From: Oleg Nesterov <oleg@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Aleksa Sarai <asarai@suse.com>,
Andy Lutomirski <luto@amacapital.net>,
Attila Fazekas <afazekas@redhat.com>, Jann Horn <jann@thejh.net>,
Kees Cook <keescook@chromium.org>,
Michal Hocko <mhocko@kernel.org>,
Ulrich Obergfell <uobergfe@redhat.com>,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
Eugene Syromiatnikov <esyr@redhat.com>
Subject: Re: scope of cred_guard_mutex.
Date: Thu, 6 Apr 2017 17:55:40 +0200 [thread overview]
Message-ID: <20170406155540.GC7444@redhat.com> (raw)
In-Reply-To: <87fuhpjeco.fsf_-_@xmission.com>
On 04/03, Eric W. Biederman wrote:
>
> Oleg Nesterov <oleg@redhat.com> writes:
>
> >> I reviewed the code and cred_guard_mutex needs to cover what it covers.
> >
> > I strongly, strongly disagree. Its scope is unnecessary huge, we should narrow
> > it in any case, even if the current code was not bugy. But this is almost
> > offtopic, lets discuss this separately.
And let me repeat/clarify.
I meant, I see absolutely no reason to do copy_strings() with this mutex held,
for example. And note that copy_strings() can use a lot of memory/time, it can
trigger oom,swapping, etc. I also think that we can probably do
check_unsafe_exec() which in particular sets LSM_UNSAFE_ at bit later, but I
am less sure about this and this needs more work.
And perhaps more changes like this to narrow the scope of this mutex. And I
thought you were already agree with this?
> You have asked why I have problems with your patch and so I am going to
> try to explain. Partly I want to see a clean set of patches that we
> can merge into Linus's tree before we make any compromises.
Sure, me too. I do not see a simple and clean fix, your attempts were wrong
so far and imo were worse even if they were correct.
And this makes me think again that we need to restart this discusion with
more CC's.
> Partly I object because your understanding and my understanding of
> cred_guard_mutex are very different.
>
> As I read and understand the code the job of cred_guard_mutex is to keep
> ptrace (and other threads of the proccess) from interferring in
> exec and to ensure old resources are accessed with permission checks
> using our original credentials and that new and modified resources are
> accessed with permission checks using our new credentials.
Yes, this is clear.
> I object to your patch in particular because you deliberately mess up
> the part of only making old resources available with old creds and
> new resources available with new creds.
Could you spell please? I don't understand.
> AKA What I see neededing to be protected looks something like:
> mutex_lock();
> new_cred = compute_new_cred(tsk);
> new_mm = compute_new_mm(tsk);
> tsk->mm = new_mm;
> tsk->cred = new_cred;
> zap_other_threads(tsk);
> update_sighand(tsk);
> update_signal(tsk);
> do_close_on_exec();
> update_tsk_fields(tsk);
> mutex_unlock();
>
> The only way I can see of reducing the scope of cred_guard_mutex is
> performing work in such a way that ptrace and the other threads can't
> interfere and then taking the lock. Computing the new mm and the new
> credentials are certainly candidates for that kind of treatment.
OK. And yes, I am not sure this all is optimal, but didn't I say from
the very beginning that unlikely we can change this?
Now let me quote your next email:
On 04/05, Eric W. Biederman wrote:
>
> We have barely begun. You have not shown anyone what your idea of a
> clean fix actually is. All I have seen from you is a quick hack that is
> a hack that is back-portable.
Yes. I really tried to make a back-portable fix. Otherwise I would start
with ->notify_count cleanups.
> With your change exec still blocks waiting for zombies.
And this is what we currently do. Whether we should do this may be debatable,
but why do you blame my patch?
> Furthermore you have to violate the reasonable rule that:
> * pre-exec resources are guarded with the pre-exec process cred.
> * post-exec resources are guarded with the post-exec process cred.
For example?
> So from a userspace perspective I think your semantics are absolutely
> insane.
Which semantics were changed by my patch?
> - You made comments about cred_guard_mutex and it's scope that when I
> reviewed the code were false.
Which of my comments was wrong?
> We can optimize it
And this is what I meant when I said "we should narrow it in any case"
> but we can't change what is protected
I am not that sure. But a) I did not even try to suggest to change anything
in this area right now, and b) I said that unlikely this is possible.
