All of lore.kernel.org
 help / color / mirror / Atom feed
From: ebiederm@xmission.com (Eric W. Biederman)
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>,
	peterz@infradead.org, mingo@redhat.com, mhocko@suse.com,
	keescook@chromium.org, linux-kernel@vger.kernel.org,
	mguzik@redhat.com, bsegall@google.com, john.stultz@linaro.org,
	oleg@redhat.com, matthltc@us.ibm.com, akpm@linux-foundation.org,
	luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Date: Mon, 25 Jul 2016 14:56:43 -0500	[thread overview]
Message-ID: <87a8h58pac.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20160725192242.GA26208@uranus> (Cyrill Gorcunov's message of "Mon, 25 Jul 2016 22:22:42 +0300")

Cyrill Gorcunov <gorcunov@gmail.com> writes:

> On Mon, Jul 25, 2016 at 01:21:51PM -0500, Eric W. Biederman wrote:
>> Stanislav Kinsburskiy <skinsbursky@virtuozzo.com> writes:
>> 
>> > Gentlemen,
>> >
>> > Looks like there are no objections to this patch.
>> 
>> There has been objection.
>> 
>> The only justification for the change that has been put forward is
>> someone doing a restore lazily.  I don't see a reason why you can't call
>> prctl_set_mm_exe_file until you have the file in place instead of a
>> place holder that sounds like a trivial solution to any restore issues.
>> 
>> The truth is an unlimited settable exe link is essentially meaningless,
>> as you can't depend on it for anything.  One shot seems the best
>> compromise I have seen put forward between the definite
>> checkpoint/restart requirement to set the this value and the general
>> need to have something that makes sense and people can depend on for
>> system management.
>>
>> Also there is a big fat bug in prctl_set_mm_exe_file.  It doesn't
>> validate that the new file is a actually mmaped executable.  We would
>> definitely need that to be fixed before even considering removing the
>> limit.
>
> Could you please elaborate? We check for inode being executable,
> what else needed?

That the inode is mmaped into the process with executable mappings.

Effectively what we check the old mapping for and refuse to remove the old
mm_exe_file if it exists.

I think a reasonable argument can be made that if the file is
executable, and it is mmaped with executable pages that exe_file is not
a complete lie.

Which is the important part.  At the end of the day how much can
userspace trust /proc/pid/exe?  If we are too lax it is just a random
file descriptor we can not trust at all.  At which point there is
exactly no point in preserving it in checkpoint/restart, because nothing
will trust or look at it.

If the only user is checkpoint/restart perhaps it should be only ptrace
that can set this and not the process itself with a prctl.  I don't
know.  All I know is that we should work on making it a very trustable
value even though in some specific instances we can set it.

Eric

  reply	other threads:[~2016-07-25 20:09 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-12 15:30 [PATCH] prctl: remove one-shot limitation for changing exe link Stanislav Kinsburskiy
2016-07-12 16:42 ` Oleg Nesterov
2016-07-12 16:52   ` Stanislav Kinsburskiy
2016-07-12 17:01     ` Oleg Nesterov
2016-07-12 16:48 ` Cyrill Gorcunov
2016-07-12 16:52   ` Eric W. Biederman
2016-07-12 17:29     ` Cyrill Gorcunov
2016-07-12 21:42       ` Cyrill Gorcunov
2016-07-13 10:47     ` Stanislav Kinsburskiy
2016-07-18 20:11     ` One Thousand Gnomes
2016-07-20 11:30       ` Stanislav Kinsburskiy
     [not found] ` <8a863273-c571-63d6-c0c3-637dff5645a3@virtuozzo.com>
2016-07-25 18:21   ` Eric W. Biederman
2016-07-25 19:22     ` Cyrill Gorcunov
2016-07-25 19:56       ` Eric W. Biederman [this message]
2016-07-26  8:34         ` Cyrill Gorcunov
2016-07-30 17:31           ` Eric W. Biederman
2016-07-30 20:28             ` Mateusz Guzik
2016-07-31 18:45               ` Eric W. Biederman
2016-07-31 18:45               ` Eric W. Biederman
2016-08-22 15:40                 ` Richard Guy Briggs
2016-07-31 22:43             ` Cyrill Gorcunov
2016-07-31 22:49               ` Andy Lutomirski
2016-08-01  9:04             ` Cyrill Gorcunov
2016-08-10 10:48             ` Stanislav Kinsburskiy
2016-07-26 10:21     ` Stanislav Kinsburskiy
2016-07-12 15:42 Stanislav Kinsburskiy
     [not found] <1d254efe-5410-40c4-af4b-9e898682d0b3@email.android.com>
2016-07-13 10:15 ` Oleg Nesterov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87a8h58pac.fsf@x220.int.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=akpm@linux-foundation.org \
    --cc=bsegall@google.com \
    --cc=gorcunov@gmail.com \
    --cc=john.stultz@linaro.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=matthltc@us.ibm.com \
    --cc=mguzik@redhat.com \
    --cc=mhocko@suse.com \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=skinsbursky@virtuozzo.com \
    --cc=vbabka@suse.cz \
    --cc=xemul@virtuozzo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.