tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

firmware_loader: load files from the mount namespace of init

I have an experimental setup where almost every possible system
service (even early startup ones) runs in separate namespace, using a
dedicated, minimal file system. In process of minimizing the contents
of the file systems with regards to modules and firmware files, I
noticed that in my system, the firmware files are loaded from three
different mount namespaces, those of systemd-udevd, init and
systemd-networkd. The logic of the source namespace is not very clear,
it seems to depend on the driver, but the namespace of the current
process is used.

So, this patch tries to make things a bit clearer and changes the
loading of firmware files only from the mount namespace of init. This
may also improve security, though I think that using firmware files as
attack vector could be too impractical anyway.

Later, it might make sense to make the mount namespace configurable,
for example with a new file in /proc/sys/kernel/firmware_config/. That
would allow a dedicated file system only for firmware files and those
need not be present anywhere else. This configurability would make
more sense if made also for kernel modules and /sbin/modprobe. Modules
are already loaded from init namespace (usermodehelper uses kthreadd
namespace) except when directly loaded by systemd-udevd.

Instead of using the mount namespace of the current process to load
firmware files, use the mount namespace of init process.

Link: https://lore.kernel.org/lkml/bb46ebae-4746-90d9-ec5b-fce4c9328c86@gmail.com/
Link: https://lore.kernel.org/lkml/0e3f7653-c59d-9341-9db2-c88f5b988c68@gmail.com/
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Link: https://lore.kernel.org/r/20200123125839.37168-1-toiwoton@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Topi Miettinen and committed by
Greg Kroah-Hartman 901cff7c 469e1906

