linux-stable/fs
Linus Torvalds 74858abbb1 cap-checkpoint-restore-v5.9
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCXygegQAKCRCRxhvAZXjc
 olWZAQCMPbhI/20LA3OYJ6s+BgBEnm89PymvlHcym6Z4AvTungD+KqZonIYuxWgi
 6Ttlv/fzgFFbXgJgbuass5mwFVoN5wM=
 =oK7d
 -----END PGP SIGNATURE-----

Merge tag 'cap-checkpoint-restore-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux

Pull checkpoint-restore updates from Christian Brauner:
 "This enables unprivileged checkpoint/restore of processes.

  Given that this work has been going on for quite some time the first
  sentence in this summary is hopefully more exciting than the actual
  final code changes required. Unprivileged checkpoint/restore has seen
  a frequent increase in interest over the last two years and has thus
  been one of the main topics for the combined containers &
  checkpoint/restore microconference since at least 2018 (cf. [1]).

  Here are just the three most frequent use-cases that were brought forward:

   - The JVM developers are integrating checkpoint/restore into a Java
     VM to significantly decrease the startup time.

   - In a high-performance computing environment a resource manager will
     typically be distributing jobs where users are always running as
     non-root. Long-running and "large" processes with significant
     startup times are supposed to be checkpointed and restored with
     CRIU.

   - Container migration as a non-root user.

  In all of these scenarios it is either desirable or required to run
  without CAP_SYS_ADMIN. The userspace implementation of
  checkpoint/restore CRIU already has the pull request for supporting
  unprivileged checkpoint/restore up (cf. [2]).

  To enable unprivileged checkpoint/restore a new dedicated capability
  CAP_CHECKPOINT_RESTORE is introduced. This solution has last been
  discussed in 2019 in a talk by Google at Linux Plumbers (cf. [1]
  "Update on Task Migration at Google Using CRIU") with Adrian and
  Nicolas providing the implementation now over the last months. In
  essence, this allows the CRIU binary to be installed with the
  CAP_CHECKPOINT_RESTORE vfs capability set thereby enabling
  unprivileged users to restore processes.

  To make this possible the following permissions are altered:

   - Selecting a specific PID via clone3() set_tid relaxed from userns
     CAP_SYS_ADMIN to CAP_CHECKPOINT_RESTORE.

   - Selecting a specific PID via /proc/sys/kernel/ns_last_pid relaxed
     from userns CAP_SYS_ADMIN to CAP_CHECKPOINT_RESTORE.

   - Accessing /proc/pid/map_files relaxed from init userns
     CAP_SYS_ADMIN to init userns CAP_CHECKPOINT_RESTORE.

   - Changing /proc/self/exe from userns CAP_SYS_ADMIN to userns
     CAP_CHECKPOINT_RESTORE.

  Of these four changes the /proc/self/exe change deserves a few words
  because the reasoning behind even restricting /proc/self/exe changes
  in the first place is just full of historical quirks and tracking this
  down was a questionable version of fun that I'd like to spare others.

  In short, it is trivial to change /proc/self/exe as an unprivileged
  user, i.e. without userns CAP_SYS_ADMIN right now. Either via ptrace()
  or by simply intercepting the elf loader in userspace during exec.
  Nicolas was nice enough to even provide a POC for the latter (cf. [3])
  to illustrate this fact.

  The original patchset which introduced PR_SET_MM_MAP had no
  permissions around changing the exe link. They too argued that it is
  trivial to spoof the exe link already which is true. The argument
  brought up against this was that the Tomoyo LSM uses the exe link in
  tomoyo_manager() to detect whether the calling process is a policy
  manager. This caused changing the exe links to be guarded by userns
  CAP_SYS_ADMIN.

  All in all this rather seems like a "better guard it with something
  rather than nothing" argument which imho doesn't qualify as a great
  security policy. Again, because spoofing the exe link is possible for
  the calling process so even if this were security relevant it was
  broken back then and would be broken today. So technically, dropping
  all permissions around changing the exe link would probably be
  possible and would send a clearer message to any userspace that relies
  on /proc/self/exe for security reasons that they should stop doing
  this but for now we're only relaxing the exe link permissions from
  userns CAP_SYS_ADMIN to userns CAP_CHECKPOINT_RESTORE.

  There's a final uapi change in here. Changing the exe link used to
  accidentally return EINVAL when the caller lacked the necessary
  permissions instead of the more correct EPERM. This PR contains a
  commit fixing this. I assume that userspace won't notice or care and
  if they do I will revert this commit. But since we are changing the
  permissions anyway it seems like a good opportunity to try this fix.

