| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Sep 2010 11:34:00 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Will Drewry <wad@...omium.org> Cc: Andi Kleen <andi@...stfloor.org>, linux-kernel@...r.kernel.org, Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Roland McGrath <roland@...hat.com>, Neil Horman <nhorman@...driver.com>, containers@...ts.linux-foundation.org, Eugene Teo <eteo@...hat.com>, Tejun Heo <tj@...nel.org>, Serge Hallyn <serue@...ibm.com>, Alexey Dobriyan <adobriyan@...il.com>, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH][RFC] v2 exec: move core_pattern pipe helper into the crashing namespace Will Drewry <wad@...omium.org> writes: > Presently, a core_pattern pipe endpoint will be run in the init > namespace. It will receive the virtual pid (task_tgid_vnr->%p) of the > core dumping process but will have no access to that processes /proc > without walking the init namespace /proc looking through all the global > pids until it finds the one it thinks matches. > > One option for fixing this is to change the reported pid: > https://patchwork.kernel.org/patch/185912/ > However, it's unclear if it is desirable for the core_pattern to run > outside the namespace. In particular, it can easily access the mounts > via /proc/[pid_nr]/root, but if there is a net namespace, it will not > have access. (Originally introduced in 2007 in commit > b488893a390edfe027bae7a46e9af8083e740668 ) > > Instead, this change implements the more complex option two. It > migrates the ____call_usermodehelper() thread into the same namespaces > as the dumping process. It does not assign a pid in that namespace so > the collector will appear to be pid 0 in the namespace. I like the direction this is going but as structured this looks like a security exploit waiting to happen. The pipe process needs to run in the namespaces of the process who set the core pattern, not in the namespaces of the dumping process. Otherwise it is possible to trigger a privileged process to run in a context where it's reality that it expected, causing it to misuse it's privileges. Even if we don't have a privilege problem I think we will have a case of mismatched functionality where the core pattern will not work as expected. I believe the solution here is to move the core pattern into the pid namespace and to capture the namespaces when set, but if the core pattern hasn't been set to use the core pattern of the parent pid namespace. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists