From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750905AbeAPVNr (ORCPT + 1 other); Tue, 16 Jan 2018 16:13:47 -0500 Received: from mx1.redhat.com ([209.132.183.28]:37246 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750750AbeAPVNp (ORCPT ); Tue, 16 Jan 2018 16:13:45 -0500 Date: Tue, 16 Jan 2018 22:13:41 +0100 From: Oleg Nesterov To: Kirill Tkhai Cc: linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, jslaby@suse.com, viro@zeniv.linux.org.uk, keescook@chromium.org, serge@hallyn.com, james.l.morris@oracle.com, luto@kernel.org, john.johansen@canonical.com, mingo@kernel.org, akpm@linux-foundation.org, mhocko@suse.com, peterz@infradead.org Subject: Re: [PATCH 3/4] tty: Iterate only thread group leaders in __do_SAK() Message-ID: <20180116211341.GA4008@redhat.com> References: <151568564127.6090.3546718160925256054.stgit@localhost.localdomain> <151568582337.6090.931248807289363396.stgit@localhost.localdomain> <20180111183412.GA18725@redhat.com> <9a854275-7a72-fc54-99fa-66161732fbf9@virtuozzo.com> <50c23f46-f4ad-b6c8-b7bc-0a8d8449c62f@virtuozzo.com> <20180112164234.GA21532@redhat.com> <20180115205106.GA30922@redhat.com> <7a97e041-0079-54fb-165b-f3d3506bccfd@virtuozzo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7a97e041-0079-54fb-165b-f3d3506bccfd@virtuozzo.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 16 Jan 2018 21:13:45 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On 01/16, Kirill Tkhai wrote: > > On 15.01.2018 23:51, Oleg Nesterov wrote: > > > >> kill: > >> - force_sig(SIGKILL, p); > >> + send_sig(SIGKILL, p, 1); > > > > Agreed, I didn't actually want to use force_sig(SIGKILL), copy-and-paste error. > > force_sig() is still safe under tasklist_lock as release_task() unhashes a task > from the lists and destroys sighand at the same time under it. So, it seems > there is no a problem :) I didn't mean it is unsafe. The problem is that force_sig() replaced send_sig() to avoid tasklist_lock which we no longer take in send-signal paths. Another problem is that it differs from send_sig(SIGKILL) used in other places and this difference (ability to kill SIGNAL_UNKILLABLE tasks) was added by accident, that was my point. > Anyway, we could use send_sig_info(SIGKILL, SEND_SIG_FORCED, p) instead of that > in the patch like you suggested below. Probably, but this needs another/separate change. > Also we skip global init on session iteration. This could be useful for debugging, > when init is "/bin/bash" and some task started on top of bash is hunged. We will need this only after we use SEND_SIG_FORCED, send_sig(SIGKILL) won't kill init. > > This looks strange, and probably unintentional. So it seems yoou should start > > with "revert 20ac94378 [PATCH] do_SAK: Don't recursively take the tasklist_lock" ? > > The original reason for that commit has gone a long ago. > > If we revert it, lock_task_sighand() will be nested with task_lock(). This is safe. lock_task_sighand() is irq-safe (just like ->siglock) and it is actually used in irqs. Thus it is safe to use it under task_lock() which doesn't disable irqs. And, > Yeah, it's not for > a long time, next commit will change that. Yes, there is no reason to send SIGKILL under task_lock(). > > At the same time, I do not know if we actually want to kill sub-namespace inits > > or not. If yes, we can use SEND_SIG_FORCED (better than ugly force_sig()) but > > skip the global init. But this will need yet another change. > > From https://www.kernel.org/doc/Documentation/SAK.txt: > > "An operating system's Secure Attention Key is a security tool which is > provided as protection against trojan password capturing programs. It > is an undefeatable way of killing all programs which could be > masquerading as login applications" > > It seems, since not privileged user is able to create pid_ns to start > a "trojan password capturing program", we have to kill sub-namespace inits too. Agreed, that is why I suggested SEND_SIG_FORCED. However. this is the user-visible change and who knows, perhaps it is too late to change the current behaviour. So I think we should do this after cleanups, this way we can easily revert it later in (unlikely) case someone complains. But, Kirill, this is up to you, I won't insist. Oleg.