From: Solar Designer <solar@openwall.com>
To: NeilBrown <neilb@suse.de>
Cc: Vasiliy Kulikov <segoon@openwall.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
kernel-hardening@lists.openwall.com,
James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Eric Paris <eparis@redhat.com>, Willy Tarreau <w@1wt.eu>,
Sebastian Krahmer <krahmer@suse.de>
Subject: Re: [kernel-hardening] [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common()
Date: Tue, 26 Jul 2011 05:16:29 +0400 [thread overview]
Message-ID: <20110726011629.GA24610@openwall.com> (raw)
In-Reply-To: <20110726104713.37273143@notabene.brown>
On Tue, Jul 26, 2011 at 10:47:13AM +1000, NeilBrown wrote:
> On Tue, 26 Jul 2011 03:40:13 +0400 Solar Designer <solar@openwall.com> wrote:
> > On Mon, Jul 25, 2011 at 09:14:23PM +0400, Vasiliy Kulikov wrote:
> > > @@ -1433,6 +1433,19 @@ static int do_execve_common(const char *filename,
> > > struct files_struct *displaced;
> > > bool clear_in_exec;
> > > int retval;
> > > + const struct cred *cred = current_cred();
> > > +
> > > + /*
> > > + * We move the actual failure in case of RLIMIT_NPROC excess from
> > > + * set*uid() to execve() because too many poorly written programs
> > > + * don't check setuid() return code. Here we additionally recheck
> > > + * whether NPROC limit is still exceeded.
> > > + */
> > > + if ((current->flags & PF_NPROC_EXCEEDED) &&
> > > + atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
> > > + retval = -EAGAIN;
> > > + goto out_ret;
> > > + }
> >
> > Do you possibly need:
> >
> > current->flags &= ~PF_NPROC_EXCEEDED;
> >
> > somewhere after this point?
> >
> > I think it's weird to have past set_user() failure affect other than the
> > very next execve().
>
> So we are hoping that no program uses execvp() or similar...
Why? No, we don't, unless I am missing something.
> Maybe that is
> reasonable but "in for a penny, in for a pound" - I'd fail them all.
>
> I think the flag should only be cleared once we notice that the limit is no
> longer exceeded. So clearing the flag can appear *after* the code you quote
> above, but not in the middle of it.
Definitely. In case execve() fails because of the limit, the flag
remains set, so a second execve() by the process will fail too.
> > Perhaps also reset the flag on fork() because we have an RLIMIT_NPROC
> > check on fork() anyway.
>
> I agree it should be cleared here too.
Great. Just to clarify my own words: on fork(), clear the flag in the
child process only.
> But there is still the issue of 'zygot' like services....
Here's my take on it:
1. It is not known (from the discussion so far) whether Android/Zygote
even cares about RLIMIT_NPROC specifically or not. The code is very
generic, usable for any rlimits, and the rationale behind it might have
been to be able to apply certain other limits. I don't know whether or
not there exists a system that actually sets RLIMIT_NPROC via that
mechanism and expects it working.
2. If desired, Android/Zygote will be able to check the
PF_NPROC_EXCEEDED flag, via procfs or via a prctl() interface that we
might introduce. Or it may simply pass an extra fork().
> Let me try another suggestion. Instead of catching the error in
> do_execve_common, how about we catch it in do_mmap_pgoff.
> i.e. if the flag is set and an attempt it made to create an executable
> mapping, we check the user->processes against the limit then - either failing
> or clearing the flag and succeeding.
>
> This will stop an execve, and an attempt to load a shared library and call it.
This sounds too hackish to me, although if others are (unexpectedly) OK
with it, I don't mind.
Thanks,
Alexander
next prev parent reply other threads:[~2011-07-26 1:16 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-12 13:09 RLIMIT_NPROC check in set_user() Vasiliy Kulikov
2011-07-06 17:36 ` Vasiliy Kulikov
2011-07-06 18:01 ` Linus Torvalds
2011-07-06 18:59 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-07 7:56 ` Vasiliy Kulikov
2011-07-07 8:19 ` Vasiliy Kulikov
2011-07-12 13:27 ` [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common() Vasiliy Kulikov
2011-07-12 21:16 ` Linus Torvalds
2011-07-12 23:14 ` NeilBrown
2011-07-13 6:31 ` Solar Designer
2011-07-13 7:06 ` NeilBrown
2011-07-13 20:46 ` Linus Torvalds
2011-07-14 0:11 ` James Morris
2011-07-14 1:27 ` NeilBrown
2011-07-14 15:06 ` Solar Designer
2011-07-15 3:30 ` NeilBrown
2011-07-15 5:35 ` Willy Tarreau
2011-07-15 6:31 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-15 7:06 ` NeilBrown
2011-07-15 7:38 ` Vasiliy Kulikov
2011-07-15 13:04 ` Solar Designer
2011-07-15 13:58 ` [kernel-hardening] " Stephen Smalley
2011-07-15 15:26 ` Vasiliy Kulikov
2011-07-15 19:54 ` Stephen Smalley
2011-07-21 4:09 ` NeilBrown
2011-07-21 12:48 ` Solar Designer
2011-07-21 18:21 ` Linus Torvalds
2011-07-21 19:39 ` [kernel-hardening] " Solar Designer
2011-07-25 17:14 ` Vasiliy Kulikov
2011-07-25 23:40 ` [kernel-hardening] " Solar Designer
2011-07-26 0:47 ` NeilBrown
2011-07-26 1:16 ` Solar Designer [this message]
2011-07-26 4:11 ` NeilBrown
2011-07-26 14:48 ` [patch v2] " Vasiliy Kulikov
2011-07-27 2:15 ` NeilBrown
2011-07-29 7:07 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-29 8:06 ` Vasiliy Kulikov
2011-07-29 8:11 ` [patch v3] " Vasiliy Kulikov
2011-07-29 8:17 ` James Morris
2011-07-14 1:30 ` [PATCH] " KOSAKI Motohiro
2011-07-13 5:36 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110726011629.GA24610@openwall.com \
--to=solar@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=eparis@redhat.com \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=jslaby@suse.cz \
--cc=kernel-hardening@lists.openwall.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=krahmer@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=neilb@suse.de \
--cc=sds@tycho.nsa.gov \
--cc=segoon@openwall.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).