Date:   Sun, 18 Nov 2018 09:09:14 -0800
From:   Andy Lutomirski <luto@...nel.org>
To:     Daniel Colascione <dancol@...gle.com>
Cc:     Randy Dunlap <rdunlap@...radead.org>,
        Andrew Lutomirski <luto@...nel.org>,
        Christian Brauner <christian@...uner.io>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        LKML <linux-kernel@...r.kernel.org>,
        "Serge E. Hallyn" <serge@...lyn.com>, Jann Horn <jannh@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Oleg Nesterov <oleg@...hat.com>,
        Aleksa Sarai <cyphar@...har.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Linux FS Devel <linux-fsdevel@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        Tim Murray <timmurray@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        Jan Engelhardt <jengelh@...i.de>
Subject: Re: [PATCH] proc: allow killing processes via file descriptors

On Sun, Nov 18, 2018 at 8:49 AM Daniel Colascione <dancol@...gle.com> wrote:
>
> On Sun, Nov 18, 2018 at 8:33 AM, Randy Dunlap <rdunlap@...radead.org> wrote:
> > On 11/18/18 8:17 AM, Andy Lutomirski wrote:
> >> On Sun, Nov 18, 2018 at 7:53 AM Daniel Colascione <dancol@...gle.com> wrote:
> >>>
> >>> On Sun, Nov 18, 2018 at 7:38 AM, Andy Lutomirski <luto@...nel.org> wrote:
> >>>> I fully agree that a more comprehensive, less expensive API for
> >>>> managing processes would be nice.  But I also think that this patch
> >>>> (using the directory fd and ioctl) is better from a security
> >>>> perspective than using a new file in /proc.
> >>>
> >>> That's an assertion, not an argument. And I'm not opposed to an
> >>> operation on the directory FD, now that it's clear Linus has banned
> >>> "write(2)-as-a-command" APIs. I just insist that we implement the API
> >>> with a system call instead of a less-reliable ioctl due to the
> >>> inherent namespace collision issues in ioctl command names.
> >>
> >> Linus banned it because of bugs like the ones in the patch.
> >>
> >>>
> >>>> I have an old patch to make proc directory fds pollable:
> >>>>
> >>>> https://lore.kernel.org/patchwork/patch/345098/
> >>>>
> >>>> That patch plus the one in this thread might make a nice addition to
> >>>> the kernel even if we expect something much better to come along
> >>>> later.
> >>>
> >>> I've always commented on that patch. You never addressed my technical
> >>> objections. Why are you bringing up this patch again as if that
> >>> discussion had never happened? To review, that patch has various race
> >>> conditions
> >>
> >> I don't think I ever saw that review.
> >>
> >>> and even if it were technically correct, it'd be an abuse
> >>> of directory objects (in what other circumstance do we poll
> >>> directories?) and not logically generalizable to a model in which we
> >>> expose process exit status via the exit-monitoring API.
> >>
> >> I agree it's weird.  It might be better to have /proc/PID/exit_status
> >> and make *that* pollable.
> >>
> >
> > If there is a new exit_status file, it could even be more than
> > 8 bits of exit status:
> >
> > See https://lore.kernel.org/lkml/alpine.LSU.2.20.1507091257010.9602@nerf40.vanv.qr/T/#u
> > and http://austingroupbugs.net/view.php?id=594#c1317
>
> First of all, as I discussed in [1], we need to first figure out *who*
> should have access to the process exit information. FreeBSD appears to
> make it public without disaster, and if we make exit status public, a
> lot of problems just disappear.

I kind of want to go in the other direction of making a lot of process
information (especially cmdline) less publicly accessible.

In general, any kind of API where a process has an fd is tricky to do
right on UNIXy systems because of SUID, SGID, and LSM transition
rules.  Windows has an easy time of it because it's always safe for a
parent process to introspect the child.  (Well, almost, because
Windows gained their privilege elevation stuff.)  I'm not saying we
shouldn't do it -- I'm just saying that it's nontrivial.
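Added illustration of the point under debate, written for this archive page and not taken from the patch or from any message in the thread: a /proc/PID directory fd refers to one process instance, while a bare PID is a number the kernel hands out again. The child is made to exit and is reaped; afterwards the directory fd can no longer reach the task (procfs refuses the lookup), whereas kill(pid, 0) fails only because nobody has been assigned that PID yet. The helpers open_proc_dir, proc_dir_alive and run_probe are hypothetical names chosen here; the code assumes Linux with /proc mounted and does not implement the ioctl the patch proposes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the patch): open /proc/<pid> itself as a
 * directory fd.  Returns -1 with errno set on failure. */
int open_proc_dir(pid_t pid)
{
    char path[32];
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Hypothetical helper: ask the kernel, through an already-open /proc/<pid>
 * directory fd, whether that particular task still exists.  Once the task
 * is gone, name lookup under the directory fails with ENOENT (and reads on
 * a previously opened entry fail with ESRCH); both are treated as "gone".
 * A recycled PID cannot confuse this answer, because the fd is bound to
 * the original task, not to the number.
 * Returns 1 (alive), 0 (gone) or -1 (unexpected error). */
int proc_dir_alive(int dirfd)
{
    int fd = openat(dirfd, "stat", O_RDONLY | O_CLOEXEC);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == ENOENT || errno == ESRCH) ? 0 : -1;
}

struct probe {
    int alive_before;     /* proc_dir_alive() while the child runs */
    int alive_after;      /* proc_dir_alive() after the child is reaped */
    int kill_after_errno; /* errno from kill(pid, 0) after reaping; 0 = "delivered" */
};

/* Fork a child that blocks on a pipe, open its /proc directory, let it exit,
 * reap it, and record what each kind of handle says afterwards.
 * Returns 0 on success, -1 if the setup itself failed. */
int run_probe(struct probe *out)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char c;
        close(pipefd[1]);
        (void)read(pipefd[0], &c, 1);  /* returns 0 once the parent closes its end */
        _exit(0);
    }
    close(pipefd[0]);

    int dirfd = open_proc_dir(pid);
    if (dirfd < 0) {
        close(pipefd[1]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    out->alive_before = proc_dir_alive(dirfd);

    close(pipefd[1]);                    /* child's read() returns 0 and it exits */
    if (waitpid(pid, NULL, 0) != pid) {
        close(dirfd);
        return -1;
    }

    out->alive_after = proc_dir_alive(dirfd);
    /* kill(pid, 0) fails here only because the PID has not been reused yet;
     * after recycling it would "succeed" against an unrelated process, which
     * is exactly the misfire an fd-based kill is meant to rule out. */
    out->kill_after_errno = (kill(pid, 0) < 0) ? errno : 0;
    close(dirfd);
    return 0;
}

int main(void)
{
    struct probe p;
    if (run_probe(&p) < 0) {
        perror("run_probe");
        return 1;
    }
    printf("dirfd alive before exit: %d, after reap: %d\n",
           p.alive_before, p.alive_after);
    printf("kill(pid, 0) after reap: %s\n",
           p.kill_after_errno == ESRCH ? "ESRCH (PID not yet reused)"
                                       : strerror(p.kill_after_errno));
    return 0;
}
```

The directory fd also survives exec of the target, which is where the SUID/SGID and LSM transition rules mentioned above come in: the fd still names the same task, but whether its holder may still act on that task after a privilege-changing exec is a separate check the kernel has to make at use time.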