  With these changes merged unprivileged checkpoint/restore will be
  possible and has already been tested by various users"

[1] LPC 2018
     1. "Task Migration at Google Using CRIU"
        https://www.youtube.com/watch?v=yI_1cuhoDgA&t=12095
     2. "Securely Migrating Untrusted Workloads with CRIU"
        https://www.youtube.com/watch?v=yI_1cuhoDgA&t=14400
     LPC 2019
     1. "CRIU and the PID dance"
        https://www.youtube.com/watch?v=LN2CUgp8deo&list=PLVsQ_xZBEyN30ZA3Pc9MZMFzdjwyz26dO&index=9&t=2m48s
     2. "Update on Task Migration at Google Using CRIU"
        https://www.youtube.com/watch?v=LN2CUgp8deo&list=PLVsQ_xZBEyN30ZA3Pc9MZMFzdjwyz26dO&index=9&t=1h2m8s

[2] https://github.com/checkpoint-restore/criu/pull/1155

[3] https://github.com/nviennot/run_as_exe

* tag 'cap-checkpoint-restore-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  selftests: add clone3() CAP_CHECKPOINT_RESTORE test
  prctl: exe link permission error changed from -EINVAL to -EPERM
  prctl: Allow local CAP_CHECKPOINT_RESTORE to change /proc/self/exe
  proc: allow access in init userns for map_files with CAP_CHECKPOINT_RESTORE
  pid_namespace: use checkpoint_restore_ns_capable() for ns_last_pid
  pid: use checkpoint_restore_ns_capable() for set_tid
  capabilities: Introduce CAP_CHECKPOINT_RESTORE
2020-08-04 15:02:07 -07:00
9p
adfs block: move struct block_device to blk_types.h 2020-06-24 09:16:02 -06:00
affs block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
afs Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
autofs autofs: switch to kernel_write 2020-07-08 08:27:56 +02:00
befs block: move struct block_device to blk_types.h 2020-06-24 09:16:02 -06:00
bfs
btrfs These are the latest RCU bits for v5.9: 2020-08-03 14:31:33 -07:00
cachefiles cachefiles: switch to kernel_write 2020-07-08 08:27:56 +02:00
ceph ceph: skip checking caps when session reconnecting and releasing reqs 2020-06-01 13:22:53 +02:00
cifs Revert "cifs: Fix the target file was deleted when rename failed." 2020-07-23 15:44:11 -05:00
coda
configfs A fair amount of stuff this time around, dominated by yet another massive 2020-06-01 15:45:27 -07:00
cramfs
crypto fscrypt: don't load ->i_crypt_info before it's known to be valid 2020-07-30 14:21:50 -07:00
debugfs
devpts
dlm treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ecryptfs A fair amount of stuff this time around, dominated by yet another massive 2020-06-01 15:45:27 -07:00
efivarfs efi/efivars: Expose RT service availability via efivars abstraction 2020-07-09 10:14:29 +03:00
efs block: move struct block_device to blk_types.h 2020-06-24 09:16:02 -06:00
erofs treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
exfat exfat: fix name_hash computation on big endian systems 2020-07-21 10:44:19 +09:00
exportfs
ext2 mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
ext4 ext4: add inline encryption support 2020-07-08 10:29:43 -07:00
f2fs Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
fat treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
freevxfs
fscache Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
fuse Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
gfs2 Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
hfs block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
hfsplus treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
hostfs
hpfs hpfs: fix warning due to superfluous semicolon 2020-06-06 10:08:17 -07:00
hugetlbfs mmap locking API: convert mmap_sem API comments 2020-06-09 09:39:14 -07:00
iomap New code for 5.8: 2020-06-13 12:44:30 -07:00
isofs Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
jbd2 This is the second round of ext4 commits for 5.8 merge window. It 2020-06-15 09:32:10 -07:00
jffs2 treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
jfs block: move struct block_device to blk_types.h 2020-06-24 09:16:02 -06:00
kernfs mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
lockd
minix
nfs Merge branches 'pm-sleep', 'pm-domains', 'powercap' and 'pm-tools' 2020-08-03 13:12:44 +02:00
nfs_common
nfsd Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
nilfs2 nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() 2020-06-10 19:14:17 -07:00
nls treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
notify treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ntfs block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
ocfs2 treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
omfs treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
openpromfs
orangefs orangefs: a conversion and a cleanup... 2020-06-05 16:44:36 -07:00
overlayfs Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
