From: Christian Brauner <christian@brauner.io>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: ebiederm@xmission.com, linux-kernel@vger.kernel.org,
serge@hallyn.com, jannh@google.com, luto@kernel.org,
akpm@linux-foundation.org, oleg@redhat.com,
viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
linux-api@vger.kernel.org, dancol@google.com,
timmurray@google.com, linux-man@vger.kernel.org,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v1 2/2] signal: add procfd_signal() syscall
Date: Mon, 19 Nov 2018 21:55:20 +0100 [thread overview]
Message-ID: <20181119205518.btew3vxwgva4w3zh@brauner.io> (raw)
In-Reply-To: <20181119202857.k5zw742xjfrw677j@yavin>
On Tue, Nov 20, 2018 at 07:28:57AM +1100, Aleksa Sarai wrote:
> On 2018-11-19, Christian Brauner <christian@brauner.io> wrote:
> > + if (info) {
> > + ret = __copy_siginfo_from_user(sig, &kinfo, info);
> > + if (unlikely(ret))
> > + goto err;
> > + /*
> > + * Not even root can pretend to send signals from the kernel.
> > + * Nor can they impersonate a kill()/tgkill(), which adds
> > + * source info.
> > + */
> > + ret = -EPERM;
> > + if ((kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL) &&
> > + (task_pid(current) != pid))
> > + goto err;
> > + } else {
> > + prepare_kill_siginfo(sig, &kinfo);
> > + }
>
> I wonder whether we should also have a pidns restriction here, since
> currently it isn't possible for a container process using a pidns to
> signal processes outside its pidns. AFAICS, this isn't done through an
> explicit check -- it's a side-effect of processes in a pidns not being
> able to address non-descendant-pidns processes.
>
> But maybe it's reasonable to allow sending a procfd to a different pidns
> and the same operations working on it? If we extend the procfd API to
No, I don't think so. I really don't want any fancy semantics in here.
Fancy doesn't get merged and fancy is hard to maintain. So we should do
something like:
if (proc_pid_ns() != current_pid_ns)
return EINVAL
> allow process creation this would allow a container to create a process
> outside its pidns.
>
> --
> Aleksa Sarai
> Senior Software Engineer (Containers)
> SUSE Linux GmbH
> <https://www.cyphar.com/>
next prev parent reply other threads:[~2018-11-19 20:55 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-19 10:32 [PATCH v1 0/2] proc: allow signaling processes via file descriptors Christian Brauner
2018-11-19 10:32 ` [PATCH v1 1/2] proc: get process file descriptor from /proc/<pid> Christian Brauner
2018-11-19 15:32 ` Andy Lutomirski
2018-11-19 18:20 ` Christian Brauner
2018-11-19 10:32 ` [PATCH v1 2/2] signal: add procfd_signal() syscall Christian Brauner
2018-11-19 15:45 ` Andy Lutomirski
2018-11-19 15:57 ` Daniel Colascione
2018-11-19 18:39 ` Christian Brauner
2018-11-19 15:59 ` Daniel Colascione
2018-11-19 18:29 ` Christian Brauner
2018-11-19 19:02 ` Eric W. Biederman
2018-11-19 19:31 ` Christian Brauner
2018-11-19 19:39 ` Daniel Colascione
2018-11-19 17:10 ` Eugene Syromiatnikov
2018-11-19 18:23 ` Christian Brauner
2018-11-19 17:14 ` Eugene Syromiatnikov
2018-11-19 20:28 ` Aleksa Sarai
2018-11-19 20:55 ` Christian Brauner [this message]
2018-11-19 21:13 ` Christian Brauner
2018-11-19 21:18 ` Aleksa Sarai
2018-11-19 21:20 ` Christian Brauner
2018-11-19 21:21 ` Christian Brauner
2018-11-19 21:25 ` Aleksa Sarai
2018-11-19 21:26 ` Daniel Colascione
2018-11-19 21:36 ` Aleksa Sarai
2018-11-19 21:37 ` Christian Brauner
2018-11-19 21:41 ` Daniel Colascione
2018-11-20 4:59 ` Eric W. Biederman
2018-11-20 10:31 ` Christian Brauner
2018-11-21 21:39 ` Serge E. Hallyn
2018-11-19 21:23 ` Aleksa Sarai
2018-11-22 7:41 ` Serge E. Hallyn
2018-11-19 22:39 ` Tycho Andersen
2018-11-19 22:49 ` Daniel Colascione
2018-11-19 23:07 ` Tycho Andersen
2018-11-20 0:27 ` Andy Lutomirski
2018-11-20 0:32 ` Christian Brauner
2018-11-20 0:34 ` Andy Lutomirski
2018-11-20 0:49 ` Daniel Colascione
2018-11-22 7:48 ` Serge E. Hallyn
2018-11-19 23:35 ` kbuild test robot
2018-11-19 23:35 ` kbuild test robot
2018-11-19 23:37 ` kbuild test robot
2018-11-19 23:37 ` kbuild test robot
2018-11-19 23:45 ` Christian Brauner
2018-11-28 21:45 ` Joey Pabalinas
2018-11-28 22:05 ` Christian Brauner
2018-11-28 23:02 ` Joey Pabalinas
2018-11-19 10:32 ` [PATCH] procfd_signal.2: document procfd_signal syscall Christian Brauner
2018-11-20 13:29 ` Michael Kerrisk (man-pages)
2018-11-28 20:59 ` Florian Weimer
2018-11-28 21:12 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181119205518.btew3vxwgva4w3zh@brauner.io \
--to=christian@brauner.io \
--cc=akpm@linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=dancol@google.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=timmurray@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.