Oleg.
next prev parent reply other threads:[~2017-04-06 15:56 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 14:14 [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-02-13 14:15 ` [PATCH 1/2] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2017-02-13 16:12 ` kbuild test robot
2017-02-13 16:47 ` Oleg Nesterov
2017-02-13 16:39 ` kbuild test robot
2017-02-13 17:27 ` Mika Penttilä
2017-02-13 18:01 ` Oleg Nesterov
2017-02-13 18:04 ` [PATCH V2 " Oleg Nesterov
2017-02-16 11:42 ` Eric W. Biederman
2017-02-20 15:22 ` Oleg Nesterov
2017-02-20 15:36 ` Oleg Nesterov
2017-02-20 22:30 ` Eric W. Biederman
2017-02-21 17:53 ` Oleg Nesterov
2017-02-21 20:20 ` Eric W. Biederman
2017-02-22 17:41 ` Oleg Nesterov
2017-02-17 4:42 ` Eric W. Biederman
2017-02-20 15:50 ` Oleg Nesterov
2017-02-13 14:15 ` [PATCH 2/2] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2017-02-24 16:03 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-03-03 1:05 ` Eric W. Biederman
2017-03-03 17:33 ` Oleg Nesterov
2017-03-03 18:23 ` Eric W. Biederman
2017-03-03 18:59 ` Eric W. Biederman
2017-03-03 20:06 ` Eric W. Biederman
2017-03-03 20:11 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Eric W. Biederman
2017-03-04 17:03 ` Oleg Nesterov
2017-03-30 8:07 ` Eric W. Biederman
2017-04-01 5:11 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Eric W. Biederman
2017-04-01 5:14 ` [RFC][PATCH 1/2] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-01 5:16 ` [RFC][PATCH 2/2] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-02 15:35 ` Oleg Nesterov
2017-04-02 18:53 ` Eric W. Biederman
2017-04-03 18:12 ` Oleg Nesterov
2017-04-03 21:04 ` Eric W. Biederman
2017-04-05 16:44 ` Oleg Nesterov
2017-04-02 15:38 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Oleg Nesterov
2017-04-02 22:50 ` [RFC][PATCH v2 0/5] " Eric W. Biederman
2017-04-02 22:51 ` [RFC][PATCH v2 1/5] ptrace: Don't wait in PTRACE_O_TRACEEXIT for exec or coredump Eric W. Biederman
2017-04-05 16:19 ` Oleg Nesterov
2017-04-02 22:51 ` [RFC][PATCH v2 2/5] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-02 22:52 ` [RFC][PATCH v2 3/5] clone: Disallown CLONE_THREAD with a shared sighand_struct Eric W. Biederman
2017-04-05 16:24 ` Oleg Nesterov
2017-04-05 17:34 ` Eric W. Biederman
2017-04-05 18:11 ` Oleg Nesterov
2017-04-02 22:53 ` [RFC][PATCH v2 4/5] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-05 16:15 ` Oleg Nesterov
2017-04-02 22:57 ` [RFC][PATCH v2 5/5] signal: Don't allow accessing signal_struct by old threads after exec Eric W. Biederman
2017-04-05 16:18 ` Oleg Nesterov
2017-04-05 18:16 ` Eric W. Biederman
2017-04-06 15:48 ` Oleg Nesterov
2017-04-02 16:15 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Oleg Nesterov
2017-04-02 21:07 ` Eric W. Biederman
2017-04-03 18:37 ` Oleg Nesterov
2017-04-03 22:49 ` Eric W. Biederman
2017-04-03 22:49 ` scope of cred_guard_mutex Eric W. Biederman
2017-04-05 16:08 ` Oleg Nesterov
2017-04-05 16:11 ` Kees Cook
2017-04-05 17:53 ` Eric W. Biederman
2017-04-05 18:15 ` Oleg Nesterov
2017-04-06 15:55 ` Oleg Nesterov [this message]
2017-04-07 22:07 ` Kees Cook
2017-09-04 3:19 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Robert O'Callahan
2017-03-04 16:54 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170406155540.GC7444@redhat.com \
--to=oleg@redhat.com \
--cc=afazekas@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=asarai@suse.com \
--cc=ebiederm@xmission.com \
--cc=esyr@redhat.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhocko@kernel.org \
--cc=uobergfe@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).