From: Pierre Morel <pmorel@linux.vnet.ibm.com>
To: Oleg Nesterov <oleg@tv-sign.ru>
Cc: sameske@linux.vnet.ibm.com,
uml-devel <user-mode-linux-devel@lists.sourceforge.net>,
gregkh@suse.de, Heiko Carstens <heicars2@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org,
Dave Hansen <dave@linux.vnet.ibm.com>,
Daniel Lezcano <dlezcano@fr.ibm.com>,
Cedric Le Goater <clg@fr.ibm.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@elte.hu>, Roland McGrath <roland@redhat.com>
Subject: Re: [uml-devel] [PATCH 1/1] system call notification with self_ptrace
Date: Wed, 10 Sep 2008 17:11:37 +0200 [thread overview]
Message-ID: <48C7E3A9.3060602@linux.vnet.ibm.com> (raw)
In-Reply-To: <20080909124302.GA139@tv-sign.ru>
Hello,
Oleg Nesterov wrote:
> On 09/08, Pierre Morel wrote:
>
>> --- linux-2.6.26.orig/arch/s390/kernel/signal.c
>> +++ linux-2.6.26/arch/s390/kernel/signal.c
>> @@ -409,6 +409,11 @@ handle_signal(unsigned long sig, struct
>> spin_unlock_irq(¤t->sighand->siglock);
>> }
>>
>> + if (current->instrumentation) {
>> + clear_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation &= ~PTS_SELF;
>> + }
>> +
>> return ret;
>> }
>>
>
> I still think this patch shouldn't change handle_signal().
>
> Once again. The signal handler for SIGSYS can first do
> sys_ptrace(PTRACE_SELF_OFF) (which is filtered out), and then use any
> other syscall, so this change is not needed, afaics.
>
Yes it can but what if the application forget to do it?
It is a security so that the application do not bounce for ever.
> The overhead of the additional PTRACE_SELF_OFF syscall is very small,
> especially compared to signal delivery. I don't think this functionality
> will be widely used, but this change adds the unconditional overhead
> to handle_signal().
>
> Btw, the check above looks wrong, shouldn't it be
>
> if (current->instrumentation & PTS_SELF)
>
> ?
>
Yes you are right, in fact I do not need two flags, I will remove
the PTS_INSTRUMENTED flag.
> And. According to the prior discussion, this requires to hook every
> signal handler in user space, otherwise we can miss syscall. But every
> hook should start with PTRACE_SELF_ON, so I can't see any gain.
>
>
>> +#define PTS_INSTRUMENTED 0x00000001
>> +#define PTS_SELF 0x00000002
>>
>
> I don't really understand why do we need 2 flags, see also below,
>
Yes, I remove PTS_INSTRUMENTED, a bad idea.
>
>> --- linux-2.6.26.orig/kernel/ptrace.c
>> +++ linux-2.6.26/kernel/ptrace.c
>> @@ -543,6 +543,38 @@ asmlinkage long sys_ptrace(long request,
>> * This lock_kernel fixes a subtle race with suid exec
>> */
>> lock_kernel();
>> + if (request == PTRACE_SELF_ON) {
>> + task_lock(current);
>> + if (current->ptrace) {
>> + task_unlock(current);
>> + ret = -EPERM;
>> + goto out;
>> + }
>> + set_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation |= PTS_INSTRUMENTED|PTS_SELF;
>> + task_unlock(current);
>> + ret = 0;
>> + goto out;
>>
>
> The code looks strange. How about
>
> if (request == PTRACE_SELF_ON) {
> ret = -EPERM;
> task_lock(current);
> if (!current->ptrace) {
> set_thread_flag(TIF_SYSCALL_TRACE);
> current->instrumentation |= PTS_INSTRUMENTED|PTS_SELF;
> ret = 0;
> }
> task_unlock(current);
> goto out;
> }
>
> ?
>
> I don't understand how task_lock() can help. This code runs under
> lock_kernel(), and without this lock the code is racy anyway.
>
I use task_lock to protect the current->ptrace bit-field which can be
accessed by another thread, like the one you pointed out previously.
I agree it is not necessary with lock_kernel().
