From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, Tejun Heo <tj@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Andrew Vagin <avagin@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Pavel Emelyanov <xemul@parallels.com>,
Vasiliy Kulikov <segoon@openwall.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Julien Tinnes <jln@google.com>
Subject: Re: [rfc 4/4] prctl: PR_SET_MM -- Introduce PR_SET_MM_MAP operation, v3
Date: Thu, 24 Jul 2014 23:44:38 +0400 [thread overview]
Message-ID: <20140724194438.GD17876@moon> (raw)
In-Reply-To: <CAGXu5jL9xMQ3G-pgVneUFqx=v6C7L0-7SBTJ0_bC2B5H0BfeDQ@mail.gmail.com>
On Thu, Jul 24, 2014 at 12:31:54PM -0700, Kees Cook wrote:
...
> > +
> > +#ifdef CONFIG_STACK_GROWSUP
> > + if (may_adjust_brk(rlimit(RLIMIT_STACK),
> > + stack_vma->vm_end,
> > + prctl_map->start_stack, 0, 0))
> > +#else
> > + if (may_adjust_brk(rlimit(RLIMIT_STACK),
> > + prctl_map->start_stack,
> > + stack_vma->vm_start, 0, 0))
> > +#endif
> > + goto out;
>
> Ah! Sorry, I missed this use of may_adjust_brk here. Perhaps rename
> it, since we're not checking brk here, and pass the RLIMIT_* value to
> the function, which can look it up itself? "check_vma_rlimit" ?
Yeah, a name is a bit confusing, but I guess check_vma_rlimit() is not
much better ;-) What we do inside -- we test if a sum of two intervals
or arguments in this helper so that it won't care about the logical
context it been called from, but then realized that this would be a way
too much of unneeded complexity. So if noone else pop with better suggestion
on name i'll update it to check_vma_rlimit (because it's more general
in compare to may_adjust_brk :-).
> > +
> > + /*
> > + * Finally, make sure the caller has the rights to
> > + * change /proc/pid/exe link: only local root should
> > + * be allowed to.
> > + */
> > + if (prctl_map->exe_fd != (u32)-1) {
> > + struct user_namespace *ns = current_user_ns();
> > + const struct cred *cred = current_cred();
> > +
> > + if (!uid_eq(cred->uid, make_kuid(ns, 0)) ||
> > + !gid_eq(cred->gid, make_kgid(ns, 0)))
> > + goto out;
> > + }
>
> I got tricked for a moment here. :) I see that even if we pass this
> check, prctl_set_mm_exe_file will still do the additional checks too
> during prctl_set_mm_map. Excellent!
Yeah.
> >
> > +#ifdef CONFIG_CHECKPOINT_RESTORE
> > + if (opt == PR_SET_MM_MAP || opt == PR_SET_MM_MAP_SIZE)
> > + return prctl_set_mm_map(opt, (const void __user *)addr, arg4);
> > +#endif
> > +
> > if (!capable(CAP_SYS_RESOURCE))
> > return -EPERM;
> >
> >
>
> I think this is looking good. Thanks for the refactoring!
Thanks a huge for comments!!!
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, Tejun Heo <tj@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Andrew Vagin <avagin@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Pavel Emelyanov <xemul@parallels.com>,
Vasiliy Kulikov <segoon@openwall.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Julien Tinnes <jln@google.com>
Subject: Re: [rfc 4/4] prctl: PR_SET_MM -- Introduce PR_SET_MM_MAP operation, v3
Date: Thu, 24 Jul 2014 23:44:38 +0400 [thread overview]
Message-ID: <20140724194438.GD17876@moon> (raw)
In-Reply-To: <CAGXu5jL9xMQ3G-pgVneUFqx=v6C7L0-7SBTJ0_bC2B5H0BfeDQ@mail.gmail.com>
On Thu, Jul 24, 2014 at 12:31:54PM -0700, Kees Cook wrote:
...
