From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org>, Julien Tinnes <jln@google.com>, David Drysdale <drysdale@google.com>, Al Viro <viro@zeniv.linux.org.uk>, Paolo Bonzini <pbonzini@redhat.com>, LSM List <linux-security-module@vger.kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Paul Moore <paul@paul-moore.com>, James Morris <james.l.morris@oracle.com>, Linux API <linux-api@vger.kernel.org>, Meredydd Luff <meredydd@senatehouse.org>, Christoph Hellwig <hch@infradead.org>, "linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data Date: Mon, 28 Jul 2014 14:18:04 -0700 [thread overview] Message-ID: <87vbqhp4hf.fsf@x220.int.ebiederm.org> (raw) In-Reply-To: <CALCETrVChObsQpL6dt-ByiCjbPrtpXAXQgy_apBY-OpGQHaPjg@mail.gmail.com> (Andy Lutomirski's message of "Fri, 25 Jul 2014 10:18:05 -0700") Andy Lutomirski <luto@amacapital.net> writes: > [cc: Eric Biederman] > > Can we do one better and add a flag to prevent any non-self pid > lookups? This might actually be easy on top of the pid namespace work > (e.g. we could change the way that find_task_by_vpid works). > > It's far from just being signals. There's access_process_vm, ptrace, > all the signal functions, clock_gettime (see CPUCLOCK_PID -- yes, this > is ridiculous), and probably some others that I've forgotten about or > never noticed in the first place. So here is the practical question. Are these processes that only can send signals to their thread group allowed to call fork()? If fork is allowed and all pid lookups are restricted to their own thread group that wait, waitpid, and all of the rest of the wait family will never return the pids of their children, and zombies will accumulate. Aka the semantics are fundamentally broken. If fork is not allowed pid namespaces already solve this problem. Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org>, Julien Tinnes <jln@google.com>, David Drysdale <drysdale@google.com>, Al Viro <viro@zeniv.linux.org.uk>, Paolo Bonzini <pbonzini@redhat.com>, LSM List <linux-security-module@vger.kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Paul Moore <paul@paul-moore.com>, James Morris <james.l.morris@oracle.com>, Linux API <linux-api@vger.kernel.org>, Meredydd Luff <meredydd@senatehouse.org>, Christoph Hellwig <hch@infradead.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data Date: Mon, 28 Jul 2014 14:18:04 -0700 [thread overview] Message-ID: <87vbqhp4hf.fsf@x220.int.ebiederm.org> (raw) In-Reply-To: <CALCETrVChObsQpL6dt-ByiCjbPrtpXAXQgy_apBY-OpGQHaPjg@mail.gmail.com> (Andy Lutomirski's message of "Fri, 25 Jul 2014 10:18:05 -0700") Andy Lutomirski <luto@amacapital.net> writes: > [cc: Eric Biederman] > > Can we do one better and add a flag to prevent any non-self pid > lookups? This might actually be easy on top of the pid namespace work > (e.g. we could change the way that find_task_by_vpid works). > > It's far from just being signals. There's access_process_vm, ptrace, > all the signal functions, clock_gettime (see CPUCLOCK_PID -- yes, this > is ridiculous), and probably some others that I've forgotten about or > never noticed in the first place. So here is the practical question. Are these processes that only can send signals to their thread group allowed to call fork()? If fork is allowed and all pid lookups are restricted to their own thread group that wait, waitpid, and all of the rest of the wait family will never return the pids of their children, and zombies will accumulate. Aka the semantics are fundamentally broken. If fork is not allowed pid namespaces already solve this problem. Eric