I will put the code before the lock_kernel() to be more efficient.
>
>> + }
>> + if (request == PTRACE_SELF_OFF) {
>> + task_lock(current);
>> + if (current->ptrace) {
>> + task_unlock(current);
>> + ret = -EPERM;
>> + goto out;
>> + }
>> + clear_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation &= ~PTS_SELF;
>>
>
> So. PTRACE_SELF_OFF doesn't clear PTS_INSTRUMENTED? How can the task
> reset ->instrumentation ?
>
You are right again, I will remove the PTS_INSTRUMENTED flag.
>
>> + if (current->instrumentation) {
>> + ret = -EPERM;
>> + goto out;
>> + }
>>
>
> So, PTRACE_SELF_XXX disables the "normal" ptrace. Not sure this is good.
>
I think that having two tracing system one over the other may be
quite difficult to handle.
Pierre
> Oleg.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
=============
Pierre Morel
RTOS and Embedded Linux
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
User-mode-linux-devel mailing list
User-mode-linux-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
WARNING: multiple messages have this Message-ID (diff)
From: Pierre Morel <pmorel@linux.vnet.ibm.com>
To: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, Roland McGrath <roland@redhat.com>,
Heiko Carstens <heicars2@linux.vnet.ibm.com>,
sameske@linux.vnet.ibm.com,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Ingo Molnar <mingo@elte.hu>,
gregkh@suse.de,
uml-devel <user-mode-linux-devel@lists.sourceforge.net>,
Dave Hansen <dave@linux.vnet.ibm.com>,
Cedric Le Goater <clg@fr.ibm.com>,
Daniel Lezcano <dlezcano@fr.ibm.com>
Subject: Re: [PATCH 1/1] system call notification with self_ptrace
Date: Wed, 10 Sep 2008 17:11:37 +0200 [thread overview]
Message-ID: <48C7E3A9.3060602@linux.vnet.ibm.com> (raw)
In-Reply-To: <20080909124302.GA139@tv-sign.ru>
Hello,
Oleg Nesterov wrote:
> On 09/08, Pierre Morel wrote:
>
>> --- linux-2.6.26.orig/arch/s390/kernel/signal.c
>> +++ linux-2.6.26/arch/s390/kernel/signal.c
>> @@ -409,6 +409,11 @@ handle_signal(unsigned long sig, struct
>> spin_unlock_irq(¤t->sighand->siglock);
>> }
>>
>> + if (current->instrumentation) {
>> + clear_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation &= ~PTS_SELF;
>> + }
>> +
>> return ret;
>> }
>>
>
> I still think this patch shouldn't change handle_signal().
>
> Once again. The signal handler for SIGSYS can first do
> sys_ptrace(PTRACE_SELF_OFF) (which is filtered out), and then use any
> other syscall, so this change is not needed, afaics.
>
Yes it can but what if the application forget to do it?
It is a security so that the application do not bounce for ever.
> The overhead of the additional PTRACE_SELF_OFF syscall is very small,
> especially compared to signal delivery. I don't think this functionality
> will be widely used, but this change adds the unconditional overhead
> to handle_signal().
>
> Btw, the check above looks wrong, shouldn't it be
>
> if (current->instrumentation & PTS_SELF)
>
> ?
>
Yes you are right, in fact I do not need two flags, I will remove
the PTS_INSTRUMENTED flag.
> And. According to the prior discussion, this requires to hook every
> signal handler in user space, otherwise we can miss syscall. But every
> hook should start with PTRACE_SELF_ON, so I can't see any gain.
>
>
>> +#define PTS_INSTRUMENTED 0x00000001
>> +#define PTS_SELF 0x00000002
>>
>
> I don't really understand why do we need 2 flags, see also below,
>
Yes, I remove PTS_INSTRUMENTED, a bad idea.
