From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB1E421CFEA; Wed, 14 May 2025 22:04:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260243; cv=none; b=cxOxl6lE+ZM5ybiDivV5SeGYGx9Ntuz8f+uAturBSTuamzIsQXuQGJ5c/lTPmZUflTUMXAsyLXKvfxbvdbf/AJ2N7ZfXv/Zw5CUa+dAQDeI7EeYaEuKJ6CrOHNDw89tGLNSW010cohFAXeoU/w+ulsldN01quFhhQZfPdcrKCfA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260243; c=relaxed/simple; bh=yJIcK7PPInODHuXyqw2gaMqbfBwseUsiKi2NQv8EWpM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=R8J2KIB/dtWYfkrjfAvzO3oudKKCJWd/JfQ2LInJQyBzTP2Cterhinchzf/IhtAcjsMuujNF8Xf4cR80eW77a4YL9BRFe5netAevhhEx6Y+TWKKvLgf6o4Lw/8pR9F2j5D7VYjdTqr8+kKXexKii1c7KjXMNzlRwsO+cDD10fnw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=eMOthckD; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="eMOthckD" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 96B61C4CEED; Wed, 14 May 2025 22:03:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260243; bh=yJIcK7PPInODHuXyqw2gaMqbfBwseUsiKi2NQv8EWpM=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=eMOthckD76mt4jHkhDMIIcQhiYodJiIY2efP3FuCLDoSBi4FVEI1qROcs6lYPCKa9 YJ2tkYXYfbtwbjllrx0OHRm+oXHKe2FYjv+YKAJXJ7fANgJQAKP28HX0fhG73hAeeq efDqx+eL5PghBu+MqcaoQPFNe7zcULY4DF/N8Bs+c+oXQ1/nw8HYSZOvR2rHH+8K23 9r7btDeTG0QI2q60NS5G24vuxoGy/QGzZgv8zCsA0FRcQ1F8eFkF9bEELupAijMDRd tyrXEmygKVl1dTLtL5Q+v33B2n9j0ql3vUEwz2DWDeacDc19OsmR2M1f7CH7/1fvpR KLdR699Y3vxhg== From: Christian Brauner Date: Thu, 15 May 2025 00:03:34 +0200 Subject: [PATCH v7 1/9] coredump: massage format_corname() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-1-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=4653; i=brauner@kernel.org; h=from:subject:message-id; bh=yJIcK7PPInODHuXyqw2gaMqbfBwseUsiKi2NQv8EWpM=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCnucX7xWx+y8EeNcVh31hWwJq11nsxRf3sO69K6d3 Y6Ql9MOdZSyMIhxMciKKbI4tJuEyy3nqdhslKkBM4eVCWQIAxenAExk7yFGhh3tbY6HPzIZ8tgk 6b7YsqbSll032EPm3bEJdXe+r/juEcnI8FbnA/e2jSJHnVa2vHn+5sC0o5sOtXF+nr3E5eOti15 +hjwA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 We're going to extend the coredump code in follow-up patches. Clean it up so we can do this more easily. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Acked-by: Serge Hallyn Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Jann Horn --- fs/coredump.c | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index d740a0411266..368751d98781 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -76,9 +76,15 @@ static char core_pattern[CORENAME_MAX_SIZE] =3D "core"; static int core_name_size =3D CORENAME_MAX_SIZE; unsigned int core_file_note_size_limit =3D CORE_FILE_NOTE_SIZE_DEFAULT; =20 +enum coredump_type_t { + COREDUMP_FILE =3D 1, + COREDUMP_PIPE =3D 2, +}; + struct core_name { char *corename; int used, size; + enum coredump_type_t core_type; }; =20 static int expand_corename(struct core_name *cn, int size) @@ -218,18 +224,21 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, { const struct cred *cred =3D current_cred(); const char *pat_ptr =3D core_pattern; - int ispipe =3D (*pat_ptr =3D=3D '|'); bool was_space =3D false; int pid_in_pattern =3D 0; int err =3D 0; =20 cn->used =3D 0; cn->corename =3D NULL; + if (*pat_ptr =3D=3D '|') + cn->core_type =3D COREDUMP_PIPE; + else + cn->core_type =3D COREDUMP_FILE; if (expand_corename(cn, core_name_size)) return -ENOMEM; cn->corename[0] =3D '\0'; =20 - if (ispipe) { + if (cn->core_type =3D=3D COREDUMP_PIPE) { int argvs =3D sizeof(core_pattern) / 2; (*argv) =3D kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL); if (!(*argv)) @@ -247,7 +256,7 @@ static int format_corename(struct core_name *cn, struct= coredump_params *cprm, * Split on spaces before doing template expansion so that * %e and %E don't get split if they have spaces in them */ - if (ispipe) { + if (cn->core_type =3D=3D COREDUMP_PIPE) { if (isspace(*pat_ptr)) { if (cn->used !=3D 0) was_space =3D true; @@ -353,7 +362,7 @@ static int format_corename(struct core_name *cn, struct= coredump_params *cprm, * Installing a pidfd only makes sense if * we actually spawn a usermode helper. */ - if (!ispipe) + if (cn->core_type !=3D COREDUMP_PIPE) break; =20 /* @@ -384,12 +393,12 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, * If core_pattern does not include a %p (as is the default) * and core_uses_pid is set, then .%pid will be appended to * the filename. Do not do this for piped commands. */ - if (!ispipe && !pid_in_pattern && core_uses_pid) { + if (!(cn->core_type =3D=3D COREDUMP_PIPE) && !pid_in_pattern && core_uses= _pid) { err =3D cn_printf(cn, ".%d", task_tgid_vnr(current)); if (err) return err; } - return ispipe; + return 0; } =20 static int zap_process(struct signal_struct *signal, int exit_code) @@ -583,7 +592,6 @@ void do_coredump(const kernel_siginfo_t *siginfo) const struct cred *old_cred; struct cred *cred; int retval =3D 0; - int ispipe; size_t *argv =3D NULL; int argc =3D 0; /* require nonrelative corefile path and be extra careful */ @@ -632,19 +640,18 @@ void do_coredump(const kernel_siginfo_t *siginfo) =20 old_cred =3D override_creds(cred); =20 - ispipe =3D format_corename(&cn, &cprm, &argv, &argc); + retval =3D format_corename(&cn, &cprm, &argv, &argc); + if (retval < 0) { + coredump_report_failure("format_corename failed, aborting core"); + goto fail_unlock; + } =20 - if (ispipe) { + if (cn.core_type =3D=3D COREDUMP_PIPE) { int argi; int dump_count; char **helper_argv; struct subprocess_info *sub_info; =20 - if (ispipe < 0) { - coredump_report_failure("format_corename failed, aborting core"); - goto fail_unlock; - } - if (cprm.limit =3D=3D 1) { /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. * @@ -695,7 +702,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) coredump_report_failure("|%s pipe failed", cn.corename); goto close_fail; } - } else { + } else if (cn.core_type =3D=3D COREDUMP_FILE) { struct mnt_idmap *idmap; struct inode *inode; int open_flags =3D O_CREAT | O_WRONLY | O_NOFOLLOW | @@ -823,13 +830,13 @@ void do_coredump(const kernel_siginfo_t *siginfo) file_end_write(cprm.file); free_vma_snapshot(&cprm); } - if (ispipe && core_pipe_limit) + if ((cn.core_type =3D=3D COREDUMP_PIPE) && core_pipe_limit) wait_for_dump_helpers(cprm.file); close_fail: if (cprm.file) filp_close(cprm.file, NULL); fail_dropcount: - if (ispipe) + if (cn.core_type =3D=3D COREDUMP_PIPE) atomic_dec(&core_dump_count); fail_unlock: kfree(argv); --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF7D522257F; Wed, 14 May 2025 22:04:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260249; cv=none; b=Gh9jLVzA3J8JKXtX6ruTZPb5l2snX8AF3Zdc4UKnkpuoAwesAjgBRBLoyVilwrWk4nj9KjsbAlN4nuul6ZnbqMNc//Sjc3XDFQf1tHKbrJryNs5b4MZnfC3hbQHkm1u4y3DmNVQJKacHONsOVYH7bHtBIM5BAanVY6oDkaT81Ak= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260249; c=relaxed/simple; bh=A1ET0rfOsbnb/BsO8UCsIl2X+TJza69sCPkeWIG0Ss8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Wns1VisBv/2o1N6DNkHapR2eR0LmkxG/vFWjHw6Lk02DtdKDrtbeQ3YlWpDGgkwK3iahudVs5i3nTr8TNmx+LIglhgngihwUOrsoPdwMHdUtbGAp8RS/k/H0Z5YLF9rgUdkOGrvGPYdRsvhvqiTN3rIkkbKHRc8pZ16HLa8Llwk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=XOVDRl0O; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="XOVDRl0O" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B0078C4CEE3; Wed, 14 May 2025 22:04:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260248; bh=A1ET0rfOsbnb/BsO8UCsIl2X+TJza69sCPkeWIG0Ss8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=XOVDRl0OqrgSimlJGdCbVK1ob9RrM6ZoqBHTanl0daF9sWRt0aA/4fQXRjwqVyNG7 9apMeL+10phRr53fqTFeQf/PEVjCd7FbKp0vZbNhxEMiv0izKuuW/EfRwdPvaa0Mt6 M3+X3sCWthYKiRXSDbvsyjsUr9OhYpGysRgaLgN+NAIkAKBY1cRjcRgRqzTkWjCbIJ bozzjzZpiPB+WAGU37d0Rat/yfgHRh8Zs9f7ntyRs4NThWnOeMQFnMXolULOa/4Pts Y2VPWAOg4i1lfHrji+Q1u2t1iS5Rs0Qv1FIdInAwpe3Zi3180Q+FroF2VEHYF8/Ygf pTdNouoHtolYg== From: Christian Brauner Date: Thu, 15 May 2025 00:03:35 +0200 Subject: [PATCH v7 2/9] coredump: massage do_coredump() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-2-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=4911; i=brauner@kernel.org; h=from:subject:message-id; bh=A1ET0rfOsbnb/BsO8UCsIl2X+TJza69sCPkeWIG0Ss8=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCntIe9edC12R9mzWPN5pO8Lu+b7LVa02MG9IWqYZs sowjsGwo5SFQYyLQVZMkcWh3SRcbjlPxWajTA2YOaxMIEMYuDgFYCKFnxkZjmsatn9wcHPr1l38 RfLtBXvrnY2z1fgVPDvlpqx/8t9Qj5Hhh3VryNXih4xH7wU84rg+P6Tbk3PtI5vAyVtuBWyam2L IDwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 We're going to extend the coredump code in follow-up patches. Clean it up so we can do this more easily. