From: Cyrill Gorcunov <gorcunov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
Andrew Morton
<akpm-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
Andrew Vagin <avagin-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>,
Pavel Emelyanov <xemul-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>,
Michael Kerrisk
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Kirill Kolyshkin <kir-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>,
Andrey Vagin <avagin-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Subject: Re: [RFC 1/2] fs,eventpoll: Add ability to install target file by its number
Date: Fri, 17 Feb 2017 20:11:36 +0300 [thread overview]
Message-ID: <20170217171136.GA23766@uranus> (raw)
In-Reply-To: <CALCETrUOaNaS6yAhLM9jLb8PD2eg2ZwXfu4v327aAOy82SbLwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Fri, Feb 17, 2017 at 08:52:59AM -0800, Andy Lutomirski wrote:
> >
> > To resolve this tie lets add EPOLL_CTL_DUP operation which simply takes
> > target file descriptor number and installs it into a caller's file table,
> > thus we can use kcmp() syscall and figure out which exactly file to be
> > added into eventpoll on restore procedure.
>
> This is a scary thing to let an unprivileged process do.
>
> I'm wondering if there might be a nicer way to address this using a
> better interface in /proc.
Well, I tend to agree. Need to add security checking if the target
file is accessable by a caller. As to better interface to procfs
nothing comes to mind immediately. Another potential problem is that
since it is never guaranteed that target file number listed in fdinfo
matching existing /proc/pid/fd/N, so that I think we will have to
use this dup functionality for every target file, which of course
not that fast. Probably need to think more if I manage to invent
some better and faster interface to find where exactly target file
belong in the whole process tree of a container.
Thanks for pointing about this security problem, Andy!
WARNING: multiple messages have this Message-ID (diff)
From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux FS Devel <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linuxfoundation.org>,
Andrew Vagin <avagin@virtuozzo.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Kirill Kolyshkin <kir@openvz.org>,
Andrey Vagin <avagin@openvz.org>
Subject: Re: [RFC 1/2] fs,eventpoll: Add ability to install target file by its number
Date: Fri, 17 Feb 2017 20:11:36 +0300 [thread overview]
Message-ID: <20170217171136.GA23766@uranus> (raw)
In-Reply-To: <CALCETrUOaNaS6yAhLM9jLb8PD2eg2ZwXfu4v327aAOy82SbLwg@mail.gmail.com>
On Fri, Feb 17, 2017 at 08:52:59AM -0800, Andy Lutomirski wrote:
> >
> > To resolve this tie lets add EPOLL_CTL_DUP operation which simply takes
> > target file descriptor number and installs it into a caller's file table,
> > thus we can use kcmp() syscall and figure out which exactly file to be
> > added into eventpoll on restore procedure.
>
> This is a scary thing to let an unprivileged process do.
>
> I'm wondering if there might be a nicer way to address this using a
> better interface in /proc.
Well, I tend to agree. Need to add security checking if the target
file is accessable by a caller. As to better interface to procfs
nothing comes to mind immediately. Another potential problem is that
since it is never guaranteed that target file number listed in fdinfo
matching existing /proc/pid/fd/N, so that I think we will have to
use this dup functionality for every target file, which of course
not that fast. Probably need to think more if I manage to invent
some better and faster interface to find where exactly target file
belong in the whole process tree of a container.
Thanks for pointing about this security problem, Andy!
next prev parent reply other threads:[~2017-02-17 17:11 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-17 8:30 [RFC 1/2] fs,eventpoll: Add ability to install target file by its number Cyrill Gorcunov
[not found] ` <20170217083324.627615532-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
2017-02-17 16:52 ` Andy Lutomirski
2017-02-17 16:52 ` Andy Lutomirski
[not found] ` <CALCETrUOaNaS6yAhLM9jLb8PD2eg2ZwXfu4v327aAOy82SbLwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-17 17:11 ` Cyrill Gorcunov [this message]
2017-02-17 17:11 ` Cyrill Gorcunov
2017-02-17 17:20 ` Andy Lutomirski
[not found] ` <CALCETrUmUOXL=72SA-pqNhQda0ic946UNnWUe_vwSHVruiyFfg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-17 18:01 ` Cyrill Gorcunov
2017-02-17 18:01 ` Cyrill Gorcunov
2017-02-17 18:34 ` Jason Baron
2017-02-17 19:45 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170217171136.GA23766@uranus \
--to=gorcunov-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=akpm-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=avagin-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org \
--cc=avagin-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=kir-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
--cc=xemul-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.