From: Oleg Nesterov <oleg@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <james.l.morris@oracle.com>,
Eric Paris <eparis@parisplace.org>,
Evan McNabb <emcnabb@redhat.com>,
Jan Stancek <jstancek@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
Date: Sat, 14 Dec 2013 17:32:56 +0100 [thread overview]
Message-ID: <20131214163256.GA21675@redhat.com> (raw)
In-Reply-To: <CAHC9VhQPn-aZ79BcO=Ljvn2V2fW9QdQ964M_yppJWoaQ-9_GLg@mail.gmail.com>
On 12/14, Paul Moore wrote:
>
> I understand your point, but I still think there is some value in
> keeping the call to ptrace_parent() rather than fetching the ptrace
> pointer on our own.
Yes, agreed, I changed my mind ;)
> However, that said, I think we should try and do something about the
> "suspicious RCU usage" you mentioned in your original posting.
Yes, this was the only motivation for this patch.
> but
> I'm curious about the removal of the task lock; shouldn't week keep
> the task lock in place?
Why? It protects nothing in this case, afaics. Unless of course it
protects cred->security somehow, but it doesn't look as if.
Probably task_lock() is here because PTRACE_ATTACH used the same lock,
but this was changed by 4b105cbbaf7c0 in 2009 (ptrace_attach() still
takes it for __ptrace_may_access() but this is another story).
However (iirc) PTRACE_DETACH never took this lock, so this was always
racy and task_lock() is simply misleading and confusing, at least
currently.
So I think the patch is fine, but I decided to send v2 without pid_alive().
If we are going to keep ptrace_parent(), it would be better to add the
comment into ptrace_parent() to explain that ->ptrace != 0 guarantees that
this task is not unhashed.
IOW, I also changed my mind about this part
The patch also checks pid_alive(p) before ptrace_parent(p) to
ensure that this task can't be dead even before rcu_read_lock(),
in this case its ->parent points to nowhere. This is not really
needed "in practice", task->ptrace must be already cleared in
this case but we should not rely on this.
in the changelog.
> > And perhaps I am wrong. Because otoh the usage of ->ptrace should be
> > avoided outside of the core kernel code.
>
> Not to muddy things up, but one could argue that this particular
> LSM/SELinux hook should be regarded as part of the "core" kernel code.
> However, I'm not sure that the distinction is really important here.
Yes, yes, sorry for confusion. I meant, the core kernel code which works
with ptrace/exit/fork/etc.
Oleg.
next prev parent reply other threads:[~2013-12-14 16:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-05 16:59 [PATCH] selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() Oleg Nesterov
2013-12-05 21:53 ` Paul Moore
2013-12-06 14:47 ` Oleg Nesterov
2013-12-14 15:16 ` Paul Moore
2013-12-14 16:32 ` Oleg Nesterov [this message]
2013-12-14 16:33 ` [PATCH v2] " Oleg Nesterov
2013-12-16 21:12 ` Paul Moore
2013-12-16 21:12 ` Paul Moore
2013-12-16 21:11 ` [PATCH] " Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131214163256.GA21675@redhat.com \
--to=oleg@redhat.com \
--cc=emcnabb@redhat.com \
--cc=eparis@parisplace.org \
--cc=james.l.morris@oracle.com \
--cc=jstancek@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.