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Jann Horn --- fs/coredump.c | 122 +++++++++++++++++++++++++++++++-----------------------= ---- 1 file changed, 65 insertions(+), 57 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 368751d98781..0e97c21b35e3 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -646,63 +646,8 @@ void do_coredump(const kernel_siginfo_t *siginfo) goto fail_unlock; } =20 - if (cn.core_type =3D=3D COREDUMP_PIPE) { - int argi; - int dump_count; - char **helper_argv; - struct subprocess_info *sub_info; - - if (cprm.limit =3D=3D 1) { - /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. - * - * Normally core limits are irrelevant to pipes, since - * we're not writing to the file system, but we use - * cprm.limit of 1 here as a special value, this is a - * consistent way to catch recursive crashes. - * We can still crash if the core_pattern binary sets - * RLIM_CORE =3D !1, but it runs as root, and can do - * lots of stupid things. - * - * Note that we use task_tgid_vnr here to grab the pid - * of the process group leader. That way we get the - * right pid if a thread in a multi-threaded - * core_pattern process dies. - */ - coredump_report_failure("RLIMIT_CORE is set to 1, aborting core"); - goto fail_unlock; - } - cprm.limit =3D RLIM_INFINITY; - - dump_count =3D atomic_inc_return(&core_dump_count); - if (core_pipe_limit && (core_pipe_limit < dump_count)) { - coredump_report_failure("over core_pipe_limit, skipping core dump"); - goto fail_dropcount; - } - - helper_argv =3D kmalloc_array(argc + 1, sizeof(*helper_argv), - GFP_KERNEL); - if (!helper_argv) { - coredump_report_failure("%s failed to allocate memory", __func__); - goto fail_dropcount; - } - for (argi =3D 0; argi < argc; argi++) - helper_argv[argi] =3D cn.corename + argv[argi]; - helper_argv[argi] =3D NULL; - - retval =3D -ENOMEM; - sub_info =3D call_usermodehelper_setup(helper_argv[0], - helper_argv, NULL, GFP_KERNEL, - umh_coredump_setup, NULL, &cprm); - if (sub_info) - retval =3D call_usermodehelper_exec(sub_info, - UMH_WAIT_EXEC); - - kfree(helper_argv); - if (retval) { - coredump_report_failure("|%s pipe failed", cn.corename); - goto close_fail; - } - } else if (cn.core_type =3D=3D COREDUMP_FILE) { + switch (cn.core_type) { + case COREDUMP_FILE: { struct mnt_idmap *idmap; struct inode *inode; int open_flags =3D O_CREAT | O_WRONLY | O_NOFOLLOW | @@ -796,6 +741,69 @@ void do_coredump(const kernel_siginfo_t *siginfo) if (do_truncate(idmap, cprm.file->f_path.dentry, 0, 0, cprm.file)) goto close_fail; + break; + } + case COREDUMP_PIPE: { + int argi; + int dump_count; + char **helper_argv; + struct subprocess_info *sub_info; + + if (cprm.limit =3D=3D 1) { + /* See umh_coredump_setup() which sets RLIMIT_CORE =3D 1. + * + * Normally core limits are irrelevant to pipes, since + * we're not writing to the file system, but we use + * cprm.limit of 1 here as a special value, this is a + * consistent way to catch recursive crashes. + * We can still crash if the core_pattern binary sets + * RLIM_CORE =3D !1, but it runs as root, and can do + * lots of stupid things. + * + * Note that we use task_tgid_vnr here to grab the pid + * of the process group leader. That way we get the + * right pid if a thread in a multi-threaded + * core_pattern process dies. + */ + coredump_report_failure("RLIMIT_CORE is set to 1, aborting core"); + goto fail_unlock; + } + cprm.limit =3D RLIM_INFINITY; + + dump_count =3D atomic_inc_return(&core_dump_count); + if (core_pipe_limit && (core_pipe_limit < dump_count)) { + coredump_report_failure("over core_pipe_limit, skipping core dump"); + goto fail_dropcount; + } + + helper_argv =3D kmalloc_array(argc + 1, sizeof(*helper_argv), + GFP_KERNEL); + if (!helper_argv) { + coredump_report_failure("%s failed to allocate memory", __func__); + goto fail_dropcount; + } + for (argi =3D 0; argi < argc; argi++) + helper_argv[argi] =3D cn.corename + argv[argi]; + helper_argv[argi] =3D NULL; + + retval =3D -ENOMEM; + sub_info =3D call_usermodehelper_setup(helper_argv[0], + helper_argv, NULL, GFP_KERNEL, + umh_coredump_setup, NULL, &cprm); + if (sub_info) + retval =3D call_usermodehelper_exec(sub_info, + UMH_WAIT_EXEC); + + kfree(helper_argv); + if (retval) { + coredump_report_failure("|%s pipe failed", cn.corename); + goto close_fail; + } + break; + } + default: + WARN_ON_ONCE(true); + goto close_fail; } =20 /* get us an unshared descriptor table; almost always a no-op */ --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 29D50223DDD; Wed, 14 May 2025 22:04:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260254; cv=none; b=Ltdd3/cWa47A8s1JRDjNa0S5Q1phAzg+TIjG4fJqx26/pwHNN72vxcm9bt4AFlSfphoAZh8IRR9BYkTcBcydkMu0TdEna+4rFAjXCW4+Y9N/amvH5LRFjH2cxP4vOK8AZCCXOvBanj15Kil+pDl0eFZOpbBO0NuNtDuRueU5pnU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260254; c=relaxed/simple; bh=D7Loxo9G/kcLmw4x1TO7tL5CmVqFKJ1HEu4OaNHweVk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=s+XIiFiIiPwbPWHtHYKpnkRBCAVdh8kaaLFoT5e5poWpVlE2kmAmDtaEaWCZx81ZI+Ee36as6XYGvMH4S7u+NfuiIRu7ndIA+y0dAeNuuZddtpyeQyqqlP7sLNu84HQPBrPY6bHC+GORMewavvC+iP35+/xog9Bw8hX3RpYk89s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HeBMtrf/; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HeBMtrf/" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DAA44C4CEEF; Wed, 14 May 2025 22:04:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260253; bh=D7Loxo9G/kcLmw4x1TO7tL5CmVqFKJ1HEu4OaNHweVk=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=HeBMtrf/TyA0/y/R55ampa8iLylsNPOIQfb8FGOr62bDnCnJgcKFKYsMzmQJqxcHz jy58bMdGRTrRItR/mjn3gtljP5Oa/kKvNyrT/WgCrusU1hK5IBZydPCDFZe7FnDpn6 6B3UkqPExTeef/m24oyuSSbJcDKu1s9BLUtuwdrNygw7lxt8RImmQkJN4l/w5Yxl4l hQpAyaBJhMf/+bx8/XuiUq6oz5SBgVpZAIBxJYV8jQByFzEN42X8F0a7DrciE2JiK3 sa/nh196quN3FGwdlbhIGmKxTb2DKuXdOPhgRNNfOJBGnUnoNXBUEk18KYmLw3m5Pl MUXgjRsrsM7PQ== From: Christian Brauner Date: Thu, 15 May 2025 00:03:36 +0200 Subject: [PATCH v7 3/9] coredump: reflow dump helpers a little Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-3-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1478; i=brauner@kernel.org; h=from:subject:message-id; bh=D7Loxo9G/kcLmw4x1TO7tL5CmVqFKJ1HEu4OaNHweVk=; b=kA0DAAoWkcYbwGV43KIByyZiAGglE0jISMl5DdGL0t075cM4WKmWRMcvt3OeO/99UMI59U7hX Ih1BAAWCgAdFiEEQIc0Vx6nDHizMmkokcYbwGV43KIFAmglE0gACgkQkcYbwGV43KIWJgEAtDoH vbvbLyFI4TeVuzq3rWMFpbu1z3P+EcIcgUvpaGEBAMLLiQuEVbF8lR1ry/DW02JqTx0klpa8Fz1 CdOdgEHMH X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 They look rather messy right now. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Jann Horn --- fs/coredump.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 0e97c21b35e3..a70929c3585b 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -867,10 +867,9 @@ static int __dump_emit(struct coredump_params *cprm, c= onst void *addr, int nr) struct file *file =3D cprm->file; loff_t pos =3D file->f_pos; ssize_t n; + if (cprm->written + nr > cprm->limit) return 0; - - if (dump_interrupted()) return 0; n =3D __kernel_write(file, addr, nr, &pos); @@ -887,20 +886,21 @@ static int __dump_skip(struct coredump_params *cprm, = size_t nr) { static char zeroes[PAGE_SIZE]; struct file *file =3D cprm->file; + if (file->f_mode & FMODE_LSEEK) { - if (dump_interrupted() || - vfs_llseek(file, nr, SEEK_CUR) < 0) + if (dump_interrupted() || vfs_llseek(file, nr, SEEK_CUR) < 0) return 0; cprm->pos +=3D nr; return 1; - } else { - while (nr > PAGE_SIZE) { - if (!__dump_emit(cprm, zeroes, PAGE_SIZE)) - return 0; - nr -=3D PAGE_SIZE; - } - return __dump_emit(cprm, zeroes, nr); } + + while (nr > PAGE_SIZE) { + if (!__dump_emit(cprm, zeroes, PAGE_SIZE)) + return 0; + nr -=3D PAGE_SIZE; + } + + return __dump_emit(cprm, zeroes, nr); } =20 int dump_emit(struct coredump_params *cprm, const void *addr, int nr) --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0EF632248B9; Wed, 14 May 2025 22:04:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260259; cv=none; b=JHTXOFt6m/AfpieFF0haTn2A+i2R+1iwJjie4y7eDcQkmdKAwSX2kR6Ns+rP6OurO5Gl894WSq5eNHhalOPikpCaW3Zk/KH+hmDOMuCToEAoQ5xodzKErPxIP1ruA84Bw2hxJCVazVkkDmd7nMglrZgesyCcc71jea55Cc93XMw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260259; c=relaxed/simple; bh=dAiDeq66rsr9gQnMOf7li8SkADl+B7AVWPSfQn9RwlQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=W2MS1fTetYUZfvbDXqSSMQr56W3Q9z0II9AdRYTxi6j/uEsQs9gdZ9Iaz0zUNg91fhWTzIaNd03D3yI9A+u9hefq08jB28bGJECZuCRJgT7P3kfzbl4q+B8t5blzJbRsZj9cAhxxXdDQSaEPqir4oVTJT4ADT0v7lNG2rD4T5ac= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dwPvtKDq; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dwPvtKDq" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 28C90C4CEE3; Wed, 14 May 2025 22:04:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260258; bh=dAiDeq66rsr9gQnMOf7li8SkADl+B7AVWPSfQn9RwlQ=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=dwPvtKDqRTTGFtAU5ZDmUyMcbVQB900/9fVELdl89j5e5pOVkO5HdPGieH4S7SBa8 eNWd2U9G91vjtu/OzDjMUVzEJqH/PnPx5lbVPAeRkR7vM7MJLy5FC0FS6w8APk9qno thtdZ34JhGlZWJrkz8jeVb8zO+v55Q5iDmMcfIIkAv/aM0Fu7hPXwUL9w3GHWx83d6 TZhfo9Bz5jj/RdTBfec+r4cmJw0G+81+yFlp3i3Ku9OHT2pZIpPzPTqZ87FQmU2Q05 mtpUS28vXR9blfum9LTNE3eK3oChe89Wdi+sJf6vinFOSbT0RklsdNKPAJMrYPvfQR clN+QkSubtiWg== From: Christian Brauner Date: Thu, 15 May 2025 00:03:37 +0200 Subject: [PATCH v7 4/9] coredump: add coredump