| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Oct 2020 22:05:21 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Andrei Vagin <avagin@...il.com>
Cc: Michael Weiß <michael.weiss@...ec.fraunhofer.de>,
Thomas Gleixner <tglx@...utronix.de>,
Dmitry Safonov <0x7f454c46@...il.com>,
linux-kernel@...r.kernel.org,
"J. Bruce Fields" <bfields@...ldses.org>,
Chuck Lever <chuck.lever@...cle.com>,
Trond Myklebust <trond.myklebust@...merspace.com>,
Anna Schumaker <anna.schumaker@...app.com>
Subject: Re: [PATCH v2 2/4] time: make getboottime64 aware of time namespace
On Sat, Oct 10, 2020 at 12:19:14AM -0700, Andrei Vagin wrote:
> On Fri, Oct 09, 2020 at 03:28:15PM +0200, Christian Brauner wrote:
> > On Thu, Oct 08, 2020 at 07:39:42AM +0200, Michael Weiß wrote:
> > > getboottime64() provides the time stamp of system boot. In case of
> > > time namespaces, the offset to the boot time stamp was not applied
> > > earlier. However, getboottime64 is used e.g., in /proc/stat to print
> > > the system boot time to userspace. In container runtimes which utilize
> > > time namespaces to virtualize boottime of a container, this leaks
> > > information about the host system boot time.
> > >
> > > Therefore, we make getboottime64() to respect the time namespace offset
> > > for boottime by subtracting the boottime offset.
> > >
> > > Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > > ---
> > > kernel/time/timekeeping.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> > > index 4c47f388a83f..67530cdb389e 100644
> > > --- a/kernel/time/timekeeping.c
> > > +++ b/kernel/time/timekeeping.c
> > > @@ -17,6 +17,7 @@
> > > #include <linux/clocksource.h>
> > > #include <linux/jiffies.h>
> > > #include <linux/time.h>
> > > +#include <linux/time_namespace.h>
> > > #include <linux/tick.h>
> > > #include <linux/stop_machine.h>
> > > #include <linux/pvclock_gtod.h>
> > > @@ -2154,6 +2155,8 @@ void getboottime64(struct timespec64 *ts)
> > > {
> > > struct timekeeper *tk = &tk_core.timekeeper;
> > > ktime_t t = ktime_sub(tk->offs_real, tk->offs_boot);
> > > + /* shift boot time stamp according to the timens offset */
> > > + t = timens_ktime_to_host(CLOCK_BOOTTIME, t);
> >
> > Note that getbootime64() is mostly used in net/sunrpc and I don't know
> > if this change has any security implications for them.
>
> I would prefer to not patch kernel internal functions if they are used
> not only to expose time to the userspace.
>
> I think when kernel developers sees the getboottime64 function, they
> will expect that it returns the real time of kernel boot. They will
> not expect that it is aware of time namespaces and a returned time will
> depend on a task in which context it will be called.
>
> IMHO, as a minimum, we need to update the documentation for this function or
> even adjust a function name.
>
> And I think we need to consider an option to not change getbootime64 and
> apply a timens offset right in the show_stat(fs/proc/stat.c) function.
This is why I asked about this since I assumed this would break
someone's use-case. :)
In any case, if I understand correctly then we want the same thing: just
change fs/proc/stat.c i.e. have a a specific helper that applies the
correct offset.
Christian
Powered by blists - more mailing lists