On Tue, Mar 18, 2025 at 12:30:18PM +0000, Parav Pandit wrote: > > > > From: Jason Gunthorpe <jgg@xxxxxxxxxx> > > Sent: Tuesday, March 18, 2025 4:51 PM > > > > On Tue, Mar 18, 2025 at 03:43:07AM +0000, Parav Pandit wrote: > > > > > > I would say no, that is not our model in RDMA. The process that > > > > opens the file is irrelevant. We only check the current system call > > > > context for capability, much like any other systemcall. > > > > > > > Eric explained the motivation [1] and [2] for this fix is: > > > A lesser privilege process A opens the fd (currently caps are not > > > checked), passes the fd to a higher privilege process B. > > > > > And somehow let process B pass the needed capabilities check for > > > resource creation, after which process A continue to use the resource > > > without capability. > > > > Yes, I'd say that is fine within our model, and may even be desirable in some > > cases. > > Is this subsystem specific? Probably.. How a FD works and it's security model is very specific to each FD type. > I was thinking it is generic enough to all configurations done through ioctl(). > For example, I don't see any difference between [1] and rdma. > > [1] https://github.com/torvalds/linux/blob/76b6905c11fd3c6dc4562aefc3e8c4429fefae1e/block/ioctl.c#L441 Isn't that the same thing? roset is an ioctl on a block char dev file descriptor. It doesn't check the capability of the process that opened the file. > > We don't use a file descriptor linked security model, it is always secured based > > on the individual ioctl system call. The file descriptor is just a way to route the > > system calls. > If I understood right, Eric suggests to improve this model by file level additional checks. Yes, but I'm not sure it is an improvement, or that it won't cause regressions. > > You would not say that if process B creates a CAP_NET_RAW socket FD and > > passes it to process A without CAP_NET_RAW then A should not be able to > > use the FD. > Well, process B is higher privilege which shared the socket FD. Yes, and? > This is what I was asking in this patch to Eric above, should we have the min() check of both the process? No. We don't do it above for sockets, we shouldn't do it for RDMA objects either. Jason
