From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 150B0282EE; Mon, 5 May 2025 11:13:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443640; cv=none; b=BYtD6ETPs5EA0EsxQcmhVe+eoxTZO5mhENg1kO1KIBRyZ99lLLmzo6bhhYNXFETG08c74Lg+AY4L6ePga8JdB9RK4geuQqTP/0Dh9iMaatD11aWsyEtakxVYE5HHMxRvaxU5Ur8eTQYpQdMXZhL0TYG7vE9XQ7NG2csotYF6JSA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443640; c=relaxed/simple; bh=d48rlIeb55kv9LHwHtfILNbBpVSvS+cV2//Rf2p6cRQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=VKPt5ofHSYYhNkuE7EEVef06jUy8qlMdlJj+LXpjiJfxX4Bv74e/78u7UNIFy1fEOHvWUBKty4E4H0gh1DHzg9U1KqOUsbBlJrNHwTo38Sw9y4okYU0Mc5RgOUuYsxN1Bfr6sTSrfyjxMZ6ydd2a3xAt5eBCctByHg+Q4T63nbY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=b69qnpy9; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="b69qnpy9" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 42654C4CEE9; Mon, 5 May 2025 11:13:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443639; bh=d48rlIeb55kv9LHwHtfILNbBpVSvS+cV2//Rf2p6cRQ=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=b69qnpy93rFsg3bgjnBd3366af2y0CtsY34o0ydOHUORuJaJhvHoYD9e5FJP4oUgb oDTTX4R3qEW9O1DMiwHutARD8LqajYeCV7QZISa+O7+DLXEu32utgw/r3UT5zlvEh8 qEZFtBPcS+AEkjqyfZVSpY44JbAX2PWyGtSUne/WfQGKgfxi8HIB/sTs/winEAqnwY /PgOB1dZbbgBXazhjygcja6YsYhIMyLCrsa2hGWdi4x82kMKcq/btzIE7nYbb2ZrHq SsFIH1g4PfhQ1Tx98Atxwy8TMnHMbWhvLAL5L2/VXuNI9IrPBvBSAX78aKRDsXvVLi Vs6TQGmNkIfAg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:39 +0200 Subject: [PATCH RFC v3 01/10] coredump: massage format_corname() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-1-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=4656; i=brauner@kernel.org; h=from:subject:message-id; bh=d48rlIeb55kv9LHwHtfILNbBpVSvS+cV2//Rf2p6cRQ=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM2ds/Lp7WPLn4TMjA3t2L3c4qSPuFd92xGbj1YGE tOW/41+3lHKwiDGxSArpsji0G4SLrecp2KzUaYGzBxWJpAhDFycAjCRL1oM/6O2TOh8LiFwLlL9 nOok+aN/7kcmiLPJFq/RfJj36HNKHCfDH550fg4b041ceb+Psn8K/Hg1eG544Qc1uR+ePffLDzJ HsgMA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 We're going to extend the coredump code in follow-up patches. Clean it up so we can do this more easily. Signed-off-by: Christian Brauner --- fs/coredump.c | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index d740a0411266..281320ea351f 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -76,9 +76,15 @@ static char core_pattern[CORENAME_MAX_SIZE] =3D "core"; static int core_name_size =3D CORENAME_MAX_SIZE; unsigned int core_file_note_size_limit =3D CORE_FILE_NOTE_SIZE_DEFAULT; =20 +enum coredump_type_t { + COREDUMP_FILE =3D 1, + COREDUMP_PIPE =3D 2, +}; + struct core_name { char *corename; int used, size; + enum coredump_type_t core_type; }; =20 static int expand_corename(struct core_name *cn, int size) @@ -218,18 +224,21 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, { const struct cred *cred =3D current_cred(); const char *pat_ptr =3D core_pattern; - int ispipe =3D (*pat_ptr =3D=3D '|'); bool was_space =3D false; int pid_in_pattern =3D 0; int err =3D 0; =20 cn->used =3D 0; cn->corename =3D NULL; + if (*pat_ptr =3D=3D '|') + cn->core_type =3D COREDUMP_PIPE; + else + cn->core_type =3D COREDUMP_FILE; if (expand_corename(cn, core_name_size)) return -ENOMEM; cn->corename[0] =3D '\0'; =20 - if (ispipe) { + if (cn->core_type =3D=3D COREDUMP_PIPE) { int argvs =3D sizeof(core_pattern) / 2; (*argv) =3D kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL); if (!(*argv)) @@ -247,7 +256,7 @@ static int format_corename(struct core_name *cn, struct= coredump_params *cprm, * Split on spaces before doing template expansion so that * %e and %E don't get split if they have spaces in them */ - if (ispipe) { + if (cn->core_type =3D=3D COREDUMP_PIPE) { if (isspace(*pat_ptr)) { if (cn->used !=3D 0) was_space =3D true; @@ -353,7 +362,7 @@ static int format_corename(struct core_name *cn, struct= coredump_params *cprm, * Installing a pidfd only makes sense if * we actually spawn a usermode helper. */ - if (!ispipe) + if (!(cn->core_type !=3D COREDUMP_PIPE)) break; =20 /* @@ -384,12 +393,12 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, * If core_pattern does not include a %p (as is the default) * and core_uses_pid is set, then .%pid will be appended to * the filename. Do not do this for piped commands. */ - if (!ispipe && !pid_in_pattern && core_uses_pid) { + if (!(cn->core_type =3D=3D COREDUMP_PIPE) && !pid_in_pattern && core_uses= _pid) { err =3D cn_printf(cn, ".%d", task_tgid_vnr(current)); if (err) return err; } - return ispipe; + return 0; } =20 static int zap_process(struct signal_struct *signal, int exit_code) @@ -583,7 +592,6 @@ void do_coredump(const kernel_siginfo_t *siginfo) const struct cred *old_cred; struct cred *cred; int retval =3D 0; - int ispipe; size_t *argv =3D NULL; int argc =3D 0; /* require nonrelative corefile path and be extra careful */ @@ -632,19 +640,18 @@ void do_coredump(const kernel_siginfo_t *siginfo) =20 old_cred =3D override_creds(cred); =20 - ispipe =3D format_corename(&cn, &cprm, &argv, &argc); + retval =3D format_corename(&cn, &cprm, &argv, &argc); + if (retval < 0) { + coredump_report_failure("format_corename failed, aborting core"); + goto fail_unlock; + } =20 - if (ispipe) { + if (cn.core_type =3D=3D COREDUMP_PIPE) { int argi; int dump_count; char **helper_argv; struct subprocess_info *sub_info; =20 - if (ispipe < 0) { - coredump_report_failure("format_corename failed, aborting core"); - goto fail_unlock; - } - if (cprm.limit =3D=3D 1) { /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. * @@ -695,7 +702,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) coredump_report_failure("|%s pipe failed", cn.corename); goto close_fail; } - } else { + } else if (cn.core_type =3D=3D COREDUMP_FILE) { struct mnt_idmap *idmap; struct inode *inode; int open_flags =3D O_CREAT | O_WRONLY | O_NOFOLLOW | @@ -823,13 +830,13 @@ void do_coredump(const kernel_siginfo_t *siginfo) file_end_write(cprm.file); free_vma_snapshot(&cprm); } - if (ispipe && core_pipe_limit) + if ((cn.core_type =3D=3D COREDUMP_PIPE) && core_pipe_limit) wait_for_dump_helpers(cprm.file); close_fail: if (cprm.file) filp_close(cprm.file, NULL); fail_dropcount: - if (ispipe) + if (cn.core_type =3D=3D COREDUMP_PIPE) atomic_dec(&core_dump_count); fail_unlock: kfree(argv); --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CE5A9282EE; Mon, 5 May 2025 11:14:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443644; cv=none; b=J6kCKcA9joh4YGsLnVYsID8KB2kixBihw1jlbI41tUrX/QIvlnHQ+hJOgXLWTXOc50bBVs3ZI4CSwD5YVfFNYHiLT2zGWXz95wOGcS5gw7OtRCOsAQiWisc+dDRz4P7hFhMi+vRqeQG4jeJqtzOUmtC+N7nM8X9PZ6dEG4hk+GY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443644; c=relaxed/simple; bh=sY3uIB6g6xsWBkS/M2/GrdpdnZH6W10Su5t41D1OTEg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=pUWmYn5X528XLlehdI3ymxGtW4B4C48uRpB/drLEpiQdoiSrUD/UqtSpfCYLQZzCPx1SJxaJDr5g6jea0l5HzBe3Dss+kL/rFwDDU2EtrHnW63+hKToW56qcOej99NTGMt23s+LIZ8hydMu7EnF1SnhmWC+KboZ9tdtJlLTcvOc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=DkjSkPhN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="DkjSkPhN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0224C4CEF6; Mon, 5 May 2025 11:13:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443644; bh=sY3uIB6g6xsWBkS/M2/GrdpdnZH6W10Su5t41D1OTEg=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=DkjSkPhNx+2WHsjnkemPSKwEKlYmWiVFAjCsefhgqCjdo1xJj6bcJNeA2a8Ou2WKA SURnXWsH2M/UdG56h7kNdGeLQWLbhG4pVajNe7U5lxizSsAvAGdgGs2MikY/xJr+/x 49KBSqPzPrCV+J/KU+8/tKqR+s4rdQT5Ygb0H5TW6cV6vJjsLA8nFJPRwdXQ7c8TlA 2Qhz3ASB81qh7v1qNZ++XJHsux+tdpnjRHW6cH1JNv4NvtsAIC7/afpTHvsw3fNVep 6/PmZKvgV5eqYk6wfd7cfgvavvzCtdsjn3baLvq2PprT/r7RUXCdOEitX/++gB9xNF zH97+ePNwENfg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:40 +0200 Subject: [PATCH RFC v3 02/10] coredump: massage do_coredump() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-2-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=4933; i=brauner@kernel.org; h=from:subject:message-id; bh=sY3uIB6g6xsWBkS/M2/GrdpdnZH6W10Su5t41D1OTEg=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM1VmvSjT9vAUM2qf//zapt/V2/L/b+o/dfh49EJH //wpGYKdpSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAEykO5+R4VPHvy2sy7kMJSze ShS25Hx7wcP+9Oqn6T8uvVj7aZfIXQ+G/9Xd8p6LNIV+nLy1XWY/R/2Fud37j99886DNzt9l/8r vj/kA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 We're going to extend the coredump code in follow-up patches. Clean it up so we can do this more easily. Signed-off-by: Christian Brauner --- fs/coredump.c | 123 +++++++++++++++++++++++++++++++-----------------------= ---- 1 file changed, 66 insertions(+), 57 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 281320ea351f..1779299b8c61 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -646,63 +646,8 @@ void do_coredump(const kernel_siginfo_t *siginfo) goto fail_unlock; } =20 - if (cn.core_type =3D=3D COREDUMP_PIPE) { - int argi; - int dump_count; - char **helper_argv; - struct subprocess_info *sub_info; - - if (cprm.limit =3D=3D 1) { - /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. - * - * Normally core limits are irrelevant to pipes, since - * we're not writing to the file system, but we use - * cprm.limit of 1 here as a special value, this is a - * consistent way to catch recursive crashes. - * We can still crash if the core_pattern binary sets - * RLIM_CORE =3D !1, but it runs as root, and can do - * lots of stupid things. - * - * Note that we use task_tgid_vnr here to grab the pid - * of the process group leader. That way we get the - * right pid if a thread in a multi-threaded - * core_pattern process dies. - */ - coredump_report_failure("RLIMIT_CORE is set to 1, aborting core"); - goto fail_unlock; - } - cprm.limit =3D RLIM_INFINITY; - - dump_count =3D atomic_inc_return(&core_dump_count); - if (core_pipe_limit && (core_pipe_limit < dump_count)) { - coredump_report_failure("over core_pipe_limit, skipping core dump"); - goto fail_dropcount; - } - - helper_argv =3D kmalloc_array(argc + 1, sizeof(*helper_argv), - GFP_KERNEL); - if (!helper_argv) { - coredump_report_failure("%s failed to allocate memory", __func__); - goto fail_dropcount; - } - for (argi =3D 0; argi < argc; argi++) - helper_argv[argi] =3D cn.corename + argv[argi]; - helper_argv[argi] =3D NULL; - - retval =3D -ENOMEM; - sub_info =3D call_usermodehelper_setup(helper_argv[0], - helper_argv, NULL, GFP_KERNEL, - umh_coredump_setup, NULL, &cprm); - if (sub_info) - retval =3D call_usermodehelper_exec(sub_info, - UMH_WAIT_EXEC); - - kfree(helper_argv); - if (retval) { - coredump_report_failure("|%s pipe failed", cn.corename); - goto close_fail; - } - } else if (cn.core_type =3D=3D COREDUMP_FILE) { + switch (cn.core_type) { + case COREDUMP_FILE: { struct mnt_idmap *idmap; struct inode *inode; int open_flags =3D O_CREAT | O_WRONLY | O_NOFOLLOW | @@ -796,6 +741,70 @@ void do_coredump(const kernel_siginfo_t *siginfo) if (do_truncate(idmap, cprm.file->f_path.dentry, 0, 0, cprm.file)) goto close_fail; + break; + } + case COREDUMP_PIPE: { + int argi; + int dump_count; + char **helper_argv; + struct subprocess_info *sub_info; + + if (cprm.limit =3D=3D 1) { + /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. + * + * Normally core limits are irrelevant to pipes, since + * we're not writing to the file system, but we use + * cprm.limit of 1 here as a special value, this is a + * consistent way to catch recursive crashes. + * We can still crash if the core_pattern binary sets + * RLIM_CORE =3D !1, but it runs as root, and can do + * lots of stupid things. + * + * Note that we use task_tgid_vnr here to grab the pid + * of the process group leader. That way we get the + * right pid if a thread in a multi-threaded + * core_pattern process dies. + */ + coredump_report_failure("RLIMIT_CORE is set to 1, aborting core"); + goto fail_unlock; + } + cprm.limit =3D RLIM_INFINITY; + + dump_count =3D atomic_inc_return(&core_dump_count); + if (core_pipe_limit && (core_pipe_limit < dump_count)) { + coredump_report_failure("over core_pipe_limit, skipping core dump"); + goto fail_dropcount; + } + + helper_argv =3D kmalloc_array(argc + 1, sizeof(*helper_argv), + GFP_KERNEL); + if (!helper_argv) { + coredump_report_failure("%s failed to allocate memory", __func__); + goto fail_dropcount; + } + for (argi =3D 0; argi < argc; argi++) + helper_argv[argi] =3D cn.corename + argv[argi]; + helper_argv[argi] =3D NULL; + + retval =3D -ENOMEM; + sub_info =3D call_usermodehelper_setup(helper_argv[0], + helper_argv, NULL, GFP_KERNEL, + umh_coredump_setup, NULL, &cprm); + if (sub_info) + retval =3D call_usermodehelper_exec(sub_info, + UMH_WAIT_EXEC); + + kfree(helper_argv); + if (retval) { + coredump_report_failure("|%s pipe failed", cn.corename); + goto close_fail; + } + break; + } + default: + WARN_ON_ONCE(true); + retval =3D -EINVAL; + goto close_fail; } =20 /* get us an unshared descriptor table; almost always a no-op */ --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C95320299B; Mon, 5 May 2025 11:14:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443649; cv=none; b=Gnql+xQFTlTo8NHy3K9iV9Kad9VZn2gfZl4SDfmDvXBLbdcmiJjLAOwb+zhm3Pl4r1UvdcBp5sHJkBjSkp7votISZmTTK6cD10iKHaRqa65+8so/EuaOrWruNBmEQdTtdwmv3vFojIyRxLA9HU191VHs0nbM39zqzgLrwx9qIIE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443649; c=relaxed/simple; bh=M/nfP+nWzNfyDS+hsdkqduv5bjH+2u+KfH7py/tn25g=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=CxXrlXt7F1FSwtYzRjiQnWcuxauDfL6WrQXnanHN6Jc3A2Utg2uVNxOiPYOQvcB2pdKLlbEcda3FollcmaO2hBDBlgRPcm8CJ62ag7rlHiUKzgF8tAVJ4IkTfntJFHHfHaThUwjGylw8+GbtraxZRm/rbnWZlZ+jm8ltz+g0S4I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=kGuXjLIA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="kGuXjLIA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1741C4CEF0; Mon, 5 May 2025 11:14:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443648; bh=M/nfP+nWzNfyDS+hsdkqduv5bjH+2u+KfH7py/tn25g=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=kGuXjLIAaTGgKQhAsYkggP5Gp9Jg0WaL2xqiiIQ51kL+kpyxIT6EBqdFPX8z5oyWo s3UuUuj/gZz3fXGIHYI5i4bgyrdR/awg+Q8VZRp4p1q5vjUJOKlRVR3rqDmln+gUio sPHGHmI6XY7LcvrdLeW31c+dB3oulmKBr3RUSTONNKG1oOwnfzAMldzDRxkz5P8AJ3 lKstb2sTwtFZZIhcHfjk+faDgq7jHrjCI6jkpldk/XIJKsgVRA4gYApvd4aAsXelCI Y2oUt+jVqdTa6PD42dJs3m3nGg5DoZdFVLJ1GyEYHyCSOBwno8ZztUo6FVMBZ9f8z/ LgOVKU8yCTAxg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:41 +0200 Subject: [PATCH RFC v3 03/10] net: reserve prefix Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-3-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=4545; i=brauner@kernel.org; h=from:subject:message-id; bh=M/nfP+nWzNfyDS+hsdkqduv5bjH+2u+KfH7py/tn25g=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM3T0P3D/IQ7IHliiLiy8M3fm7pbY2UrJpqdulfwX NllT0VPRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwETq2hj+u7JHZ22bcbfOO9ho r7BAXsu39XFmETXKJk/elk9LabEJZ2S47seeb62Q77BP03Hipptnf1fOO7m1fufD7sPPtE6a7H7 OBAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add the reserved "linuxafsk/" prefix for AF_UNIX sockets and require CAP_NET_ADMIN in the owning user namespace of the network namespace to bind it. This will be used in next patches to support the coredump socket but is a generally useful concept. The collision risk is so low that we can just start using it. Userspace must already be prepared to retry if a given abstract address isn't usable anyway. Signed-off-by: Christian Brauner --- include/uapi/linux/un.h | 2 ++ net/unix/af_unix.c | 45 +++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/include/uapi/linux/un.h b/include/uapi/linux/un.h index 0ad59dc8b686..bbd5ad508dfa 100644 --- a/include/uapi/linux/un.h +++ b/include/uapi/linux/un.h @@ -5,6 +5,8 @@ #include =20 #define UNIX_PATH_MAX 108 +/* reserved AF_UNIX socket namespace. */ +#define UNIX_SOCKET_NAMESPACE "linuxafsk/" =20 struct sockaddr_un { __kernel_sa_family_t sun_family; /* AF_UNIX */ diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 472f8aa9ea15..edc2f143f401 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -114,6 +114,9 @@ static atomic_long_t unix_nr_socks; static struct hlist_head bsd_socket_buckets[UNIX_HASH_SIZE / 2]; static spinlock_t bsd_socket_locks[UNIX_HASH_SIZE / 2]; =20 +static struct