lists.openwall.net
Message-ID: <CAG48ez2hhu8AXgBR=ze9RRLDpB0V1rzUX2Xr2e45giV6ebTxMA@mail.gmail.com>
Date: Mon, 16 Sep 2024 23:14:30 +0200
From: Jann Horn <jannh@...gle.com>
To: Paul Moore <paul@...l-moore.com>
Cc: David Howells <dhowells@...hat.com>, Jeffrey Altman <jaltman@...istor.com>, openafs-devel@...nafs.org, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	John Johansen <john.johansen@...onical.com>, Jarkko Sakkinen <jarkko@...nel.org>, 
	Mickaël Salaün <mic@...ikod.net>, 
	Günther Noack <gnoack@...gle.com>, 
	Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, 
	Casey Schaufler <casey@...aufler-ca.com>, linux-afs@...ts.infradead.org, 
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, 
	apparmor@...ts.ubuntu.com, keyrings@...r.kernel.org, selinux@...r.kernel.org
Subject: Re: Can KEYCTL_SESSION_TO_PARENT be dropped entirely? -- was Re: [PATCH v2 1/2] KEYS: use synchronous task work for changing parent credentials

On Mon, Sep 16, 2024 at 12:46 PM Paul Moore <paul@...l-moore.com> wrote:
> On Tue, Sep 10, 2024 at 4:49 PM Paul Moore <paul@...l-moore.com> wrote:
> > On Thu, Aug 15, 2024 at 4:00 PM Jann Horn <jannh@...gle.com> wrote:
> > > On Thu, Aug 15, 2024 at 9:46 PM David Howells <dhowells@...hat.com> wrote:
> > > > Jann Horn <jannh@...gle.com> wrote:
> > > >
> > > > > Rewrite keyctl_session_to_parent() to run task work on the parent
> > > > > synchronously, so that any errors that happen in the task work can be
> > > > > plumbed back into the syscall return value in the child.
> > > >
> > > > The main thing I worry about is if there's a way to deadlock the child and the
> > > > parent against each other.  vfork() for example.
> > >
> > > Yes - I think it would work fine for scenarios like using
> > > KEYCTL_SESSION_TO_PARENT from a helper binary against the shell that
> > > launched the helper (which I think is the intended use case?), but
> > > there could theoretically be constellations where it would cause an
> > > (interruptible) hang if the parent is stuck in
> > > uninterruptible/killable sleep.
> > >
> > > I think vfork() is rather special in that it does a killable wait for
> > > the child to exit or execute; and based on my understanding of the
> > > intended use case of KEYCTL_SESSION_TO_PARENT, I think normally
> > > KEYCTL_SESSION_TO_PARENT would only be used by a child that has gone
> > > through execve?
> >
> > Where did we land on all of this?  Unless I missed a thread somewhere,
> > it looks like the discussion trailed off without any resolution on if
> > we are okay with a potentially (interruptible) deadlock?
>
> As a potential tweak to this, what if we gave up on the idea of
> returning the error code so we could avoid the signal deadlock issue?

I'm still not convinced that there is a real danger of deadlocking
here if the only way to deadlock involves the parent being in an
uninterruptible wait. There aren't many places in the kernel that
involve a parent uninterruptibly waiting for the child without locks
being involved, especially when the parent is a shell that spawns the
child with execve, as seems to be the intended use here.

I really dislike the idea of silently ignoring an error - I kinda feel
like if we give up on returning an error to the child that issued the
keyctl, the next-best option is to SIGKILL the parent, so that we can
say "hey, we technically ensured that all future syscalls in the
parent will use the new creds, because the parent will no longer do
_any_ syscalls".

> I suppose there could be an issue if the parent was
> expecting/depending on keyring change from the child, but honestly, if
> the parent is relying on the kernel keyring and spawning a child
> process without restricting the KEYCTL_SESSION_TO_PARENT then the parent
> really should be doing some sanity checks on the keyring after the
> child returns anyway.

> I'm conflicted on the best way to solve this problem, but I think we
> need to fix this somehow as I believe the current behavior is broken
> ...
