From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752839AbcGYUJ6 (ORCPT ); Mon, 25 Jul 2016 16:09:58 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:46335 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752463AbcGYUJ5 (ORCPT ); Mon, 25 Jul 2016 16:09:57 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Cyrill Gorcunov Cc: Stanislav Kinsburskiy , peterz@infradead.org, mingo@redhat.com, mhocko@suse.com, keescook@chromium.org, linux-kernel@vger.kernel.org, mguzik@redhat.com, bsegall@google.com, john.stultz@linaro.org, oleg@redhat.com, matthltc@us.ibm.com, akpm@linux-foundation.org, luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com References: <20160712152940.24895.61315.stgit@localhost.localdomain> <8a863273-c571-63d6-c0c3-637dff5645a3@virtuozzo.com> <87y44pbmtc.fsf@x220.int.ebiederm.org> <20160725192242.GA26208@uranus> Date: Mon, 25 Jul 2016 14:56:43 -0500 In-Reply-To: <20160725192242.GA26208@uranus> (Cyrill Gorcunov's message of "Mon, 25 Jul 2016 22:22:42 +0300") Message-ID: <87a8h58pac.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1bRmCC-0004rN-Cu;;;mid=<87a8h58pac.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=67.3.204.119;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19NP/4guNG/ESyj4/nWe+wFSxLPq1dzWvs= X-SA-Exim-Connect-IP: 67.3.204.119 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa03 1397; Body=1 Fuz1=1 Fuz2=1] * 1.2 XMSubMetaSxObfu_02 Obfuscated Sexy AdVerb * 1.0 XMSubMetaSx_00 1+ Sexy Words X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Cyrill Gorcunov X-Spam-Relay-Country: X-Spam-Timing: total 1764 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 7 (0.4%), b_tie_ro: 5 (0.3%), parse: 1.33 (0.1%), extract_message_metadata: 51 (2.9%), get_uri_detail_list: 3.2 (0.2%), tests_pri_-1000: 15 (0.9%), tests_pri_-950: 2.1 (0.1%), tests_pri_-900: 1.70 (0.1%), tests_pri_-400: 97 (5.5%), check_bayes: 95 (5.4%), b_tokenize: 30 (1.7%), b_tok_get_all: 24 (1.4%), b_comp_prob: 6 (0.3%), b_tok_touch_all: 19 (1.1%), b_finish: 0.87 (0.0%), tests_pri_0: 1572 (89.1%), check_dkim_signature: 0.88 (0.0%), check_dkim_adsp: 26 (1.5%), tests_pri_500: 11 (0.6%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Cyrill Gorcunov writes: > On Mon, Jul 25, 2016 at 01:21:51PM -0500, Eric W. Biederman wrote: >> Stanislav Kinsburskiy writes: >> >> > Gentlemen, >> > >> > Looks like there are no objections to this patch. >> >> There has been objection. >> >> The only justification for the change that has been put forward is >> someone doing a restore lazily. I don't see a reason why you can't call >> prctl_set_mm_exe_file until you have the file in place instead of a >> place holder that sounds like a trivial solution to any restore issues. >> >> The truth is an unlimited settable exe link is essentially meaningless, >> as you can't depend on it for anything. One shot seems the best >> compromise I have seen put forward between the definite >> checkpoint/restart requirement to set the this value and the general >> need to have something that makes sense and people can depend on for >> system management. >> >> Also there is a big fat bug in prctl_set_mm_exe_file. It doesn't >> validate that the new file is a actually mmaped executable. We would >> definitely need that to be fixed before even considering removing the >> limit. > > Could you please elaborate? We check for inode being executable, > what else needed? That the inode is mmaped into the process with executable mappings. Effectively what we check the old mapping for and refuse to remove the old mm_exe_file if it exists. I think a reasonable argument can be made that if the file is executable, and it is mmaped with executable pages that exe_file is not a complete lie. Which is the important part. At the end of the day how much can userspace trust /proc/pid/exe? If we are too lax it is just a random file descriptor we can not trust at all. At which point there is exactly no point in preserving it in checkpoint/restart, because nothing will trust or look at it. If the only user is checkpoint/restart perhaps it should be only ptrace that can set this and not the process itself with a prctl. I don't know. All I know is that we should work on making it a very trustable value even though in some specific instances we can set it. Eric