From: Jann Horn <jannh@google.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: Andrei Vagin <avagin@gmail.com>,
kernel list <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-um@lists.infradead.org, criu@openvz.org,
Andrei Vagin <avagin@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Ingo Molnar <mingo@redhat.com>, Jeff Dike <jdike@addtoit.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Richard Weinberger <richard@nod.at>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 0/4 POC] Allow executing code and syscalls in another address space
Date: Wed, 14 Apr 2021 13:24:30 +0200 [thread overview]
Message-ID: <CAG48ez2z0a4x2GfHv9L0HmO1-uzsKtfOF40erPb8ADR-m+itbg@mail.gmail.com> (raw)
In-Reply-To: <87blahb1pr.fsf@oldenburg.str.redhat.com>
On Wed, Apr 14, 2021 at 12:27 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Andrei Vagin:
>
> > We already have process_vm_readv and process_vm_writev to read and write
> > to a process memory faster than we can do this with ptrace. And now it
> > is time for process_vm_exec that allows executing code in an address
> > space of another process. We can do this with ptrace but it is much
> > slower.
> >
> > = Use-cases =
>
> We also have some vaguely related within the same address space: running
> code on another thread, without modifying its stack, while it has signal
> handlers blocked, and without causing system calls to fail with EINTR.
> This can be used to implement certain kinds of memory barriers.
That's what the membarrier() syscall is for, right? Unless you don't
want to register all threads for expedited membarrier use?
> It is
> also necessary to implement set*id with POSIX semantics in userspace.
> (Linux only changes the current thread credentials, POSIX requires
> process-wide changes.) We currently use a signal for set*id, but it has
> issues (it can be blocked, the signal could come from somewhere, etc.).
> We can't use signals for barriers because of the EINTR issue, and
> because the signal context is stored on the stack.
This essentially becomes a question of "how much is set*id allowed to
block and what level of guarantee should there be by the time it
returns that no threads will perform privileged actions anymore after
it returns", right?
Like, if some piece of kernel code grabs a pointer to the current
credentials or acquires a temporary reference to some privileged
resource, then blocks on reading an argument from userspace, and then
performs a privileged action using the previously-grabbed credentials
or resource, what behavior do you want? Should setuid() block until
that privileged action has completed? Should it abort that action
(which is kinda what you get with the signals approach)? Should it
just return immediately even though an attacker who can write to
process memory at that point might still be able to influence a
privileged operation that hasn't read all its inputs yet? Should the
kernel be designed to keep track of whether it is currently holding a
privileged resource? Or should the kernel just specifically permit
credential changes in specific places where it is known that a task
might block for a long time and it is not holding any privileged
resources (kinda like the approach taken for freezer stuff)?
If userspace wants multithreaded setuid() without syscall aborting,
things get gnarly really fast; and having an interface to remotely
perform operations under another task's context isn't really relevant
to the core problem here, I think.
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: Andrei Vagin <avagin@gmail.com>,
kernel list <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-um@lists.infradead.org, criu@openvz.org,
Andrei Vagin <avagin@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Ingo Molnar <mingo@redhat.com>, Jeff Dike <jdike@addtoit.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Richard Weinberger <richard@nod.at>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 0/4 POC] Allow executing code and syscalls in another address space
Date: Wed, 14 Apr 2021 13:24:30 +0200 [thread overview]
Message-ID: <CAG48ez2z0a4x2GfHv9L0HmO1-uzsKtfOF40erPb8ADR-m+itbg@mail.gmail.com> (raw)
In-Reply-To: <87blahb1pr.fsf@oldenburg.str.redhat.com>
On Wed, Apr 14, 2021 at 12:27 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Andrei Vagin:
>
> > We already have process_vm_readv and process_vm_writev to read and write
> > to a process memory faster than we can do this with ptrace. And now it
> > is time for process_vm_exec that allows executing code in an address
> > space of another process. We can do this with ptrace but it is much
> > slower.
> >
> > = Use-cases =
>
> We also have some vaguely related within the same address space: running
> code on another thread, without modifying its stack, while it has signal
> handlers blocked, and without causing system calls to fail with EINTR.
> This can be used to implement certain kinds of memory barriers.
That's what the membarrier() syscall is for, right? Unless you don't
want to register all threads for expedited membarrier use?
> It is
> also necessary to implement set*id with POSIX semantics in userspace.
> (Linux only changes the current thread credentials, POSIX requires
> process-wide changes.) We currently use a signal for set*id, but it has
> issues (it can be blocked, the signal could come from somewhere, etc.).
> We can't use signals for barriers because of the EINTR issue, and
> because the signal context is stored on the stack.
This essentially becomes a question of "how much is set*id allowed to
block and what level of guarantee should there be by the time it
returns that no threads will perform privileged actions anymore after
it returns", right?
Like, if some piece of kernel code grabs a pointer to the current
credentials or acquires a temporary reference to some privileged
resource, then blocks on reading an argument from userspace, and then
performs a privileged action using the previously-grabbed credentials
or resource, what behavior do you want? Should setuid() block until
that privileged action has completed? Should it abort that action
(which is kinda what you get with the signals approach)? Should it
just return immediately even though an attacker who can write to
process memory at that point might still be able to influence a
privileged operation that hasn't read all its inputs yet? Should the
kernel be designed to keep track of whether it is currently holding a
privileged resource? Or should the kernel just specifically permit
credential changes in specific places where it is known that a task
might block for a long time and it is not holding any privileged
resources (kinda like the approach taken for freezer stuff)?
