Message-ID: <20250509-querschnitt-fotokopien-6ae91dfdac45@brauner>
Date: Fri, 9 May 2025 17:40:14 +0200
From: Christian Brauner <brauner@...nel.org>
To: linux-fsdevel@...r.kernel.org, Jann Horn <jannh@...gle.com>,
Daniel Borkmann <daniel@...earbox.net>, Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: Eric Dumazet <edumazet@...gle.com>, Oleg Nesterov <oleg@...hat.com>,
"David S. Miller" <davem@...emloft.net>, Alexander Viro <viro@...iv.linux.org.uk>,
Daan De Meyer <daan.j.demeyer@...il.com>, David Rheinsberg <david@...dahead.eu>,
Jakub Kicinski <kuba@...nel.org>, Jan Kara <jack@...e.cz>,
Lennart Poettering <lennart@...ttering.net>, Luca Boccassi <bluca@...ian.org>, Mike Yuan <me@...dnzj.com>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-security-module@...r.kernel.org, Alexander Mikhalitsyn <alexander@...alicyn.com>
Subject: Re: [PATCH v5 4/9] coredump: add coredump socket
> Userspace can set /proc/sys/kernel/core_pattern to:
>
> @linuxafsk/coredump_socket

I have one other proposal that:

- avoids reserving a specific address
- doesn't require bpf or lsm to be safe
- allows for safe restart and crashes of the coredump server

To set up a coredump socket the coredump server must allocate a socket
cookie for the listening socket via SO_COOKIE. The socket cookie must be
used as the prefix in the abstract address for the coredump socket. It
can be followed by a \0 byte and then followed by whatever the coredump
server wants. For example:

    12345678\0coredump.socket

When a task crashes and generates a coredump it will find the provided
address but also compare the prefixed SO_COOKIE value with the socket
cookie of the socket listening at that address. If they don't match it
will refuse to connect.

So even if the coredump server restarts or crashes and unprivileged
userspace recycles the socket address for an attack the crashing process
will detect this as the new listening socket will have gotten either a
new or no SO_COOKIE and the crashing process will not connect.

The coredump server just sets /proc/sys/kernel/core_pattern to:

    @SO_COOKIE/whatever

The "@" at the beginning indicates to the kernel that the abstract
AF_UNIX coredump socket will be used to process coredumps and the
indicating the end of the SO_COOKIE and the rest of the name.

Appended what that would look like.

View attachment "0001-coredump-add-coredump-socket.patch" of type "text/x-diff" (15284 bytes)
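
The server-side setup and the cookie comparison described in the message above, as an added userspace sketch (not code from the message or from the attached patch). It assumes the cookie is written as decimal ASCII in the address prefix, which the message does not specify; sock_cookie(), bind_abstract() and cookie_prefix_matches() are hypothetical helper names, and in the proposal the comparison itself is done by the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef SO_COOKIE
#define SO_COOKIE 57 /* asm-generic value, assumed for old headers */
#endif

/* Read the kernel-assigned cookie of a socket; 0 on success. */
static int sock_cookie(int fd, uint64_t *cookie)
{
    socklen_t len = sizeof(*cookie);
    return getsockopt(fd, SOL_SOCKET, SO_COOKIE, cookie, &len);
}

/* Bind fd to the abstract name "<prefix>\0<suffix>" (decimal prefix assumed). */
static int bind_abstract(int fd, uint64_t prefix, const char *suffix)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    size_t room = sizeof(sa.sun_path) - 1, slen = strlen(suffix);
    int n = snprintf(sa.sun_path + 1, room, "%llu", (unsigned long long)prefix);
    if (n < 0 || (size_t)n + 1 + slen > room)
        return -1;
    memcpy(sa.sun_path + 1 + n + 1, suffix, slen); /* byte at [1+n] stays \0 */
    return bind(fd, (struct sockaddr *)&sa,
                offsetof(struct sockaddr_un, sun_path) + 1 + n + 1 + slen);
}

/* Userspace form of the proposed check: 1 if the bound name's prefix equals
 * the socket's own cookie, 0 if not, -1 on error. */
static int cookie_prefix_matches(int fd)
{
    struct sockaddr_un sa;
    socklen_t alen = sizeof(sa);
    char name[sizeof(sa.sun_path)] = { 0 }, *end;
    uint64_t cookie;
    if (getsockname(fd, (struct sockaddr *)&sa, &alen) < 0 || sock_cookie(fd, &cookie) < 0)
        return -1;
    if (alen <= offsetof(struct sockaddr_un, sun_path) + 1 || sa.sun_path[0])
        return 0; /* unbound, or not an abstract address */
    memcpy(name, sa.sun_path + 1, alen - offsetof(struct sockaddr_un, sun_path) - 1);
    return name[0] >= '0' && name[0] <= '9' &&
           strtoull(name, &end, 10) == cookie && *end == '\0';
}
```

A server would call sock_cookie() on its fresh socket, pass that value to bind_abstract(), and then listen(); a different socket bound to the same name after the server exits carries a different cookie, so cookie_prefix_matches() returns 0 for it.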