From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752438AbdIARaj (ORCPT <rfc822;w@1wt.eu>);
        Fri, 1 Sep 2017 13:30:39 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:40789 "EHLO
        userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752338AbdIARah (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Sep 2017 13:30:37 -0400
Subject: Re: [RESEND PATCH] Allow passing tid or pid in SCM_CREDENTIALS
 without CAP_SYS_ADMIN
To: "Eric W. Biederman" <ebiederm@xmission.com>
References: <1503965540-30393-1-git-send-email-prakash.sangappa@oracle.com>
 <20170829.160232.1901318933754673000.davem@davemloft.net>
 <c9ea9bec-6b0e-70d6-3f74-9b483358edd2@oracle.com>
 <87ziahzzhx.fsf@xmission.com>
 <d23ec1ae-e2f0-659c-ce67-9b1b1e9ad8a5@oracle.com>
 <87inh5ymv2.fsf@xmission.com>
Cc: David Miller <davem@davemloft.net>, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, drepper@redhat.com
From: Prakash Sangappa <prakash.sangappa@oracle.com>
Message-ID: <ca086e10-764c-4389-808e-43fd1ace4e0c@oracle.com>
Date: Fri, 1 Sep 2017 10:30:31 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <87inh5ymv2.fsf@xmission.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 8/30/17 10:41 AM, ebiederm@xmission.com wrote:
> Prakash Sangappa <prakash.sangappa@oracle.com> writes:
>
>
>> With regards to security, the question basically is what is the consequence
>> of passing the wrong id. As I understand it, Interpreting the id to be pid
>> or tid, the effective uid and gid will be the same. It would be a problem
>> only if the incorrect interpretation of the id would refer a different process.
>> But that cannot happen as the the global tid(gettid() of a thread is
>> unique.
> There is also the issue that the receiving process could look, not see
> the pid in proc and assume the sending process is dead.  That I suspect
> is the larger danger.
>

Will this not be a bug in the application, if it is sending the wrong id?

>> As long as the thread is alive, that id cannot reference another process / thread.
>> Unless the thread were to exit and the id gets recycled and got used for another
>> thread or process. This would be no different from a process exiting and its
>> pid getting recycled which is the case now.
> Largely I agree.
>
> If all you want are pid translations I suspect the are far easier ways
> thant updating the SCM_CREDENTIALS code.

What would be an another easier & efficient way of doing pid translation?

Should a new API/mechanism be considered mainly for pid translation purpose
for use with pid namespaces, say based on 'pipe' something similar to 
I_SENDFD?

Thanks,
-Prakash.

> Eric
>