From: Frederic Weisbecker <frederic@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Ingo Molnar <mingo@kernel.org>,
Kees Cook <keescook@chromium.org>
Subject: Re: [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening
Date: Thu, 5 Sep 2019 17:21:57 +0200 [thread overview]
Message-ID: <20190905152156.GC18251@lenoir> (raw)
In-Reply-To: <alpine.DEB.2.21.1909051650030.1902@nanos.tec.linutronix.de>
On Thu, Sep 05, 2019 at 04:57:10PM +0200, Thomas Gleixner wrote:
> On Thu, 5 Sep 2019, Frederic Weisbecker wrote:
> > On Thu, Sep 05, 2019 at 02:03:39PM +0200, Thomas Gleixner wrote:
> > > Sysbot triggered an issue in the posix timer rework which was trivial to
> > > fix, but after running another test case I discovered that the rework broke
> > > the permission checks subtly. That's also a straightforward fix.
> > >
> > > Though when staring at it I discovered that the permission checks for
> > > process clocks and process timers are completely bonkers. The only
> > > requirement is that the target PID is a group leader. Which means that any
> > > process can read the clocks and attach timers to any other process without
> > > priviledge restrictions.
> > >
> > > That's just wrong because the clocks and timers can be used to observe
> > > behaviour and both reading the clocks and arming timers adds overhead and
> > > influences runtime performance of the target process.
> >
> > Yeah I stumbled upon that by the past and found out the explanation behind
> > in old history: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/kernel/posix-cpu-timers.c?id=a78331f2168ef1e67b53a0f8218c70a19f0b2a4c
> >
> > "This makes no constraint on who can see whose per-process clocks. This
> > information is already available for the VIRT and PROF (i.e. utime and stime)
> > information via /proc. I am open to suggestions on if/how security
> > constraints on who can see whose clocks should be imposed."
> >
> > I'm all for mitigating that, let's just hope that won't break some ABIs.
>
> Well, reading clocks is one part of the issue. Arming timers on any process
> is a different story.
Exactly!
>
> Also /proc/$PID access can be restricted nowadays. So that posic clock
> stuff should at least have exactly the same restrictions.
Yeah definetly.
>
> Thanks,
>
> tglx
>
next prev parent reply other threads:[~2019-09-05 15:22 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-05 12:03 [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening Thomas Gleixner
2019-09-05 12:03 ` [patch 1/6] posix-cpu-timers: Always clear head pointer on dequeue Thomas Gleixner
2019-09-05 15:49 ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 2/6] posix-cpu-timers: Fix permission check regression Thomas Gleixner
2019-09-05 17:31 ` Frederic Weisbecker
2019-09-05 18:55 ` Thomas Gleixner
2019-09-05 21:15 ` [patch V2 " Thomas Gleixner
2019-09-09 15:13 ` Frederic Weisbecker
2019-09-10 11:18 ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2019-09-05 12:03 ` [patch 3/6] posix-cpu-timers: Restrict timer_create() permissions Thomas Gleixner
2019-09-21 0:44 ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 4/6] posix-cpu-timers: Restrict clock_gettime() permissions Thomas Gleixner
2019-09-23 13:39 ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 5/6] posix-cpu-timers: Sanitize thread clock permissions Thomas Gleixner
2019-09-05 12:21 ` Peter Zijlstra
2019-09-05 14:11 ` Thomas Gleixner
2019-09-23 14:03 ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 6/6] posix-cpu-timers: Make PID=0 and PID=self handling consistent Thomas Gleixner
2019-09-23 14:13 ` Frederic Weisbecker
2019-09-23 14:17 ` Thomas Gleixner
2019-09-05 14:48 ` [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening Frederic Weisbecker
2019-09-05 14:57 ` Thomas Gleixner
2019-09-05 15:21 ` Frederic Weisbecker [this message]
2019-09-05 20:32 ` Kees Cook
2019-09-05 21:13 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190905152156.GC18251@lenoir \
--to=frederic@kernel.org \
--cc=fweisbec@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).