| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Aug 2013 11:10:56 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Oleg Nesterov <oleg@...hat.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Brad Spengler <spender@...ecurity.net>,
Colin Walters <walters@...hat.com>,
Pavel Emelyanov <xemul@...allels.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/3] fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks
On Thu, Aug 22, 2013 at 10:10 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> do_fork() denies CLONE_THREAD | CLONE_PARENT if NEWUSER | NEWPID.
>
> Then later copy_process() denies CLONE_SIGHAND if the new process
> will be in a different pid namespace (task_active_pid_ns() doesn't
> match current->nsproxy->pid_ns).
>
> This looks confusing and inconsistent. CLONE_NEWPID is very similar
> to the case when ->pid_ns was already unshared, we want the same
> restrictions so copy_process() should also nack CLONE_PARENT.
>
> And it would be better to deny CLONE_NEWUSER && CLONE_SIGHAND as
> well just for consistency.
>
> Kill the "CLONE_NEWUSER | CLONE_NEWPID" check in do_fork() and
> change copy_process() to the same check along with nsproxy->pid_ns
> we already have.
Did the old code actually prevent clone(CLONE_PARENT | CLONE_NEWPID)?
The new code explicitly does, and that looks like a good thing.
>
> Signed-off-by: Oleg Nesterov <oleg@...hat.com>
> ---
> kernel/fork.c | 22 ++++++++--------------
> 1 files changed, 8 insertions(+), 14 deletions(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 8d56338..fae2ff7 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1173,12 +1173,15 @@ static struct task_struct *copy_process(unsigned long clone_flags,
> return ERR_PTR(-EINVAL);
>
> /*
> - * If the new process will be in a different pid namespace don't
> - * allow the creation of threads, or share the signal handlers.
> + * If the new process will be in a different pid or user namespace
> + * don't allow the creation of threads, or share the signal handlers,
> + * or share the parent.
> */
> - if ((clone_flags & CLONE_SIGHAND) &&
> - (task_active_pid_ns(current) != current->nsproxy->pid_ns))
> - return ERR_PTR(-EINVAL);
> + if (clone_flags & (CLONE_SIGHAND | CLONE_PARENT)) {
> + if ((clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) ||
> + (task_active_pid_ns(current) != current->nsproxy->pid_ns))
> + return ERR_PTR(-EINVAL);
> + }
>
> retval = security_task_create(clone_flags);
> if (retval)
> @@ -1575,15 +1578,6 @@ long do_fork(unsigned long clone_flags,
> long nr;
>
> /*
> - * Do some preliminary argument and permissions checking before we
> - * actually start allocating stuff
> - */
> - if (clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) {
> - if (clone_flags & (CLONE_THREAD|CLONE_PARENT))
> - return -EINVAL;
> - }
> -
> - /*
> * Determine whether and which event to report to ptracer. When
> * called from kernel_thread or CLONE_UNTRACED is explicitly
> * requested, no event is reported; otherwise, report if the event
> --
> 1.5.5.1
>
--
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists