From: Tycho Andersen <tycho@tycho.ws>
To: Daniel Colascione <dancol@google.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
Tim Murray <timmurray@google.com>,
Joel Fernandes <joelaf@google.com>,
Suren Baghdasaryan <surenb@google.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Christian Brauner <christian.brauner@canonical.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: [PATCH v3] Implement /proc/pid/kill
Date: Wed, 31 Oct 2018 12:17:17 -0600 [thread overview]
Message-ID: <20181031181717.GD2180@cisco> (raw)
In-Reply-To: <CAKOZuevrFxWLY1J1DVPNGaEy8UbkD1r_M9T9FQTOtSrqp-G0qw@mail.gmail.com>
On Wed, Oct 31, 2018 at 06:00:49PM +0000, Daniel Colascione wrote:
> On Wed, Oct 31, 2018 at 5:54 PM, Tycho Andersen <tycho@tycho.ws> wrote:
> > Why not just use an ioctl() like Jann suggested instead of this big
> > security check? Then we avoid the whole setuid writer thing entirely,
>
> Don't you think a system call would be better than a new ioctl?
We already have a kill() system call :)
> With either an ioctl or a new system call, though, the shell would
> need a helper program to use the facility, whereas with the existing
> approach, the shell can use the new facility without any additional
> binaries.
...and a binary to use it!
The nice thing about an ioctl is that it avoids this class of attacks
entirely.
> > and we can pass the fd around if we want to.
>
> You can pass the FD around today --- specifically, you just pass the
> /proc/pid directory FD, not the /proc/pid/kill FD. The /proc/pid
> directory FD acts as a process handle. (It's literally a reference to
> a struct pid.) Anyone who receives one of these process handle FDs and
> who wants to use the corresponding kill file can open the kill fd with
> openat(2). What you can't do is pass the /proc/pid/kill FD to another
> security context and use it, but when would you ever want to do that?
Perhaps I don't have a good imagination, because it's not clear to me
when I'd ever use this from a shell instead of the kill binary,
either. Using this from the shell is still racy, because if I do
something like:
echo 9 > /proc/$pid/kill
There's exactly the same race that there is with kill, that $pid might
be something else. Of course I could do some magic with bind mounts or
my pwd or something to keep it alive, but I can already do that today
with kill.
I can understand the desire to have a race free way to do this, but
"it must use write(2)" seems a little unnecessary, given that the
shell use case isn't particularly convincing to me.
Tycho
next prev parent reply other threads:[~2018-10-31 18:17 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 22:10 [RFC PATCH] Implement /proc/pid/kill Daniel Colascione
2018-10-30 3:21 ` Joel Fernandes
2018-10-30 8:50 ` Daniel Colascione
2018-10-30 10:39 ` Christian Brauner
2018-10-30 10:40 ` Christian Brauner
2018-10-30 10:48 ` Daniel Colascione
2018-10-30 11:04 ` Christian Brauner
2018-10-30 11:12 ` Daniel Colascione
2018-10-30 11:19 ` Christian Brauner
2018-10-31 5:00 ` Eric W. Biederman
2018-10-30 17:01 ` Joel Fernandes
2018-10-30 5:00 ` Aleksa Sarai
2018-10-30 9:05 ` Daniel Colascione
2018-10-30 20:45 ` Aleksa Sarai
2018-10-30 21:42 ` Joel Fernandes
2018-10-30 22:23 ` Aleksa Sarai
2018-10-30 22:33 ` Joel Fernandes
2018-10-30 22:49 ` Aleksa Sarai
2018-10-31 0:42 ` Joel Fernandes
2018-10-31 1:59 ` Daniel Colascione
2018-10-30 23:10 ` Daniel Colascione
2018-10-30 23:23 ` Christian Brauner
2018-10-30 23:55 ` Daniel Colascione
2018-10-31 2:56 ` Aleksa Sarai
2018-10-31 4:24 ` Joel Fernandes
2018-11-01 20:40 ` Joel Fernandes
2018-11-02 9:46 ` Christian Brauner
2018-11-02 14:34 ` Serge E. Hallyn
2018-10-31 0:57 ` Joel Fernandes
2018-10-31 1:56 ` Daniel Colascione
2018-10-31 4:47 ` Eric W. Biederman
2018-10-31 4:44 ` Eric W. Biederman
2018-10-31 12:44 ` Oleg Nesterov
2018-10-31 13:27 ` Daniel Colascione
2018-10-31 15:10 ` Oleg Nesterov
2018-10-31 15:16 ` Daniel Colascione
2018-10-31 15:49 ` Oleg Nesterov
2018-11-01 11:53 ` David Laight
2018-11-01 15:50 ` Daniel Colascione
2018-10-31 14:37 ` [PATCH v2] " Daniel Colascione
2018-10-31 15:05 ` Joel Fernandes
2018-10-31 17:33 ` Aleksa Sarai
2018-10-31 21:47 ` Joel Fernandes
2018-10-31 15:59 ` [PATCH v3] " Daniel Colascione
2018-10-31 17:54 ` Tycho Andersen
2018-10-31 18:00 ` Daniel Colascione
2018-10-31 18:17 ` Tycho Andersen [this message]
2018-10-31 19:33 ` Daniel Colascione
2018-10-31 20:06 ` Tycho Andersen
2018-11-01 11:33 ` David Laight
2018-11-12 1:19 ` Eric W. Biederman
2018-10-31 16:22 ` [RFC PATCH] " Jann Horn
2018-11-01 4:53 ` Andy Lutomirski
2018-11-12 23:13 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181031181717.GD2180@cisco \
--to=tycho@tycho.ws \
--cc=christian.brauner@canonical.com \
--cc=cyphar@cyphar.com \
--cc=dancol@google.com \
--cc=ebiederm@xmission.com \
--cc=joelaf@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=surenb@google.com \
--cc=timmurray@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.