From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"security@kernel.org" <security@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Vasily Kulikov <segoon@openwall.com>,
Petr Matousek <pmatouse@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org,
Alex Kelly <alex.page.kelly@gmail.com>,
Josh Triplett <josh@joshtriplett.org>
Subject: Re: [PATCH 2/3] kill MMF_DUMPABLE and MMF_DUMP_SECURELY
Date: Mon, 18 Nov 2013 20:16:00 +0100 [thread overview]
Message-ID: <20131118191600.GA14679@redhat.com> (raw)
In-Reply-To: <CAGXu5jK4sJ6zwi+rPqP-FjwY4C+6gsOVUOBfN7ztu9wNQYnk4g@mail.gmail.com>
On 11/18, Kees Cook wrote:
>
> On Sat, Nov 16, 2013 at 11:01 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> > @@ -1629,24 +1628,13 @@ void set_dumpable(struct mm_struct *mm, int value)
> >
> > do {
> > old = ACCESS_ONCE(mm->flags);
> > - new = old & ~MMF_DUMPABLE_MASK;
> > -
> > - switch (value) {
> > - case SUID_DUMP_ROOT:
> > - new |= (1 << MMF_DUMP_SECURELY);
> > - case SUID_DUMP_USER:
> > - new |= (1<< MMF_DUMPABLE);
> > - }
> > -
> > + new = (old & ~MMF_DUMPABLE_MASK) | value;
>
> Just to make this safe against insane callers, perhaps mask the value as well?
Well yes, before this patch set_dumpable() silently ignored the wrong
value, perhaps you are right but see below.
> new = (old & ~MMF_DUMPABLE_MASK) | (value & MMF_DUMPABLE_MASK);
^^^^^^^^^^^^^^^^^^^^^^^^^^
this doesn't really help, with this patch "mm->flags & MMF_DUMPABLE_MASK"
has a room for yet another SUID_DUMP == 4 we do not have yet.
And I don't really like the "silently ignore" logic, so perhaps
if (WARN_ON(value > SUID_DUMP_ROOT))
return;
at the start makes more sense?
Or perhaps we do not really need the additional check? suid_dumpable
is always sane, other callers can't use the wrong value.
But I am fine either way, please tell me what do you prefer.
Oleg.
next prev parent reply other threads:[~2013-11-18 19:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20131101232521.GA23119@www.outflux.net>
[not found] ` <20131114170337.GA11068@redhat.com>
[not found] ` <CAGXu5jLXpLqjCAMFwKp7t7GpMq4+WBqNzSFC=up+CBvgGDuFCw@mail.gmail.com>
[not found] ` <20131115203652.GA13476@redhat.com>
[not found] ` <CAGXu5j+=LZYAczLVawGPAxd=9VX1FupWZq+2858GsrD1YprL3w@mail.gmail.com>
2013-11-16 19:00 ` [PATCH 0/3] get/set_dumpable() cleanups and theoretical fix Oleg Nesterov
2013-11-16 19:01 ` [PATCH 1/3] set_dumpable: fix the theoretical race with itself Oleg Nesterov
2013-11-18 16:36 ` Kees Cook
2013-11-16 19:01 ` [PATCH 2/3] kill MMF_DUMPABLE and MMF_DUMP_SECURELY Oleg Nesterov
2013-11-18 18:38 ` Kees Cook
2013-11-18 19:16 ` Oleg Nesterov [this message]
2013-11-18 19:27 ` Kees Cook
2013-11-18 19:37 ` Oleg Nesterov
2013-11-16 19:02 ` [PATCH 3/3] make __get_dumpable/get_dumpable inline, kill fs/coredump.h Oleg Nesterov
2013-11-18 18:39 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131118191600.GA14679@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=alex.page.kelly@gmail.com \
--cc=ebiederm@xmission.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=segoon@openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.