sockaddr_un linuxafsk_addr; +static size_t linuxafsk_addr_len; + /* SMP locking strategy: * hash table is protected with spinlock. * each socket state is protected by separate spinlock. @@ -436,6 +439,30 @@ static struct sock *__unix_find_socket_byname(struct n= et *net, return NULL; } =20 +static int unix_may_bind_name(struct net *net, struct sockaddr_un *sunname, + int len, unsigned int hash) +{ + struct sock *s; + + s =3D __unix_find_socket_byname(net, sunname, len, hash); + if (s) + return -EADDRINUSE; + + /* + * Check whether this is our reserved prefix and if so ensure + * that only privileged processes can bind it. + */ + if (linuxafsk_addr_len <=3D len && + !memcmp(&linuxafsk_addr, sunname, linuxafsk_addr_len)) { + /* Don't bind the namespace itself. */ + if (linuxafsk_addr_len =3D=3D len) + return -ECONNREFUSED; + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) + return -ECONNREFUSED; + } + return 0; +} + static inline struct sock *unix_find_socket_byname(struct net *net, struct sockaddr_un *sunname, int len, unsigned int hash) @@ -1258,10 +1285,10 @@ static int unix_autobind(struct sock *sk) new_hash =3D unix_abstract_hash(addr->name, addr->len, sk->sk_type); unix_table_double_lock(net, old_hash, new_hash); =20 - if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash)) { + if (unix_may_bind_name(net, addr->name, addr->len, new_hash)) { unix_table_double_unlock(net, old_hash, new_hash); =20 - /* __unix_find_socket_byname() may take long time if many names + /* unix_may_bind_name() may take long time if many names * are already in use. */ cond_resched(); @@ -1379,7 +1406,8 @@ static int unix_bind_abstract(struct sock *sk, struct= sockaddr_un *sunaddr, new_hash =3D unix_abstract_hash(addr->name, addr->len, sk->sk_type); unix_table_double_lock(net, old_hash, new_hash); =20 - if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash)) + err =3D unix_may_bind_name(net, addr->name, addr->len, new_hash); + if (err) goto out_spin; =20 __unix_set_addr_hash(net, sk, addr, new_hash); @@ -1389,7 +1417,6 @@ static int unix_bind_abstract(struct sock *sk, struct= sockaddr_un *sunaddr, =20 out_spin: unix_table_double_unlock(net, old_hash, new_hash); - err =3D -EADDRINUSE; out_mutex: mutex_unlock(&u->bindlock); out: @@ -3841,6 +3868,16 @@ static int __init af_unix_init(void) =20 BUILD_BUG_ON(sizeof(struct unix_skb_parms) > sizeof_field(struct sk_buff,= cb)); =20 + /* + * We need a leading NUL byte for the abstract namespace. Just + * use the trailing one given by sizeof(). + */ + linuxafsk_addr_len =3D offsetof(struct sockaddr_un, sun_path) + sizeof(UN= IX_SOCKET_NAMESPACE); + linuxafsk_addr.sun_family =3D AF_UNIX; + memcpy(linuxafsk_addr.sun_path + 1, UNIX_SOCKET_NAMESPACE, sizeof(UNIX_SO= CKET_NAMESPACE) - 1); + /* Technically not needed, but let's be explicit. */ + linuxafsk_addr.sun_path[0] =3D '\0'; + for (i =3D 0; i < UNIX_HASH_SIZE / 2; i++) { spin_lock_init(&bsd_socket_locks[i]); INIT_HLIST_HEAD(&bsd_socket_buckets[i]); --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E9BAD204C1A; Mon, 5 May 2025 11:14:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443654; cv=none; b=m1hGs8KAenJvQLVZHS4ggH0HW4/H4ag0r9RH6HQV0PVyyh048WQJmtq3Q3L9d3FkUsVThO5u6JkvojWQZMtlQOYir4b7YQwrhYJCgaL8mn0OMiJAuv+yA8PddBuj6M+4pM2bdNu/GVO55NMASqagjD0OUzP5tGsCsypmjPMLu/0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443654; c=relaxed/simple; bh=WJFhVJpUnW5v6etEW6AgGfqjonqZqrou+9Gp48MUAZ8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bxZctBwZXHyKOqI2yNa3l0Njjh4fIuPl0eaORr5sZlYEvOqEFqQ27vINY1bRthQU+UZdNbA2kkufiwAp4fCo+M2uQpP5R0A4smp3qZkYVogGyErMzfX3uMVh3btVQYftVY1ft/K9pVoPJ0AquFa9HOcFL7x7/nXoO8KuPzwPFzI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=sL7/nJ+o; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="sL7/nJ+o" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E76CC4CEE9; Mon, 5 May 2025 11:14:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443653; bh=WJFhVJpUnW5v6etEW6AgGfqjonqZqrou+9Gp48MUAZ8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=sL7/nJ+oTHJ8qzu9Ta0vgBrAQzJgsUHoNwATaVk6W0PQKjmX2UFbBN2maRsCZ/qvB ZJ9iCNnj6HODLkxBuglQJk3N5Mfzaudy54qzjsiadW45hOjS61ElDff9DyyqnVjigg Zm7fnTEDrTbfidpHbYDbBUaBgtlMNB3UdRd9CMgXgq0282Bkc4r7745iCrzFwxeRBw kWK14hCoWE1LYYKwR4srxtNqyDVlsk4hkZ5uTIVlkKuXnXgwVXu2TG8yS3oWUDuMwi sKqmdY1at6Oqo+51bFej7o6oKwloL5+SCadIbUX99HorBmucf4FoCxdScmE15uy37Z mLzvk36FRa3Vg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:42 +0200 Subject: [PATCH RFC v3 04/10] coredump: add coredump socket Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-4-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=12135; i=brauner@kernel.org; h=from:subject:message-id; bh=WJFhVJpUnW5v6etEW6AgGfqjonqZqrou+9Gp48MUAZ8=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM3zd9zQur5VbUnaFEem/X5fuN12HZ3tf2/Fj2W7/ FNb5xWEdZSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAExk3z2G/57SD1vOGl478/hL uYrGjjDHL//jDoZPSe+q1v+kwhBis5XhfxrX5qc1H5lDP92UvL4uYlfCv0kv/inonPdO6b6k+f/ 1cw4A X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Coredumping currently supports two modes: (1) Dumping directly into a file somewhere on the filesystem. (2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd. For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out there but processing coredumps in this way can be considered adventurous especially in the face of set*id binaries. The most common option should be (2) by now. It works by allowing userspace to put a string into /proc/sys/kernel/core_pattern like: |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h The "|" at the beginning indicates to the kernel that a pipe must be used. The path following the pipe indicator is a path to a binary that will be spawned as a usermode helper process. Any additional parameters pass information about the task that is generating the coredump to the binary that processes the coredump. In the example core_pattern shown above systemd-coredump is spawned as a usermode helper. There's various conceptual consequences of this (non-exhaustive list): - systemd-coredump is spawned with file descriptor number 0 (stdin) connected to the read-end of the pipe. All other file descriptors are closed. That specifically includes 1 (stdout) and 2 (stderr). This has already caused bugs because userspace assumed that this cannot happen (Whether or not this is a sane assumption is irrelevant.). - systemd-coredump will be spawned as a child of system_unbound_wq. So it is not a child of any userspace process and specifically not a child of PID 1. It cannot be waited upon and is in a weird hybrid upcall which are difficult for userspace to control correctly. - systemd-coredump is spawned with full kernel privileges. This necessitates all kinds of weird privilege dropping excercises in userspace to make this safe. - A new usermode helper has to be spawned for each crashing process. This series adds a new mode: (3) Dumping into an abstract AF_UNIX socket. Userspace can set /proc/sys/kernel/core_pattern to: @linuxafsk/coredump_socket The "@" at the beginning indicates to the kernel that the abstract AF_UNIX coredump socket will be used to process coredumps. The coredump socket uses the fixed address "linuxafsk/coredump.socket" for now. The coredump socket is located in the initial network namespace. To bind the coredump socket userspace must hold CAP_SYS_ADMIN in the initial user namespace. Listening and reading can happen from whatever unprivileged context is necessary to safely process coredumps. When a task coredumps it opens a client socket in the initial network namespace and connects to the coredump socket. For now only tasks that are acctually coredumping are allowed to connect to the initial coredump socket. - The coredump server should use SO_PEERPIDFD to get a stable handle on the connected crashing task. The retrieved pidfd will provide a stable reference even if the crashing task gets SIGKILLed while generating the coredump. - By setting core_pipe_limit non-zero userspace can guarantee that the crashing task cannot be reaped behind it's back and thus process all