lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <YQXRyMUGS5cDSbzu@zeniv-ca.linux.org.uk>
Date:   Sat, 31 Jul 2021 22:42:16 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     John Ericson <mail@...nericson.me>
Cc:     Christian Brauner <christian.brauner@...ntu.com>,
        LKML <linux-kernel@...r.kernel.org>,
        David Laight <David.Laight@...lab.com>,
        Andy Lutomirski <luto@...nel.org>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>,
        Jann Horn <jann@...jh.net>,
        Christian Brauner <christian.brauner@...onical.com>
Subject: Re: Leveraging pidfs for process creation without fork

On Sat, Jul 31, 2021 at 03:11:03PM -0700, John Ericson wrote:
> Do you mind pointing out one of those examples? I'm new to this, but if they follow a pattern I should be able to find the other examples based off it. I'm certainly curious to take a look :).
> 
> I hope these issues aren't to deep. Ideally there's a nice decoupling so the creating process is just manipulating "inert" data structures for the embryo that scheduler doesn't even need see, and then after the embryonic process is submitted, when the context switches to it for the first time that's a completely normal process without special cases.
> 
> The place complexity is hardest to avoid I think would be cleaning up the yet-unborn embryonic processes orphaned by exitted parent(s), because that will have to handle all the semi-initialized states those could be in (as opposed to real processes).

	It's more on the exit/exec/coredump side, actually.  For
exit we want to be sure that no new live threads will appear in a
group once the last live thread has entered do_exit().  For
exec (de_thread(), for starters) you want to have all threads
except for the one that does execve() to be killed and your
thread to take over as group leader.  Look for the machinery there
and in do_exit()/release_task() involved into that.  For coredump
you want all threads except for dumper to be brought into do_exit()
and stopped there, for dumping one to be able to access their state.

	Then there's fun with ->sighand treatment - the whole thing
critically relies upon ->sighand being shared for the entire thread
group; look at the ->sighand->siglock uses.

	The whole area is full of rather subtle places.  Again, the
real headache comes from the exit and execve.  Embryonic threads are
passive; it's the ones already running that can (and do) cause PITA.

	What do you want that for, BTW?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