From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>, Julien Tinnes <jln@google.com>,
David Drysdale <drysdale@google.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Paolo Bonzini <pbonzini@redhat.com>,
LSM List <linux-security-module@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <james.l.morris@oracle.com>,
Linux API <linux-api@vger.kernel.org>,
Meredydd Luff <meredydd@senatehouse.org>,
Christoph Hellwig <hch@infradead.org>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data
Date: Mon, 28 Jul 2014 14:18:04 -0700 [thread overview]
Message-ID: <87vbqhp4hf.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CALCETrVChObsQpL6dt-ByiCjbPrtpXAXQgy_apBY-OpGQHaPjg@mail.gmail.com> (Andy Lutomirski's message of "Fri, 25 Jul 2014 10:18:05 -0700")
Andy Lutomirski <luto@amacapital.net> writes:
> [cc: Eric Biederman]
>
> Can we do one better and add a flag to prevent any non-self pid
> lookups? This might actually be easy on top of the pid namespace work
> (e.g. we could change the way that find_task_by_vpid works).
>
> It's far from just being signals. There's access_process_vm, ptrace,
> all the signal functions, clock_gettime (see CPUCLOCK_PID -- yes, this
> is ridiculous), and probably some others that I've forgotten about or
> never noticed in the first place.
So here is the practical question.
Are these processes that only can send signals to their thread group
allowed to call fork()?
If fork is allowed and all pid lookups are restricted to their own
thread group that wait, waitpid, and all of the rest of the wait family
will never return the pids of their children, and zombies will
accumulate. Aka the semantics are fundamentally broken.
If fork is not allowed pid namespaces already solve this problem.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>, Julien Tinnes <jln@google.com>,
David Drysdale <drysdale@google.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Paolo Bonzini <pbonzini@redhat.com>,
LSM List <linux-security-module@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <james.l.morris@oracle.com>,
Linux API <linux-api@vger.kernel.org>,
Meredydd Luff <meredydd@senatehouse.org>,
Christoph Hellwig <hch@infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data
Date: Mon, 28 Jul 2014 14:18:04 -0700 [thread overview]
Message-ID: <87vbqhp4hf.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CALCETrVChObsQpL6dt-ByiCjbPrtpXAXQgy_apBY-OpGQHaPjg@mail.gmail.com> (Andy Lutomirski's message of "Fri, 25 Jul 2014 10:18:05 -0700")
Andy Lutomirski <luto@amacapital.net> writes:
> [cc: Eric Biederman]
>
> Can we do one better and add a flag to prevent any non-self pid
> lookups? This might actually be easy on top of the pid namespace work
> (e.g. we could change the way that find_task_by_vpid works).
>
> It's far from just being signals. There's access_process_vm, ptrace,
> all the signal functions, clock_gettime (see CPUCLOCK_PID -- yes, this
> is ridiculous), and probably some others that I've forgotten about or
> never noticed in the first place.
So here is the practical question.
Are these processes that only can send signals to their thread group
allowed to call fork()?
If fork is allowed and all pid lookups are restricted to their own
thread group that wait, waitpid, and all of the rest of the wait family
will never return the pids of their children, and zombies will
accumulate. Aka the semantics are fundamentally broken.
If fork is not allowed pid namespaces already solve this problem.