If userspace wants multithreaded setuid() without syscall aborting,
things get gnarly really fast; and having an interface to remotely
perform operations under another task's context isn't really relevant
to the core problem here, I think.
_______________________________________________
linux-um mailing list
linux-um@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-um
next prev parent reply other threads:[~2021-04-14 11:25 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-14 5:52 [PATCH 0/4 POC] Allow executing code and syscalls in another address space Andrei Vagin
2021-04-14 5:52 ` Andrei Vagin
2021-04-14 5:52 ` [PATCH 1/4] signal: add a helper to restore a process state from sigcontex Andrei Vagin
2021-04-14 5:52 ` Andrei Vagin
2021-04-14 5:52 ` [PATCH 2/4] arch/x86: implement the process_vm_exec syscall Andrei Vagin
2021-04-14 5:52 ` Andrei Vagin
2021-04-14 17:09 ` Oleg Nesterov
2021-04-14 17:09 ` Oleg Nesterov
2021-04-23 6:59 ` Andrei Vagin
2021-04-23 6:59 ` Andrei Vagin
2021-06-28 16:13 ` Jann Horn
2021-06-28 16:13 ` Jann Horn
2021-06-28 16:30 ` Andy Lutomirski
2021-06-28 17:14 ` Jann Horn
2021-06-28 17:14 ` Jann Horn
2021-06-28 18:18 ` Eric W. Biederman
2021-06-28 18:18 ` Eric W. Biederman
2021-06-29 1:01 ` Andrei Vagin
2021-06-29 1:01 ` Andrei Vagin
2021-07-02 6:22 ` Andrei Vagin
2021-07-02 6:22 ` Andrei Vagin
2021-07-02 11:51 ` Jann Horn
2021-07-02 11:51 ` Jann Horn
2021-07-02 11:51 ` Jann Horn
2021-07-02 20:40 ` Andy Lutomirski
2021-07-02 20:40 ` Andy Lutomirski
2021-07-02 8:51 ` Peter Zijlstra
2021-07-02 8:51 ` Peter Zijlstra
2021-07-02 22:21 ` Andrei Vagin
2021-07-02 22:21 ` Andrei Vagin
2021-07-02 20:56 ` Jann Horn
2021-07-02 20:56 ` Jann Horn
2021-07-02 22:48 ` Andrei Vagin
2021-07-02 22:48 ` Andrei Vagin
2021-04-14 5:52 ` [PATCH 3/4] arch/x86: allow to execute syscalls via process_vm_exec Andrei Vagin
2021-04-14 5:52 ` Andrei Vagin
2021-04-14 5:52 ` [PATCH 4/4] selftests: add tests for process_vm_exec Andrei Vagin
2021-04-14 5:52 ` Andrei Vagin
2021-04-14 6:46 ` [PATCH 0/4 POC] Allow executing code and syscalls in another address space Jann Horn
2021-04-14 6:46 ` Jann Horn
2021-04-14 22:10 ` Andrei Vagin
2021-04-14 22:10 ` Andrei Vagin
2021-07-02 6:57 ` Andrei Vagin
2021-07-02 6:57 ` Andrei Vagin
2021-07-02 15:12 ` Jann Horn
2021-07-02 15:12 ` Jann Horn
2021-07-02 15:12 ` Jann Horn
2021-07-18 0:38 ` Andrei Vagin
2021-07-18 0:38 ` Andrei Vagin
2021-04-14 7:22 ` Anton Ivanov
2021-04-14 7:22 ` Anton Ivanov
2021-04-14 7:34 ` Johannes Berg
2021-04-14 7:34 ` Johannes Berg
2021-04-14 9:24 ` Benjamin Berg
2021-04-14 9:24 ` Benjamin Berg
2021-04-14 10:27 ` Florian Weimer
2021-04-14 10:27 ` Florian Weimer
2021-04-14 11:24 ` Jann Horn [this message]
2021-04-14 11:24 ` Jann Horn
2021-04-14 12:20 ` Florian Weimer
2021-04-14 12:20 ` Florian Weimer
2021-04-14 13:58 ` Jann Horn
2021-04-14 13:58 ` Jann Horn
2021-04-16 19:29 ` Kirill Smelkov
2021-04-16 19:29 ` Kirill Smelkov
2021-04-17 16:28 ` sbaugh
2021-04-17 16:28 ` sbaugh
2021-07-02 22:44 ` Andy Lutomirski
2021-07-02 22:44 ` Andy Lutomirski
2021-07-18 1:34 ` Andrei Vagin
2021-07-18 1:34 ` Andrei Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez2z0a4x2GfHv9L0HmO1-uzsKtfOF40erPb8ADR-m+itbg@mail.gmail.com \
--to=jannh@google.com \
--cc=0x7f454c46@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=anton.ivanov@cambridgegreys.com \
--cc=avagin@gmail.com \
--cc=avagin@google.com \
--cc=christian.brauner@ubuntu.com \
--cc=criu@openvz.org \
--cc=fweimer@redhat.com \
--cc=jdike@addtoit.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=richard@nod.at \
--cc=rppt@linux.ibm.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.