[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20181031143744.77677-1-dancol@google.com>
Date: Wed, 31 Oct 2018 14:37:44 +0000
From: Daniel Colascione <dancol@...gle.com>
To: linux-kernel@...r.kernel.org
Cc: timmurray@...gle.com, joelaf@...gle.com, surenb@...gle.com,
cyphar@...har.com, christian.brauner@...onical.com,
ebiederm@...ssion.com, keescook@...omium.org, oleg@...hat.com,
Daniel Colascione <dancol@...gle.com>
Subject: [PATCH v2] Implement /proc/pid/kill
Add a simple proc-based kill interface. To use /proc/pid/kill, just
write the signal number in base-10 ASCII to the kill file of the
process to be killed: for example, 'echo 9 > /proc/$$/kill'.
Semantically, /proc/pid/kill works like kill(2), except that the
process ID comes from the proc filesystem context instead of from an
explicit system call parameter. This way, it's possible to avoid races
between inspecting some aspect of a process and that process's PID
being reused for some other process.
Note that only the real user ID that opened a /proc/pid/kill file can
write to it; other users get EPERM. This check prevents confused
deputy attacks via, e.g., standard output of setuid programs.
With /proc/pid/kill, it's possible to write a proper race-free and
safe pkill(1). An approximation follows. A real program might use
openat(2), having opened a process's /proc/pid directory explicitly,
with the directory file descriptor serving as a sort of "process
handle".
#!/bin/bash
set -euo pipefail
pat=$1
for proc_status in /proc/*/status; do (
cd $(dirname $proc_status)
readarray proc_argv -d'' < cmdline
if ((${#proc_argv[@]} > 0)) &&
[[ ${proc_argv[0]} = *$pat* ]];
then
echo 15 > kill
fi
) || true; done
Signed-off-by: Daniel Colascione <dancol@...gle.com>
---
Added a real-user-ID check to prevent confused deputy attacks.
fs/proc/base.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 7e9f07bf260d..74e494f24b28 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -205,6 +205,56 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
return result;
}
+static ssize_t proc_pid_kill_write(struct file *file,
+ const char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ ssize_t res;
+ int sig;
+ char buffer[4];
+
+ /* This check prevents a confused deputy attack in which an
+ * unprivileged process opens /proc/victim/kill and convinces
+ * a privileged process to write to that kill FD, effectively
+ * performing a kill with the privileges of the unwitting
+ * privileged process. Here, we just fail the kill operation
+ * if someone calls write(2) with a real user ID that differs
+ * from the one used to open the kill FD.
+ */
+ res = -EPERM;
+ if (file->f_cred->user != current_user())
+ goto out;
+
+ res = -EINVAL;
+ if (*ppos != 0)
+ goto out;
+
+ res = -EINVAL;
+ if (count > sizeof(buffer) - 1)
+ goto out;
+
+ res = -EFAULT;
+ if (copy_from_user(buffer, buf, count))
+ goto out;
+
+ buffer[count] = '\0';
+ res = kstrtoint(strstrip(buffer), 10, &sig);
+ if (res)
+ goto out;
+
+ res = kill_pid(proc_pid(file_inode(file)), sig, 0);
+ if (res)
+ goto out;
+ res = count;
+out:
+ return res;
+
+}
+
+static const struct file_operations proc_pid_kill_ops = {
+ .write = proc_pid_kill_write,
+};
+
static ssize_t get_mm_cmdline(struct mm_struct *mm, char __user *buf,
size_t count, loff_t *ppos)
{
@@ -2935,6 +2985,7 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
+ REG("kill", S_IRUGO | S_IWUGO, proc_pid_kill_ops),
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
ONE("stat", S_IRUGO, proc_tgid_stat),
ONE("statm", S_IRUGO, proc_pid_statm),
--
2.19.1.568.g152ad8e336-goog
Powered by blists - more mailing lists