From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC7BAC3F2D2 for ; Mon, 2 Mar 2020 07:48:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7D749246B4 for ; Mon, 2 Mar 2020 07:48:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727032AbgCBHs2 (ORCPT ); Mon, 2 Mar 2020 02:48:28 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:47552 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725446AbgCBHs2 (ORCPT ); Mon, 2 Mar 2020 02:48:28 -0500 Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j8fns-0001Sk-QB; Mon, 02 Mar 2020 07:47:52 +0000 Date: Mon, 2 Mar 2020 08:47:51 +0100 From: Christian Brauner To: Jann Horn Cc: Bernd Edlinger , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , "Eric W. Biederman" , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Kees Cook , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" Subject: Re: [PATCH] exec: Fix a deadlock in ptrace Message-ID: <20200302074751.evhnq3b5zvtbaqu4@wittgenstein> References: <20200301185244.zkofjus6xtgkx4s3@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 01, 2020 at 09:00:22PM +0100, Jann Horn wrote: > On Sun, Mar 1, 2020 at 7:52 PM Christian Brauner > wrote: > > On Sun, Mar 01, 2020 at 07:21:03PM +0100, Jann Horn wrote: > > > On Sun, Mar 1, 2020 at 12:27 PM Bernd Edlinger > > > wrote: > > > > The proposed solution is to have a second mutex that is > > > > used in mm_access, so it is allowed to continue while the > > > > dying threads are not yet terminated. > > > > > > Just for context: When I proposed something similar back in 2016, > > > https://lore.kernel.org/linux-fsdevel/20161102181806.GB1112@redhat.com/ > > > was the resulting discussion thread. At least back then, I looked > > > through the various existing users of cred_guard_mutex, and the only > > > places that couldn't be converted to the new second mutex were > > > PTRACE_ATTACH and SECCOMP_FILTER_FLAG_TSYNC. > > > > > > > > > The ideal solution would IMO be something like this: Decide what the > > > new task's credentials should be *before* reaching de_thread(), > > > install them into a second cred* on the task (together with the new > > > dumpability), drop the cred_guard_mutex, and let ptrace_may_access() > > > check against both. After that, some further restructuring might even > > > > Hm, so essentially a private ptrace_access_cred member in task_struct? > > And a second dumpability field, because that changes together with the > creds during execve. (Btw, currently the dumpability is in the > mm_struct, but that's kinda wrong. The mm_struct is removed from a > task on exit while access checks can still be performed against it, and > currently ptrace_may_access() just lets the access go through in that > case, which weakens the protection offered by PR_SET_DUMPABLE when > used for security purposes. I think it ought to be moved over into the > task_struct.) > > > That would presumably also involve altering various LSM hooks to look at > > ptrace_access_cred. > > When I tried to implement this in the past, I changed the LSM hook to > take the target task's cred* as an argument, and then called the LSM > hook twice from ptrace_may_access(). IIRC having the target task's > creds as an argument works for almost all the LSMs, with the exception > of Yama, which doesn't really care about the target task's creds, so > you have to pass in both the task_struct* and the cred*. It seems we should try PoCing this. Christian