From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754912AbcGLR3j (ORCPT ); Tue, 12 Jul 2016 13:29:39 -0400 Received: from mail-lf0-f65.google.com ([209.85.215.65]:35002 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754245AbcGLR3i (ORCPT ); Tue, 12 Jul 2016 13:29:38 -0400 Date: Tue, 12 Jul 2016 20:29:33 +0300 From: Cyrill Gorcunov To: "Eric W. Biederman" Cc: Stanislav Kinsburskiy , peterz@infradead.org, mingo@redhat.com, mhocko@suse.com, keescook@chromium.org, linux-kernel@vger.kernel.org, mguzik@redhat.com, bsegall@google.com, john.stultz@linaro.org, oleg@redhat.com, matthltc@us.ibm.com, akpm@linux-foundation.org, luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link Message-ID: <20160712172933.GE3661@uranus.lan> References: <20160712152940.24895.61315.stgit@localhost.localdomain> <20160712164800.GD3661@uranus.lan> <87inwa2406.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87inwa2406.fsf@x220.int.ebiederm.org> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 12, 2016 at 11:52:09AM -0500, Eric W. Biederman wrote: > > > > Persistent exe-link doesn't guarantee anything if you have rights to ptrace > > task and inject own code into (from security POV). So lets rip it out. > > > > Acked-by: Cyrill Gorcunov > > I believe the original concern was someone injecting a code into a > process and playing silly buggers with the exe link. Someone who does > not have ptrace capability. If you manage to inject code into a process, that's all, you're compromised, preventing changing exe-link several times wont help much I fear. Current limit -- one may change it once, Stas' patch simply removes this limitation. The ability to change it only _once_ may be suitable for some kind of monitor daemon I guess but this monitor should detect any change in exe-link state and notify node's admin, otherwise it's simply useless. > It is completely not ok to change this until someone goes back to the > original conversation and looks at the original threat model, and > refutes it.