues it.
You can't do this in the kernel. Not only is it wrong from a design point of view, but it isn't even possible. The kernel knows nothing about user names. The only knowledge about users in the kernel in that some privileged actions are reserved to user 0 in the root namespace (don't forget that last part! And if that's new to you it's a sign that you shouldn't be doing advanced things like adding system calls). (Many actions actually look for a capability rather than being root.)
What you want to use is sysfs. Read the kernel documentation and look for non-ancient online tutorials or existing kernel code (code that uses sysfs is typically pretty clean nowadays). With sysfs, you expose information through files under /sys. Access control is up to userland — have a sane default in the kernel and do things like calling chgrp, chmod or setfacl in the boot scripts. That's one of the many wheels that you don't need to reinvent on the user side when using the existing mechanisms.
The sysfs show method automatically takes a lock around the file, so only one kernel thread can be executing it at a time. That's one of the many wheels that you don't need to reinvent on the kernel side when using the existing mechanisms.
Upvotes: 3
Reputation:
The linked question concerns a fundamentally different issue. To quote:
Please note that the uid that I want to get is NOT of the current process.
Clearly, a thread which is not the currently executing thread can in principle exit at any point or change credentials. Measures need to be taken to ensure the stability of whatever we are fiddling with. RCU is often the right answer. The answer provided there is somewhat wrong in the sense that there are other ways as well.
Meanwhile, if you want to operate on the thread executing the very code, you can know it wont exit (because it is executing your code as opposed to an exit path). A question arises what about the stability of credentials -- good news, they are also guaranteed to be there and can be accessed with no preparation whatsoever. This can be easily verified by checking the code doing credential switching.
We are left with the question what primitives can be used to do the access. To that end one can use make_kuid, uid_eq and similar primitives.
The real question is why is this a syscall as opposed to just a /proc file.
See this blogpost for somewhat elaborated description of credential handling: http://codingtragedy.blogspot.com/2015/04/weird-stuff-thread-credentials-in-linux.html
Upvotes: 2
Related Questions
- Return value of call_usermodehelper() is not correct
- Providing permissions for a root user in a kernel module
- My Linux kernel module is not receiving the correct User-space Application PID
- Check SUID attribute for open file within a kernel module
- How to get userID when writing Linux kernel module
- setuid() failing - operation not permitted
- Adding a new system call to Linux that requires root privileges
- How to read the list of gids a uid is associated in kernel space?
- C - Linux Kernel - Assistance with current_uid()
- how do I get current user in the kernel ie how to call current->uid the right way