necessary information in /proc/. The SO_PEERPIDFD can be used to detect whether /proc/ still refers to the same process. The core_pipe_limit isn't used to rate-limit connections to the socket. This can simply be done via AF_UNIX socket directly. - The pidfd for the crashing task will contain information how the task coredumps. The PIDFD_GET_INFO ioctl gained a new flag PIDFD_INFO_COREDUMP which can be used to retreive the coredump information. If the coredump gets a new coredump client connection the kernel guarantees that PIDFD_INFO_COREDUMP information is available. Currently the following information is provided in the new @coredump_mask extension to struct pidfd_info: * PIDFD_COREDUMPED is raised if the task did actually coredump. * PIDFD_COREDUMP_SKIP is raised if the task skipped coredumping (e.g., undumpable). * PIDFD_COREDUMP_USER is raised if this is a regular coredump and doesn't need special care by the coredump server. * IDFD_COREDUMP_ROOT is raised if the generated coredump should be treated as sensitive and the coredump server should restrict to the generated coredump to sufficiently privileged users. - Since unix_stream_connect() runs bpf programs during connect it's possible to even redirect or multiplex coredumps to other sockets. - The coredump server should mark itself as non-dumpable. To capture coredumps for the coredump server itself a bpf program should be run at connect to redirect it to another socket in userspace. This can be useful for debugging crashing coredump servers. - A container coredump server in a separate network namespace can simply bind to linuxafsk/coredump.socket and systemd-coredump fowards coredumps to the container. - Fwiw, one idea is to handle coredumps via per-user/session coredump servers that run with that users privileges. The coredump server listens on the coredump socket and accepts a new coredump connection. It then retrieves SO_PEERPIDFD for the client, inspects uid/gid and hands the accepted client to the users own coredump handler which runs with the users privileges only. The new coredump socket will allow userspace to not have to rely on usermode helpers for processing coredumps and provides a safer way to handle them instead of relying on super privileged coredumping helpers. This will also be significantly more lightweight since no fork()+exec() for the usermodehelper is required for each crashing process. The coredump server in userspace can just keep a worker pool. This is easy to test: (a) coredump processing (we're using socat): > cat coredump_socket.sh #!/bin/bash set -x sudo bash -c "echo '@linuxafsk/coredump.socket' > /proc/sys/kernel/core= _pattern" sudo socat --statistics abstract-listen:linuxafsk/coredump.socket,fork = FILE:core_file,create,append,trunc (b) trigger a coredump: user1@localhost:~/data/scripts$ cat crash.c #include #include int main(int argc, char *argv[]) { fprintf(stderr, "%u\n", (1 / 0)); _exit(0); } Signed-off-by: Christian Brauner --- fs/coredump.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++= +--- 1 file changed, 107 insertions(+), 5 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 1779299b8c61..c60f86c473ad 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -44,7 +44,11 @@ #include #include #include +#include +#include +#include #include +#include =20 #include #include @@ -79,6 +83,7 @@ unsigned int core_file_note_size_limit =3D CORE_FILE_NOTE= _SIZE_DEFAULT; enum coredump_type_t { COREDUMP_FILE =3D 1, COREDUMP_PIPE =3D 2, + COREDUMP_SOCK =3D 3, }; =20 struct core_name { @@ -232,13 +237,16 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, cn->corename =3D NULL; if (*pat_ptr =3D=3D '|') cn->core_type =3D COREDUMP_PIPE; + else if (*pat_ptr =3D=3D '@') + cn->core_type =3D COREDUMP_SOCK; else cn->core_type =3D COREDUMP_FILE; if (expand_corename(cn, core_name_size)) return -ENOMEM; cn->corename[0] =3D '\0'; =20 - if (cn->core_type =3D=3D COREDUMP_PIPE) { + switch (cn->core_type) { + case COREDUMP_PIPE: { int argvs =3D sizeof(core_pattern) / 2; (*argv) =3D kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL); if (!(*argv)) @@ -247,6 +255,32 @@ static int format_corename(struct core_name *cn, struc= t coredump_params *cprm, ++pat_ptr; if (!(*pat_ptr)) return -ENOMEM; + break; + } + case COREDUMP_SOCK: { + err =3D cn_printf(cn, "%s", pat_ptr); + if (err) + return err; + + /* + * We can potentially allow this to be changed later but + * I currently see no reason to. + */ + if (strcmp(cn->corename, "@linuxafsk/coredump.socket")) + return -EINVAL; + + /* + * Currently no need to parse any other options. + * Relevant information can be retrieved from the peer + * pidfd retrievable via SO_PEERPIDFD by the receiver or + * via /proc/, using the SO_PEERPIDFD to guard + * against pid recycling when opening /proc/. + */ + return 0; + } + default: + WARN_ON_ONCE(cn->core_type !=3D COREDUMP_FILE); + break; } =20 /* Repeat as long as we have more pattern to process and more output @@ -583,6 +617,17 @@ static int umh_coredump_setup(struct subprocess_info *= info, struct cred *new) return 0; } =20 +#ifdef CONFIG_UNIX +struct sockaddr_un coredump_unix_socket =3D { + .sun_family =3D AF_UNIX, + .sun_path =3D "\0linuxafsk/coredump.socket", +}; +/* Without trailing NUL byte. */ +#define COREDUMP_UNIX_SOCKET_ADDR_SIZE \ + (offsetof(struct sockaddr_un, sun_path) + \ + sizeof("\0linuxafsk/coredump.socket") - 1) +#endif + void do_coredump(const kernel_siginfo_t *siginfo) { struct core_state core_state; @@ -801,6 +846,40 @@ void do_coredump(const kernel_siginfo_t *siginfo) } break; } + case COREDUMP_SOCK: { + struct file *file __free(fput) =3D NULL; +#ifdef CONFIG_UNIX + struct socket *socket; + + /* + * It is possible that the userspace process which is + * supposed to handle the coredump and is listening on + * the AF_UNIX socket coredumps. Userspace should just + * mark itself non dumpable. + */ + + retval =3D sock_create_kern(&init_net, AF_UNIX, SOCK_STREAM, 0, &socket); + if (retval < 0) + goto close_fail; + + file =3D sock_alloc_file(socket, 0, NULL); + if (IS_ERR(file)) { + sock_release(socket); + retval =3D PTR_ERR(file); + goto close_fail; + } + + retval =3D kernel_connect(socket, + (struct sockaddr *)(&coredump_unix_socket), + COREDUMP_UNIX_SOCKET_ADDR_SIZE, 0); + if (retval) + goto close_fail; + + cprm.limit =3D RLIM_INFINITY; +#endif + cprm.file =3D no_free_ptr(file); + break; + } default: WARN_ON_ONCE(true); retval =3D -EINVAL; @@ -818,7 +897,10 @@ void do_coredump(const kernel_siginfo_t *siginfo) * have this set to NULL. */ if (!cprm.file) { - coredump_report_failure("Core dump to |%s disabled", cn.corename); + if (cn.core_type =3D=3D COREDUMP_PIPE) + coredump_report_failure("Core dump to |%s disabled", cn.corename); + else + coredump_report_failure("Core dump to @%s disabled", cn.corename); goto close_fail; } if (!dump_vma_snapshot(&cprm)) @@ -839,8 +921,28 @@ void do_coredump(const kernel_siginfo_t *siginfo) file_end_write(cprm.file); free_vma_snapshot(&cprm); } - if ((cn.core_type =3D=3D COREDUMP_PIPE) && core_pipe_limit) - wait_for_dump_helpers(cprm.file); + + if (core_pipe_limit) { + switch (cn.core_type) { + case COREDUMP_PIPE: + wait_for_dump_helpers(cprm.file); + break; + case COREDUMP_SOCK: { + char buf[1]; + /* + * We use a simple read to wait for the coredump + * processing to finish. Either the socket is + * closed or we get sent unexpected data. In + * both cases, we're done. + */ + __kernel_read(cprm.file, buf, 1, NULL); + break; + } + default: + break; + } + } + close_fail: if (cprm.file) filp_close(cprm.file, NULL); @@ -1070,7 +1172,7 @@ EXPORT_SYMBOL(dump_align); void validate_coredump_safety(void) { if (suid_dumpable =3D=3D SUID_DUMP_ROOT && - core_pattern[0] !=3D '/' && core_pattern[0] !=3D '|') { + core_pattern[0] !=3D '/' && core_pattern[0] !=3D '|' && core_pattern[= 0] !