Re: [PATCH v2 2/4] time: make getboottime64 aware of time namespace

From: Christian Brauner
Date: Tue Oct 13 2020 - 16:05:37 EST


On Sat, Oct 10, 2020 at 12:19:14AM -0700, Andrei Vagin wrote:
> On Fri, Oct 09, 2020 at 03:28:15PM +0200, Christian Brauner wrote:
> > On Thu, Oct 08, 2020 at 07:39:42AM +0200, Michael Weiß wrote:
> > > getboottime64() provides the time stamp of system boot. In case of
> > > time namespaces, the offset to the boot time stamp was not applied
> > > earlier. However, getboottime64 is used e.g., in /proc/stat to print
> > > the system boot time to userspace. In container runtimes which utilize
> > > time namespaces to virtualize boottime of a container, this leaks
> > > information about the host system boot time.
> > >
> > > Therefore, we make getboottime64() respect the time namespace offset
> > > for boottime by subtracting the boottime offset.
> > >
> > > Signed-off-by: Michael Weiß <michael.weiss@xxxxxxxxxxxxxxxxxxx>
> > > ---
> > > kernel/time/timekeeping.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> > > index 4c47f388a83f..67530cdb389e 100644
> > > --- a/kernel/time/timekeeping.c
> > > +++ b/kernel/time/timekeeping.c
> > > @@ -17,6 +17,7 @@
> > > #include <linux/clocksource.h>
> > > #include <linux/jiffies.h>
> > > #include <linux/time.h>
> > > +#include <linux/time_namespace.h>
> > > #include <linux/tick.h>
> > > #include <linux/stop_machine.h>
> > > #include <linux/pvclock_gtod.h>
> > > @@ -2154,6 +2155,8 @@ void getboottime64(struct timespec64 *ts)
> > > {
> > > struct timekeeper *tk = &tk_core.timekeeper;
> > > ktime_t t = ktime_sub(tk->offs_real, tk->offs_boot);
> > > + /* shift boot time stamp according to the timens offset */
> > > + t = timens_ktime_to_host(CLOCK_BOOTTIME, t);
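Review bot: the timens_ktime_to_host(CLOCK_BOOTTIME, t) call added inside getboottime64() makes the returned value depend on the time namespace of whichever task is calling, but getboottime64() is a kernel-internal helper with callers other than the /proc/stat path (net/sunrpc is named in this thread), and those callers would silently start getting a per-namespace value. Consider leaving getboottime64() as it is and applying the offset at the userspace-facing site, show_stat() in fs/proc/stat.c, through a dedicated helper; if the change stays here, the function's documentation or name should say that it is namespace-aware. Style: add a blank line between the declarations and the new comment.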
> >
> > Note that getboottime64() is mostly used in net/sunrpc and I don't know
> > if this change has any security implications for them.
>
> I would prefer to not patch kernel internal functions if they are used
> not only to expose time to the userspace.
>
> I think when kernel developers see the getboottime64 function, they
> will expect that it returns the real time of kernel boot. They will
> not expect that it is aware of time namespaces and a returned time will
> depend on a task in which context it will be called.
>
> IMHO, as a minimum, we need to update the documentation for this function or
> even adjust a function name.
>
> And I think we need to consider an option to not change getboottime64 and
> apply a timens offset right in the show_stat(fs/proc/stat.c) function.

This is why I asked about this since I assumed this would break
someone's use-case. :)

In any case, if I understand correctly then we want the same thing: just
change fs/proc/stat.c i.e. have a specific helper that applies the
correct offset.

Christian
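
A userspace check for the leak discussed in this thread, as an added example that is not part of the original messages or of the kernel tree: it compares `btime` from /proc/stat with the boot time implied by /proc/uptime, so a container operator can see whether the two views disagree. It assumes /proc/uptime already reflects the time namespace boottime offset; the function names and the 2-second slack are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Return the btime value from /proc/stat-formatted text, or -1 if absent. */
long long parse_btime(const char *text)
{
    long long v;
    while (text && *text) {
        /* The literal "btime" only matches at the start of a line. */
        if (sscanf(text, "btime %lld", &v) == 1)
            return v;
        text = strchr(text, '\n');
        if (text)
            text++;
    }
    return -1;
}

/* Boot time implied by the wall clock and the (namespaced) uptime. */
long long boot_from_uptime(long long now, double uptime_s)
{
    return now - (long long)uptime_s;
}

/* 1 if btime and the uptime-derived boot time differ by more than slack s. */
int btime_mismatch(long long btime, long long derived, long long slack)
{
    long long d = btime > derived ? btime - derived : derived - btime;
    return d > slack;
}

int main(void)
{
    char line[512];
    double up = 0;
    long long btime = -1, derived;
    FILE *f = fopen("/proc/stat", "r");

    /* Long lines (intr) arrive in numeric chunks that cannot match "btime". */
    while (f && btime < 0 && fgets(line, sizeof line, f))
        btime = parse_btime(line);
    if (f)
        fclose(f);
    f = fopen("/proc/uptime", "r");
    if (!f || fscanf(f, "%lf", &up) != 1 || btime < 0)
        return 2;
    fclose(f);
    derived = boot_from_uptime((long long)time(NULL), up);
    printf("btime=%lld derived=%lld\n", btime, derived);
    return btime_mismatch(btime, derived, 2); /* exit 1: views disagree */
}
```

Run inside a container that uses a time namespace, an exit status of 1 means /proc/stat still reports a boot time that does not match the namespaced uptime.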