From: Linus Torvalds <torvalds@linux-foundation.org>
To: Jann Horn <jannh@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
Bernd Edlinger <bernd.edlinger@hotmail.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Waiman Long <longman@redhat.com>, Ingo Molnar <mingo@kernel.org>,
Will Deacon <will@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Alexey Gladkov <gladkov.alexey@gmail.com>
Subject: Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1
Date: Tue, 28 Apr 2020 15:14:39 -0700 [thread overview]
Message-ID: <CAHk-=whTgFbjGTP=CqMWs_LOkY7bWvLQGYKwKx86amdbMovAkw@mail.gmail.com> (raw)
In-Reply-To: <CAG48ez3EQOvdbzu9aO-cEAJwF_=fJzn1Cg0LMs3ruc=5r1ie5w@mail.gmail.com>
On Tue, Apr 28, 2020 at 2:53 PM Jann Horn <jannh@google.com> wrote:
>
> You don't need LSM_UNSAFE_PTRACE if the tracer has already passed a
> ptrace_may_access() check against the post-execve creds of the target
> - that's no different from having done PTRACE_ATTACH after execve is
> over.
Hmm. That sounds believable, I guess.
But along these ways, I'm starting to think that we might perhaps skip
the lock entirely.
What if we made the rule instead be:
- we move check_unsafe_exec() down. As far as I can tell, there's no
reason it's that early - the flags it sets aren't actually used until
when we actually do that final set_creds..
- we add a "next cred" pointer to the signal struct (or task struct)
- make the rule be that check_unsafe_exec() checks p->ptrace under
the tasklist_lock (or sighand lock - whatever ends up being most
convenient)
- set "next cred" to be the known next cred there too under the lock.
We call this small locked region the "cred sync point".
- ptrace will check if we have the "in_exec" flag set and have one of
those "next cred" pointers, in which case it checks both the old and
the next credentials.
No cred_guard_mutex at all, instead the rule is that as execve() goes
through that "cred sync point", we have two cases
(a) either ptrace has attached (because task->ptrace is set), and it
does the LSM_UNSAFE_PTRACE dance.
or
(b) it knows that ptrace will check the next creds if it races with execve.
And then after execve has installed the final new creds, it just
clears the "next cred" pointer again, because at that point it knows
that now any subsequent PTRACE_ATTACH will be checking the new creds.
So instead of taking and dropping the cred_guard_mutex, we'd basically
get rid of it entirely.
Yeah, I didn't look at the seccomp case, but I guess the issues will be similar.
Linus
next prev parent reply other threads:[~2020-04-28 22:15 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87blobnq02.fsf@x220.int.ebiederm.org>
2020-04-02 19:04 ` [GIT PULL] Please pull proc and exec work for 5.7-rc1 Linus Torvalds
2020-04-02 19:31 ` Bernd Edlinger
2020-04-02 19:52 ` Linus Torvalds
2020-04-02 20:59 ` Bernd Edlinger
2020-04-02 21:46 ` Linus Torvalds
2020-04-02 23:01 ` Eric W. Biederman
2020-04-02 23:42 ` Bernd Edlinger
2020-04-02 23:45 ` Eric W. Biederman
2020-04-02 23:49 ` Bernd Edlinger
2020-04-02 23:45 ` Linus Torvalds
2020-04-02 23:44 ` Linus Torvalds
2020-04-03 0:05 ` Eric W. Biederman
2020-04-07 1:29 ` [RFC][PATCH 0/3] exec_update_mutex related cleanups Eric W. Biederman
2020-04-07 1:31 ` [PATCH 1/3] binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf Eric W. Biederman
2020-04-07 15:58 ` Kees Cook
2020-04-07 16:11 ` Christian Brauner
2020-04-08 17:25 ` Linus Torvalds
2020-04-08 19:51 ` Eric W. Biederman
2020-04-07 1:31 ` [PATCH 2/3] exec: Make unlocking exec_update_mutex explict Eric W. Biederman
2020-04-07 16:02 ` Kees Cook
2020-04-07 16:17 ` Christian Brauner
2020-04-07 16:21 ` Eric W. Biederman
2020-04-07 1:32 ` [PATCH 3/3] exec: Rename the flag called_exec_mmap point_of_no_return Eric W. Biederman
2020-04-07 16:03 ` Kees Cook
2020-04-07 16:21 ` Christian Brauner