=3D '@') { =20 coredump_report_failure("Unsafe core_pattern used with fs.suid_dumpable= =3D2: " "pipe handler or fully qualified core dump path required. " --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6198202C44; Mon, 5 May 2025 11:14:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443659; cv=none; b=Cr13gSqBOwu0C/idsaBn1/BjqBy9srREgqC3wBgxCd9HXY4yZ1RthswKez3U+INxbI2Zop7Yt/dmAotW2maEurngS8/5yJQz4uilgc18mr4VkFF+ZJ2sDYJdrqSwRSUYKZuOeH4ZHotitV8Zybg6z23H6JDmbdHDt0groTJdb/g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443659; c=relaxed/simple; bh=/uknDbEVxAQovH7hvslY3diyqJp2ptgrXNsx1BL3wHc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=goa5o+5yx6TsFhg/N3WJ5AJq1ypGLABmeMH7iE5rcZNAJskcl6mMmXLbwqn8BIjf8x1H2f6322Y4UqDz9U+YuJDzLBQEAa4hpghPqdGjrxJeXRkDaoTpMh8RWHJTMvkM2hU8ZPJgibi2NI8L/4KiY1LWbdkTME/U1b6+I8dabkU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SxOs8Qdp; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SxOs8Qdp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D59B0C4CEE4; Mon, 5 May 2025 11:14:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443658; bh=/uknDbEVxAQovH7hvslY3diyqJp2ptgrXNsx1BL3wHc=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=SxOs8QdpRcwG0cRi+wlg9v8wO8QA0gftgcfF2/il8Y+UjNiDqrGeLnznp5sdnwLwD qyMuZRoVPu8gXt/5GUvtP5MKT9YpL1HSxujmYsAGNeOpgex5aHS2SRkh26jMJT0URA +vjLNNdAEKsamsEoYT7lzBfgHmNPNlQA01upJjMP4Yn+gbUXQIMsNHDk8hjRS3u2Xl LwrOjOiCX2B9euxmuaCXY4qlr/PwCGzwn2DA7N6CmaKPSDHirGGh6wZ8BtvCexCtx1 9gxuPw1WSlSrVWtWhbCsXX6j8rd9FMEwFsDpZyZqgvKIhXdWELzF5Tcoxd3lLgm7oh DBgJ4JtXI7D/Q== From: Christian Brauner Date: Mon, 05 May 2025 13:13:43 +0200 Subject: [PATCH RFC v3 05/10] coredump: validate socket name as it is written Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-5-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1280; i=brauner@kernel.org; h=from:subject:message-id; bh=/uknDbEVxAQovH7hvslY3diyqJp2ptgrXNsx1BL3wHc=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM1jlo9n8Jua97dx1aRDIfO1Qh23aO30E24Vfv31Q fy9m61/OkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACZy3Y3hnyWj5Kr/t/c2+fvE bPbO8v/Dxfw+f/HhnMTiw5N8lGTVHRn+yl03zHu/+cNCXaP0wvURG2++ufv01CFdlUObDnD4fFW 2ZAEA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 In contrast to other parameters written into /proc/sys/kernel/core_pattern that never fail we can validate enabling the new AF_UNIX support. This is obviously racy as hell but it's always been that way. Signed-off-by: Christian Brauner --- fs/coredump.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index c60f86c473ad..d3f12ba0f150 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1183,10 +1183,21 @@ void validate_coredump_safety(void) static int proc_dostring_coredump(const struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { - int error =3D proc_dostring(table, write, buffer, lenp, ppos); + int error; + ssize_t retval; + char old_core_pattern[CORENAME_MAX_SIZE]; + + retval =3D strscpy(old_core_pattern, core_pattern, CORENAME_MAX_SIZE); + + error =3D proc_dostring(table, write, buffer, lenp, ppos); + if (error) + return error; + if (core_pattern[0] =3D=3D '@' && strcmp(core_pattern, "@linuxafsk/coredu= mp.socket")) { + strscpy(core_pattern, old_core_pattern, retval + 1); + return -EINVAL; + } =20 - if (!error) - validate_coredump_safety(); + validate_coredump_safety(); return error; } =20 --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB5A8202C44; Mon, 5 May 2025 11:14:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443662; cv=none; b=bi7afv6jPcfuEAGdl2eagCu9fc3GpH620+8iVZmeAqGaAWEGdsCtOIKtoZNAcj4tWAF26LaSahJ/Lp/ow7az5U+GdvgSk5teHfRLF3FxGOmLDvTbQpuJn665i5291bPprCGWjRqsPY523PnagPEzcEJWcKj5ebbcgi/0j/8HUhw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443662; c=relaxed/simple; bh=JDoGvjfCNvj7yWywk2edcAkOb6wyjmCSvk4ij427g0g=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=q8U+NCsSHlUnGjM8QByJk6mMX2evxRZwqJZ0Q8y5LSo+aoLwDQM6+p7Nt3hgiLfSkA+oINefrVf97WFI3X2ff6A8c9L3Z9gX7YLlLVkwNnayr7gGNsl6PIiWObCJ/fIImARavnOm9mdGo61cGohglFq8DdHiPQKWDIdwiIN2uKg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=DMIRbq7U; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="DMIRbq7U" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8FA65C4CEEF; Mon, 5 May 2025 11:14:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443662; bh=JDoGvjfCNvj7yWywk2edcAkOb6wyjmCSvk4ij427g0g=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=DMIRbq7UbBsvDtQpOME71heg3tTAC1x9fshiLpU5tXxSt4onj/kFGIECIlt/n2Ivo OzXmqqvQ+FPJ+9nQAXlZLlIPDGDrGhPSq/GlYCisrxJFYQaT5+osH/nNpBmthkeuty pPlYa6t1isQ+u8Gj6fFDllr5CyaM7TsgPX1GdsVl49tp54wyL3kNQ74IxsWxJWzuny 60Oz4OAR1jH49q6Vg2Cr2IfOpl/383X2qrXJXgqxK+cwTwFrauQ4l6ss7Yy0bXE+at c0Be7r9gAg+YaI8XpOVJQJTYdDYbyKX3UqRipyDSQ3cxwZKiwjymISyyMD6h93WH9Y /AMFQuD6DjNKA== From: Christian Brauner Date: Mon, 05 May 2025 13:13:44 +0200 Subject: [PATCH RFC v3 06/10] coredump: show supported coredump modes Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-6-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1139; i=brauner@kernel.org; h=from:subject:message-id; bh=JDoGvjfCNvj7yWywk2edcAkOb6wyjmCSvk4ij427g0g=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM0TXnloDmv7tsUetp3Ps45km/9T8MubsKQ9sF395 fzWm67nOkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACaSWs7I8GOJTu/MlTf+aV9g dXhrJnhMbu78G9vu6shOYaiafmhRVCrDP0PRSRfezLntfW/C6tP5QptuLZQIf/ky2YOvR+yZCc+ KR7wA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Allow userspace to discover what coredump modes are supported. Signed-off-by: Christian Brauner --- fs/coredump.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index d3f12ba0f150..37dc5aa3806f 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1203,6 +1203,12 @@ static int proc_dostring_coredump(const struct ctl_t= able *table, int write, =20 static const unsigned int core_file_note_size_min =3D CORE_FILE_NOTE_SIZE_= DEFAULT; static const unsigned int core_file_note_size_max =3D CORE_FILE_NOTE_SIZE_= MAX; +static char core_modes[] =3D { + "file\npipe" +#ifdef CONFIG_UNIX + "\nlinuxafsk/coredump.socket" +#endif +}; =20 static const struct ctl_table coredump_sysctls[] =3D { { @@ -1246,6 +1252,13 @@ static const struct ctl_table coredump_sysctls[] =3D= { .extra1 =3D SYSCTL_ZERO, .extra2 =3D SYSCTL_ONE, }, + { + .procname =3D "core_modes", + .data =3D core_modes, + .maxlen =3D sizeof(core_modes) - 1, + .mode =3D 0444, + .proc_handler =3D proc_dostring, + }, }; =20 static int __init init_fs_coredump_sysctls(void) --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB6F3205501; Mon, 5 May 2025 11:14:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443668; cv=none; b=eWM7F+kMUOeXaJQmAaGJaV620egZAUJRIdYwQgq1w4kpwHXg31MWnykL6c0uXKwMn4SKSCG2nBHcd8X18E0fUEICs+inLHIfZP/mD+p9NVpa54B+udzvhalg7LenwRYElMKseG/s6HJx8F8VQ9wCWrDpjUXzOM1wtXT4t7a4GTg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443668; c=relaxed/simple; bh=FGPVAlSyUWiE0nw9P99qFYAvm4mIutgM8NSMMdkUFCM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=tMuu7EShoBZbZcStyno2Aq0cxCcO5t42rZDOCFAoZwXD+MOJ9R5fr+C64GqSDupi30RmgXWWyfEZi9xOhSMmhc/OOcLLtOHtsFiyB7YFhcI5IC6UGhvJRkiVAQBfL+TvyC7IFK1QJPsgQWka/0npF+OpytYRe4fEbwblvYV1dJ0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HFp94hgS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HFp94hgS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 16CAFC4CEE4; Mon, 5 May 2025 11:14:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443667; bh=FGPVAlSyUWiE0nw9P99qFYAvm4mIutgM8NSMMdkUFCM=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=HFp94hgSNHT4STF8tjcD3d09vh9bWUrSYBCcldMli0CHd8HAu9mRyJb0whMtwDwnz R6xmi+cjqx6bPjeWHWlikQFdFLLnel/8vFm1QRUwCzER0BEBsI7gMvZUifEpc1v+1h bVv95FM1TBB8IMf3pe3KGliWgrlo3f2cohQfLPfDTFB/EkWJwomTWxmSiCko38V7Jm VaJsrjgj9hVJHYcH4kiFs/Ka6LcoE5R29S/3qDVyyhsEb4UWItLxX8XW1ds7PHnxo0 YGBW8if8TAYllr0YhAOXlOSQb7v4q1/sKbtyr88DXCjN2ROrtXdElCVYPwCQZN2dg9 FRpuiLwFOxILg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:45 +0200 Subject: [PATCH RFC v3 07/10] pidfs, coredump: add PIDFD_INFO_COREDUMP Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-7-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=7705; i=brauner@kernel.org; h=from:subject:message-id; bh=FGPVAlSyUWiE0nw9P99qFYAvm4mIutgM8NSMMdkUFCM=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM0Lv3v56PZHoVWTP5YJfPVam6z2uk9yvsSWZZqcF 1tbvknldJSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAExEKoGRoTv+u7KYeFOOGoeJ 