socket Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-4-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=14598; i=brauner@kernel.org; h=from:subject:message-id; bh=dAiDeq66rsr9gQnMOf7li8SkADl+B7AVWPSfQn9RwlQ=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCnuY759h68ShcJ91jsCj6f8dTFcWaMTLG//p9p3jx b1lN49aRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwEQmzWX4K361sE/DrOapYEjC 1qyf+hfs7njp3g9iNWK5NTfhmQdvAMP/iNZtZ26fXKVbFvtM92H/pRixDuaP6y9zPJc9JKRjsNy WGQA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Coredumping currently supports two modes: (1) Dumping directly into a file somewhere on the filesystem. (2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd. For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out there but processing coredumps in this way can be considered adventurous especially in the face of set*id binaries. The most common option should be (2) by now. It works by allowing userspace to put a string into /proc/sys/kernel/core_pattern like: |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h The "|" at the beginning indicates to the kernel that a pipe must be used. The path following the pipe indicator is a path to a binary that will be spawned as a usermode helper process. Any additional parameters pass information about the task that is generating the coredump to the binary that processes the coredump. In the example core_pattern shown above systemd-coredump is spawned as a usermode helper. There's various conceptual consequences of this (non-exhaustive list): - systemd-coredump is spawned with file descriptor number 0 (stdin) connected to the read-end of the pipe. All other file descriptors are closed. That specifically includes 1 (stdout) and 2 (stderr). This has already caused bugs because userspace assumed that this cannot happen (Whether or not this is a sane assumption is irrelevant.). - systemd-coredump will be spawned as a child of system_unbound_wq. So it is not a child of any userspace process and specifically not a child of PID 1. It cannot be waited upon and is in a weird hybrid upcall which are difficult for userspace to control correctly. - systemd-coredump is spawned with full kernel privileges. This necessitates all kinds of weird privilege dropping excercises in userspace to make this safe. - A new usermode helper has to be spawned for each crashing process. This series adds a new mode: (3) Dumping into an AF_UNIX socket. Userspace can set /proc/sys/kernel/core_pattern to: @/path/to/coredump.socket The "@" at the beginning indicates to the kernel that an AF_UNIX coredump socket will be used to process coredumps. The coredump socket must be located in the initial mount namespace. When a task coredumps it opens a client socket in the initial network namespace and connects to the coredump socket. - The coredump server uses SO_PEERPIDFD to get a stable handle on the connected crashing task. The retrieved pidfd will provide a stable reference even if the crashing task gets SIGKILLed while generating the coredump. - By setting core_pipe_limit non-zero userspace can guarantee that the crashing task cannot be reaped behind it's back and thus process all necessary information in /proc/. The SO_PEERPIDFD can be used to detect whether /proc/ still refers to the same process. The core_pipe_limit isn't used to rate-limit connections to the socket. This can simply be done via AF_UNIX sockets directly. - The pidfd for the crashing task will grow new information how the task coredumps. - The coredump server should mark itself as non-dumpable. - A container coredump server in a separate network namespace can simply bind to another well-know address and systemd-coredump fowards coredumps to the container. - Coredumps could in the future also be handled via per-user/session coredump servers that run only with that users privileges. The coredump server listens on the coredump socket and accepts a new coredump connection. It then retrieves SO_PEERPIDFD for the client, inspects uid/gid and hands the accepted client to the users own coredump handler which runs with the users privileges only (It must of coure pay close attention to not forward crashing suid binaries.). The new coredump socket will allow userspace to not have to rely on usermode helpers for processing coredumps and provides a safer way to handle them instead of relying on super privileged coredumping helpers that have and continue to cause significant CVEs. This will also be significantly more lightweight since no fork()+exec() for the usermodehelper is required for each crashing process. The coredump server in userspace can e.g., just keep a worker pool. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Kuniyuki Iwashima --- fs/coredump.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++= ---- include/linux/net.h | 1 + net/unix/af_unix.c | 53 ++++++++++++++++----- 3 files changed, 166 insertions(+), 21 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index a70929c3585b..e1256ebb89c1 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -44,7 +44,11 @@ #include #include #include +#include +#include +#include #include +#include =20 #include #include @@ -79,6 +83,7 @@ unsigned int core_file_note_size_limit =3D CORE_FILE_NOTE= _SIZE_DEFAULT; enum coredump_type_t { COREDUMP_FILE =3D 1, COREDUMP_PIPE =3D 2, + COREDUMP_SOCK =3D 3, }; =20 struct core_name { @@ -232,13 +237,16 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, cn->corename =3D NULL; if (*pat_ptr =3D=3D '|') cn->core_type =3D COREDUMP_PIPE; + else if (*pat_ptr =3D=3D '@') + cn->core_type =3D COREDUMP_SOCK; else cn->core_type =3D COREDUMP_FILE; if (expand_corename(cn, core_name_size)) return -ENOMEM; cn->corename[0] =3D '\0'; =20 - if (cn->core_type =3D=3D COREDUMP_PIPE) { + switch (cn->core_type) { + case COREDUMP_PIPE: { int argvs =3D sizeof(core_pattern) / 2; (*argv) =3D kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL); if (!(*argv)) @@ -247,6 +255,33 @@ static int format_corename(struct core_name *cn, struc= t coredump_params *cprm, ++pat_ptr; if (!(*pat_ptr)) return -ENOMEM; + break; + } + case COREDUMP_SOCK: { + /* skip the @ */ + pat_ptr++; + err =3D cn_printf(cn, "%s", pat_ptr); + if (err) + return err; + + /* Require absolute paths. */ + if (cn->corename[0] !=3D '/') + return -EINVAL; + + /* + * Currently no need to parse any other options. + * Relevant information can be retrieved from the peer + * pidfd retrievable via SO_PEERPIDFD by the receiver or + * via /proc/, using the SO_PEERPIDFD to guard + * against pid recycling when opening /proc/. + */ + return 0; + } + case COREDUMP_FILE: + break; + default: + WARN_ON_ONCE(true); + return -EINVAL; } =20 /* Repeat as long as we have more pattern to process and more output @@ -393,11 +428,20 @@ static int format_corename(struct core_name *cn, stru= ct coredump_params *cprm, * If core_pattern does not include a %p (as is the default) * and core_uses_pid is set, then .%pid will be appended to * the filename. Do not do this for piped commands. */ - if (!(cn->core_type =3D=3D COREDUMP_PIPE) && !pid_in_pattern && core_uses= _pid) { - err =3D cn_printf(cn, ".%d", task_tgid_vnr(current)); - if (err) - return err; + if (!pid_in_pattern && core_uses_pid) { + switch (cn->core_type) { + case COREDUMP_FILE: + return cn_printf(cn, ".%d", task_tgid_vnr(current)); + case COREDUMP_PIPE: + break; + case COREDUMP_SOCK: + break; + default: + WARN_ON_ONCE(true); + return -EINVAL; + } } + return 0; } =20 @@ -801,6 +845,55 @@ void do_coredump(const kernel_siginfo_t *siginfo) } break; } + case COREDUMP_SOCK: { +#ifdef CONFIG_UNIX + struct file *file __free(fput) =3D NULL; + struct sockaddr_un addr =3D { + .sun_family =3D AF_UNIX, + }; + ssize_t addr_len; + struct socket *socket; + + retval =3D strscpy(addr.sun_path, cn.corename, sizeof(addr.sun_path)); + if (retval < 0) + goto close_fail; + addr_len =3D offsetof(struct sockaddr_un, sun_path) + retval + 1; + + /* + * It is possible that the userspace process which is + * supposed to handle the coredump and is listening on + * the AF_UNIX socket coredumps. Userspace should just + * mark itself non dumpable. + */ + + retval =3D sock_create_kern(&init_net, AF_UNIX, SOCK_STREAM, 0, &socket); + if (retval < 0) + goto close_fail; + + file =3D sock_alloc_file(socket, 0, NULL); + if (IS_ERR(file)) { + sock_release(socket); + goto close_fail; + } + + retval =3D kernel_connect(socket, (struct sockaddr *)(&addr), + addr_len, O_NONBLOCK | SOCK_COREDUMP); + if (retval) { + if (retval =3D=3D -EAGAIN) + coredump_report_failure("Coredump socket %s receive queue full", addr.