From: Florian Weimer <fweimer@redhat.com>
To: "Jürg Billeter" <j@bitron.ch>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Eric Biederman <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@kernel.org>,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT
Date: Sat, 01 Dec 2018 13:28:37 +0100 [thread overview]
Message-ID: <878t19o2h6.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <e92ab3c06fe42fc9872261999623be19e2b0a294.camel@bitron.ch> ("Jürg Billeter"'s message of "Sat, 01 Dec 2018 10:39:28 +0000")
* Jürg Billeter:
> On Fri, 2018-11-30 at 14:40 +0100, Florian Weimer wrote:
>> * Jürg Billeter:
>>
>> > This introduces a new thread group flag that can be set by calling
>> >
>> > prctl(PR_SET_KILL_DESCENDANTS_ON_EXIT, 1, 0, 0, 0)
>> >
>> > When a thread group exits with this flag set, it will send SIGKILL to
>> > all descendant processes. This can be used to prevent stray child
>> > processes.
>> >
>> > This flag is cleared on privilege gaining execve(2) to ensure an
>> > unprivileged process cannot get a privileged process to send SIGKILL.
>>
>> So this is inherited across regular execve? I'm not sure that's a good
>> idea.
>
> Yes, this matches PR_SET_CHILD_SUBREAPER (and other process
> attributes). Besides consistency and allowing a parent to configure the
> flag for a spawned process, this is also needed to prevent a process
> from clearing the flag (in combination with a seccomp filter).
I think the semantics of PR_SET_CHILD_SUBREAPER are different, and the
behavior makes more sense there.
>> > Descendants that are orphaned and reparented to an ancestor of the
>> > current process before the current process exits, will not be killed.
>> > PR_SET_CHILD_SUBREAPER can be used to contain orphaned processes.
>>
>> For double- or triple-forking daemons, the reparenting will be racy, if
>> I understand things correctly.
>
> Can you please elaborate, if you're concerned about a particular race?
> As the commit message mentions, for containment this flag can be
> combined with PR_SET_CHILD_SUBREAPER (and PR_SET_NO_NEW_PRIVS).
Without PR_SET_CHILD_SUBREAPER, if a newly execve'ed daemon performs
double/triple forking to disentangle itself from the parent process
session, and the parent process which set
PR_SET_KILL_DESCENDANTS_ON_EXIT terminates, behavior depends on when
exactly the parent process terminates. The daemon process will leak if
it has completed its reparenting.
I think this could be sufficiently common that solution is needed here.
Thanks,
Florian
next prev parent reply other threads:[~2018-12-01 12:28 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-27 22:54 [PATCH 0/1] Add prctl to kill descendants on exit Jürg Billeter
2018-11-27 22:54 ` [PATCH] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT Jürg Billeter
2018-11-28 14:42 ` Oleg Nesterov
2018-11-28 15:23 ` Eric W. Biederman
2018-11-29 12:34 ` Oleg Nesterov
2018-11-29 15:41 ` Jürg Billeter
2018-11-30 10:33 ` Oleg Nesterov
2018-12-01 4:28 ` Kees Cook
2018-11-30 8:00 ` [PATCH v2 0/1] Add prctl to kill descendants on exit Jürg Billeter
2018-11-30 8:00 ` [PATCH v2 1/1] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT Jürg Billeter
2018-11-30 11:22 ` Oleg Nesterov
2018-11-30 13:40 ` Florian Weimer
2018-12-01 10:39 ` Jürg Billeter
2018-12-01 12:28 ` Florian Weimer [this message]
2018-12-01 13:57 ` Jürg Billeter
2018-12-06 15:54 ` [PATCH v2 0/1] Add prctl to kill descendants on exit Jürg Billeter
2019-01-18 13:11 ` [RESEND PATCH " Jürg Billeter
2019-01-18 13:11 ` [RESEND PATCH v2 1/1] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT Jürg Billeter
2019-01-29 1:23 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878t19o2h6.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=j@bitron.ch \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.