lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <Zz-AVoa7Ra22LJ5L@kawka3.in.waw.pl>
Date: Thu, 21 Nov 2024 18:47:50 +0000
From: Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
	Kees Cook <kees@...nel.org>, linux-kernel@...r.kernel.org,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Christophe JAILLET <christophe.jaillet@...adoo.fr>,
	Dan Carpenter <dan.carpenter@...aro.org>,
	Nir Lichtman <nir@...htman.org>,
	syzbot+03e1af5c332f7e0eb84b@...kaller.appspotmail.com,
	Tycho Andersen <tandersen@...flix.com>,
	Vegard Nossum <vegard.nossum@...cle.com>
Subject: Re: [GIT PULL] execve updates for v6.13-rc1

On Thu, Nov 21, 2024 at 10:02:03AM -0800, Linus Torvalds wrote:
> On Thu, 21 Nov 2024 at 10:00, Zbigniew Jędrzejewski-Szmek
> <zbyszek@...waw.pl> wrote:
> >
> > Identical — as far as the callee is concerned.
> > Basically, we'd like to switch the execve() that we use in systemd
> > to start everything with fexecve(), but this should be invisible to
> > both the programs that are started and users who call ps/pgrep/….
> 
> I'm not discussing this. If you cannot understand the difference
> between comm[] and argv[0], this discussion is entirely pointless.

You brought up argv to say that it's "garbage". I was replying to that
part of your message.

With execve, the initial values of comm and argv are under full
control of the caller, e.g. comm can be set as
'ln -s /bin/sleep /tmp/whatever && /tmp/whatever'.
So comm doesn't have to match the "actual executable name" and
if one is "garbage" then so is the other one.

I very much understand the difference between comm and argv[0].
Once again: the goal is to be able to use fexecve in a way that
doesn't cause a visible change to the called programs. Comm was
previously set to the basename of the path, and if it's set based on
argv[0] with fexecve, we get the behaviour that we want (*) and the
rest of userspace is happy. If we set it to f_path.dentry, userspace
is unhappy.

(*) The exception is when a program is called with an argv[0] that
has some special value. But it's such a niche case that nobody
cares about it. There were some cups printer plugins which passed
something important via argv[0], but that was at least a decade
ago. I'm not aware of anybody trying to do that. In the worst case,
we can fall back to execve for those cases if absolutely necessary.

> I'd suggest you just not use fexecve().

Pffff. That's not helpful. The patch to use fexecve/execveat
in systemd was merged in 2020, but we can't make this the default
behaviour because of the comm blocker.

Zbyszek
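
An added example, not part of the original message and not systemd or kernel code: it runs /bin/sleep through a symlink with a caller-chosen argv[0] and reads back /proc/<pid>/comm and /proc/<pid>/cmdline, showing that after a path-based execve() both values come from the caller. The helper names, the /tmp/whatever link and the "not-sleep" argv[0] are assumptions made for illustration, and /bin/sleep is assumed to ignore its argv[0] (GNU coreutils).

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Read /proc/<pid>/<name> into buf, cut at the first NUL or newline. */
static int proc_read(pid_t pid, const char *name, char *buf, size_t sz)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sz - 1, f);
    fclose(f);
    buf[n] = '\0'; buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Hypothetical helper: execv() `target` through the symlink `lnk` with a
 * caller-chosen argv[0], then copy out what /proc shows for the child. */
int observe_exec(const char *target, const char *lnk, const char *argv0,
                 char *comm, char *arg0, size_t sz)
{
    int rc = -1;
    unlink(lnk);                        /* drop a stale link from an earlier run */
    if (symlink(target, lnk) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { (char *)argv0, "30", NULL };
        execv(lnk, argv);
        _exit(127);
    }
    /* Until the exec completes, cmdline is still the parent's, or empty. */
    for (int i = 0; pid > 0 && rc != 0 && i < 200; i++) {
        usleep(10000);
        if (proc_read(pid, "cmdline", arg0, sz) == 0 && strcmp(arg0, argv0) == 0)
            rc = proc_read(pid, "comm", comm, sz);
    }
    if (pid > 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    unlink(lnk);
    return rc;
}

int main(void)
{
    char comm[64], arg0[64];
    if (observe_exec("/bin/sleep", "/tmp/whatever", "not-sleep", comm, arg0, 64)) return 1;
    return printf("comm=%s argv[0]=%s\n", comm, arg0) < 0;
}
```

Neither value names the binary that is actually running; /proc/<pid>/exe still resolves to the real file.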

