[v2,0/3] cpuset: Allow setscheduler regardless of manipulated task

Message ID	20230630183908.32148-1-mkoutny@suse.com
Headers	show Return-Path: <linux-kselftest-owner@vger.kernel.org> From: =?utf-8?q?Michal_Koutn=C3=BD?= <mkoutny@suse.com> To: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, linux-kselftest@vger.kernel.org Cc: Waiman Long <longman@redhat.com>, Zefan Li <lizefan.x@bytedance.com>, Tejun Heo <tj@kernel.org>, Johannes Weiner <hannes@cmpxchg.org>, Shuah Khan <shuah@kernel.org> Subject: [PATCH v2 0/3] cpuset: Allow setscheduler regardless of manipulated task Date: Fri, 30 Jun 2023 20:39:05 +0200 Message-ID: <20230630183908.32148-1-mkoutny@suse.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	cpuset: Allow setscheduler regardless of manipulated task \| expand [v2,0/3] cpuset: Allow setscheduler regardless of manipulated task [v2,1/3] cpuset: Allow setscheduler regardless of manipulated task [v2,2/3] selftests: cgroup: Minor code reorganizations [v2,3/3] selftests: cgroup: Add cpuset migrations testcase

Message ID

20230630183908.32148-1-mkoutny@suse.com

Headers

From: =?utf-8?q?Michal_Koutn=C3=BD?= <mkoutny@suse.com>
To: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
        linux-kselftest@vger.kernel.org
Cc: Waiman Long <longman@redhat.com>,
        Zefan Li <lizefan.x@bytedance.com>, Tejun Heo <tj@kernel.org>,
        Johannes Weiner <hannes@cmpxchg.org>,
        Shuah Khan <shuah@kernel.org>
Subject: [PATCH v2 0/3] cpuset: Allow setscheduler regardless of manipulated
 task
Date: Fri, 30 Jun 2023 20:39:05 +0200
Message-ID: <20230630183908.32148-1-mkoutny@suse.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

cpuset: Allow setscheduler regardless of manipulated task | expand

Message

Michal Koutný June 30, 2023, 6:39 p.m. UTC

Changes in v2:
- rebased on mainline
- drop is_in_v2_mode()

Changes in v1 (https://lore.kernel.org/r/20230629091146.28801-1-mkoutny@suse.com):
- added selftests
- comments rewording

RFC in https://lore.kernel.org/r/20220623124944.2753-1-mkoutny@suse.com

Michal Koutný (3):
  cpuset: Allow setscheduler regardless of manipulated task
  selftests: cgroup: Minor code reorganizations
  selftests: cgroup: Add cpuset migrations testcase

 MAINTAINERS                                   |   2 +
 kernel/cgroup/cpuset.c                        |  13 +-
 tools/testing/selftests/cgroup/.gitignore     |   1 +
 tools/testing/selftests/cgroup/Makefile       |   2 +
 tools/testing/selftests/cgroup/cgroup_util.c  |   2 +
 tools/testing/selftests/cgroup/cgroup_util.h  |   2 +
 tools/testing/selftests/cgroup/test_core.c    |   2 +-
 tools/testing/selftests/cgroup/test_cpuset.c  | 272 ++++++++++++++++++
 .../selftests/cgroup/test_cpuset_prs.sh       |   2 +-
 9 files changed, 293 insertions(+), 5 deletions(-)
 create mode 100644 tools/testing/selftests/cgroup/test_cpuset.c


base-commit: e55e5df193d247a38a5e1ac65a5316a0adcc22fa

Comments

Waiman Long June 30, 2023, 7:19 p.m. UTC | #1

On 6/30/23 14:39, Michal Koutný wrote:
> When we migrate a task between two cgroups, one of the checks is a
> verification whether we can modify task's scheduler settings
> (cap_task_setscheduler()).
>
> An implicit migration occurs also when enabling a controller on the
> unified hierarchy (think of parent to child migration). The
> aforementioned check may be problematic if the caller of the migration
> (enabling a controller) has no permissions over migrated tasks.
> For instance, a user's cgroup that ends up running a process of a
> different user. Although cgroup permissions are configured favorably,
> the enablement fails due to the foreign process [1].
>
> Change the behavior by relaxing the permissions check on the unified
> hierarchy (or in v2 mode). This is in accordance with unified hierarchy
> attachment behavior when permissions of the source to target cgroups are
> decisive whereas the migrated task is opaque (as opposed to more
> restrictive check in __cgroup1_procs_write()).
>
> [1] https://github.com/systemd/systemd/issues/18293#issuecomment-831205649
>
> Signed-off-by: Michal Koutný <mkoutny@suse.com>
> ---
>   kernel/cgroup/cpuset.c | 13 ++++++++++---
>   1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
> index 58e6f18f01c1..41d3ed14b0f4 100644
> --- a/kernel/cgroup/cpuset.c
> +++ b/kernel/cgroup/cpuset.c
> @@ -2505,9 +2505,16 @@ static int cpuset_can_attach(struct cgroup_taskset *tset)
>   		ret = task_can_attach(task);
>   		if (ret)
>   			goto out_unlock;
> -		ret = security_task_setscheduler(task);
> -		if (ret)
> -			goto out_unlock;
> +
> +		/*
> +		 * Skip rights over task check in v2, migration permission derives
> +		 * from hierarchy ownership in cgroup_procs_write_permission()).
> +		 */
> +		if (!cgroup_subsys_on_dfl(cpuset_cgrp_subsys)) {
> +			ret = security_task_setscheduler(task);
> +			if (ret)
> +				goto out_unlock;
> +		}

I am somewhat hesitant to skip the security_task_setscheduler() check 
for all cgroup v2 task migrations. The check is controlled by SElinux 
which is a different subsystem. I believe the scheduler property here 
refer's to the task cpu affinity and node mask. If you look at 
cpuset_attach(), we have actually skipped the task iteration process to 
change them if cpu affinity and node mask aren't changed at all.

I don't want to introduce a possible security vulnerability because of 
this relaxation. I would suggest you skip it under the same condition of 
no change to cpu affinity and node mask for cgroup v2.

Thanks,
Longman