= sun_path); + else + coredump_report_failure("Coredump socket connection %s failed %d", add= r.sun_path, retval); + goto close_fail; + } + + cprm.limit =3D RLIM_INFINITY; + cprm.file =3D no_free_ptr(file); +#else + coredump_report_failure("Core dump socket support %s disabled", cn.coren= ame); + goto close_fail; +#endif + break; + } default: WARN_ON_ONCE(true); goto close_fail; @@ -838,8 +931,32 @@ void do_coredump(const kernel_siginfo_t *siginfo) file_end_write(cprm.file); free_vma_snapshot(&cprm); } - if ((cn.core_type =3D=3D COREDUMP_PIPE) && core_pipe_limit) - wait_for_dump_helpers(cprm.file); + + /* + * When core_pipe_limit is set we wait for the coredump server + * or usermodehelper to finish before exiting so it can e.g., + * inspect /proc/. + */ + if (core_pipe_limit) { + switch (cn.core_type) { + case COREDUMP_PIPE: + wait_for_dump_helpers(cprm.file); + break; + case COREDUMP_SOCK: { + /* + * We use a simple read to wait for the coredump + * processing to finish. Either the socket is + * closed or we get sent unexpected data. In + * both cases, we're done. + */ + __kernel_read(cprm.file, &(char){ 0 }, 1, NULL); + break; + } + default: + break; + } + } + close_fail: if (cprm.file) filp_close(cprm.file, NULL); @@ -1069,7 +1186,7 @@ EXPORT_SYMBOL(dump_align); void validate_coredump_safety(void) { if (suid_dumpable =3D=3D SUID_DUMP_ROOT && - core_pattern[0] !=3D '/' && core_pattern[0] !=3D '|') { + core_pattern[0] !=3D '/' && core_pattern[0] !=3D '|' && core_pattern[= 0] !=3D '@') { =20 coredump_report_failure("Unsafe core_pattern used with fs.suid_dumpable= =3D2: " "pipe handler or fully qualified core dump path required. " diff --git a/include/linux/net.h b/include/linux/net.h index 0ff950eecc6b..139c85d0f2ea 100644 --- a/include/linux/net.h +++ b/include/linux/net.h @@ -81,6 +81,7 @@ enum sock_type { #ifndef SOCK_NONBLOCK #define SOCK_NONBLOCK O_NONBLOCK #endif +#define SOCK_COREDUMP O_NOCTTY =20 #endif /* ARCH_HAS_SOCKET_TYPES */ =20 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 472f8aa9ea15..a9d1c9ba2961 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -85,10 +85,13 @@ #include #include #include +#include #include #include #include #include +#include +#include #include #include #include @@ -100,7 +103,6 @@ #include #include #include -#include #include #include #include @@ -1146,7 +1148,7 @@ static int unix_release(struct socket *sock) } =20 static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_le= n, - int type) + int type, unsigned int flags) { struct inode *inode; struct path path; @@ -1154,13 +1156,38 @@ static struct sock *unix_find_bsd(struct sockaddr_u= n *sunaddr, int addr_len, int err; =20 unix_mkname_bsd(sunaddr, addr_len); - err =3D kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); - if (err) - goto fail; =20 - err =3D path_permission(&path, MAY_WRITE); - if (err) - goto path_put; + if (flags & SOCK_COREDUMP) { + struct path root; + struct cred *kcred; + const struct cred *cred; + + err =3D -ENOMEM; + kcred =3D prepare_kernel_cred(&init_task); + if (!kcred) + goto fail; + + task_lock(&init_task); + get_fs_root(init_task.fs, &root); + task_unlock(&init_task); + + cred =3D override_creds(kcred); + err =3D vfs_path_lookup(root.dentry, root.mnt, sunaddr->sun_path, + LOOKUP_BENEATH | LOOKUP_NO_SYMLINKS | + LOOKUP_NO_MAGICLINKS, &path); + put_cred(revert_creds(cred)); + path_put(&root); + if (err) + goto fail; + } else { + err =3D kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); + if (err) + goto fail; + + err =3D path_permission(&path, MAY_WRITE); + if (err) + goto path_put; + } =20 err =3D -ECONNREFUSED; inode =3D d_backing_inode(path.dentry); @@ -1210,12 +1237,12 @@ static struct sock *unix_find_abstract(struct net *= net, =20 static struct sock *unix_find_other(struct net *net, struct sockaddr_un *sunaddr, - int addr_len, int type) + int addr_len, int type, int flags) { struct sock *sk; =20 if (sunaddr->sun_path[0]) - sk =3D unix_find_bsd(sunaddr, addr_len, type); + sk =3D unix_find_bsd(sunaddr, addr_len, type, flags); else sk =3D unix_find_abstract(net, sunaddr, addr_len, type); =20 @@ -1473,7 +1500,7 @@ static int unix_dgram_connect(struct socket *sock, st= ruct sockaddr *addr, } =20 restart: - other =3D unix_find_other(sock_net(sk), sunaddr, alen, sock->type); + other =3D unix_find_other(sock_net(sk), sunaddr, alen, sock->type, 0); if (IS_ERR(other)) { err =3D PTR_ERR(other); goto out; @@ -1620,7 +1647,7 @@ static int unix_stream_connect(struct socket *sock, s= truct sockaddr *uaddr, =20 restart: /* Find listening sock. */ - other =3D unix_find_other(net, sunaddr, addr_len, sk->sk_type); + other =3D unix_find_other(net, sunaddr, addr_len, sk->sk_type, flags); if (IS_ERR(other)) { err =3D PTR_ERR(other); goto out_free_skb; @@ -2089,7 +2116,7 @@ static int unix_dgram_sendmsg(struct socket *sock, st= ruct msghdr *msg, if (msg->msg_namelen) { lookup: other =3D unix_find_other(sock_net(sk), msg->msg_name, - msg->msg_namelen, sk->sk_type); + msg->msg_namelen, sk->sk_type, 0); if (IS_ERR(other)) { err =3D PTR_ERR(other); goto out_free; --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D3F422CBD9; Wed, 14 May 2025 22:04:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260264; cv=none; b=BVEUcA2kEU/jf2fTREbs4MJeIPAkErkUv9YzzQ5OXir8Tz0C34aY7IS5rq9iormUcqcigu5+4bujAtNb8ITkfxhmxvuFw8SpjJ6yqsLpH9ZuZGa5A5ZgZX1ba0zDic5jzkcg8jNXj5/xqaniJsqMCcwkOVw8FwLDXmeoLfeoEFE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260264; c=relaxed/simple; bh=WdVKiz5WCfE/q6MdyjQMIrjrAhlI8N9YEpO4G00Auos=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=nLdoa76q8bCsodR9mwQoJ5zfwd3AmDXY9CGXhN/nOCM0wik8MPlJd9WRBYVud+EcMlPhhEueESlJ5Vc4bfttE0hevazyOQhBMi/Frvyk4djNrE0vUDKxL9nM1TnMO3JazWm7dKL03Pka7vORjsxujV9tR/DSARj7Gm5qhUXFBAI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ABjLDWM5; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ABjLDWM5" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5CA64C4CEF2; Wed, 14 May 2025 22:04:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260263; bh=WdVKiz5WCfE/q6MdyjQMIrjrAhlI8N9YEpO4G00Auos=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ABjLDWM5VvVnx5K54ZImJImKMtjLDuIxgRSO21ikrQIXj1DnZNX8iUMr8D+BjZR/j J7hb8N6nehBh8ZRMy1KqaDxzWWM3TYjd4wDTkgPsPs9Gwo50CSZHRKvYg2aZbVBQn7 5DvlDF9i/kVi0hFwEU1/gVT2OrXHTaCuuGm5hLGnP5KQY2uOtp8TO/46E+3S5sp8Vv B24VKiTR0hzKp22kmusZDjtNd//xLREf/Md4bBbDFs6l8YFzbFyNUbVd3brjU778cQ E5mLE+sz7v+yxl5xahdRL8eJnyIyaBTdU0QU0ynqIfxh6zpT7l3+jcr5wDPLbg1/zh 54fhCe5mJjVhw== From: Christian Brauner Date: Thu, 15 May 2025 00:03:38 +0200 Subject: [PATCH v7 5/9] pidfs, coredump: add PIDFD_INFO_COREDUMP Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-5-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=12237; i=brauner@kernel.org; h=from:subject:message-id; bh=WdVKiz5WCfE/q6MdyjQMIrjrAhlI8N9YEpO4G00Auos=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCnu4Tb2o5cuakbPvnWf0zid1Yup7FjWKG+UGbpgjc vG+jJ55RykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwEQCDjMyPPt5TTni1N/sje78 RbtMyxrn3V0a6XTfzTKzb3XjnZDfLgx/RaftNZvs5HBb9ZQg+6/b61fLJMqmbis9l+249F9S2NJ 13AA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Extend the PIDFD_INFO_COREDUMP ioctl() with the new PIDFD_INFO_COREDUMP mask flag. This adds the fields @coredump_mask and @coredump_cookie to struct pidfd_info. When a task coredumps the kernel will provide the following information to userspace in @coredump_mask: * PIDFD_COREDUMPED is raised if the task did actually coredump. * PIDFD_COREDUMP_SKIP is raised if the task skipped coredumping (e.g., undumpable). * PIDFD_COREDUMP_USER is raised if this is a regular coredump and doesn't need special care by the coredump server. * PIDFD_COREDUMP_ROOT is raised if the generated coredump should be treated as sensitive and the coredump server should restrict to the generated coredump to sufficiently privileged users. If userspace uses the coredump socket to process coredumps it needs to be able to discern connection from the kernel from connects from userspace (e.g., Python generating it's own coredumps and forwarding them to systemd). The @coredump_cookie extension uses the SO_COOKIE of the new connection. This allows userspace to validate that the connection has been made from the kernel by a crashing task: fd_coredump =3D accept4(fd_socket, NULL, NULL, SOCK_CLOEXEC); getsockopt(fd_coredump, SOL_SOCKET, SO_PEERPIDFD, &fd_peer_pidfd, &fd_pe= er_pidfd_len); struct pidfd_info info =3D { info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP, }; ioctl(pidfd, PIDFD_GET_INFO, &info); /* Refuse connections that aren't from a crashing task. */ if (!(info.mask & PIDFD_INFO_COREDUMP) || !(info.coredump_mask & PIDFD_C= OREDUMPED) ) close(fd_coredump); /* * Make sure that the coredump cookie matches the connection cookie. * If they don't it's not the coredump connection from the kernel. * We'll get another connection request in a bit. */ getsocketop(fd_coredump, SOL_SOCKET, SO_COOKIE, &peer_cookie, &peer_cook= ie_len); if (!info.coredump_cookie || (info.coredump_cookie !=3D peer_cookie)) close(fd_coredump); The kernel guarantees that by the time the connection is made the all PIDFD_INFO_COREDUMP info is available. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn --- fs/coredump.c | 34 ++++++++++++++++++++ fs/pidfs.c | 79 ++++++++++++++++++++++++++++++++++++++++++= ++++ include/linux/pidfs.h | 10 ++++++ include/uapi/linux/pidfd.h | 22 +++++++++++++ net/unix/af_unix.c | 7 ++++ 5 files changed, 152 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index e1256ebb89c1..bfc4a32f737c 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -46,7 +46,9 @@ #include #include #include +#include #include +#include #include #include =20 @@ -598,6 +600,8 @@ static int umh_coredump_setup(struct subprocess_info *i= nfo, struct cred *new) if (IS_ERR(pidfs_file)) return PTR_ERR(pidfs_file); =20 + pidfs_coredump(cp); + /* * Usermode helpers are childen of either * system_unbound_wq or of kthreadd. So we know that @@ -876,8 +880,34 @@ void do_coredump(const kernel_siginfo_t *siginfo) goto close_fail; } =20 + /* + * Set the thread-group leader pid which is used for the + * peer credentials during connect() below. Then + * immediately register it in pidfs... + */ + cprm.pid =3D task_tgid(current); + retval =3D pidfs_register_pid(cprm.pid); + if (retval) { + sock_release(socket); + goto close_fail; + } + + /* + * ... and set the coredump information so userspace + * has it available after connect()... + */ + pidfs_coredump(&cprm); + + /* + * ... On connect() the peer credentials are recorded + * and @cprm.pid registered in pidfs... + */ retval =3D kernel_connect(socket, (struct sockaddr *)(&addr), addr_len, O_NONBLOCK | SOCK_COREDUMP); + + /* ... So we can safely put our pidfs reference now... */ + pidfs_put_pid(cprm.pid); + if (retval) { if (retval =3D=3D -EAGAIN) coredump_report_failure("Coredump socket %s receive queue full", addr.= sun_path); @@ -886,6 +916,10 @@ void do_coredump(const kernel_siginfo_t *siginfo) goto close_fail; } =20 + /* ... and validate that @sk_peer_pid matches @cprm.pid. */ + if (WARN_ON_ONCE(unix_peer(socket->sk)->sk_peer_pid !=3D cprm.pid)) + goto close_fail; + cprm.limit =3D RLIM_INFINITY; cprm.file =3D no_free_ptr(file); #else diff --git a/fs/pidfs.c b/fs/pidfs.c index 3b39e471840b..d7b9a0dd2db6 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -20,6 +20,7 @@ #include #include #include +#include =20 #include "internal.h" #include "mount.h" @@ -33,6 +34,8 @@ static struct kmem_cache *pidfs_cachep __ro_after_init; struct pidfs_exit_info { __u64 cgroupid; __s32 exit_code; + __u32 coredump_mask; + __u64 coredump_cookie; }; =20 struct pidfs_inode { @@ -240,6 +243,22 @@ static inline bool pid_in_current_pidns(const struct p= id *pid) return false; } =20 +static __u32 pidfs_coredump_mask(unsigned long mm_flags) +{ + switch (__get_dumpable(mm_flags)) { + case SUID_DUMP_USER: + return PIDFD_COREDUMP_USER; + case SUID_DUMP_ROOT: + return PIDFD_COREDUMP_ROOT; + case SUID_DUMP_DISABLE: + return PIDFD_COREDUMP_SKIP; + default: + WARN_ON_ONCE(true); + } + + return 0; +} + static long pidfd_info(struct file *file, unsigned int cmd, unsigned long = arg) { struct pidfd_info __user *uinfo =3D (struct pidfd_info __user *)arg; @@ -280,6 +299,13 @@ static long pidfd_info(struct file *file, unsigned int= cmd, unsigned long arg) } } =20 + if (mask & PIDFD_INFO_COREDUMP) { + kinfo.mask |=3D PIDFD_INFO_COREDUMP; + smp_rmb(); + kinfo.coredump_cookie =3D READ_ONCE(pidfs_i(inode)->__pei.coredump_cooki= e); + kinfo.coredump_mask =3D READ_ONCE(pidfs_i(inode)->__pei.coredump_mask); + } + task =3D get_pid_task(pid, PIDTYPE_PID); if (!task) { /* @@ -296,6 +322,16 @@ static long pidfd_info(struct file *file, unsigned int= cmd, unsigned long arg) if (!c) return -ESRCH; =20 + if (!(kinfo.mask & PIDFD_INFO_COREDUMP)) { + task_lock(task); + if (task->mm) { + smp_rmb(); + kinfo.coredump_cookie =3D READ_ONCE(pidfs_i(inode)->__pei.coredump_cook= ie); + kinfo.coredump_mask =3D pidfs_coredump_mask(task->mm->flags); + } + task_unlock(task); + } + /* Unconditionally return identifiers and credentials, the rest only on r= equest */ =20 user_ns =3D current_user_ns(); @@ -559,6 +595,49 @@ void pidfs_exit(struct task_struct *tsk) } } =20 +#if defined(CONFIG_COREDUMP) && defined(CONFIG_UNIX) +void pidfs_coredump_cookie(struct pid *pid, u64 coredump_cookie) +{ + struct pidfs_exit_info *exit_info; + struct dentry *dentry =3D pid->stashed; + struct inode *inode; + + if (WARN_ON_ONCE(!dentry)) + return; + + inode =3D d_inode(dentry); + exit_info =3D &pidfs_i(inode)->__pei; + /* Can't use smp_store_release() because of 32bit. */ + smp_wmb(); + WRITE_ONCE(exit_info->coredump_cookie, coredump_cookie); +} +#endif + +#ifdef CONFIG_COREDUMP +void pidfs_coredump(const struct coredump_params *cprm) +{ + struct pid *pid =3D cprm->pid; + struct pidfs_exit_info *exit_info; + struct dentry *dentry; + struct inode *inode; + __u32 coredump_mask =3D 0; + + dentry =3D pid->stashed; + if (WARN_ON_ONCE(!dentry)) + return; + + inode =3D d_inode(dentry); + exit_info =3D &pidfs_i(inode)->__pei; + /* Note how we were coredumped. */ + coredump_mask =3D pidfs_coredump_mask(cprm->mm_flags); + /* Note that we actually did coredump. */ + coredump_mask |=3D PIDFD_COREDUMPED; + /* If coredumping is set to skip we should never end up here. */ + VFS_WARN_ON_ONCE(coredump_mask & PIDFD_COREDUMP_SKIP); + smp_store_release(&exit_info->coredump_mask, coredump_mask); +} +#endif + static struct vfsmount *pidfs_mnt __ro_after_init; =20 /* diff --git a/include/linux/pidfs.h b/include/linux/pidfs.h index 2676890c4d0d..497997bc5e34 100644 --- a/include/linux/pidfs.h +++ b/include/linux/pidfs.h @@ -2,11 +2,21 @@ #ifndef _LINUX_PID_FS_H #define _LINUX_PID_FS_H =20 +struct coredump_params; + struct file *pidfs_alloc_file(struct pid *pid, unsigned int flags); void __init pidfs_init(void); void pidfs_add_pid(struct pid *pid); void pidfs_remove_pid(struct pid *pid); void pidfs_exit(struct task_struct *tsk); +#ifdef CONFIG_COREDUMP +void pidfs_coredump(const struct coredump_params *cprm); +#endif +#if defined(CONFIG_COREDUMP) && defined(CONFIG_UNIX) +void pidfs_coredump_cookie(struct pid *pid, u64 coredump_cookie); +#elif defined(CONFIG_UNIX) +static inline void pidfs_coredump_cookie(struct pid *pid, u64 coredump_coo= kie) { } +#endif extern const struct dentry_operations pidfs_dentry_operations; int pidfs_register_pid(struct pid *pid); void pidfs_get_pid(struct pid *pid); diff --git a/include/uapi/linux/pidfd.h b/include/uapi/linux/pidfd.h index 8c1511edd0e9..69267c5ae6d0 100644 --- a/include/uapi/linux/pidfd.h +++ b/include/uapi/linux/pidfd.h @@ -25,9 +25,28 @@ #define PIDFD_INFO_CREDS (1UL << 1) /* Always returned, even if not reque= sted */ #define PIDFD_INFO_CGROUPID (1UL << 2) /* Always returned if available, e= ven if not requested */ #define PIDFD_INFO_EXIT (1UL << 3) /* Only returned if requested. */ +#define PIDFD_INFO_COREDUMP (1UL << 4) /* Only returned if requested. */ =20 #define PIDFD_INFO_SIZE_VER0 64 /* sizeof first published struct */ =20 +/* + * Values for @coredump_mask in pidfd_info. + * Only valid if PIDFD_INFO_COREDUMP is set in @mask. + * + * Note, the @PIDFD_COREDUMP_ROOT flag indicates that the generated + * coredump should be treated as sensitive and access should only be + * granted to privileged users. + * + * If the coredump AF_UNIX socket is used for processing coredumps + * @coredump_cookie will be set to the socket SO_COOKIE of the receivers + * client socket. This allows the coredump handler to detect whether an + * incoming coredump connection was initiated from the crashing task. + */ +#define PIDFD_COREDUMPED (1U << 0) /* Did crash and... */ +#define PIDFD_COREDUMP_SKIP (1U << 1) /* coredumping generation was skippe= d. */ +#define PIDFD_COREDUMP_USER (1U << 2) /* coredump was done as the user. */ +#define PIDFD_COREDUMP_ROOT (1U << 3) /* coredump was done as root. */ + /* * The concept of process and threads in userland and the kernel is a conf= using * one - within the kernel every thread is a 'task' with its own individua= l PID, @@ -92,6 +111,9 @@ struct pidfd_info { __u32 fsuid; __u32 fsgid; __s32 exit_code; + __u32 coredump_mask; + __u32 __spare1; + __u64 coredump_cookie; }; =20 #define PIDFS_IOCTL_MAGIC 0xFF diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index a9d1c9ba2961..053d2e48e918 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -99,6 +99,7 @@ #include #include #include +#include #include #include #include @@ -742,6 +743,7 @@ static void unix_release_sock(struct sock *sk, int embr= ion) =20 struct unix_peercred { struct pid *peer_pid; + u64 cookie; const struct cred *peer_cred; }; =20 @@ -777,6 +779,8 @@ static void drop_peercred(struct unix_peercred *peercre= d) static inline void init_peercred(struct sock *sk, const struct unix_peercred *peercred) { + if (peercred->cookie) + pidfs_coredump_cookie(peercred->peer_pid, peercred->cookie); sk->sk_peer_pid =3D peercred->peer_pid; sk->sk_peer_cred =3D peercred->peer_cred; } @@ -1713,6 +1717,9 @@ static int unix_stream_connect(struct socket *sock, s= truct sockaddr *uaddr, unix_peer(newsk) =3D sk; newsk->sk_state =3D TCP_ESTABLISHED; newsk->sk_type =3D sk->sk_type; + /* Prepare a new socket cookie for the receiver. */ + if (flags & SOCK_COREDUMP) + peercred.cookie =3D sock_gen_cookie(newsk); init_peercred(newsk, &peercred); newu =3D unix_sk(newsk); newu->listener =3D other; --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9C0242253A8; Wed, 14 May 2025 