2020-04-07 16:22 ` [RFC][PATCH 0/3] exec_update_mutex related cleanups Christian Brauner
2020-04-08 17:26 ` Linus Torvalds
2020-04-03 5:09 ` [GIT PULL] Please pull proc and exec work for 5.7-rc1 Bernd Edlinger
2020-04-03 19:26 ` Linus Torvalds
2020-04-03 20:41 ` Waiman Long
2020-04-03 20:59 ` Linus Torvalds
2020-04-03 23:16 ` Waiman Long
2020-04-03 23:23 ` Waiman Long
2020-04-04 1:30 ` Linus Torvalds
2020-04-04 2:02 ` Waiman Long
2020-04-04 2:28 ` Linus Torvalds
2020-04-04 6:34 ` Bernd Edlinger
2020-04-05 6:34 ` Bernd Edlinger
2020-04-05 19:35 ` Linus Torvalds
2020-04-05 2:42 ` Waiman Long
2020-04-05 3:35 ` Bernd Edlinger
2020-04-05 3:45 ` Waiman Long
2020-04-06 13:13 ` Will Deacon
2020-04-04 4:23 ` Bernd Edlinger
2020-04-06 22:17 ` Eric W. Biederman
2020-04-07 19:50 ` Linus Torvalds
2020-04-07 20:29 ` Bernd Edlinger
2020-04-07 20:47 ` Linus Torvalds
2020-04-08 15:14 ` Eric W. Biederman
2020-04-08 15:21 ` Bernd Edlinger
2020-04-08 16:34 ` Linus Torvalds
2020-04-09 14:58 ` Eric W. Biederman
2020-04-09 15:15 ` Bernd Edlinger
2020-04-09 16:15 ` Linus Torvalds
2020-04-09 16:24 ` Linus Torvalds
2020-04-09 17:03 ` Eric W. Biederman
2020-04-09 17:17 ` Bernd Edlinger
2020-04-09 17:37 ` Linus Torvalds
2020-04-09 17:46 ` Bernd Edlinger
2020-04-09 18:36 ` Linus Torvalds
2020-04-09 19:42 ` Linus Torvalds
2020-04-09 19:57 ` Bernd Edlinger
2020-04-09 20:04 ` Linus Torvalds
2020-04-09 20:36 ` Bernd Edlinger
2020-04-09 21:00 ` Eric W. Biederman
2020-04-09 21:17 ` Linus Torvalds
2020-04-09 23:52 ` Bernd Edlinger
2020-04-10 0:30 ` Linus Torvalds
2020-04-10 0:32 ` Linus Torvalds
2020-04-11 4:07 ` Bernd Edlinger
2020-04-11 18:20 ` Oleg Nesterov
2020-04-11 18:29 ` Linus Torvalds
2020-04-11 18:31 ` Linus Torvalds
2020-04-11 19:15 ` Bernd Edlinger
2020-04-11 20:07 ` Linus Torvalds
2020-04-11 21:16 ` Bernd Edlinger
[not found] ` <CAHk-=wgWHkBzFazWJj57emHPd3Dg9SZHaZqoO7-AD+UbBTJgig@mail.gmail.com>
2020-04-11 21:57 ` Linus Torvalds
2020-04-12 6:01 ` Bernd Edlinger
2020-04-12 19:50 ` Oleg Nesterov
2020-04-12 20:14 ` Linus Torvalds
2020-04-28 2:56 ` Bernd Edlinger
2020-04-28 17:07 ` Linus Torvalds
2020-04-28 19:08 ` Oleg Nesterov
2020-04-28 20:35 ` Linus Torvalds
2020-04-28 21:06 ` Jann Horn
2020-04-28 21:36 ` Linus Torvalds
2020-04-28 21:53 ` Jann Horn
2020-04-28 22:14 ` Linus Torvalds [this message]
2020-04-28 23:36 ` Jann Horn
2020-04-29 17:58 ` Linus Torvalds
2020-04-29 18:33 ` Jann Horn
2020-04-29 18:57 ` Linus Torvalds
2020-04-29 19:23 ` Bernd Edlinger
2020-04-29 19:26 ` Jann Horn
2020-04-29 20:19 ` Bernd Edlinger
2020-04-29 21:06 ` Jann Horn
2020-04-29 22:38 ` Linus Torvalds
2020-04-29 23:22 ` Linus Torvalds
2020-04-29 23:59 ` Jann Horn
2020-04-30 1:08 ` Bernd Edlinger
2020-04-30 2:20 ` Linus Torvalds
2020-04-30 3:00 ` Jann Horn
2020-04-30 3:25 ` Linus Torvalds
2020-04-30 3:41 ` Jann Horn
2020-04-30 3:50 ` Linus Torvalds
2020-04-30 13:37 ` Linus Torvalds
2020-04-30 2:16 ` Linus Torvalds
2020-04-30 13:39 ` Bernd Edlinger
2020-04-30 13:47 ` Linus Torvalds
2020-04-30 14:29 ` Bernd Edlinger
2020-04-30 16:40 ` Linus Torvalds
2020-05-02 4:11 ` Bernd Edlinger
2020-04-09 17:36 ` Linus Torvalds
2020-04-09 20:34 ` Eric W. Biederman
2020-04-09 20:56 ` Linus Torvalds
2020-04-02 23:02 ` Bernd Edlinger
2020-04-02 23:22 ` Bernd Edlinger
2020-04-03 7:38 ` Bernd Edlinger
2020-04-03 16:00 ` Bernd Edlinger
2020-04-03 15:09 ` Bernd Edlinger
2020-04-03 16:23 ` Linus Torvalds
2020-04-03 16:36 ` Bernd Edlinger
2020-04-04 5:43 ` Bernd Edlinger
2020-04-04 5:48 ` Bernd Edlinger
2020-04-06 6:41 ` Bernd Edlinger
2020-04-10 13:03 ` [GIT PULL] proc fix " Eric W. Biederman
2020-04-10 20:40 ` pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=whTgFbjGTP=CqMWs_LOkY7bWvLQGYKwKx86amdbMovAkw@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=bernd.edlinger@hotmail.de \
--cc=ebiederm@xmission.com \
--cc=gladkov.alexey@gmail.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).