1amlCnNEmLeXrRSQPX7J5P+DaV9vfGL4p9Wbd7Y16l3ibD3n7mRFhX3ZbvWL5q94K7r97wFp9zt TeQE= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Let userspace know that the task coredumped and whether it was dumped as root or as regular user. The latter is needed so that access permissions to the executable are correctly handled. I don't think this requires any additional privileges checks. The missing exposure of the dumpability attribute of a given task is an issue we should fix given that we already expose whether a task is coredumping or not. Signed-off-by: Christian Brauner --- fs/coredump.c | 35 +++++++++++++++++++++++++++++ fs/pidfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++= ++++ include/linux/pidfs.h | 3 +++ include/uapi/linux/pidfd.h | 16 ++++++++++++++ 4 files changed, 109 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index 37dc5aa3806f..a5f17aaeee32 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -46,7 +46,9 @@ #include #include #include +#include #include +#include #include #include =20 @@ -588,6 +590,8 @@ static int umh_coredump_setup(struct subprocess_info *i= nfo, struct cred *new) if (IS_ERR(pidfs_file)) return PTR_ERR(pidfs_file); =20 + pidfs_coredump(cp); + /* * Usermode helpers are childen of either * system_unbound_wq or of kthreadd. So we know that @@ -869,11 +873,42 @@ void do_coredump(const kernel_siginfo_t *siginfo) goto close_fail; } =20 + /* + * Set the thread-group leader pid which is used for the + * peer credentials during connect() below. Then + * immediately register it in pidfs... + */ + cprm.pid =3D task_tgid(current); + retval =3D pidfs_register_pid(cprm.pid); + if (retval) { + sock_release(socket); + goto close_fail; + } + + /* + * ... and set the coredump information so userspace + * has it available after connect()... + */ + pidfs_coredump(&cprm); + + /* + * ... On connect() the peer credentials are recorded + * and @cprm.pid registered in pidfs... + */ retval =3D kernel_connect(socket, (struct sockaddr *)(&coredump_unix_socket), COREDUMP_UNIX_SOCKET_ADDR_SIZE, 0); + /* + * ... So we can safely put our pidfs reference now... + */ + pidfs_put_pid(cprm.pid); if (retval) goto close_fail; + /* ... and validate that @sk_peer_pid matches @cprm.pid. */ + if (WARN_ON_ONCE(unix_peer(socket->sk)->sk_peer_pid !=3D cprm.pid)) { + retval =3D -ESRCH; + goto close_fail; + } =20 cprm.limit =3D RLIM_INFINITY; #endif diff --git a/fs/pidfs.c b/fs/pidfs.c index 3b39e471840b..8c4d83fb115b 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -20,6 +20,7 @@ #include #include #include +#include =20 #include "internal.h" #include "mount.h" @@ -33,6 +34,7 @@ static struct kmem_cache *pidfs_cachep __ro_after_init; struct pidfs_exit_info { __u64 cgroupid; __s32 exit_code; + __u32 coredump_mask; }; =20 struct pidfs_inode { @@ -240,6 +242,22 @@ static inline bool pid_in_current_pidns(const struct p= id *pid) return false; } =20 +static __u32 pidfs_coredump_mask(unsigned long mm_flags) +{ + switch (__get_dumpable(mm_flags)) { + case SUID_DUMP_USER: + return PIDFD_COREDUMP_USER; + case SUID_DUMP_ROOT: + return PIDFD_COREDUMP_ROOT; + case SUID_DUMP_DISABLE: + return PIDFD_COREDUMP_SKIP; + default: + WARN_ON_ONCE(true); + } + + return 0; +} + static long pidfd_info(struct file *file, unsigned int cmd, unsigned long = arg) { struct pidfd_info __user *uinfo =3D (struct pidfd_info __user *)arg; @@ -280,6 +298,11 @@ static long pidfd_info(struct file *file, unsigned int= cmd, unsigned long arg) } } =20 + if (mask & PIDFD_INFO_COREDUMP) { + kinfo.mask |=3D PIDFD_INFO_COREDUMP; + kinfo.coredump_mask =3D READ_ONCE(pidfs_i(inode)->__pei.coredump_mask); + } + task =3D get_pid_task(pid, PIDTYPE_PID); if (!task) { /* @@ -296,6 +319,13 @@ static long pidfd_info(struct file *file, unsigned int= cmd, unsigned long arg) if (!c) return -ESRCH; =20 + if (!(kinfo.mask & PIDFD_INFO_COREDUMP)) { + task_lock(task); + if (task->mm) + kinfo.coredump_mask =3D pidfs_coredump_mask(task->mm->flags); + task_unlock(task); + } + /* Unconditionally return identifiers and credentials, the rest only on r= equest */ =20 user_ns =3D current_user_ns(); @@ -559,6 +589,31 @@ void pidfs_exit(struct task_struct *tsk) } } =20 +void pidfs_coredump(const struct coredump_params *cprm) +{ + struct pid *pid =3D cprm->pid; + struct pidfs_exit_info *exit_info; + struct dentry *dentry; + struct inode *inode; + __u32 coredump_mask =3D 0; + + dentry =3D stashed_dentry_get(&pid->stashed); + if (WARN_ON_ONCE(!dentry)) + return; + + inode =3D d_inode(dentry); + exit_info =3D &pidfs_i(inode)->__pei; + /* Note how we were coredumped. */ + coredump_mask =3D pidfs_coredump_mask(cprm->mm_flags); + /* Note that we actually did coredump. */ + coredump_mask |=3D PIDFD_COREDUMPED; + /* If coredumping is set to skip we should never end up here. */ + VFS_WARN_ON_ONCE(coredump_mask & PIDFD_COREDUMP_SKIP); + smp_store_release(&exit_info->coredump_mask, coredump_mask); + /* Fwiw, this cannot be the last reference. */ + dput(dentry); +} + static struct vfsmount *pidfs_mnt __ro_after_init; =20 /* diff --git a/include/linux/pidfs.h b/include/linux/pidfs.h index 2676890c4d0d..f7729b9371bc 100644 --- a/include/linux/pidfs.h +++ b/include/linux/pidfs.h @@ -2,11 +2,14 @@ #ifndef _LINUX_PID_FS_H #define _LINUX_PID_FS_H =20 +struct coredump_params; + struct file *pidfs_alloc_file(struct pid *pid, unsigned int flags); void __init pidfs_init(void); void pidfs_add_pid(struct pid *pid); void pidfs_remove_pid(struct pid *pid); void pidfs_exit(struct task_struct *tsk); +void pidfs_coredump(const struct coredump_params *cprm); extern const struct dentry_operations pidfs_dentry_operations; int pidfs_register_pid(struct pid *pid); void pidfs_get_pid(struct pid *pid); diff --git a/include/uapi/linux/pidfd.h b/include/uapi/linux/pidfd.h index 8c1511edd0e9..84ac709f560c 100644 --- a/include/uapi/linux/pidfd.h +++ b/include/uapi/linux/pidfd.h @@ -25,9 +25,23 @@ #define PIDFD_INFO_CREDS (1UL << 1) /* Always returned, even if not reque= sted */ #define PIDFD_INFO_CGROUPID (1UL << 2) /* Always returned if available, e= ven if not requested */ #define PIDFD_INFO_EXIT (1UL << 3) /* Only returned if requested. */ +#define PIDFD_INFO_COREDUMP (1UL << 4) /* Only returned if requested. */ =20 #define PIDFD_INFO_SIZE_VER0 64 /* sizeof first published struct */ =20 +/* + * Values for @coredump_mask in pidfd_info. + * Only valid if PIDFD_INFO_SUID_COREDUMP is set in @mask. + * + * Note, the @PIDFD_COREDUMP_ROOT flag indicates that the generated + * coredump should be treated as sensitive and access should only be + * granted to privileged users. + */ +#define PIDFD_COREDUMPED (1U << 0) /* Did crash and... */ +#define PIDFD_COREDUMP_SKIP (1U << 1) /* coredumping generation was skippe= d. */ +#define PIDFD_COREDUMP_USER (1U << 2) /* coredump was done as the user. */ +#define PIDFD_COREDUMP_ROOT (1U << 3) /* coredump was done as root. */ + /* * The concept of process and threads in userland and the kernel is a conf= using * one - within the kernel every thread is a 'task' with its own individua= l PID, @@ -92,6 +106,8 @@ struct pidfd_info { __u32 fsuid; __u32 fsgid; __s32 exit_code; + __u32 coredump_mask; + __u32 __spare1; }; =20 #define PIDFS_IOCTL_MAGIC 0xFF --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65C5F205501; Mon, 5 May 2025 11:14:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443672; cv=none; b=obvNcH3Cjz6zqscuyZJCWE+wP6c7Pq9E8KIK++yzBgKeO8Eu4/mW6CNxnN8y4MDf9HX7ycoDn8Y3MF+XB91317Ea8hYO2oHgYsuxGAJShsZ5z/RynM9rt8kIjQFOzqC6CmKMJMaI69EXuCOru7O2vjiFTkbw3uWGnsyUdgZ7e/c= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443672; c=relaxed/simple; bh=bI0caR6OLZqfvV36W6soJHjyrY3NJW1ltnBAht9lalI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=YCRoJMjXBlboSvpSKmxQLzobmozr0VjVUty5y1rJtm6oK/zjmarmO07cF3lp3jCFqwKIHqVNG3KABgJcLxb1+j4Ua4Tif6YNMmcIZehpvgZEVXBuLQ//7OsrRB3co9itPeH6lf/i2kk6uMaQQ1tJAykfyCMZhg7zZ3ts3WMn3LA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ajTVjPCs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ajTVjPCs" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CC65FC4CEEF; Mon, 