>
>> --- linux-2.6.26.orig/kernel/ptrace.c
>> +++ linux-2.6.26/kernel/ptrace.c
>> @@ -543,6 +543,38 @@ asmlinkage long sys_ptrace(long request,
>> * This lock_kernel fixes a subtle race with suid exec
>> */
>> lock_kernel();
>> + if (request == PTRACE_SELF_ON) {
>> + task_lock(current);
>> + if (current->ptrace) {
>> + task_unlock(current);
>> + ret = -EPERM;
>> + goto out;
>> + }
>> + set_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation |= PTS_INSTRUMENTED|PTS_SELF;
>> + task_unlock(current);
>> + ret = 0;
>> + goto out;
>>
>
> The code looks strange. How about
>
> if (request == PTRACE_SELF_ON) {
> ret = -EPERM;
> task_lock(current);
> if (!current->ptrace) {
> set_thread_flag(TIF_SYSCALL_TRACE);
> current->instrumentation |= PTS_INSTRUMENTED|PTS_SELF;
> ret = 0;
> }
> task_unlock(current);
> goto out;
> }
>
> ?
>
> I don't understand how task_lock() can help. This code runs under
> lock_kernel(), and without this lock the code is racy anyway.
>
I use task_lock to protect the current->ptrace bit-field which can be
accessed by another thread, like the one you pointed out previously.
I agree it is not necessary with lock_kernel().
I will put the code before the lock_kernel() to be more efficient.
>
>> + }
>> + if (request == PTRACE_SELF_OFF) {
>> + task_lock(current);
>> + if (current->ptrace) {
>> + task_unlock(current);
>> + ret = -EPERM;
>> + goto out;
>> + }
>> + clear_thread_flag(TIF_SYSCALL_TRACE);
>> + current->instrumentation &= ~PTS_SELF;
>>
>
> So. PTRACE_SELF_OFF doesn't clear PTS_INSTRUMENTED? How can the task
> reset ->instrumentation ?
>
You are right again, I will remove the PTS_INSTRUMENTED flag.
>
>> + if (current->instrumentation) {
>> + ret = -EPERM;
>> + goto out;
>> + }
>>
>
> So, PTRACE_SELF_XXX disables the "normal" ptrace. Not sure this is good.
>
I think that having two tracing system one over the other may be
quite difficult to handle.
Pierre
> Oleg.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
=============
Pierre Morel
RTOS and Embedded Linux
next prev parent reply other threads:[~2008-09-10 15:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-08 12:02 [uml-devel] [PATCH 1/1] system call notification with self_ptrace Pierre Morel
2008-09-08 12:02 ` Pierre Morel
2008-09-09 0:04 ` Andrew Morton
2008-09-09 0:04 ` [uml-devel] " Andrew Morton
2008-09-10 14:17 ` Pierre Morel
2008-09-10 14:17 ` [uml-devel] " Pierre Morel
2008-09-09 12:43 ` Oleg Nesterov
2008-09-09 12:43 ` Oleg Nesterov
2008-09-10 15:11 ` Pierre Morel [this message]
2008-09-10 15:11 ` Pierre Morel
2008-09-10 16:20 ` [uml-devel] " Oleg Nesterov
2008-09-10 16:20 ` Oleg Nesterov
2008-09-10 16:23 ` [uml-devel] " Dave Hansen
2008-09-10 16:23 ` Dave Hansen
2008-09-12 12:22 ` [uml-devel] " Pierre Morel
2008-09-12 12:22 ` Pierre Morel
2008-09-12 12:19 ` [uml-devel] " Pierre Morel
2008-09-12 12:19 ` Pierre Morel
2008-09-12 14:32 ` [uml-devel] " Oleg Nesterov
2008-09-12 14:32 ` Oleg Nesterov
2008-09-10 16:19 ` [uml-devel] " Dave Hansen
2008-09-10 16:19 ` Dave Hansen
2008-09-12 12:30 ` [uml-devel] " Pierre Morel
2008-09-12 12:30 ` Pierre Morel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48C7E3A9.3060602@linux.vnet.ibm.com \
--to=pmorel@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=clg@fr.ibm.com \
--cc=dave@linux.vnet.ibm.com \
--cc=dlezcano@fr.ibm.com \
--cc=gregkh@suse.de \
--cc=heicars2@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@tv-sign.ru \
--cc=roland@redhat.com \
--cc=sameske@linux.vnet.ibm.com \
--cc=schwidefsky@de.ibm.com \
--cc=user-mode-linux-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.