linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Frederic Weisbecker <frederic@kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Frederic Weisbecker <fweisbec@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>, Ingo Molnar <mingo@kernel.org>,
	Kees Cook <keescook@chromium.org>
Subject: Re: [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening
Date: Thu, 5 Sep 2019 16:57:10 +0200 (CEST)	[thread overview]
Message-ID: <alpine.DEB.2.21.1909051650030.1902@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20190905144829.GA18251@lenoir>

On Thu, 5 Sep 2019, Frederic Weisbecker wrote:
> On Thu, Sep 05, 2019 at 02:03:39PM +0200, Thomas Gleixner wrote:
> > Sysbot triggered an issue in the posix timer rework which was trivial to
> > fix, but after running another test case I discovered that the rework broke
> > the permission checks subtly. That's also a straightforward fix.
> > 
> > Though when staring at it I discovered that the permission checks for
> > process clocks and process timers are completely bonkers. The only
> > requirement is that the target PID is a group leader. Which means that any
> > process can read the clocks and attach timers to any other process without
> > priviledge restrictions.
> > 
> > That's just wrong because the clocks and timers can be used to observe
> > behaviour and both reading the clocks and arming timers adds overhead and
> > influences runtime performance of the target process.
> 
> Yeah I stumbled upon that by the past and found out the explanation behind
> in old history: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/kernel/posix-cpu-timers.c?id=a78331f2168ef1e67b53a0f8218c70a19f0b2a4c
> 
> "This makes no constraint on who can see whose per-process clocks.  This
> information is already available for the VIRT and PROF (i.e.  utime and stime)
> information via /proc.  I am open to suggestions on if/how security
> constraints on who can see whose clocks should be imposed."
> 
> I'm all for mitigating that, let's just hope that won't break some ABIs.

Well, reading clocks is one part of the issue. Arming timers on any process
is a different story.

Also /proc/$PID access can be restricted nowadays. So that posic clock
stuff should at least have exactly the same restrictions.

Thanks,

	tglx


  reply	other threads:[~2019-09-05 14:57 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-05 12:03 [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening Thomas Gleixner
2019-09-05 12:03 ` [patch 1/6] posix-cpu-timers: Always clear head pointer on dequeue Thomas Gleixner
2019-09-05 15:49   ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 2/6] posix-cpu-timers: Fix permission check regression Thomas Gleixner
2019-09-05 17:31   ` Frederic Weisbecker
2019-09-05 18:55     ` Thomas Gleixner
2019-09-05 21:15       ` [patch V2 " Thomas Gleixner
2019-09-09 15:13         ` Frederic Weisbecker
2019-09-10 11:18         ` [tip: timers/core] " tip-bot2 for Thomas Gleixner
2019-09-05 12:03 ` [patch 3/6] posix-cpu-timers: Restrict timer_create() permissions Thomas Gleixner
2019-09-21  0:44   ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 4/6] posix-cpu-timers: Restrict clock_gettime() permissions Thomas Gleixner
2019-09-23 13:39   ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 5/6] posix-cpu-timers: Sanitize thread clock permissions Thomas Gleixner
2019-09-05 12:21   ` Peter Zijlstra
2019-09-05 14:11     ` Thomas Gleixner
2019-09-23 14:03   ` Frederic Weisbecker
2019-09-05 12:03 ` [patch 6/6] posix-cpu-timers: Make PID=0 and PID=self handling consistent Thomas Gleixner
2019-09-23 14:13   ` Frederic Weisbecker
2019-09-23 14:17     ` Thomas Gleixner
2019-09-05 14:48 ` [patch 0/6] posix-cpu-timers: Fallout fixes and permission tightening Frederic Weisbecker
2019-09-05 14:57   ` Thomas Gleixner [this message]
2019-09-05 15:21     ` Frederic Weisbecker
2019-09-05 20:32 ` Kees Cook
2019-09-05 21:13   ` Thomas Gleixner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.21.1909051650030.1902@nanos.tec.linutronix.de \
    --to=tglx@linutronix.de \
    --cc=frederic@kernel.org \
    --cc=fweisbec@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).