Message-ID: <20201013200521.5dplf5ohey64qmcx@wittgenstein>
Date:   Tue, 13 Oct 2020 22:05:21 +0200
From:   Christian Brauner <christian.brauner@...ntu.com>
To:     Andrei Vagin <avagin@...il.com>
Cc:     Michael Weiß <michael.weiss@...ec.fraunhofer.de>,
        Thomas Gleixner <tglx@...utronix.de>,
        Dmitry Safonov <0x7f454c46@...il.com>,
        linux-kernel@...r.kernel.org,
        "J. Bruce Fields" <bfields@...ldses.org>,
        Chuck Lever <chuck.lever@...cle.com>,
        Trond Myklebust <trond.myklebust@...merspace.com>,
        Anna Schumaker <anna.schumaker@...app.com>
Subject: Re: [PATCH v2 2/4] time: make getboottime64 aware of time namespace

On Sat, Oct 10, 2020 at 12:19:14AM -0700, Andrei Vagin wrote:
> On Fri, Oct 09, 2020 at 03:28:15PM +0200, Christian Brauner wrote:
> > On Thu, Oct 08, 2020 at 07:39:42AM +0200, Michael Weiß wrote:
> > > getboottime64() provides the time stamp of system boot. In case of
> > > time namespaces, the offset to the boot time stamp was not applied
> > > earlier. However, getboottime64 is used e.g., in /proc/stat to print
> > > the system boot time to userspace. In container runtimes which utilize
> > > time namespaces to virtualize boottime of a container, this leaks
> > > information about the host system boot time.
> > > 
> > > Therefore, we make getboottime64() respect the time namespace offset
> > > for boottime by subtracting the boottime offset.
> > > 
> > > Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > > ---
> > >  kernel/time/timekeeping.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> > > index 4c47f388a83f..67530cdb389e 100644
> > > --- a/kernel/time/timekeeping.c
> > > +++ b/kernel/time/timekeeping.c
> > > @@ -17,6 +17,7 @@
> > >  #include <linux/clocksource.h>
> > >  #include <linux/jiffies.h>
> > >  #include <linux/time.h>
> > > +#include <linux/time_namespace.h>
> > >  #include <linux/tick.h>
> > >  #include <linux/stop_machine.h>
> > >  #include <linux/pvclock_gtod.h>
> > > @@ -2154,6 +2155,8 @@ void getboottime64(struct timespec64 *ts)
> > >  {
> > >  	struct timekeeper *tk = &tk_core.timekeeper;
> > >  	ktime_t t = ktime_sub(tk->offs_real, tk->offs_boot);
> > > +	/* shift boot time stamp according to the timens offset */
> > > +	t = timens_ktime_to_host(CLOCK_BOOTTIME, t);
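Review bot: The added `t = timens_ktime_to_host(CLOCK_BOOTTIME, t);` in getboottime64() makes the returned value depend on the time namespace of whichever task happens to call it, and that applies to every caller of this kernel-internal helper, not only the /proc/stat path the commit message is about. Consider leaving getboottime64() unchanged and applying the offset in a separately named helper used from fs/proc/stat.c; if the change stays here, the function's documentation has to state the dependence on the calling task's context. Style: the new comment follows the declarations directly, so add a blank line between the `ktime_t t = ...` declaration and the comment.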
> > 
> > Note that getboottime64() is mostly used in net/sunrpc and I don't know
> > if this change has any security implications for them.
> 
> I would prefer to not patch kernel internal functions if they are used
> not only to expose time to the userspace.
> 
> I think when kernel developers see the getboottime64 function, they
> will expect that it returns the real time of kernel boot. They will
> not expect that it is aware of time namespaces and a returned time will
> depend on a task in which context it will be called.
> 
> IMHO, as a minimum, we need to update the documentation for this function or
> even adjust a function name.
> 
> And I think we need to consider an option to not change getboottime64 and
> apply a timens offset right in the show_stat(fs/proc/stat.c) function.

This is why I asked about this since I assumed this would break
someone's use-case. :)

In any case, if I understand correctly then we want the same thing: just
change fs/proc/stat.c i.e. have a specific helper that applies the
correct offset.

Christian
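
A userspace check for the leak discussed in this thread, as an added example that is not part of the original messages or of the kernel tree: it compares the `btime` line of /proc/stat with the boot time stamp implied by the calling task's own clocks (CLOCK_REALTIME minus CLOCK_BOOTTIME), which already include the time namespace offset. The function names and the 2-second slack are assumptions made for this example.

```c
/* Added example (not from the thread): /proc/stat btime vs. the task's clocks. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Return the "btime <seconds>" value found in /proc/stat text, -1 if absent. */
long long parse_btime(const char *p)
{
	while (p && *p) {
		if (strncmp(p, "btime ", 6) == 0)
			return strtoll(p + 6, NULL, 10);
		p = strchr(p, '\n');	/* advance to the start of the next line */
		if (p)
			p++;
	}
	return -1;
}

/* Boot stamp seen through the task's clocks: REALTIME - BOOTTIME, floored. */
long long ns_boot_stamp(const struct timespec *real, const struct timespec *boot)
{
	long long sec = (long long)real->tv_sec - (long long)boot->tv_sec;
	return real->tv_nsec < boot->tv_nsec ? sec - 1 : sec;
}

/* Non-zero when btime is further than `slack` seconds from the task's view. */
int btime_mismatch(long long btime, long long ns_stamp, long long slack)
{
	return llabs(btime - ns_stamp) > slack;
}

int main(void)
{
	char line[4096];
	long long btime = -1, stamp;
	struct timespec real, boot;
	FILE *f = fopen("/proc/stat", "r");
	/* Long lines arrive in chunks; only a chunk starting with "btime " matches. */
	while (f && btime < 0 && fgets(line, sizeof(line), f))
		btime = parse_btime(line);
	if (f) fclose(f);
	if (btime < 0 || clock_gettime(CLOCK_REALTIME, &real) ||
	    clock_gettime(CLOCK_BOOTTIME, &boot))
		return 2;	/* could not read btime or the clocks */
	stamp = ns_boot_stamp(&real, &boot);
	printf("btime=%lld task-view=%lld delta=%lld\n", btime, stamp, btime - stamp);
	return btime_mismatch(btime, stamp, 2);	/* 1: btime differs from task's view */
}
```

Run inside a container whose time namespace has a non-zero boottime offset, an exit status of 1 means /proc/stat still reports a boot time that does not match the namespace's view, and the printed delta equals that offset.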
