From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751116AbcGLVms (ORCPT ); Tue, 12 Jul 2016 17:42:48 -0400 Received: from mail-lf0-f41.google.com ([209.85.215.41]:35426 "EHLO mail-lf0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750784AbcGLVmq (ORCPT ); Tue, 12 Jul 2016 17:42:46 -0400 Date: Wed, 13 Jul 2016 00:42:26 +0300 From: Cyrill Gorcunov To: "Eric W. Biederman" Cc: Stanislav Kinsburskiy , peterz@infradead.org, mingo@redhat.com, mhocko@suse.com, keescook@chromium.org, linux-kernel@vger.kernel.org, mguzik@redhat.com, bsegall@google.com, john.stultz@linaro.org, oleg@redhat.com, matthltc@us.ibm.com, akpm@linux-foundation.org, luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link Message-ID: <20160712214226.GF3661@uranus.lan> References: <20160712152940.24895.61315.stgit@localhost.localdomain> <20160712164800.GD3661@uranus.lan> <87inwa2406.fsf@x220.int.ebiederm.org> <20160712172933.GE3661@uranus.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160712172933.GE3661@uranus.lan> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 12, 2016 at 08:29:33PM +0300, Cyrill Gorcunov wrote: > On Tue, Jul 12, 2016 at 11:52:09AM -0500, Eric W. Biederman wrote: > > > > > > Persistent exe-link doesn't guarantee anything if you have rights to ptrace > > > task and inject own code into (from security POV). So lets rip it out. > > > > > > Acked-by: Cyrill Gorcunov > > > > I believe the original concern was someone injecting a code into a > > process and playing silly buggers with the exe link. Someone who does > > not have ptrace capability. > > If you manage to inject code into a process, that's all, you're > compromised, preventing changing exe-link several times wont help > much I fear. Current limit -- one may change it once, Stas' patch > simply removes this limitation. The ability to change it only _once_ > may be suitable for some kind of monitor daemon I guess but this > monitor should detect any change in exe-link state and notify > node's admin, otherwise it's simply useless. > > > It is completely not ok to change this until someone goes back to the > > original conversation and looks at the original threat model, and > > refutes it. Btw, if the persistency of exe link is _that_ important (in which I'm really doubting) we always can use some of sysctl flag on host which would control it [by default it might be turned off but for those who really rely on exelink status, for some reason, the sysctl might be set up and prevent any exelink modification].