5 May 2025 11:14:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443671; bh=bI0caR6OLZqfvV36W6soJHjyrY3NJW1ltnBAht9lalI=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ajTVjPCs6AmpgqRYCYuGldhzEwKX8qtgd+IUJTErCWIhh2XBih3Za1HoUVbOoDXfR kiJ8w1NFHi1qwMieYRfX9kVXAlsZWL1T/P/NltMlR4PHbM+axz1eIfNuiAxemmIX/i zM0HWs/WCNv1fzDpimniAo6gFO25DU5QarjgpyIcZ2CDa9OuL4aiPlXQY9Yne3Sp7G 0aN6/6tadstpO4niY6HZMDyVeVyGEAodGyG49P2YetYF8UjcTQN9bp0Yb1bLr3ttXB 4rt0V5N2cMjoajN3VNDxpLkbrWcizCLbzOji84rn8TIM2kojKZjGseJxN/C2e4o+3F b22NZ9nQEEhMg== From: Christian Brauner Date: Mon, 05 May 2025 13:13:46 +0200 Subject: [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-8-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=6790; i=brauner@kernel.org; h=from:subject:message-id; bh=bI0caR6OLZqfvV36W6soJHjyrY3NJW1ltnBAht9lalI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM1bVbNp/8eHd4vnJq/OmJJz91xZn3HX7MuM93m2z jm2+dYHs45SFgYxLgZZMUUWh3aTcLnlPBWbjTI1YOawMoEMYeDiFICJJKcyMrxc9WI5t2XP/rvO Ej4qpk3b8kS7qm4rzVl+vJprkXBKiCUjwyoLs8uGfArMnO2VlUWpHofPWryQONPN/1TExzRJgaG ECwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Make sure that only tasks that actually coredumped may connect to the coredump socket. This restriction may be loosened later in case userspace processes would like to use it to generate their own coredumps. Though it'd be wiser if userspace just exposed a separate socket for that. Signed-off-by: Christian Brauner --- fs/coredump.c | 25 +++++++++++++++++++++++++ fs/pidfs.c | 13 +++++++++++++ include/linux/coredump.h | 12 ++++++++++++ include/linux/pidfs.h | 1 + net/unix/af_unix.c | 19 +++++++++++++------ 5 files changed, 64 insertions(+), 6 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index a5f17aaeee32..8a9620ce4fd0 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -630,6 +630,31 @@ struct sockaddr_un coredump_unix_socket =3D { #define COREDUMP_UNIX_SOCKET_ADDR_SIZE \ (offsetof(struct sockaddr_un, sun_path) + \ sizeof("\0linuxafsk/coredump.socket") - 1) + +static inline bool is_coredump_socket(const struct sockaddr_un *sunname, + unsigned int len) +{ + return (COREDUMP_UNIX_SOCKET_ADDR_SIZE =3D=3D len) && + !memcmp(&coredump_unix_socket, sunname, len); +} + +/* + * For the coredump socket in the initial network namespace we only + * allow actual coredumping processes to connect to it, i.e., the kernel + * itself. + */ +bool unix_use_coredump_socket(const struct net *net, const struct pid *pid, + const struct sockaddr_un *sunname, + unsigned int len) +{ + if (net !=3D &init_net) + return true; + + if (!is_coredump_socket(sunname, len)) + return true; + + return pidfs_pid_coredumped(pid); +} #endif =20 void do_coredump(const kernel_siginfo_t *siginfo) diff --git a/fs/pidfs.c b/fs/pidfs.c index 8c4d83fb115b..e0a4c34ddc42 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -258,6 +258,19 @@ static __u32 pidfs_coredump_mask(unsigned long mm_flag= s) return 0; } =20 +bool pidfs_pid_coredumped(const struct pid *pid) +{ + struct inode *inode; + + if (!pid) + return false; + + /* We expect the caller to hold a reference to @pid->stashed. */ + VFS_WARN_ON_ONCE(!pid->stashed); + inode =3D d_inode(pid->stashed); + return (READ_ONCE(pidfs_i(inode)->__pei.coredump_mask) & PIDFD_COREDUMPED= ); +} + static long pidfd_info(struct file *file, unsigned int cmd, unsigned long = arg) { struct pidfd_info __user *uinfo =3D (struct pidfd_info __user *)arg; diff --git a/include/linux/coredump.h b/include/linux/coredump.h index 76e41805b92d..2b2f0c016c16 100644 --- a/include/linux/coredump.h +++ b/include/linux/coredump.h @@ -7,6 +7,8 @@ #include #include =20 +struct sockaddr_un; + #ifdef CONFIG_COREDUMP struct core_vma_metadata { unsigned long start, end; @@ -44,6 +46,9 @@ extern int dump_align(struct coredump_params *cprm, int a= lign); int dump_user_range(struct coredump_params *cprm, unsigned long start, unsigned long len); extern void do_coredump(const kernel_siginfo_t *siginfo); +bool unix_use_coredump_socket(const struct net *net, const struct pid *pid, + const struct sockaddr_un *sunname, + unsigned int len); =20 /* * Logging for the coredump code, ratelimited. @@ -64,6 +69,13 @@ extern void do_coredump(const kernel_siginfo_t *siginfo); =20 #else static inline void do_coredump(const kernel_siginfo_t *siginfo) {} +static inline bool unix_use_coredump_socket(const struct net *net, + const struct pid *pid, + const struct sockaddr_un *sunname, + unsigned int len) +{ + return true; +} =20 #define coredump_report(...) #define coredump_report_failure(...) diff --git a/include/linux/pidfs.h b/include/linux/pidfs.h index f7729b9371bc..f9c287c0e0ff 100644 --- a/include/linux/pidfs.h +++ b/include/linux/pidfs.h @@ -14,5 +14,6 @@ extern const struct dentry_operations pidfs_dentry_operat= ions; int pidfs_register_pid(struct pid *pid); void pidfs_get_pid(struct pid *pid); void pidfs_put_pid(struct pid *pid); +bool pidfs_pid_coredumped(const struct pid *pid); =20 #endif /* _LINUX_PID_FS_H */ diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index edc2f143f401..613cf9225381 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -101,6 +101,7 @@ #include #include #include +#include #include #include #include @@ -1217,6 +1218,7 @@ static struct sock *unix_find_bsd(struct sockaddr_un = *sunaddr, int addr_len, } =20 static struct sock *unix_find_abstract(struct net *net, + const struct pid *peer_pid, struct sockaddr_un *sunaddr, int addr_len, int type) { @@ -1224,6 +1226,9 @@ static struct sock *unix_find_abstract(struct net *ne= t, struct dentry *dentry; struct sock *sk; =20 + if (!unix_use_coredump_socket(net, peer_pid, sunaddr, addr_len)) + return ERR_PTR(-ECONNREFUSED); + sk =3D unix_find_socket_byname(net, sunaddr, addr_len, hash); if (!sk) return ERR_PTR(-ECONNREFUSED); @@ -1236,15 +1241,16 @@ static struct sock *unix_find_abstract(struct net *= net, } =20 static struct sock *unix_find_other(struct net *net, - struct sockaddr_un *sunaddr, - int addr_len, int type) + const struct pid *peer_pid, + struct sockaddr_un *sunaddr, int addr_len, + int type) { struct sock *sk; =20 if (sunaddr->sun_path[0]) sk =3D unix_find_bsd(sunaddr, addr_len, type); else - sk =3D unix_find_abstract(net, sunaddr, addr_len, type); + sk =3D unix_find_abstract(net, peer_pid, sunaddr, addr_len, type); =20 return sk; } @@ -1500,7 +1506,7 @@ static int unix_dgram_connect(struct socket *sock, st= ruct sockaddr *addr, } =20 restart: - other =3D unix_find_other(sock_net(sk), sunaddr, alen, sock->type); + other =3D unix_find_other(sock_net(sk), NULL, sunaddr, alen, sock->type); if (IS_ERR(other)) { err =3D PTR_ERR(other); goto out; @@ -1647,7 +1653,8 @@ static int unix_stream_connect(struct socket *sock, s= truct sockaddr *uaddr, =20 restart: /* Find listening sock. */ - other =3D unix_find_other(net, sunaddr, addr_len, sk->sk_type); + other =3D unix_find_other(net, peercred.peer_pid, sunaddr, addr_len, + sk->sk_type); if (IS_ERR(other)) { err =3D PTR_ERR(other); goto out_free_skb; @@ -2115,7 +2122,7 @@ static int unix_dgram_sendmsg(struct socket *sock, st= ruct msghdr *msg, =20 if (msg->msg_namelen) { lookup: - other =3D unix_find_other(sock_net(sk), msg->msg_name, + other =3D unix_find_other(sock_net(sk), NULL, msg->msg_name, msg->msg_namelen, sk->sk_type); if (IS_ERR(other)) { err =3D PTR_ERR(other); --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0728621505C; Mon, 5 May 2025 11:14:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443677; cv=none; b=QG6jqaOgUFRdGouYGyUa/d/+M6acHjGValZKnwBi4RIQyprUTKGFBJRTkt2kXS3F1tKatzJFsSakNjiuV7TP6dxx5RjE0hGeUkoX8LjEsyj59D4kmJdS/b+VfC8Ul8INdhmg5uGDzmi19T6YfzsRjTQ9ZTlDerPKLXS3FuTxHPY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443677; c=relaxed/simple; bh=rojmlNBBYZrLt7jghiEYSsqnznF4z3iX/lIAQtk2wM0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=MU0Rp9QdfHHHI14XOhGMSZZRYsRPBAVuETbmR3woHNQKWMBp4zPv38hYvlKlzCJXXCejd29bu78R+3UzDO1td9YbvsPgi0HHFHZexcUrj/EnyI4tsdbZwZ1lfiEa0uh5D1DEdpCpD1IbRihO+LZ0VrfFhh06kIE4ZtHuIymKmCY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SszgRe0z; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SszgRe0z" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 