From: Daniel Colascione <dancol@google.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Tim Murray <timmurray@google.com>,
Joel Fernandes <joelaf@google.com>,
Suren Baghdasaryan <surenb@google.com>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <christian.brauner@canonical.com>
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
Date: Wed, 31 Oct 2018 15:16:32 +0000 [thread overview]
Message-ID: <CAKOZues0_jMfW8xAa0mC=QS7UnHMzkWb5nCz3S_GDf3RzPg90Q@mail.gmail.com> (raw)
In-Reply-To: <20181031151007.GA21207@redhat.com>
On Wed, Oct 31, 2018 at 3:10 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> On 10/31, Daniel Colascione wrote:
>>
>> > perhaps it would be simpler to do
>> >
>> > my_cred = override_creds(file->f_cred);
>> > kill_pid(...);
>> > revert_creds(my_cred);
>>
>> Thanks for the suggestion. That looks neat, but it's not quite enough.
>> The problem is that check_kill_permission looks for
>> same_thread_group(current, t) _before_ checking kill_of_by_cred,
>
> Yes, you are right.
>
> Looks like kill_pid_info_as_cred() can find another user, but probably
> it needs some changes with or without /proc/pid/kill ...
>
>> There's another problem though: say we open /proc/pid/5/kill *, with
>> proc 5 being an ordinary unprivileged process, e.g., the shell. At
>> open(2) time, the access check passes. Now suppose PID 5 execve(2)s
>> into a setuid process. The kill FD is still open, so the kill FD's
>> holder can send a signal
>
> Confused... why? kill_ok_by_cred() should fail?
Not if we don't run it. :-) I thought you were proposing that we do
*all* access checks in open() and let write() succeed unconditionally,
since that's the model that a lot of FD-mediated resources (like
regular files) use. (MAC notwithstanding.)
Anyway, I sent a v2 patch that I think closes the hole another way. In
v2, we just require that the real user ID that opens a /proc/pid/kill
file is the same one that writes to it. It successfully blocks the
setuid attack above while preserving all the write-time permission
checks and keeping the close correspondence between
write()-on-proc-pid-kill-fd and kill(2). Can you think of any
situation where this scheme breaks? I *think* comparing struct user
addresses instead of numeric UIDs will protect the check against user
namespace shenanigans.
next prev parent reply other threads:[~2018-10-31 15:16 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 22:10 [RFC PATCH] Implement /proc/pid/kill Daniel Colascione
2018-10-30 3:21 ` Joel Fernandes
2018-10-30 8:50 ` Daniel Colascione
2018-10-30 10:39 ` Christian Brauner
2018-10-30 10:40 ` Christian Brauner
2018-10-30 10:48 ` Daniel Colascione
2018-10-30 11:04 ` Christian Brauner
2018-10-30 11:12 ` Daniel Colascione
2018-10-30 11:19 ` Christian Brauner
2018-10-31 5:00 ` Eric W. Biederman
2018-10-30 17:01 ` Joel Fernandes
2018-10-30 5:00 ` Aleksa Sarai
2018-10-30 9:05 ` Daniel Colascione
2018-10-30 20:45 ` Aleksa Sarai
2018-10-30 21:42 ` Joel Fernandes
2018-10-30 22:23 ` Aleksa Sarai
2018-10-30 22:33 ` Joel Fernandes
2018-10-30 22:49 ` Aleksa Sarai
2018-10-31 0:42 ` Joel Fernandes
2018-10-31 1:59 ` Daniel Colascione
2018-10-30 23:10 ` Daniel Colascione
2018-10-30 23:23 ` Christian Brauner
2018-10-30 23:55 ` Daniel Colascione
2018-10-31 2:56 ` Aleksa Sarai
2018-10-31 4:24 ` Joel Fernandes
2018-11-01 20:40 ` Joel Fernandes
2018-11-02 9:46 ` Christian Brauner
2018-11-02 14:34 ` Serge E. Hallyn
2018-10-31 0:57 ` Joel Fernandes
2018-10-31 1:56 ` Daniel Colascione
2018-10-31 4:47 ` Eric W. Biederman
2018-10-31 4:44 ` Eric W. Biederman
2018-10-31 12:44 ` Oleg Nesterov
2018-10-31 13:27 ` Daniel Colascione
2018-10-31 15:10 ` Oleg Nesterov
2018-10-31 15:16 ` Daniel Colascione [this message]
2018-10-31 15:49 ` Oleg Nesterov
2018-11-01 11:53 ` David Laight
2018-11-01 15:50 ` Daniel Colascione
2018-10-31 14:37 ` [PATCH v2] " Daniel Colascione
2018-10-31 15:05 ` Joel Fernandes
2018-10-31 17:33 ` Aleksa Sarai
2018-10-31 21:47 ` Joel Fernandes
2018-10-31 15:59 ` [PATCH v3] " Daniel Colascione
2018-10-31 17:54 ` Tycho Andersen
2018-10-31 18:00 ` Daniel Colascione
2018-10-31 18:17 ` Tycho Andersen
2018-10-31 19:33 ` Daniel Colascione
2018-10-31 20:06 ` Tycho Andersen
2018-11-01 11:33 ` David Laight
2018-11-12 1:19 ` Eric W. Biederman
2018-10-31 16:22 ` [RFC PATCH] " Jann Horn
2018-11-01 4:53 ` Andy Lutomirski
2018-11-12 23:13 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKOZues0_jMfW8xAa0mC=QS7UnHMzkWb5nCz3S_GDf3RzPg90Q@mail.gmail.com' \
--to=dancol@google.com \
--cc=christian.brauner@canonical.com \
--cc=ebiederm@xmission.com \
--cc=joelaf@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=surenb@google.com \
--cc=timmurray@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.