From: Daniel Colascione <dancol@google.com>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
Christian Brauner <christian@brauner.io>,
"Eric W. Biederman" <ebiederm@xmission.com>,
LKML <linux-kernel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Jann Horn <jannh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Tim Murray <timmurray@google.com>,
Kees Cook <keescook@chromium.org>,
Jan Engelhardt <jengelh@inai.de>
Subject: Re: [PATCH] proc: allow killing processes via file descriptors
Date: Sun, 18 Nov 2018 17:16:23 -0800 [thread overview]
Message-ID: <CAKOZuevHoEAZdnQmuGiwpLcfxSBq3M8T0ZeQFG+Do2aCFcZfQQ@mail.gmail.com> (raw)
In-Reply-To: <CAKOZueve_r5h9_B2YV5RzJYjTf-yS5uZfAbz+Ftqy5jFSk6Xdw@mail.gmail.com>
On Sun, Nov 18, 2018 at 4:53 PM, Daniel Colascione <dancol@google.com> wrote:
>> Sure, I'd propose that ptrace_may_access() is what we should use for
>> operation permission checks.
>
> The tricky part is that ptrace_may_access takes a struct task. We want
> logic that's *like* ptrace_may_access, but that works posthumously.
> It's especially tricky because there's an LSM hook that lets
> __ptrace_may_access do arbitrary things. And we can't just run that
> hook upon process death, since *after* a process dies, a process
> holding an exithand FD (or whatever we call it) may pass that FD to
> another process, and *that* process can read(2) from it.
>
> Another option is doing the exithand access check at open time. I
> think that's probably fine, and it would make things a lot simpler.
> But if we use this option, we should understand what we're doing, and
> get some security-conscious people to think through the implications.
A ptrace check is also probably too strict. Yama's ptrace_scope
feature will block ptrace between unrelated processes within a single
user context, but applying this restriction to exit code monitoring
seems too severe to me.
next prev parent reply other threads:[~2018-11-19 1:16 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-18 11:17 [PATCH] proc: allow killing processes via file descriptors Christian Brauner
2018-11-18 13:59 ` Daniel Colascione
2018-11-18 15:38 ` Andy Lutomirski
2018-11-18 15:53 ` Daniel Colascione
2018-11-18 16:17 ` Andy Lutomirski
2018-11-18 16:29 ` Daniel Colascione
2018-11-18 17:13 ` Andy Lutomirski
2018-11-18 17:17 ` Daniel Colascione
2018-11-18 17:43 ` Eric W. Biederman
2018-11-18 17:45 ` Andy Lutomirski
2018-11-18 17:56 ` Daniel Colascione
2018-11-18 16:33 ` Randy Dunlap
2018-11-18 16:48 ` Daniel Colascione
2018-11-18 17:09 ` Andy Lutomirski
2018-11-18 17:24 ` Daniel Colascione
2018-11-18 17:42 ` Andy Lutomirski
2018-11-18 17:51 ` Daniel Colascione
2018-11-18 18:28 ` Andy Lutomirski
2018-11-18 18:43 ` Daniel Colascione
2018-11-18 19:05 ` Aleksa Sarai
2018-11-18 19:44 ` Daniel Colascione
2018-11-18 20:15 ` Christian Brauner
2018-11-18 20:21 ` Daniel Colascione
2018-11-18 20:28 ` Andy Lutomirski
2018-11-18 20:32 ` Daniel Colascione
2018-11-19 1:43 ` Andy Lutomirski
2018-11-18 20:43 ` Christian Brauner
2018-11-18 20:54 ` Daniel Colascione
2018-11-18 21:23 ` Christian Brauner
2018-11-18 21:30 ` Christian Brauner
2018-11-19 0:31 ` Daniel Colascione
2018-11-19 0:40 ` Christian Brauner
2018-11-19 0:09 ` Aleksa Sarai
2018-11-19 0:53 ` Daniel Colascione
2018-11-19 1:16 ` Daniel Colascione [this message]
2018-11-19 16:13 ` Dmitry Safonov
2018-11-19 16:26 ` [PATCH] proc: allow killing processes via file descriptors (Larger pids) Eric W. Biederman
2018-11-19 16:27 ` [PATCH] proc: allow killing processes via file descriptors Daniel Colascione
2018-11-19 20:21 ` Aleksa Sarai
2018-11-19 2:47 ` Al Viro
2018-11-19 3:01 ` Andy Lutomirski
2018-11-18 17:41 ` Christian Brauner
2018-11-18 17:44 ` Andy Lutomirski
2018-11-18 18:07 ` Daniel Colascione
2018-11-18 18:15 ` Andy Lutomirski
2018-11-18 18:31 ` Daniel Colascione
2018-11-18 19:24 ` Christian Brauner
2018-11-19 0:08 ` Aleksa Sarai
2018-11-19 1:14 ` Daniel Colascione
2018-11-19 1:14 ` Daniel Colascione
2018-11-18 16:03 ` Daniel Colascione
2018-11-19 10:56 ` kbuild test robot
2018-11-19 10:56 ` kbuild test robot
2018-11-19 14:15 ` David Laight
2018-11-19 15:49 ` Dave Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKOZuevHoEAZdnQmuGiwpLcfxSBq3M8T0ZeQFG+Do2aCFcZfQQ@mail.gmail.com \
--to=dancol@google.com \
--cc=akpm@linux-foundation.org \
--cc=christian@brauner.io \
--cc=cyphar@cyphar.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=jengelh@inai.de \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=rdunlap@infradead.org \
--cc=serge@hallyn.com \
--cc=timmurray@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.