22:04:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260269; cv=none; b=Ptm39vCn+WcnmuvBNzyclq8jlhBVjFsoEzxjUlWRC77GFKKMvt/lRImD2z8ZzQN8FL5/sAJxahRTwUWWK4CXS/1t4DWVsCI35V+t/kq8HbNqetBF+ER9d4lcrymFvhzdv5uZaZcuSzBVMtVLzEBUkw+rlE0sSXRnFAZWZxDp5eo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260269; c=relaxed/simple; bh=g1fZL9UHjL0fdEg1HQk9U39MiHvgvwYopqxavC+sk70=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=jLcHVdeh4NF/2eJJYVzPvzoZQbJ5p7vvVbTGrz/LRVn52NOmZ9c0DHvFVbndMFRf2cvw76qsX2aj98N560K1DfffpX9AOYGU89gbii2px6ghabnoj6KWejv6nM33yxo2Pc/yJC40j67VUKnMsamGf6Ym7GYT1bIz/xCStN3Mwvg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OKrpacmM; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OKrpacmM" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5156CC4CEE3; Wed, 14 May 2025 22:04:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260269; bh=g1fZL9UHjL0fdEg1HQk9U39MiHvgvwYopqxavC+sk70=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=OKrpacmML91nkBfYMF3/bgtlkVMboBLMScfTioqJiYFHDRym2zTdrxECB8risLyTw b8zfcpLRTMlOLYEZDSOovdavV8aA6CDL5nPD83/ESGredWpNZn5BAxtL5fORYSBExk tIF9DFoH9kzEuHiUJmOy0tZd6dD/lDBAMH0bHZat0RhbT08m6qzGGnMKZFqXLHNujm xu6q72F5r+w0KRDyRYaa7/IeP/jrMcxleAcUu0UBbOcf0pjpkgwcmFjWcUwOlvde4Y 4uoUkq6cy9QmLiyPgVGCJLb6R3B/sUM1/eFbHCOqog/m0GshzXx3SDTsS4iDRAy5kF sC7puHjQDgHbw== From: Christian Brauner Date: Thu, 15 May 2025 00:03:39 +0200 Subject: [PATCH v7 6/9] coredump: show supported coredump modes Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-6-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1120; i=brauner@kernel.org; h=from:subject:message-id; bh=g1fZL9UHjL0fdEg1HQk9U39MiHvgvwYopqxavC+sk70=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCntUvQ8X3b5k6ZxfRq/CTEtdV0c2iu+Rk1x89VWvR mGtWmdGRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwEScTzIynBM8lSR8MZI3XP/E njeHdz/fZ2p6SeTKYbYQg3PyW+aK8zIyfG5dopHJE3o04am+NadCcO3iP6duZN5f0VLyanVuyrs rrAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Allow userspace to discover what coredump modes are supported. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Jann Horn --- fs/coredump.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index bfc4a32f737c..6ee38e3da108 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1240,6 +1240,12 @@ static int proc_dostring_coredump(const struct ctl_t= able *table, int write, =20 static const unsigned int core_file_note_size_min =3D CORE_FILE_NOTE_SIZE_= DEFAULT; static const unsigned int core_file_note_size_max =3D CORE_FILE_NOTE_SIZE_= MAX; +static char core_modes[] =3D { + "file\npipe" +#ifdef CONFIG_UNIX + "\nsocket" +#endif +}; =20 static const struct ctl_table coredump_sysctls[] =3D { { @@ -1283,6 +1289,13 @@ static const struct ctl_table coredump_sysctls[] =3D= { .extra1 =3D SYSCTL_ZERO, .extra2 =3D SYSCTL_ONE, }, + { + .procname =3D "core_modes", + .data =3D core_modes, + .maxlen =3D sizeof(core_modes) - 1, + .mode =3D 0444, + .proc_handler =3D proc_dostring, + }, }; =20 static int __init init_fs_coredump_sysctls(void) --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D7D6221296; Wed, 14 May 2025 22:04:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260274; cv=none; b=sbpta92qKF7gy4iVab+HwUGrruVdEc+oYhX25BiiOssbavs66YFGqhkUsc9QvgZ2jqN+jgMds/YHeXCnLUPAXvL4RqPAXF3bhwROy8jNV1lEPXVaHMooQn6GKasgEHj972RhD/uUsJVMB+zEiAwabFDTEoTi+s7py9Uw3weZ5pA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260274; c=relaxed/simple; bh=GofPJKcSMTqtWvKIscS1eZ3G1JH+s1zbLWmsYPBuvtI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=MTo1F81qPNF5ldPshU3Ur8jOpi9OOVAWWiCr/7xc4WcLyXbHK1iWuyjHvF+hp2uyXu19QABix+i5VsgH6Yb1m41so93apGq3UE7Ka/pXDkXbvJxKDHLMNpYGaSxohwS3hq/SB664UgFxuvikvLpcVhCntLnfj1TvyURK29+aNjU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=b4VW0Ubv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="b4VW0Ubv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8F0C0C4CEEF; Wed, 14 May 2025 22:04:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260274; bh=GofPJKcSMTqtWvKIscS1eZ3G1JH+s1zbLWmsYPBuvtI=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=b4VW0UbvM1foRVLyhSsYkbutkTtNDGp86d3vZb+EscZ4wdISAFS98lQCq3NzaXiay ZhP0tDP5ZmZ2TC/v97vaS1rvTe++YT0MyFwONocFzQClXNc+fP0gIxz6IpKOjMAdfv Q8K2F5B0m0Wzjt4JFqc+BxmDyzJpkGoDoH+TtN8Cv7tbXaPPn9bE6rxA0L1tSlbEg1 jhCCuNLdGg+fX6Qq9OGJyk+95DUiV3EjaKqxqJdZ+5RhVCPAkx+uwSyjGxDrRu5bD7 itPolyZ6dd+7cXX2Dpb0amdwS9g6WqbrcfcKO4pZLDRvXKYi/J2rZk++3gaUrLiC1b tQK9tYAoQ+dGA== From: Christian Brauner Date: Thu, 15 May 2025 00:03:40 +0200 Subject: [PATCH v7 7/9] coredump: validate socket name as it is written Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-7-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1725; i=brauner@kernel.org; h=from:subject:message-id; bh=GofPJKcSMTqtWvKIscS1eZ3G1JH+s1zbLWmsYPBuvtI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCntci0xSrJ0wQfNh4ZtD9w89yM3Y/Vzq4yu1Zd+Fn ScaLDsa1lHKwiDGxSArpsji0G4SLrecp2KzUaYGzBxWJpAhDFycAjCRC/0M/z0rNt7Jif9xcMfP WRxXnty4Jm2QLnnrxqdXf7et8pe6cXAhw//84jeTOLYqfTnxO3jRbI5pc+aUr2E2WGrwtW+mg1r 8FlduAA== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 In contrast to other parameters written into /proc/sys/kernel/core_pattern that never fail we can validate enabling the new AF_UNIX support. This is obviously racy as hell but it's always been that way. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn Reviewed-by: Jann Horn --- fs/coredump.c | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 6ee38e3da108..d4ff08ef03e5 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1228,13 +1228,44 @@ void validate_coredump_safety(void) } } =20 +static inline bool check_coredump_socket(void) +{ + if (core_pattern[0] !=3D '@') + return true; + + /* + * Coredump socket must be located in the initial mount + * namespace. Don't give the that impression anything else is + * supported right now. + */ + if (current->nsproxy->mnt_ns !=3D init_task.nsproxy->mnt_ns) + return false; + + /* Must be an absolute path. */ + if (*(core_pattern + 1) !=3D '/') + return false; + + return true; +} + static int proc_dostring_coredump(const struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { - int error =3D proc_dostring(table, write, buffer, lenp, ppos); + int error; + ssize_t retval; + char old_core_pattern[CORENAME_MAX_SIZE]; + + retval =3D strscpy(old_core_pattern, core_pattern, CORENAME_MAX_SIZE); + + error =3D proc_dostring(table, write, buffer, lenp, ppos); + if (error) + return error; + if (!check_coredump_socket()) { + strscpy(core_pattern, old_core_pattern, retval + 1); + return -EINVAL; + } =20 - if (!error) - validate_coredump_safety(); + validate_coredump_safety(); return error; } =20 --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D740E2153D8; Wed, 14 May 2025 22:04:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260280; cv=none; b=dhwMPkH54szJuhLOHTDfAf3KnTKEnWSWtznrCdZ0vCtvWztH50RQvSOzF1Eyh7xpWvReIA3JTVYXb5SsOnCrfq7bTdehpLDnVGCi3DXoDzI0M/GyHRVs6QROYykYQODpdJthwIzU37PajcWYi6x52wF4JoItB3HIsyLpsvZTp3M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260280; c=relaxed/simple; bh=WF46UsPN75VDjMGLBPpKqGhF8yXGNp/YIhfAlM9Ro+U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=IG9u3ra5NFGEVdrBHRcHQtpmnHG4ef4xR5e3rfXCp/TO7WkVLWGAIf2YSBSAqz9CAMokQM27dt/FvOY7jX1bw7cWdQfD47TSvt24gsUYy9FlhqVS5Mg0hojgjPpO+u/g++QjcKCA1PmNUNN03lmnsqKl4DMnyBP/gLLeElwCqtg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PUdZ7K0j; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PUdZ7K0j" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B4B48C4CEE3; Wed, 14 May 2025 22:04:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260279; bh=WF46UsPN75VDjMGLBPpKqGhF8yXGNp/YIhfAlM9Ro+U=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=PUdZ7K0j17nsI5ayN7DSVjltWpYjm6oTU1mp9NUMsiQ9ampYAeKPhPeTt5brHKqQh b1YCx1yrkI4VntLHgZSntgzZxTZm/caerNwwEbZfo3cmjqmUAAc+WZtu2wrI3aEliM ri/vW74f+MTIsZTTIZ9s9SYep4C/tnT4eUj+KgBI15odyyFD3ZMQTMMsWqMdoD3TBE BQo0NsjZUHoei2FKsRI6FKvdPXAoQNC2wdOgDR1y60rz7ozbuM8mS24iiXkbAH+g6f SGDX5xFhxlvhWX7rj2wfQa8CG5G5AJztoexZMQcmzdeXHoign0VYTe4epLf9WTRdY2 WYn7RL2x4q9UA== From: Christian Brauner Date: Thu, 15 May 2025 00:03:41 +0200 Subject: [PATCH v7 8/9] selftests/pidfd: add PIDFD_INFO_COREDUMP infrastructure Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-8-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1381; i=brauner@kernel.org; h=from:subject:message-id; bh=WF46UsPN75VDjMGLBPpKqGhF8yXGNp/YIhfAlM9Ro+U=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCntKiHV/2tWx+UDRFq9PT75FCXS2rnSs5PT8MNHWi tPMcK1VRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwEQKixkZ1mqXeZYdZTVnDI+1 0p/xf7HU1aasrZ6W2dVuX6avPCwby/DPxi1xptY83v/HVkpxXs2729aYl3PifPG23QrbV8S9cGr hAgA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add PIDFD_INFO_COREDUMP infrastructure so we can use it in tests. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn --- tools/testing/selftests/pidfd/pidfd.h | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tools/testing/selftests/pidfd/pidfd.h b/tools/testing/selftest= s/pidfd/pidfd.h index 55bcf81a2b9a..887c74007086 100644 --- a/tools/testing/selftests/pidfd/pidfd.h +++ b/tools/testing/selftests/pidfd/pidfd.h @@ -131,6 +131,26 @@ #define PIDFD_INFO_EXIT (1UL << 3) /* Always returned if available, even= if not requested */ #endif =20 +#ifndef PIDFD_INFO_COREDUMP +#define PIDFD_INFO_COREDUMP (1UL << 4) +#endif + +#ifndef PIDFD_COREDUMPED +#define PIDFD_COREDUMPED (1U << 0) /* Did crash and... */ +#endif + +#ifndef PIDFD_COREDUMP_SKIP +#define PIDFD_COREDUMP_SKIP (1U << 1) /* coredumping generation was skippe= d. */ +#endif + +#ifndef PIDFD_COREDUMP_USER +#define PIDFD_COREDUMP_USER (1U << 2) /* coredump was done as the user. */ +#endif + +#ifndef PIDFD_COREDUMP_ROOT +#define PIDFD_COREDUMP_ROOT (1U << 3) /* coredump was done as root. */ +#endif + #ifndef PIDFD_THREAD #define PIDFD_THREAD O_EXCL #endif @@ -150,6 +170,9 @@ struct pidfd_info { __u32 fsuid; __u32 fsgid; __s32 exit_code; + __u32 coredump_mask; + __u32 __spare1; + __u64 coredump_cookie; }; =20 /* --=20 2.47.2 From nobody Fri Dec 19 19:15:36 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B5D31E3DF2; Wed, 14 May 2025 22:04:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260286; cv=none; b=S/5wGnxCPtKu28kuhMFznud/c816stXYOH4vsYIiRDwR72muFQT4oZFw6PTFlXUTuza7gHgbv1Is9NT0OTK8XBiZl7X/BsPu6UBfiiUIGJShujPhHEy9knvp3s342AoMIOg6kFzyZNXFEuahQxjIhclG6R87ErawzH/H/1PNz7w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747260286; c=relaxed/simple; bh=cMw9+HWp3moZEEWC4MSD6FohmFLx1ThavaBKD/Br6y8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=s8cpVix21unU3v2UilSyYivKYxVZJhtRyQsQ3glmBF8uR6I3L08tw+o9SDE9Qrok8VNfkkuwx4q7RZtDuYqgC1jnvwkylY4JxJd4T04QPVEaS/hwC2A5EDFOb4vJAL7RmuA8OkhgNwWyXvo/60/TP6kZbFKW/+VWM2eG8Lh1gAQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gxg69PNT; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gxg69PNT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 44C19C4CEEF; Wed, 14 May 2025 22:04:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747260285; bh=cMw9+HWp3moZEEWC4MSD6FohmFLx1ThavaBKD/Br6y8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=gxg69PNTFLbdZ3RPo8za+Gg695ZOlbKjDW4KwnhTIsB+nSYaYyvlyH+LayoT0S+ID s4qoMIU0gbvqAYnAVuxcx5BT+Kf9TZLj+Yn2JMSk40Sy3o8/f34dVA3mJ++H8Ia3XM t6jRrUUg8nqkIUq7cK6pfQI+aUdJgce1l0gr9gv3tvg9b4QBlyFH9LOrEwqhC4HpFi JzGV/HSZKKsis0pmWqRmW77NX+fRu3UDEKzV/sE4ThWR55YkJwXRfOe8vm+iRZt/rx stJL5ebBmAt31/1i1jNmVdEU15SXA0WhM3uOn21jW0B1wFvwvLVABp7Htbt8IPNoAJ oiJqgFUA7c8rg== From: Christian Brauner Date: Thu, 15 May 2025 00:03:42 +0200 Subject: [PATCH v7 9/9] selftests/coredump: add tests for AF_UNIX coredumps Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250515-work-coredump-socket-v7-9-0a1329496c31@kernel.org> References: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> In-Reply-To: <20250515-work-coredump-socket-v7-0-0a1329496c31@kernel.org> To: linux-fsdevel@vger.kernel.org, Jann Horn , Daniel Borkmann , Kuniyuki Iwashima Cc: Eric Dumazet , Oleg Nesterov , "David S. Miller" , Alexander Viro , Daan De Meyer , David Rheinsberg , Jakub Kicinski , Jan Kara , Lennart Poettering , Luca Boccassi , Mike Yuan , Paolo Abeni , Simon Horman , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Christian Brauner , Alexander Mikhalitsyn X-Mailer: b4 0.15-dev-c25d1 X-Developer-Signature: v=1; a=openpgp-sha256; l=15862; i=brauner@kernel.org; h=from:subject:message-id; bh=cMw9+HWp3moZEEWC4MSD6FohmFLx1ThavaBKD/Br6y8=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMWSoCnveNzkUmVi29MOcyWezHX55OrGa7jE2urjd987Sh 9bq8uodHaUsDGJcDLJiiiwO7Sbhcst5KjYbZWrAzGFlAhnCwMUpABNRsmBk6F/aeqix+4Hlg+8N X3Idr0zcmFV6/+OUsvXvFl7bMd1ppiojw6wHK2c9uMGTyfjr5aEVL08EBJ35oxeRyBZ1Vsquo2a NNCMA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Add a simple test for generating coredumps via AF_UNIX sockets. Signed-off-by: Christian Brauner Acked-by: Luca Boccassi Reviewed-by: Alexander Mikhalitsyn --- tools/testing/selftests/coredump/stackdump_test.c | 514 ++++++++++++++++++= +++- 1 file changed, 513 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/coredump/stackdump_test.c b/tools/test= ing/selftests/coredump/stackdump_test.c index fe3c728cd6be..42ddcf0bdaf2 100644 --- a/tools/testing/selftests/coredump/stackdump_test.c +++ b/tools/testing/selftests/coredump/stackdump_test.c @@ -1,14 +1,20 @@ // SPDX-License-Identifier: GPL-2.0 =20 #include +#include #include #include #include #include +#include #include +#include +#include +#include #include =20 #include "../kselftest_harness.h" +#include "../pidfd/pidfd.h" =20 #define STACKDUMP_FILE "stack_values" #define STACKDUMP_SCRIPT "stackdump" @@ -35,6 +41,7 @@ static void crashing_child(void) FIXTURE(coredump) { char original_core_pattern[256]; + pid_t pid_coredump_server; }; =20 FIXTURE_SETUP(coredump) @@ -44,6 +51,7 @@ FIXTURE_SETUP(coredump) char *dir; int ret; =20 + self->pid_coredump_server =3D -ESRCH; file =3D fopen("/proc/sys/kernel/core_pattern", "r"); ASSERT_NE(NULL, file); =20 @@ -61,10 +69,17 @@ FIXTURE_TEARDOWN(coredump) { const char *reason; FILE *file; - int ret; + int ret, status; =20 unlink(STACKDUMP_FILE); =20 + if (self->pid_coredump_server > 0) { + kill(self->pid_coredump_server, SIGTERM); + waitpid(self->pid_coredump_server, &status, 0); + } + unlink("/tmp/coredump.file"); + unlink("/tmp/coredump.socket"); + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); if (!file) { reason =3D "Unable to open core_pattern"; @@ -154,4 +169,501 @@ TEST_F_TIMEOUT(coredump, stackdump, 120) fclose(file); } =20 +TEST_F(coredump, socket) +{ + int fd, pidfd, ret, status; + FILE *file; + pid_t pid, pid_coredump_server; + struct stat st; + char core_file[PATH_MAX]; + struct pidfd_info info =3D {}; + int ipc_sockets[2]; + char c; + const struct sockaddr_un coredump_sk =3D { + .sun_family =3D AF_UNIX, + .sun_path =3D "/tmp/coredump.socket", + }; + size_t coredump_sk_len =3D offsetof(struct sockaddr_un, sun_path) + + sizeof("/tmp/coredump.socket"); + + ret =3D socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets); + ASSERT_EQ(ret, 0); + + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); + ASSERT_NE(file, NULL); + + ret =3D fprintf(file, "@/tmp/coredump.socket"); + ASSERT_EQ(ret, strlen("@/tmp/coredump.socket")); + ASSERT_EQ(fclose(file), 0); + + pid_coredump_server =3D fork(); + ASSERT_GE(pid_coredump_server, 0); + if (pid_coredump_server =3D=3D 0) { + int fd_server, fd_coredump, fd_peer_pidfd, fd_core_file; + __u64 peer_cookie; + socklen_t fd_peer_pidfd_len, peer_cookie_len; + + close(ipc_sockets[0]); + + fd_server =3D socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (fd_server < 0) + _exit(EXIT_FAILURE); + + ret =3D bind(fd_server, (const struct sockaddr *)&coredump_sk, coredump_= sk_len); + if (ret < 0) { + fprintf(stderr, "Failed to bind coredump socket\n"); + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + ret =3D listen(fd_server, 1); + if (ret < 0) { + fprintf(stderr, "Failed to listen on coredump socket\n"); + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + if (write_nointr(ipc_sockets[1], "1", 1) < 0) { + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + close(ipc_sockets[1]); + + fd_coredump =3D accept4(fd_server, NULL, NULL, SOCK_CLOEXEC); + if (fd_coredump < 0) { + fprintf(stderr, "Failed to accept coredump socket connection\n"); + close(fd_server); + _exit(EXIT_FAILURE); + } + + peer_cookie_len =3D sizeof(peer_cookie); + ret =3D getsockopt(fd_coredump, SOL_SOCKET, SO_COOKIE, + &peer_cookie, &peer_cookie_len); + if (ret < 0) { + fprintf(stderr, "%m - Failed to retrieve cookie for coredump socket con= nection\n"); + close(fd_coredump); + close(fd_server); + _exit(EXIT_FAILURE); + } + + fd_peer_pidfd_len =3D sizeof(fd_peer_pidfd); + ret =3D getsockopt(fd_coredump, SOL_SOCKET, SO_PEERPIDFD, + &fd_peer_pidfd, &fd_peer_pidfd_len); + if (ret < 0) { + fprintf(stderr, "%m - Failed to retrieve peer pidfd for coredump socket= connection\n"); + close(fd_coredump); + close(fd_server); + _exit(EXIT_FAILURE); + } + + memset(&info, 0, sizeof(info)); + info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP; + ret =3D ioctl(fd_peer_pidfd, PIDFD_GET_INFO, &info); + if (ret < 0) { + fprintf(stderr, "Failed to retrieve pidfd info from peer pidfd for core= dump socket connection\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (!(info.mask & PIDFD_INFO_COREDUMP)) { + fprintf(stderr, "Missing coredump information from coredumping task\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (!(info.coredump_mask & PIDFD_COREDUMPED)) { + fprintf(stderr, "Received connection from non-coredumping task\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (!info.coredump_cookie) { + fprintf(stderr, "Missing coredump cookie\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (info.coredump_cookie !