• Christian Brauner's avatar
    pidfs: convert to path_from_stashed() helper · b28ddcc3
    Christian Brauner authored
    Moving pidfds from the anonymous inode infrastructure to a separate tiny
    in-kernel filesystem similar to sockfs, pipefs, and anon_inodefs causes
    selinux denials and thus various userspace components that make heavy
    use of pidfds to fail as pidfds used anon_inode_getfile() which aren't
    subject to any LSM hooks. But dentry_open() is and that would cause
    regressions.
    
    The failures that are seen are selinux denials. But the core failure is
    dbus-broker. That cascades into other services failing that depend on
    dbus-broker. For example, when dbus-broker fails to start polkit and all
    the others won't be able to work because they depend on dbus-broker.
    
    The reason for dbus-broker failing is because it doesn't handle failures
    for SO_PEERPIDFD correctly. Last kernel release we introduced
    SO_PEERPIDFD (and SCM_PIDFD). SO_PEERPIDFD allows dbus-broker and polkit
    and others to receive a pidfd for the peer of an AF_UNIX socket. This is
    the first time in the history of Linux that we can safely authenticate
    clients in a race-free manner.
    
    dbus-broker immediately made use of this but messed up the error
    checking. It only allowed EINVAL as a valid failure for SO_PEERPIDFD.
    That's obviously problematic not just because of LSM denials but because
    of seccomp denials that would prevent SO_PEERPIDFD from working; or any
    other new error code from there.
    
    So this is catching a flawed implementation in dbus-broker as well. It
    has to fallback to the old pid-based authentication when SO_PEERPIDFD
    doesn't work no matter the reasons otherwise it'll always risk such
    failures. So overall that LSM denial should not have caused dbus-broker
    to fail. It can never assume that a feature released one kernel ago like
    SO_PEERPIDFD can be assumed to be available.
    
    So, the next fix separate from the selinux policy update is to try and
    fix dbus-broker at [3]. That should make it into Fedora as well. In
    addition the selinux reference policy should also be updated. See [4]
    for that. If Selinux is in enforcing mode in userspace and it encounters
    anything that it doesn't know about it will deny it by default. And the
    policy is entirely in userspace including declaring new types for stuff
    like nsfs or pidfs to allow it.
    
    For now we continue to raise S_PRIVATE on the inode if it's a pidfs
    inode which means things behave exactly like before.
    
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=2265630
    Link: https://github.com/fedora-selinux/selinux-policy/pull/2050
    Link: https://github.com/bus1/dbus-broker/pull/343 [3]
    Link: https://github.com/SELinuxProject/refpolicy/pull/762 [4]
    Reported-by: default avatarNathan Chancellor <nathan@kernel.org>
    Link: https://lore.kernel.org/r/20240222190334.GA412503@dev-arch.thelio-3990X
    Link: https://lore.kernel.org/r/20240218-neufahrzeuge-brauhaus-fb0eb6459771@braunerSigned-off-by: default avatarChristian Brauner <brauner@kernel.org>
    b28ddcc3
nsfs.c 5.62 KB