4

Task

I have a small kernel module I wrote for my RaspBerry Pi 2 which implements an additional system call for generating power consumption metrics. I would like to modify the system call so that it only gets invoked if a special user (such as "root" or user "pi") issues it. Otherwise, the call just skips the bulk of its body and returns success.

Background Work

I've read into the issue at length, and I've found a similar question on SO, but there are numerous problems with it, from my perspective (noted below).

Question

  • The linked question notes that struct task_struct contains a pointer element to struct cred, as defined in linux/sched.h and linux/cred.h. The latter of the two headers doesn't exist on my system(s), and the former doesn't show any declaration of a pointer to a struct cred element. Does this make sense?
    • Silly mistake. This is present in its entirety in the kernel headers (ie: /usr/src/linux-headers-$(uname -r)/include/linux/cred.h), I was searching in gcc-build headers in /usr/include/linux.
  • Even if the above worked, it doesn't mention if I would be getting the the real, effective, or saved UID for the process. Is it even possible to get each of these three values from within the system call?
    • cred.h already contains all of these.
  • Is there a safe way in the kernel module to quickly determine which groups the user belongs to without parsing /etc/group?
    • cred.h already contains all of these.

Update

So, the only valid question remaining is the following:

Note, that iterating through processes and reading process's credentials should be done under RCU-critical section.

Cloud
  • 18,753
  • 15
  • 79
  • 153

2 Answers2

3

First, adding a new system call is rarely the right way to do things. It's best to do things via the existing mechanisms because you'll benefit from already-existing tools on both sides: existing utility functions in the kernel, existing libc and high-level language support in userland. Files are a central concept in Linux (like other Unix systems) and most data is exchanged via files, either device files or special filesystems such as proc and sysfs.

I would like to modify the system call so that it only gets invoked if a special user (such as "root" or user "pi") issues it.

You can't do this in the kernel. Not only is it wrong from a design point of view, but it isn't even possible. The kernel knows nothing about user names. The only knowledge about users in the kernel in that some privileged actions are reserved to user 0 in the root namespace (don't forget that last part! And if that's new to you it's a sign that you shouldn't be doing advanced things like adding system calls). (Many actions actually look for a capability rather than being root.)

What you want to use is sysfs. Read the kernel documentation and look for non-ancient online tutorials or existing kernel code (code that uses sysfs is typically pretty clean nowadays). With sysfs, you expose information through files under /sys. Access control is up to userland — have a sane default in the kernel and do things like calling chgrp, chmod or setfacl in the boot scripts. That's one of the many wheels that you don't need to reinvent on the user side when using the existing mechanisms.

The sysfs show method automatically takes a lock around the file, so only one kernel thread can be executing it at a time. That's one of the many wheels that you don't need to reinvent on the kernel side when using the existing mechanisms.

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
  • Minor typo "you can do this in the kernel". Does the kernel understand non-zero PID/GID values at least, even if it can't map them to the user name string in `/etc/passwd`? Thank you. – Cloud Aug 25 '16 at 05:10
  • @DevNull The kernel maintains UID and GID values, but it doesn't know what they mean, apart from 0 = the user who is allowed to do a lot of things that others can't. But keep in mind that a UID/GID is only meaningful in a namespace: it isn't an integer, but a pair {namespace, integer}. There may well be multiple `/etc/passwd` in different virtual environments in userland, a UID value alone means nothing. – Gilles 'SO- stop being evil' Aug 25 '16 at 07:20
2

The linked question concerns a fundamentally different issue. To quote:

Please note that the uid that I want to get is NOT of the current process.

Clearly, a thread which is not the currently executing thread can in principle exit at any point or change credentials. Measures need to be taken to ensure the stability of whatever we are fiddling with. RCU is often the right answer. The answer provided there is somewhat wrong in the sense that there are other ways as well.

Meanwhile, if you want to operate on the thread executing the very code, you can know it wont exit (because it is executing your code as opposed to an exit path). A question arises what about the stability of credentials -- good news, they are also guaranteed to be there and can be accessed with no preparation whatsoever. This can be easily verified by checking the code doing credential switching.

We are left with the question what primitives can be used to do the access. To that end one can use make_kuid, uid_eq and similar primitives.

The real question is why is this a syscall as opposed to just a /proc file.

See this blogpost for somewhat elaborated description of credential handling: http://codingtragedy.blogspot.com/2015/04/weird-stuff-thread-credentials-in-linux.html