Re: [PATCH v3 0/8] Various fixes related to ptrace_may_access()

From: Jann Horn <jann@thejh.net>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Roland McGrath <roland@hack.frob.com>,
	John Johansen <john.johansen@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Paul Moore <aul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Janis Danisevskis <jdanis@google.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Benjamin LaHaise <bcrl@kvack.org>,
	Ben Hutchings <ben@decadent.org.uk>,
	Andy Lutomirski <luto@amacapital.net>,
	Krister Johansen <kjlx@templeofstupid.com>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	"security@kernel.org" <security@kernel.org>
Subject: Re: [PATCH v3 0/8] Various fixes related to ptrace_may_access()
Date: Wed, 2 Nov 2016 22:40:34 +0100	[thread overview]
Message-ID: <20161102214034.GG8196@pc.thejh.net> (raw)
In-Reply-To: <20161102183826.GD1112@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

On Wed, Nov 02, 2016 at 07:38:26PM +0100, Oleg Nesterov wrote:
> On 11/01, Linus Torvalds wrote:
> >
> > Oleg, you're really the obvious maintainer choice at least for some of
> > this,
> 
> Well. I still disagree with 1/8, I think we need to fix and cleanup
> the usage of cred_guard_mutex we already have. And to me the additional
> complications added by, say, 4/8 make no sense, we can make a much more
> simple change to avoid this leak "in practice".
> 
> But. I never pretended I understand the security problems. So I won't
> really argue with these changes.

No, I think it's good that you make me think about this stuff properly.
And I do sometimes get overzealous with trying to do thing "completely
correctly".

See the mail I sent earlier today for my opinion on the deadlocking
potential related to 1/8. Basically, I think that my patch doesn't make
things worse and makes subsequent cleanup work, which should fix most
of the current deadlocking trouble, easier. I think that the remaining
edcecase (concurrent PTRACE_ATTACH and execve) would be at least hard
to fix, maybe even unfixable without API changes.
If anyone has ideas on how we could completely prevent userspace from
deadlocking itself there without changing the ABI, please speak up.
Does that make sense? If so, do you want a
cred_guard_mutex->cred_guard_light conversion in this series or
afterwards?

Regarding 4/8, see the other message I just sent.

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]