Eric
next prev parent reply other threads:[~2014-07-28 21:22 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-25 13:46 [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework David Drysdale
2014-07-25 13:46 ` [PATCH 01/11] fs: add O_BENEATH flag to openat(2) David Drysdale
2014-07-25 13:46 ` [PATCH 02/11] selftests: Add test of O_BENEATH & openat(2) David Drysdale
2014-07-25 13:46 ` [PATCH 03/11] capsicum: rights values and structure definitions David Drysdale
2014-07-25 13:47 ` [PATCH 04/11] capsicum: implement fgetr() and friends David Drysdale
2014-07-25 13:47 ` David Drysdale
2014-07-25 13:47 ` [PATCH 05/11] capsicum: convert callers to use fgetr() etc David Drysdale
2014-07-25 13:47 ` David Drysdale
2014-07-25 13:47 ` [PATCH 06/11] capsicum: implement sockfd_lookupr() David Drysdale
2014-07-25 13:47 ` [PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc David Drysdale
2014-07-25 13:47 ` [PATCH 08/11] capsicum: invoke Capsicum on FD/file conversion David Drysdale
2014-07-25 13:47 ` [PATCH 09/11] capsicum: add syscalls to limit FD rights David Drysdale
2014-07-25 13:47 ` David Drysdale
2014-07-25 13:47 ` [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH David Drysdale
2014-07-25 13:47 ` David Drysdale
2014-07-25 14:01 ` Paolo Bonzini
2014-07-25 16:00 ` Andy Lutomirski
2014-07-27 12:08 ` David Drysdale
2014-07-25 13:47 ` [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data David Drysdale
2014-07-25 15:59 ` Andy Lutomirski
2014-07-25 17:10 ` Kees Cook
2014-07-25 17:18 ` Andy Lutomirski
2014-07-25 17:38 ` Kees Cook
2014-07-25 18:24 ` Julien Tinnes
2014-07-25 18:24 ` Julien Tinnes
[not found] ` <CAKyRK=j-f92xHTL3+TNr9WOv_y47dkZR=WZkpY_a5YW3Q8HfaQ@mail.gmail.com>
2014-07-25 18:32 ` Andy Lutomirski
2014-07-27 12:10 ` David Drysdale
2014-07-27 12:10 ` David Drysdale
2014-07-27 12:09 ` David Drysdale
2014-07-28 21:18 ` Eric W. Biederman [this message]
2014-07-28 21:18 ` Eric W. Biederman
2014-07-30 4:05 ` Andy Lutomirski
2014-07-30 4:05 ` Andy Lutomirski
2014-07-30 4:08 ` Eric W. Biederman
2014-07-30 4:08 ` Eric W. Biederman
2014-07-30 4:35 ` Andy Lutomirski
[not found] ` <8761ifie81.fsf@x220.int.ebiederm.org>
2014-07-30 14:52 ` Andy Lutomirski
2014-07-30 14:52 ` Andy Lutomirski
2014-07-25 13:47 ` [PATCH 1/6] open.2: describe O_BENEATH flag David Drysdale
2014-07-25 13:47 ` [PATCH 2/6] capsicum.7: describe Capsicum capability framework David Drysdale
2014-07-25 13:47 ` [PATCH 3/6] rights.7: Describe Capsicum primary rights David Drysdale
2014-07-25 13:47 ` [PATCH 4/6] cap_rights_limit.2: limit FD rights for Capsicum David Drysdale
2014-07-25 13:47 ` [PATCH 5/6] cap_rights_get.2: retrieve Capsicum fd rights David Drysdale
2014-07-25 13:47 ` [PATCH 6/6] prctl.2: describe PR_SET_OPENAT_BENEATH/PR_GET_OPENAT_BENEATH David Drysdale
2014-07-25 13:47 ` David Drysdale
2014-07-26 21:04 ` [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework Eric W. Biederman
2014-07-26 21:04 ` Eric W. Biederman
2014-07-28 12:30 ` Paolo Bonzini
2014-07-28 12:30 ` Paolo Bonzini
2014-07-28 16:04 ` David Drysdale
2014-07-28 21:13 ` Eric W. Biederman
2014-07-28 21:13 ` Eric W. Biederman
2014-07-29 8:43 ` Paolo Bonzini
2014-07-29 8:43 ` Paolo Bonzini
2014-07-29 10:58 ` David Drysdale
2014-07-30 6:22 ` Eric W. Biederman
2014-07-30 6:22 ` Eric W. Biederman
2014-07-30 14:51 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vbqhp4hf.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=drysdale@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=james.l.morris@oracle.com \
--cc=jln@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=meredydd@senatehouse.org \
--cc=paul@paul-moore.com \
--cc=pbonzini@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.