56E37C4CEF0; Mon, 5 May 2025 11:14:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443676; bh=rojmlNBBYZrLt7jghiEYSsqnznF4z3iX/lIAQtk2wM0=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=SszgRe0zrZSr2t80U13WkrI0JWgmcYYPbL5sU/R1e12T+bsyZoiQJwHstcyZnQHcW U1uEsNSB4KI65GyeZY8BA2qPnkOnJPxxGLQnt7eP4nj/vX11Z29IIj7WxrBsRBRlW9 ufIQR44FIMUcQkC4SYH9Wyel4BfguQPKM1PVMA8RLZKqZSzX46NPBf4ykUw9mGzcFE qXZTrJRxXXWC1mek7gtzRAQBbzuBSuLlkngKJrERJcAJq1C9GOKGHlW12MnZiySJeC DnfIoM7omU6HsKNhmoH4rr7SJoF1eWvFBw+oT1wOUZDwC8b2FIdzUNmIliBzpfMo3P KKb2CJVzTMY/Q== From: Christian Brauner Date: Mon, 05 May 2025 13:13:47 +0200 Subject: [PATCH RFC v3 09/10] selftests/pidfd: add PIDFD_INFO_COREDUMP infrastructure Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-9-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1355; i=brauner@kernel.org; h=from:subject:message-id; bh=rojmlNBBYZrLt7jghiEYSsqnznF4z3iX/lIAQtk2wM0=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM1jZX8cxWGz6MGqA3KuJ68Hp73o0Ph5ojLo+qMi9 2V+90RdO0pZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACbSPImRoUEq7PKWdrFwBpmz +bu3rzh/+17O7C/lCa9+Bm+SXuFR+I7hr8gLe4PU+ry9f5ucXu1NOGTzdeOt/WFXv7Z+WLTD95n pWkYA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add PIDFD_INFO_COREDUMP infrastructure so we can use it in tests. Signed-off-by: Christian Brauner --- tools/testing/selftests/pidfd/pidfd.h | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tools/testing/selftests/pidfd/pidfd.h b/tools/testing/selftest= s/pidfd/pidfd.h index 55bcf81a2b9a..6e812c3afca4 100644 --- a/tools/testing/selftests/pidfd/pidfd.h +++ b/tools/testing/selftests/pidfd/pidfd.h @@ -131,6 +131,26 @@ #define PIDFD_INFO_EXIT (1UL << 3) /* Always returned if available, even= if not requested */ #endif =20 +#ifndef PIDFD_INFO_COREDUMP +#define PIDFD_INFO_COREDUMP (1UL << 4) +#endif + +#ifndef PIDFD_COREDUMPED +#define PIDFD_COREDUMPED (1U << 0) /* Did crash and... */ +#endif + +#ifndef PIDFD_COREDUMP_SKIP +#define PIDFD_COREDUMP_SKIP (1U << 1) /* coredumping generation was skippe= d. */ +#endif + +#ifndef PIDFD_COREDUMP_USER +#define PIDFD_COREDUMP_USER (1U << 2) /* coredump was done as the user. */ +#endif + +#ifndef PIDFD_COREDUMP_ROOT +#define PIDFD_COREDUMP_ROOT (1U << 3) /* coredump was done as root. */ +#endif + #ifndef PIDFD_THREAD #define PIDFD_THREAD O_EXCL #endif @@ -150,6 +170,8 @@ struct pidfd_info { __u32 fsuid; __u32 fsgid; __s32 exit_code; + __u32 coredump_mask; + __u32 __spare1; }; =20 /* --=20 2.47.2 From nobody Tue Feb 10 04:23:31 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 466A120297F; Mon, 5 May 2025 11:14:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443681; cv=none; b=IpPnuZwnPCIDwwLjdrzXmbhjTkiwJAQTxyoDr8NQ03YR5C1Wb9dDV9rYPIjTBX/JDKaYLNlAI4RoPSCEkw976bZPJLodikVfz7siPrOIDOcNw89Dn4A60y5R7f4p+rjDjPBE87j1V0o7ls/l6fGRyjc/EQvwofeL/1/9kKk0adM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746443681; c=relaxed/simple; bh=PKfxvII8s03tZ/L5i8hb8YTGQUGotETeNiF7b11BExA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Yg1q+hQ/jfvSedlii2eWRCwHHHYospFgmyhUEXLDg/aQx2MriwZu5iw734PTz1Epmht2z32u1GudMZlyo9aAiNwpYUgJwwZ6mpdR/qqU81C/bNc7v4tHvs2j2lUyHLpD7NHXRFYzUi5ie2FmwlcSMWsg+fePn7pFa5KrFs1q3TI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TAdj8VzI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TAdj8VzI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D9A61C4CEE4; Mon, 5 May 2025 11:14:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1746443681; bh=PKfxvII8s03tZ/L5i8hb8YTGQUGotETeNiF7b11BExA=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=TAdj8VzIg52sr2BDfqdA833NR/QLQhAn39r86YgTqdES/ueGk953pkeNUGxaugSIC ntLePb0QnWmL0wzGDe39BlWLtyhmzT42LUbwSyNfzywzbAfGEPbwvSFYtPHW04sDzN OZ2bG/JiG//o5WEr/K88aDqGr2EvCbPup9yqJEtQV8wXTItOm7AEtWaLMK29eNNjbW xpzVmu5MM/fv0YbdHxPdh6Az5qJeJqq8fU/ebZqAY46qGDbJW10ZWQxsHkL7MlqQUw oKb8wthsLTL6+XNuuRqf0lxFBpMjQfW7nCUcRC60axArwOisOYF+WjAHxLmzO9m0Ri R+DmM0pWLnBog== From: Christian Brauner Date: Mon, 05 May 2025 13:13:48 +0200 Subject: [PATCH RFC v3 10/10] selftests/coredump: add tests for AF_UNIX coredumps Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250505-work-coredump-socket-v3-10-e1832f0e1eae@kernel.org> References: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> In-Reply-To: <20250505-work-coredump-socket-v3-0-e1832f0e1eae@kernel.org> To: Eric Dumazet , Kuniyuki Iwashima , Oleg Nesterov , linux-fsdevel@vger.kernel.org, Jann Horn Cc: "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=3426; i=brauner@kernel.org; h=from:subject:message-id; bh=PKfxvII8s03tZ/L5i8hb8YTGQUGotETeNiF7b11BExA=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWRIzM37G7FjHV+00xIRfQ/O55x8JtJdxRmvdW/e+27+e 0en+s+ejlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgIlMnMLwvzpAxM995xbzPLlT uaIJjKqy5xIOzd/T9cNoedy84ua5VxgZmkPeqInFnF19dOnRV5pZRXYh03qP6C6ddil/7rTotfm v+AE= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add a simple test for generating coredumps via AF_UNIX sockets. Signed-off-by: Christian Brauner --- tools/testing/selftests/coredump/stackdump_test.c | 71 +++++++++++++++++++= +++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/coredump/stackdump_test.c b/tools/test= ing/selftests/coredump/stackdump_test.c index fe3c728cd6be..4d1d444ca3d4 100644 --- a/tools/testing/selftests/coredump/stackdump_test.c +++ b/tools/testing/selftests/coredump/stackdump_test.c @@ -5,10 +5,13 @@ #include #include #include +#include #include +#include #include =20 #include "../kselftest_harness.h" +#include "../pidfd/pidfd.h" =20 #define STACKDUMP_FILE "stack_values" #define STACKDUMP_SCRIPT "stackdump" @@ -35,6 +38,7 @@ static void crashing_child(void) FIXTURE(coredump) { char original_core_pattern[256]; + pid_t pid_socat; }; =20 FIXTURE_SETUP(coredump) @@ -44,6 +48,7 @@ FIXTURE_SETUP(coredump) char *dir; int ret; =20 + self->pid_socat =3D -ESRCH; file =3D fopen("/proc/sys/kernel/core_pattern", "r"); ASSERT_NE(NULL, file); =20 @@ -61,10 +66,15 @@ FIXTURE_TEARDOWN(coredump) { const char *reason; FILE *file; - int ret; + int ret, status; =20 unlink(STACKDUMP_FILE); =20 + if (self->pid_socat > 0) { + kill(self->pid_socat, SIGTERM); + waitpid(self->pid_socat, &status, 0); + } + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); if (!file) { reason =3D "Unable to open core_pattern"; @@ -154,4 +164,63 @@ TEST_F_TIMEOUT(coredump, stackdump, 120) fclose(file); } =20 +TEST_F(coredump, socket) +{ + int fd, pidfd, ret, status; + FILE *file; + pid_t pid, pid_socat; + struct stat st; + char core_file[PATH_MAX]; + struct pidfd_info info =3D {}; + + ASSERT_EQ(unshare(CLONE_NEWNS), 0); + ASSERT_EQ(mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL), 0); + ASSERT_EQ(mount(NULL, "/tmp", "tmpfs", 0, NULL), 0); + + pid_socat =3D fork(); + ASSERT_GE(pid_socat, 0); + if (pid_socat =3D=3D 0) { + execlp("socat", "socat", + "abstract-listen:linuxafsk/coredump.socket,fork", + "FILE:/tmp/coredump_file,create,append,trunc", + (char *)NULL); + _exit(EXIT_FAILURE); + } + self->pid_socat =3D pid_socat; + + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); + ASSERT_NE(NULL, file); + + ret =3D fprintf(file, "@linuxafsk/coredump.socket"); + ASSERT_EQ(ret, strlen("@linuxafsk/coredump.socket")); + ASSERT_EQ(fclose(file), 0); + + pid =3D fork(); + ASSERT_GE(pid, 0); + if (pid =3D=3D 0) + crashing_child(); + + pidfd =3D sys_pidfd_open(pid, 0); + ASSERT_GE(pidfd, 0); + + waitpid(pid, &status, 0); + ASSERT_TRUE(WIFSIGNALED(status)); + ASSERT_TRUE(WCOREDUMP(status)); + + info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP; + ASSERT_EQ(ioctl(pidfd, PIDFD_GET_INFO, &info), 0); + ASSERT_GT((info.mask & PIDFD_INFO_COREDUMP), 0); + ASSERT_GT((info.coredump_mask & PIDFD_COREDUMPED), 0); + + ASSERT_EQ(kill(pid_socat, SIGTERM), 0); + waitpid(pid_socat, &status, 0); + self->pid_socat =3D -ESRCH; + ASSERT_TRUE(WIFEXITED(status)); + ASSERT_EQ(WEXITSTATUS(status), 143); + + /* We should somehow validate the produced core file. */ + ASSERT_EQ(stat("/tmp/coredump_file", &st), 0); + ASSERT_GT(st.st_size, 0); +} + TEST_HARNESS_MAIN --=20 2.47.2