A quick question:

Right now, certain types of credential changes are allowed to diverge for per-thread credentials, but others aren't. For example, RES UID and GIDs are handled, as are additional groups. What are the implications of not making other properties such as jail, audit, and MAC labels per-thread?

Is this change safe without holding the process lock? Historically, p_ucred hasn't been a stable pointer without it.

clearly I overlooked this, I'm going to restore the previous mechanism: thread local storage of the process credential (the old use of td->td_ucred but in a new td->p_ucred)

In D18930#404405, @rwatson wrote:

A quick question:

Right now, certain types of credential changes are allowed to diverge for per-thread credentials, but others aren't. For example, RES UID and GIDs are handled, as are additional groups. What are the implications of not making other properties such as jail, audit, and MAC labels per-thread?

I'm going to need to investigate these subsystems in order to prove there aren't any harmful implications.

I don't have an opinion about the userspace API. It does seem a little bit fishy that there is no tight control from that end. I would expect a fully-privileged daemon to get create a credfd an allow certain uids/gids to be switched to. Then it can drop privs. But again, I did not think this through.

As for the current code, thread_cow_update use to revert threads is an abuse imo. There should be a dedicated func to take care of it, which would also be called by this one.

I think struct thread should get extended -- what's td_ucred in the current kernel should be moved to td_pucred. I.e. td_pucred is a pointer to refed proc credentials. Threads which don't use per-thread creds would happen to have td_ucred == td_pucred. Such an approach would mitigate a lot of complexity. In particular code which reports creds an branche on TD_IS_SUGID can blindly go for td_pucred. This also allows cred testing without grabbing the proc lock. I think this approach is significantly more future-proof as it does not add the new constraint (process lock) to code which needs to check non-sugid creds.

Even without the pointer it would probably be better to

if (!TD_IS_SUGID(td) {
     cred = td->td_ucred;
} else {
     PROC_LOCK(p);
     cred = crhold(p->p_cred);
     PROC_UNLOCK(p);
}
.....

That's an error-prone approach. You should always have separate references for both ucred and pucred.

In D18930#406796, @mjg wrote:

I don't have an opinion about the userspace API. It does seem a little bit fishy that there is no tight control from that end. I would expect a fully-privileged daemon to get create a credfd an allow certain uids/gids to be switched to. Then it can drop privs. But again, I did not think this through.

I'm not sure what you mean by this? To clarify the current design: a root process can set individual thread credentials, and then can drop process credentials, in this case the thread will not be able to revert back its credentials.

So I'm in the process of reviewing this. I don't have a complete review yet, but I do have some comments.

In D18930#409547, @jack_gandi.net wrote:

In D18930#406796, @mjg wrote:

I don't have an opinion about the userspace API. It does seem a little bit fishy that there is no tight control from that end. I would expect a fully-privileged daemon to get create a credfd an allow certain uids/gids to be switched to. Then it can drop privs. But again, I did not think this through.

I'm not sure what you mean by this? To clarify the current design: a root process can set individual thread credentials, and then can drop process credentials, in this case the thread will not be able to revert back its credentials.

I'm saying a better design would have possible credentials ready for use and would tell the thread what to switch to. One way to do it would be to create a new facility -- credential file descriptor. Instead of setcred accepting some numbers, you would accept the fd. There are at least 2 major wins here: 1. creds can be prepared upfront and root privs dropped (assuming the total number of creds is low enough to make it viable) 2. the kernel has all the data allocated so it's a matter of just referencing it. instead of costly construction of new creds, you just td->td_ucred = crhold(newcreds); and of course deref old ones. However, I don't insist on this. Some form of cred caching may be useful here though.

I've tried to justify the current implementation as best I can to see if it can get past the finish line instead of going for a credfd solution (which I don't think I'll have the will to design and implement).
For the credfd solution, I agree with the wins, although I think it would be expensive to prepare everything upfront, also that design doesn't solve the copy-on-write problem you mentioned.

I haven't looked too closely at the actual diff. I assume Eric tagged me into this for some reason, so I'll echo my earlier remarks:

We ended up with special credential file descriptors, rather than using uid_t's and gid_t's directly, because of a need for compatibility with arbitrary Windows LDAP users ("SID"s?) not present in the local id database.