+190 -8
+4 -2
drivers/base/firmware_loader/main.c
··· 493 493 } 494 494 495 495 fw_priv->size = 0; 496 - rc = kernel_read_file_from_path(path, &buffer, &size, 497 - msize, id); 496 + 497 + /* load firmware files from the mount namespace of init */ 498 + rc = kernel_read_file_from_path_initns(path, &buffer, 499 + &size, msize, id); 498 500 if (rc) { 499 501 if (rc != -ENOENT) 500 502 dev_warn(device, "loading %s failed with error %d\n",
+26
fs/exec.c
··· 985 985 } 986 986 EXPORT_SYMBOL_GPL(kernel_read_file_from_path); 987 987 988 + int kernel_read_file_from_path_initns(const char *path, void **buf, 989 + loff_t *size, loff_t max_size, 990 + enum kernel_read_file_id id) 991 + { 992 + struct file *file; 993 + struct path root; 994 + int ret; 995 + 996 + if (!path || !*path) 997 + return -EINVAL; 998 + 999 + task_lock(&init_task); 1000 + get_fs_root(init_task.fs, &root); 1001 + task_unlock(&init_task); 1002 + 1003 + file = file_open_root(root.dentry, root.mnt, path, O_RDONLY, 0); 1004 + path_put(&root); 1005 + if (IS_ERR(file)) 1006 + return PTR_ERR(file); 1007 + 1008 + ret = kernel_read_file(file, buf, size, max_size, id); 1009 + fput(file); 1010 + return ret; 1011 + } 1012 + EXPORT_SYMBOL_GPL(kernel_read_file_from_path_initns); 1013 + 988 1014 int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size, 989 1015 enum kernel_read_file_id id) 990 1016 {
+2
include/linux/fs.h
··· 3012 3012 enum kernel_read_file_id); 3013 3013 extern int kernel_read_file_from_path(const char *, void **, loff_t *, loff_t, 3014 3014 enum kernel_read_file_id); 3015 + extern int kernel_read_file_from_path_initns(const char *, void **, loff_t *, loff_t, 3016 + enum kernel_read_file_id); 3015 3017 extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, 3016 3018 enum kernel_read_file_id); 3017 3019 extern ssize_t kernel_read(struct file *, void *, size_t, loff_t *);
+3 -6
tools/testing/selftests/firmware/Makefile
··· 1 1 # SPDX-License-Identifier: GPL-2.0-only 2 2 # Makefile for firmware loading selftests 3 - 4 - # No binaries, but make sure arg-less "make" doesn't trigger "run_tests" 5 - all: 3 + CFLAGS = -Wall \ 4 + -O2 6 5 7 6 TEST_PROGS := fw_run_tests.sh 8 7 TEST_FILES := fw_fallback.sh fw_filesystem.sh fw_lib.sh 8 + TEST_GEN_FILES := fw_namespace 9 9 10 10 include ../lib.mk 11 - 12 - # Nothing to clean up. 13 - clean:
+151
tools/testing/selftests/firmware/fw_namespace.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* Test triggering of loading of firmware from different mount 3 + * namespaces. Expect firmware to be always loaded from the mount 4 + * namespace of PID 1. */ 5 + #define _GNU_SOURCE 6 + #include <errno.h> 7 + #include <fcntl.h> 8 + #include <sched.h> 9 + #include <stdarg.h> 10 + #include <stdbool.h> 11 + #include <stdio.h> 12 + #include <stdlib.h> 13 + #include <string.h> 14 + #include <sys/mount.h> 15 + #include <sys/stat.h> 16 + #include <sys/types.h> 17 + #include <sys/wait.h> 18 + #include <unistd.h> 19 + 20 + #ifndef CLONE_NEWNS 21 + # define CLONE_NEWNS 0x00020000 22 + #endif 23 + 24 + static char *fw_path = NULL; 25 + 26 + static void die(char *fmt, ...) 27 + { 28 + va_list ap; 29 + 30 + va_start(ap, fmt); 31 + vfprintf(stderr, fmt, ap); 32 + va_end(ap); 33 + if (fw_path) 34 + unlink(fw_path); 35 + umount("/lib/firmware"); 36 + exit(EXIT_FAILURE); 37 + } 38 + 39 + static void trigger_fw(const char *fw_name, const char *sys_path) 40 + { 41 + int fd; 42 + 43 + fd = open(sys_path, O_WRONLY); 44 + if (fd < 0) 45 + die("open failed: %s\n", 46 + strerror(errno)); 47 + if (write(fd, fw_name, strlen(fw_name)) != strlen(fw_name)) 48 + exit(EXIT_FAILURE); 49 + close(fd); 50 + } 51 + 52 + static void setup_fw(const char *fw_path) 53 + { 54 + int fd; 55 + const char fw[] = "ABCD0123"; 56 + 57 + fd = open(fw_path, O_WRONLY | O_CREAT, 0600); 58 + if (fd < 0) 59 + die("open failed: %s\n", 60 + strerror(errno)); 61 + if (write(fd, fw, sizeof(fw) -1) != sizeof(fw) -1) 62 + die("write failed: %s\n", 63 + strerror(errno)); 64 + close(fd); 65 + } 66 + 67 + static bool test_fw_in_ns(const char *fw_name, const char *sys_path, bool block_fw_in_parent_ns) 68 + { 69 + pid_t child; 70 + 71 + if (block_fw_in_parent_ns) 72 + if (mount("test", "/lib/firmware", "tmpfs", MS_RDONLY, NULL) == -1) 73 + die("blocking firmware in parent ns failed\n"); 74 + 75 + child = fork(); 76 + if (child == -1) { 77 + die("fork failed: %s\n", 78 + strerror(errno)); 79 + } 80 + if (child != 0) { /* parent */ 81 + pid_t pid; 82 + int status; 83 + 84 + pid = waitpid(child, &status, 0); 85 + if (pid == -1) { 86 + die("waitpid failed: %s\n", 87 + strerror(errno)); 88 + } 89 + if (pid != child) { 90 + die("waited for %d got %d\n", 91 + child, pid); 92 + } 93 + if (!WIFEXITED(status)) { 94 + die("child did not terminate cleanly\n"); 95 + } 96 + if (block_fw_in_parent_ns) 97 + umount("/lib/firmware"); 98 + return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false; 99 + } 100 + 101 + if (unshare(CLONE_NEWNS) != 0) { 102 + die("unshare(CLONE_NEWNS) failed: %s\n", 103 + strerror(errno)); 104 + } 105 + if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) == -1) 106 + die("remount root in child ns failed\n"); 107 + 108 + if (!block_fw_in_parent_ns) { 109 + if (mount("test", "/lib/firmware", "tmpfs", MS_RDONLY, NULL) == -1) 110 + die("blocking firmware in child ns failed\n"); 111 + } else 112 + umount("/lib/firmware"); 113 + 114 + trigger_fw(fw_name, sys_path); 115 + 116 + exit(EXIT_SUCCESS); 117 + } 118 + 119 + int main(int argc, char **argv) 120 + { 121 + const char *fw_name = "test-firmware.bin"; 122 + char *sys_path; 123 + if (argc != 2) 124 + die("usage: %s sys_path\n", argv[0]); 125 + 126 + /* Mount tmpfs to /lib/firmware so we don't have to assume 127 + that it is writable for us.*/ 128 + if (mount("test", "/lib/firmware", "tmpfs", 0, NULL) == -1) 129 + die("mounting tmpfs to /lib/firmware failed\n"); 130 + 131 + sys_path = argv[1]; 132 + asprintf(&fw_path, "/lib/firmware/%s", fw_name); 133 + 134 + setup_fw(fw_path); 135 + 136 + setvbuf(stdout, NULL, _IONBF, 0); 137 + /* Positive case: firmware in PID1 mount namespace */ 138 + printf("Testing with firmware in parent namespace (assumed to be same file system as PID1)\n"); 139 + if (!test_fw_in_ns(fw_name, sys_path, false)) 140 + die("error: failed to access firmware\n"); 141 + 142 + /* Negative case: firmware in child mount namespace, expected to fail */ 143 + printf("Testing with firmware in child namespace\n"); 144 + if (test_fw_in_ns(fw_name, sys_path, true)) 145 + die("error: firmware access did not fail\n"); 146 + 147 + unlink(fw_path); 148 + free(fw_path); 149 + umount("/lib/firmware"); 150 + exit(EXIT_SUCCESS); 151 + }
+4
tools/testing/selftests/firmware/fw_run_tests.sh
··· 61 61 check_mods 62 62 check_setup 63 63 64 + echo "Running namespace test: " 65 + $TEST_DIR/fw_namespace $DIR/trigger_request 66 + echo "OK" 67 + 64 68 if [ -f $FW_FORCE_SYSFS_FALLBACK ]; then 65 69 run_test_config_0001 66 70 run_test_config_0002