=3D peer_cookie) { + fprintf(stderr, "Mismatching coredump cookies\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + fd_core_file =3D creat("/tmp/coredump.file", 0644); + if (fd_core_file < 0) { + fprintf(stderr, "Failed to create coredump file\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + for (;;) { + char buffer[4096]; + ssize_t bytes_read, bytes_write; + + bytes_read =3D read(fd_coredump, buffer, sizeof(buffer)); + if (bytes_read < 0) { + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + close(fd_core_file); + _exit(EXIT_FAILURE); + } + + if (bytes_read =3D=3D 0) + break; + + bytes_write =3D write(fd_core_file, buffer, bytes_read); + if (bytes_read !=3D bytes_write) { + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + close(fd_core_file); + _exit(EXIT_FAILURE); + } + } + + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + close(fd_core_file); + _exit(EXIT_SUCCESS); + } + self->pid_coredump_server =3D pid_coredump_server; + + EXPECT_EQ(close(ipc_sockets[1]), 0); + ASSERT_EQ(read_nointr(ipc_sockets[0], &c, 1), 1); + EXPECT_EQ(close(ipc_sockets[0]), 0); + + pid =3D fork(); + ASSERT_GE(pid, 0); + if (pid =3D=3D 0) + crashing_child(); + + pidfd =3D sys_pidfd_open(pid, 0); + ASSERT_GE(pidfd, 0); + + waitpid(pid, &status, 0); + ASSERT_TRUE(WIFSIGNALED(status)); + ASSERT_TRUE(WCOREDUMP(status)); + + info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP; + ASSERT_EQ(ioctl(pidfd, PIDFD_GET_INFO, &info), 0); + ASSERT_GT((info.mask & PIDFD_INFO_COREDUMP), 0); + ASSERT_GT((info.coredump_mask & PIDFD_COREDUMPED), 0); + + waitpid(pid_coredump_server, &status, 0); + self->pid_coredump_server =3D -ESRCH; + ASSERT_TRUE(WIFEXITED(status)); + ASSERT_EQ(WEXITSTATUS(status), 0); + + ASSERT_EQ(stat("/tmp/coredump.file", &st), 0); + ASSERT_GT(st.st_size, 0); + /* + * We should somehow validate the produced core file. + * For now just allow for visual inspection + */ + system("file /tmp/coredump.file"); +} + +TEST_F(coredump, socket_detect_userspace_client) +{ + int fd, pidfd, ret, status; + FILE *file; + pid_t pid, pid_coredump_server; + struct stat st; + char core_file[PATH_MAX]; + struct pidfd_info info =3D {}; + int ipc_sockets[2]; + char c; + const struct sockaddr_un coredump_sk =3D { + .sun_family =3D AF_UNIX, + .sun_path =3D "/tmp/coredump.socket", + }; + size_t coredump_sk_len =3D offsetof(struct sockaddr_un, sun_path) + + sizeof("/tmp/coredump.socket"); + + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); + ASSERT_NE(file, NULL); + + ret =3D fprintf(file, "@/tmp/coredump.socket"); + ASSERT_EQ(ret, strlen("@/tmp/coredump.socket")); + ASSERT_EQ(fclose(file), 0); + + ret =3D socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets); + ASSERT_EQ(ret, 0); + + pid_coredump_server =3D fork(); + ASSERT_GE(pid_coredump_server, 0); + if (pid_coredump_server =3D=3D 0) { + int fd_server, fd_coredump, fd_peer_pidfd, fd_core_file; + __u64 peer_cookie; + socklen_t fd_peer_pidfd_len, peer_cookie_len; + + close(ipc_sockets[0]); + + fd_server =3D socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (fd_server < 0) + _exit(EXIT_FAILURE); + + ret =3D bind(fd_server, (const struct sockaddr *)&coredump_sk, coredump_= sk_len); + if (ret < 0) { + fprintf(stderr, "Failed to bind coredump socket\n"); + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + ret =3D listen(fd_server, 1); + if (ret < 0) { + fprintf(stderr, "Failed to listen on coredump socket\n"); + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + if (write_nointr(ipc_sockets[1], "1", 1) < 0) { + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + close(ipc_sockets[1]); + + fd_coredump =3D accept4(fd_server, NULL, NULL, SOCK_CLOEXEC); + if (fd_coredump < 0) { + fprintf(stderr, "Failed to accept coredump socket connection\n"); + close(fd_server); + _exit(EXIT_FAILURE); + } + + peer_cookie_len =3D sizeof(peer_cookie); + ret =3D getsockopt(fd_coredump, SOL_SOCKET, SO_COOKIE, + &peer_cookie, &peer_cookie_len); + if (ret < 0) { + fprintf(stderr, "%m - Failed to retrieve cookie for coredump socket con= nection\n"); + close(fd_coredump); + close(fd_server); + _exit(EXIT_FAILURE); + } + + fd_peer_pidfd_len =3D sizeof(fd_peer_pidfd); + ret =3D getsockopt(fd_coredump, SOL_SOCKET, SO_PEERPIDFD, + &fd_peer_pidfd, &fd_peer_pidfd_len); + if (ret < 0) { + fprintf(stderr, "%m - Failed to retrieve peer pidfd for coredump socket= connection\n"); + close(fd_coredump); + close(fd_server); + _exit(EXIT_FAILURE); + } + + memset(&info, 0, sizeof(info)); + info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP; + ret =3D ioctl(fd_peer_pidfd, PIDFD_GET_INFO, &info); + if (ret < 0) { + fprintf(stderr, "Failed to retrieve pidfd info from peer pidfd for core= dump socket connection\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (!(info.mask & PIDFD_INFO_COREDUMP)) { + fprintf(stderr, "Missing coredump information from coredumping task\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (info.coredump_mask & PIDFD_COREDUMPED) { + fprintf(stderr, "Received unexpected connection from coredumping task\n= "); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + if (info.coredump_cookie) { + fprintf(stderr, "Received unexpected coredump cookie\n"); + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + _exit(EXIT_FAILURE); + } + + close(fd_coredump); + close(fd_server); + close(fd_peer_pidfd); + close(fd_core_file); + _exit(EXIT_SUCCESS); + } + self->pid_coredump_server =3D pid_coredump_server; + + EXPECT_EQ(close(ipc_sockets[1]), 0); + ASSERT_EQ(read_nointr(ipc_sockets[0], &c, 1), 1); + EXPECT_EQ(close(ipc_sockets[0]), 0); + + pid =3D fork(); + ASSERT_GE(pid, 0); + if (pid =3D=3D 0) { + int fd_socket; + ssize_t ret; + + fd_socket =3D socket(AF_UNIX, SOCK_STREAM, 0); + if (fd_socket < 0) + _exit(EXIT_FAILURE); + + + ret =3D connect(fd_socket, (const struct sockaddr *)&coredump_sk, coredu= mp_sk_len); + if (ret < 0) + _exit(EXIT_FAILURE); + + (void *)write(fd_socket, &(char){ 0 }, 1); + close(fd_socket); + _exit(EXIT_SUCCESS); + } + + pidfd =3D sys_pidfd_open(pid, 0); + ASSERT_GE(pidfd, 0); + + waitpid(pid, &status, 0); + ASSERT_TRUE(WIFEXITED(status)); + ASSERT_EQ(WEXITSTATUS(status), 0); + + info.mask =3D PIDFD_INFO_EXIT | PIDFD_INFO_COREDUMP; + ASSERT_EQ(ioctl(pidfd, PIDFD_GET_INFO, &info), 0); + ASSERT_GT((info.mask & PIDFD_INFO_COREDUMP), 0); + ASSERT_EQ((info.coredump_mask & PIDFD_COREDUMPED), 0); + + waitpid(pid_coredump_server, &status, 0); + self->pid_coredump_server =3D -ESRCH; + ASSERT_TRUE(WIFEXITED(status)); + ASSERT_EQ(WEXITSTATUS(status), 0); + + ASSERT_NE(stat("/tmp/coredump.file", &st), 0); + ASSERT_EQ(errno, ENOENT); +} + +TEST_F(coredump, socket_enoent) +{ + int pidfd, ret, status; + FILE *file; + pid_t pid; + char core_file[PATH_MAX]; + + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); + ASSERT_NE(file, NULL); + + ret =3D fprintf(file, "@/tmp/coredump.socket"); + ASSERT_EQ(ret, strlen("@/tmp/coredump.socket")); + ASSERT_EQ(fclose(file), 0); + + pid =3D fork(); + ASSERT_GE(pid, 0); + if (pid =3D=3D 0) + crashing_child(); + + pidfd =3D sys_pidfd_open(pid, 0); + ASSERT_GE(pidfd, 0); + + waitpid(pid, &status, 0); + ASSERT_TRUE(WIFSIGNALED(status)); + ASSERT_FALSE(WCOREDUMP(status)); +} + +TEST_F(coredump, socket_no_listener) +{ + int pidfd, ret, status; + FILE *file; + pid_t pid, pid_coredump_server; + int ipc_sockets[2]; + char c; + const struct sockaddr_un coredump_sk =3D { + .sun_family =3D AF_UNIX, + .sun_path =3D "/tmp/coredump.socket", + }; + size_t coredump_sk_len =3D offsetof(struct sockaddr_un, sun_path) + + sizeof("/tmp/coredump.socket"); + + ret =3D socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets); + ASSERT_EQ(ret, 0); + + file =3D fopen("/proc/sys/kernel/core_pattern", "w"); + ASSERT_NE(file, NULL); + + ret =3D fprintf(file, "@/tmp/coredump.socket"); + ASSERT_EQ(ret, strlen("@/tmp/coredump.socket")); + ASSERT_EQ(fclose(file), 0); + + pid_coredump_server =3D fork(); + ASSERT_GE(pid_coredump_server, 0); + if (pid_coredump_server =3D=3D 0) { + int fd_server, fd_coredump, fd_peer_pidfd, fd_core_file; + __u64 peer_cookie; + socklen_t fd_peer_pidfd_len, peer_cookie_len; + + close(ipc_sockets[0]); + + fd_server =3D socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (fd_server < 0) + _exit(EXIT_FAILURE); + + ret =3D bind(fd_server, (const struct sockaddr *)&coredump_sk, coredump_= sk_len); + if (ret < 0) { + fprintf(stderr, "Failed to bind coredump socket\n"); + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + if (write_nointr(ipc_sockets[1], "1", 1) < 0) { + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_FAILURE); + } + + close(fd_server); + close(ipc_sockets[1]); + _exit(EXIT_SUCCESS); + } + self->pid_coredump_server =3D pid_coredump_server; + + EXPECT_EQ(close(ipc_sockets[1]), 0); + ASSERT_EQ(read_nointr(ipc_sockets[0], &c, 1), 1); + EXPECT_EQ(close(ipc_sockets[0]), 0); + + pid =3D fork(); + ASSERT_GE(pid, 0); + if (pid =3D=3D 0) + crashing_child(); + + pidfd =3D sys_pidfd_open(pid, 0); + ASSERT_GE(pidfd, 0); + + waitpid(pid, &status, 0); + ASSERT_TRUE(WIFSIGNALED(status)); + ASSERT_FALSE(WCOREDUMP(status)); + + waitpid(pid_coredump_server, &status, 0); + self->pid_coredump_server =3D -ESRCH; + ASSERT_TRUE(WIFEXITED(status)); + ASSERT_EQ(WEXITSTATUS(status), 0); +} + TEST_HARNESS_MAIN --=20 2.47.2