The APIs we use today look like:

663     AUE_NULL        STD     { int modifytcred2(int fd, \
                                    struct native_token *token, \
                                    int flags); }
664     AUE_NULL        STD     { int modifytcred(int fd1, int fd2, \
                                    int flags); }
665     AUE_NULL        STD     { int accesstcred(char *path, int flags, \
                                    int fd); }
666     AUE_NULL        STD     { int buildtcred(struct native_token *token, \
                                    int current); }
667     AUE_NULL        STD     { int gettcred(char *user, int thread); }
668     AUE_NULL        STD     { int settcred(int fd, int flags, \
                                    struct native_token *token); }
669     AUE_NULL        STD     { int reverttcred(void); }
670     AUE_NULL        STD     { int restricttcred(int fd, struct
native_token *token); }

Which lines up with mjg's concern, I think.

To expand on that a bit, struct native_token are constructed in userspace and contain any relevant authorization information. It is associated with a set of userspace manipulation APIs below. Not all of this is necessary relevant to FreeBSD, and it's possible FreeBSD would want to expand (something like) this with MAC label, jail, etc.

/**
 * Native token.
 * Represents the authorization information of a thread.
 *
 * @ingroup native_token
 */
struct native_token {
        u_int            nt_fields;     /* valid fields */
#define NTOKEN_UID         0x00000001
#define NTOKEN_GID         0x00000002
#define NTOKEN_SID         0x00000004
#define NTOKEN_GSID        0x00000008
#define NTOKEN_GROUPS      0x00000010
#define NTOKEN_IPRIVS      0x00000020
#define NTOKEN_LADDR       0x00000040
#define NTOKEN_RADDR       0x00000080
#define NTOKEN_PROTOCOL    0x00000100
#define NTOKEN_ZID         0x00000200
#define NTOKEN_FIELD_MASK  0x000003FF
#define NTOKEN_USEUID      0x00010000
#define NTOKEN_USEGID      0x00020000
#define NTOKEN_DENYIFS     0x00040000
#define NTOKEN_BACKUP      0x00080000   /* Used with ISI_PRIV_IFS_BACKUP */
#define NTOKEN_RESTORE     0x00100000   /* Used with ISI_PRIV_IFS_RESTORE */
#define NTOKEN_FLAG_MASK   0x001F0000
        uid_t            nt_uid;        /* user id */
        struct persona  *nt_sid;        /* user sid */
        gid_t            nt_gid;        /* group id */
        struct persona  *nt_gsid;       /* group sid */
        struct persona **nt_groups;     /* group personae */
        short            nt_ngroups;    /* number of groups */
        struct isi_priv *nt_iprivs;     /* isilon privileges */
        short            nt_niprivs;    /* number of isilon privileges */
        zid_t            nt_zid;        /* zone id */
        struct in6_addr  nt_laddr;      /* local IP address */
        struct in6_addr  nt_raddr;      /* remote client IP address */
        short            nt_protocol;   /* see enum isp_protocol */
};
...
struct native_token * ntoken_get(void) __malloc_like;
void ntoken_clear(struct native_token *token);
void ntoken_free(struct native_token *token);
bool ntoken_extend_groups(struct native_token *token, int ngroups);
bool ntoken_extend_iprivs(struct native_token *token, int niprivs);
struct fmt_conv_ctx native_token_fmt(const struct native_token *p);
struct fmt_conv_ctx native_token_json_fmt(const struct native_token *p);
struct native_token *ntoken_copy(const struct native_token *nt);
bool ntoken_copy_contents(struct native_token *dest, const struct native_token *src);
bool ntoken_copy_partial(struct native_token *token, const struct native_token *nt, uint32_t fields);
/**
 * Compare two tokens. @a nt2 matches @a nt1 if all fields in @a nt1 match
 * those in @a nt2.  @a nt2 might have more fields defined than @a nt1
 */
bool ntoken_matches(const struct native_token *nt1,
    const struct native_token *nt2);
bool ntoken_equal(const struct native_token *nt1,
    const struct native_token *nt2);

/**
 * Convert a fd credential into a native token
 * @ingroup native_token
 */
struct native_token *fd_to_ntoken(int fd);

(IPv4 IPs are v4mapped into the in6 laddr/raddr; fmt_print() is basically sbuf, but fmt_conv_ctx is a nice extension allowing structure formatting of sorts with %{}.)

Hello FreeBSD maintainers,

I'm not employed at Gandi anymore so I haven't been working on this patch, and have no intention to in the future. You can close this revision. However, It would be nice to keep the revision public so the next person working on per-thread credentials can draw inspiration and maybe choose a different implementation.

Thank you for taking the time to review this, and for merging the other patches that got through! farewell