proc cap-checkpoint-restore-v5.9 2020-08-04 15:02:07 -07:00
pstore pstore: Fix linking when crypto API disabled 2020-07-06 19:42:31 -07:00
qnx4
qnx6 fs: convert mpage_readpages to mpage_readahead 2020-06-02 10:59:07 -07:00
quota block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
ramfs
reiserfs block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
romfs treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
squashfs squashfs: fix length field overlap check in metadata reading 2020-07-24 12:42:41 -07:00
sysfs RDMA 5.8 merge window pull request 2020-06-05 14:05:57 -07:00
sysv
tracefs
ubifs treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
udf treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ufs
unicode
vboxsf
verity fs-verity: use smp_load_acquire() for ->i_verity_info 2020-07-21 16:02:41 -07:00
xfs Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
zonefs zonefs: count pages after truncating the iterator 2020-07-20 17:59:31 +09:00
aio.c aio: Replace zero-length array with flexible-array 2020-06-15 23:08:25 -05:00
anon_inodes.c
attr.c
bad_inode.c fs: move the fiemap definitions out of fs.h 2020-06-03 23:16:55 -04:00
binfmt_aout.c
binfmt_elf.c Merge branch 'uaccess.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:02:54 -07:00
binfmt_elf_fdpic.c Merge branch 'uaccess.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:02:54 -07:00
binfmt_em86.c Merge branch 'akpm' (patches from Andrew) 2020-06-04 19:18:29 -07:00
binfmt_flat.c Merge branch 'uaccess.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:02:54 -07:00
binfmt_misc.c Merge branch 'akpm' (patches from Andrew) 2020-06-04 19:18:29 -07:00
binfmt_script.c Merge branch 'akpm' (patches from Andrew) 2020-06-04 19:18:29 -07:00
block_dev.c for-5.9/io_uring-20200802 2020-08-03 13:01:22 -07:00
buffer.c for-5.9/block-20200802 2020-08-03 11:57:03 -07:00
char_dev.c
compat.c
compat_binfmt_elf.c Split the old READ_IMPLIES_EXEC workaround from executable PT_GNU_STACK 2020-06-05 13:45:21 -07:00
coredump.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
d_path.c
dax.c
dcache.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
dcookies.c
direct-io.c block: remove the bd_queue field from struct block_device 2020-07-01 08:08:20 -06:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c exec: Implement kernel_execve 2020-07-21 08:24:52 -05:00
fcntl.c
fhandle.c
file.c fs: Expand __receive_fd() to accept existing fd 2020-07-13 11:03:45 -07:00
file_table.c Revert "fs: Do not check if there is a fsnotify watcher on pseudo inodes" 2020-06-29 09:40:55 -07:00
filesystems.c
fs-writeback.c A lot of bug fixes and cleanups for ext4, including: 2020-06-05 16:19:28 -07:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
inode.c AFS Changes 2020-06-05 16:26:36 -07:00
internal.h block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
io-wq.c io-wq: update hash bits 2020-07-25 09:47:44 -06:00
io-wq.h io_uring/io-wq: move RLIMIT_FSIZE to io-wq 2020-07-24 13:00:44 -06:00
io_uring.c for-5.9/io_uring-20200802 2020-08-03 13:01:22 -07:00
ioctl.c fs: remove the access_ok() check in ioctl_fiemap 2020-06-03 23:16:55 -04:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig.binfmt treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
libfs.c
locks.c File locking fix for v5.9. 2020-08-03 10:46:41 -07:00
Makefile
mbcache.c
mount.h
mpage.c fs: convert mpage_readpages to mpage_readahead 2020-06-02 10:59:07 -07:00
namei.c vfs: clean up posix_acl_permission() logic aroudn MAY_NOT_BLOCK 2020-06-08 11:04:19 -07:00
namespace.c fuse: reject options on reconfigure via fsconfig(2) 2020-07-14 14:45:41 +02:00
no-block.c
nsfs.c
open.c Merge branch 'akpm' (patches from Andrew) 2020-06-02 12:21:36 -07:00
pipe.c Notifications over pipes + Keyring notifications 2020-06-13 09:56:21 -07:00
pnode.c
pnode.h
posix_acl.c vfs: clean up posix_acl_permission() logic aroudn MAY_NOT_BLOCK 2020-06-08 11:04:19 -07:00
proc_namespace.c Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-06-04 13:54:34 -07:00
read_write.c fs: remove __vfs_read 2020-07-08 08:27:57 +02:00
readdir.c
select.c pselect6() and friends: take handling the combined 6th/7th args into helper 2020-05-29 19:10:42 -04:00
seq_file.c fs/seq_file.c: seq_read: Update pr_info_ratelimited 2020-06-04 19:06:25 -07:00
signalfd.c
splice.c Notifications over pipes + Keyring notifications 2020-06-13 09:56:21 -07:00
stack.c
stat.c New code for 5.8: 2020-06-02 19:45:12 -07:00
statfs.c
super.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:09:11 -07:00
sync.c overlayfs update for 5.8 2020-06-09 15:40:50 -07:00
timerfd.c
userfaultfd.c userfaultfd: simplify fault handling 2020-08-03 11:25:16 -07:00
utimes.c
xattr.c