> > +
> > +#ifdef CONFIG_STACK_GROWSUP
> > + if (may_adjust_brk(rlimit(RLIMIT_STACK),
> > + stack_vma->vm_end,
> > + prctl_map->start_stack, 0, 0))
> > +#else
> > + if (may_adjust_brk(rlimit(RLIMIT_STACK),
> > + prctl_map->start_stack,
> > + stack_vma->vm_start, 0, 0))
> > +#endif
> > + goto out;
>
> Ah! Sorry, I missed this use of may_adjust_brk here. Perhaps rename
> it, since we're not checking brk here, and pass the RLIMIT_* value to
> the function, which can look it up itself? "check_vma_rlimit" ?
Yeah, a name is a bit confusing, but I guess check_vma_rlimit() is not
much better ;-) What we do inside -- we test if a sum of two intervals
or arguments in this helper so that it won't care about the logical
context it been called from, but then realized that this would be a way
too much of unneeded complexity. So if noone else pop with better suggestion
on name i'll update it to check_vma_rlimit (because it's more general
in compare to may_adjust_brk :-).
> > +
> > + /*
> > + * Finally, make sure the caller has the rights to
> > + * change /proc/pid/exe link: only local root should
> > + * be allowed to.
> > + */
> > + if (prctl_map->exe_fd != (u32)-1) {
> > + struct user_namespace *ns = current_user_ns();
> > + const struct cred *cred = current_cred();
> > +
> > + if (!uid_eq(cred->uid, make_kuid(ns, 0)) ||
> > + !gid_eq(cred->gid, make_kgid(ns, 0)))
> > + goto out;
> > + }
>
> I got tricked for a moment here. :) I see that even if we pass this
> check, prctl_set_mm_exe_file will still do the additional checks too
> during prctl_set_mm_map. Excellent!
Yeah.
> >
> > +#ifdef CONFIG_CHECKPOINT_RESTORE
> > + if (opt == PR_SET_MM_MAP || opt == PR_SET_MM_MAP_SIZE)
> > + return prctl_set_mm_map(opt, (const void __user *)addr, arg4);
> > +#endif
> > +
> > if (!capable(CAP_SYS_RESOURCE))
> > return -EPERM;
> >
> >
>
> I think this is looking good. Thanks for the refactoring!
Thanks a huge for comments!!!
next prev parent reply other threads:[~2014-07-24 19:44 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-24 16:46 [rfc 0/4] prctl: set-mm -- Rework interface, v2 Cyrill Gorcunov
2014-07-24 16:46 ` Cyrill Gorcunov
2014-07-24 16:46 ` [rfc 1/4] mm: Introduce may_adjust_brk helper Cyrill Gorcunov
2014-07-24 16:46 ` Cyrill Gorcunov
2014-07-24 19:18 ` Kees Cook
2014-07-24 19:18 ` Kees Cook
2014-07-24 19:21 ` Cyrill Gorcunov
2014-07-24 19:21 ` Cyrill Gorcunov
2014-07-24 19:32 ` Serge Hallyn
2014-07-24 19:32 ` Serge Hallyn
2014-07-24 19:46 ` Cyrill Gorcunov
2014-07-24 19:46 ` Cyrill Gorcunov
2014-07-24 16:46 ` [rfc 2/4] mm: Use " Cyrill Gorcunov
2014-07-24 16:46 ` Cyrill Gorcunov
2014-07-24 16:47 ` [rfc 3/4] prctl: PR_SET_MM -- Factor out mmap_sem when update mm::exe_file Cyrill Gorcunov
2014-07-24 16:47 ` Cyrill Gorcunov
2014-07-24 16:47 ` [rfc 4/4] prctl: PR_SET_MM -- Introduce PR_SET_MM_MAP operation, v3 Cyrill Gorcunov
2014-07-24 16:47 ` Cyrill Gorcunov
2014-07-24 19:31 ` Kees Cook
2014-07-24 19:31 ` Kees Cook
2014-07-24 19:44 ` Cyrill Gorcunov [this message]
2014-07-24 19:44 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140724194438.GD17876@moon \
--to=gorcunov@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=avagin@openvz.org \
--cc=ebiederm@xmission.com \
--cc=hpa@zytor.com \
--cc=jln@google.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mtk.manpages@gmail.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.