next prev parent reply other threads:[~2014-07-28 21:22 UTC|newest] Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-07-25 13:46 [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework David Drysdale 2014-07-25 13:46 ` [PATCH 01/11] fs: add O_BENEATH flag to openat(2) David Drysdale 2014-07-25 13:46 ` [PATCH 02/11] selftests: Add test of O_BENEATH & openat(2) David Drysdale 2014-07-25 13:46 ` [PATCH 03/11] capsicum: rights values and structure definitions David Drysdale 2014-07-25 13:47 ` [PATCH 04/11] capsicum: implement fgetr() and friends David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 13:47 ` [PATCH 05/11] capsicum: convert callers to use fgetr() etc David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 13:47 ` [PATCH 06/11] capsicum: implement sockfd_lookupr() David Drysdale 2014-07-25 13:47 ` [PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc David Drysdale 2014-07-25 13:47 ` [PATCH 08/11] capsicum: invoke Capsicum on FD/file conversion David Drysdale 2014-07-25 13:47 ` [PATCH 09/11] capsicum: add syscalls to limit FD rights David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 13:47 ` [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 14:01 ` Paolo Bonzini 2014-07-25 16:00 ` Andy Lutomirski 2014-07-27 12:08 ` David Drysdale 2014-07-25 13:47 ` [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data David Drysdale 2014-07-25 15:59 ` Andy Lutomirski 2014-07-25 17:10 ` Kees Cook 2014-07-25 17:18 ` Andy Lutomirski 2014-07-25 17:38 ` Kees Cook 2014-07-25 18:24 ` Julien Tinnes 2014-07-25 18:24 ` Julien Tinnes [not found] ` <CAKyRK=j-f92xHTL3+TNr9WOv_y47dkZR=WZkpY_a5YW3Q8HfaQ@mail.gmail.com> 2014-07-25 18:32 ` Andy Lutomirski 2014-07-27 12:10 ` David Drysdale 2014-07-27 12:10 ` David Drysdale 2014-07-27 12:09 ` David Drysdale 2014-07-28 21:18 ` Eric W. Biederman [this message] 2014-07-28 21:18 ` Eric W. Biederman 2014-07-30 4:05 ` Andy Lutomirski 2014-07-30 4:05 ` Andy Lutomirski 2014-07-30 4:08 ` Eric W. Biederman 2014-07-30 4:08 ` Eric W. Biederman 2014-07-30 4:35 ` Andy Lutomirski [not found] ` <8761ifie81.fsf@x220.int.ebiederm.org> 2014-07-30 14:52 ` Andy Lutomirski 2014-07-30 14:52 ` Andy Lutomirski 2014-07-25 13:47 ` [PATCH 1/6] open.2: describe O_BENEATH flag David Drysdale 2014-07-25 13:47 ` [PATCH 2/6] capsicum.7: describe Capsicum capability framework David Drysdale 2014-07-25 13:47 ` [PATCH 3/6] rights.7: Describe Capsicum primary rights David Drysdale 2014-07-25 13:47 ` [PATCH 4/6] cap_rights_limit.2: limit FD rights for Capsicum David Drysdale 2014-07-25 13:47 ` [PATCH 5/6] cap_rights_get.2: retrieve Capsicum fd rights David Drysdale 2014-07-25 13:47 ` [PATCH 6/6] prctl.2: describe PR_SET_OPENAT_BENEATH/PR_GET_OPENAT_BENEATH David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-26 21:04 ` [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework Eric W. Biederman 2014-07-26 21:04 ` Eric W. Biederman 2014-07-28 12:30 ` Paolo Bonzini 2014-07-28 12:30 ` Paolo Bonzini 2014-07-28 16:04 ` David Drysdale 2014-07-28 21:13 ` Eric W. Biederman 2014-07-28 21:13 ` Eric W. Biederman 2014-07-29 8:43 ` Paolo Bonzini 2014-07-29 8:43 ` Paolo Bonzini 2014-07-29 10:58 ` David Drysdale 2014-07-30 6:22 ` Eric W. Biederman 2014-07-30 6:22 ` Eric W. Biederman 2014-07-30 14:51 ` Andy Lutomirski
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=87vbqhp4hf.fsf@x220.int.ebiederm.org \ --to=ebiederm@xmission.com \ --cc=drysdale@google.com \ --cc=gregkh@linuxfoundation.org \ --cc=hch@infradead.org \ --cc=james.l.morris@oracle.com \ --cc=jln@google.com \ --cc=keescook@chromium.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=meredydd@senatehouse.org \ --cc=paul@paul-moore.com \ --cc=pbonzini@redhat.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.