From: ebiederm@xmission.com (Eric W. Biederman)
To: David Hildenbrand <david@redhat.com>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Alexey Dobriyan" <adobriyan@gmail.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Alexander Shishkin" <alexander.shishkin@linux.intel.com>,
"Jiri Olsa" <jolsa@redhat.com>,
"Namhyung Kim" <namhyung@kernel.org>,
"Petr Mladek" <pmladek@suse.com>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
"Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
"Kees Cook" <keescook@chromium.org>,
"Greg Ungerer" <gerg@linux-m68k.org>,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
"Mike Rapoport" <rppt@kernel.org>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Vincenzo Frascino" <vincenzo.frascino@arm.com>,
"Chinwen Chang" <chinwen.chang@mediatek.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Huang Ying" <ying.huang@intel.com>,
"Jann Horn" <jannh@google.com>, "Feng Tang" <feng.tang@intel.com>,
"Kevin Brodsky" <Kevin.Brodsky@arm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Shawn Anastasio" <shawn@anastas.io>,
"Steven Price" <steven.price@arm.com>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Christian Brauner" <christian.brauner@ubuntu.com>,
"Jens Axboe" <axboe@kernel.dk>,
"Gabriel Krisman Bertazi" <krisman@collabora.com>,
"Peter Xu" <peterx@redhat.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Shakeel Butt" <shakeelb@google.com>,
"Marco Elver" <elver@google.com>,
"Daniel Jordan" <daniel.m.jordan@oracle.com>,
"Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
"Thomas Cedeno" <thomascedeno@google.com>,
"Michal Hocko" <mhocko@suse.com>,
"Miklos Szeredi" <miklos@szeredi.hu>,
"Chengguang Xu" <cgxu519@mykernel.net>,
"Christian König" <ckoenig.leichtzumerken@gmail.com>,
"Florian Weimer" <fweimer@redhat.com>,
"David Laight" <David.Laight@aculab.com>,
linux-unionfs@vger.kernel.org,
"Linux API" <linux-api@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>
Subject: Re: [PATCH v2 2/7] kernel/fork: factor out replacing the current MM exe_file
Date: Fri, 20 Aug 2021 09:36:12 -0500 [thread overview]
Message-ID: <87o89srxnn.fsf@disp2133> (raw)
In-Reply-To: <d90a7dfd-11c8-c4e1-1c59-91aad5a7f08e@redhat.com> (David Hildenbrand's message of "Fri, 20 Aug 2021 10:46:45 +0200")
David Hildenbrand <david@redhat.com> writes:
> On 19.08.21 22:51, Linus Torvalds wrote:
>> So I like this series.
>>
>> However, logically, I think this part in replace_mm_exe_file() no
>> longer makes sense:
>>
>> On Mon, Aug 16, 2021 at 12:50 PM David Hildenbrand <david@redhat.com> wrote:
>>>
>>> + /* Forbid mm->exe_file change if old file still mapped. */
>>> + old_exe_file = get_mm_exe_file(mm);
>>> + if (old_exe_file) {
>>> + mmap_read_lock(mm);
>>> + for (vma = mm->mmap; vma && !ret; vma = vma->vm_next) {
>>> + if (!vma->vm_file)
>>> + continue;
>>> + if (path_equal(&vma->vm_file->f_path,
>>> + &old_exe_file->f_path))
>>> + ret = -EBUSY;
>>> + }
>>> + mmap_read_unlock(mm);
>>> + fput(old_exe_file);
>>> + if (ret)
>>> + return ret;
>>> + }
>>
>> and should just be removed.
>>
>> NOTE! I think it makes sense within the context of this patch (where
>> you just move code around), but that it should then be removed in the
>> next patch that does that "always deny write access to current MM
>> exe_file" thing.
>>
>> I just quoted it in the context of this patch, since the next patch
>> doesn't actually show this code any more.
>>
>> In the *old* model - where the ETXTBUSY was about the mmap() of the
>> file - the above tests make sense.
>>
>> But in the new model, walking the mappings just doesn't seem to be a
>> sensible operation any more. The mappings simply aren't what ETXTBUSY
>> is about in the new world order, and so doing that mapping walk seems
>> nonsensical.
>>
>> Hmm?
>
> I think this is somewhat another kind of "stop user space trying
> to do stupid things" thingy, not necessarily glued to ETXTBUSY:
> don't allow replacing exe_file if that very file is still mapped
> and consequently eventually still in use by the application.
>
> I don't think it necessarily has many things to do with ETXTBUSY:
> we only check if there is a VMA mapping that file, not that it's
> a VM_DENYWRITE mapping.
>
> That code originates from
>
> commit 4229fb1dc6843c49a14bb098719f8a696cdc44f8
> Author: Konstantin Khlebnikov <khlebnikov@openvz.org>
> Date: Wed Jul 11 14:02:11 2012 -0700
>
> c/r: prctl: less paranoid prctl_set_mm_exe_file()
>
> "no other files mapped" requirement from my previous patch (c/r: prctl:
> update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal) is too
> paranoid, it forbids operation even if there mapped one shared-anon vma.
> Let's check that current mm->exe_file already unmapped, in this case
> exe_file symlink already outdated and its changing is reasonable.
>
>
> The statement "exe_file symlink already outdated and its
> changing is reasonable" somewhat makes sense.
>
>
> Long story short, I think this check somehow makes a bit of sense, but
> we wouldn't lose too much if we drop it -- just another sanity check.
>
> Your call :)
There has been quite a bit of conversation of the years about how bad is
it to allow changing /proc/self/exe as some userspace depends on it.
I think this check is there to keep from changing /proc/self/exe
arbitrarily.
Maybe it is all completely silly and we should not care about the code
that thinks /proc/self/exe is a reliable measure of anything, but short
of that I think we should either keep the code or put in some careful
thought as to which restrictions make sense when changing
/proc/self/exe.
Eric
next prev parent reply other threads:[~2021-08-20 14:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-16 19:48 [PATCH v2 0/7] Remove in-tree usage of MAP_DENYWRITE David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 1/7] binfmt: don't use MAP_DENYWRITE when loading shared libraries via uselib() David Hildenbrand
2021-09-05 15:32 ` Guenter Roeck
2021-09-05 17:17 ` Linus Torvalds
2021-09-05 19:07 ` David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 2/7] kernel/fork: factor out replacing the current MM exe_file David Hildenbrand
2021-08-19 20:51 ` Linus Torvalds
2021-08-20 8:46 ` David Hildenbrand
2021-08-20 14:36 ` Eric W. Biederman [this message]
2021-08-22 17:58 ` Linus Torvalds
2021-08-16 19:48 ` [PATCH v2 3/7] kernel/fork: always deny write access to " David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 4/7] binfmt: remove in-tree usage of MAP_DENYWRITE David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 5/7] mm: remove VM_DENYWRITE David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 6/7] mm: ignore MAP_DENYWRITE in ksys_mmap_pgoff() David Hildenbrand
2021-08-16 19:48 ` [PATCH v2 7/7] fs: update documentation of get_write_access() and friends David Hildenbrand
2021-08-17 11:01 ` [PATCH v2 0/7] Remove in-tree usage of MAP_DENYWRITE Christian König
2021-09-03 9:45 ` David Hildenbrand
2021-09-03 16:26 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o89srxnn.fsf@disp2133 \
--to=ebiederm@xmission.com \
--cc=David.Laight@aculab.com \
--cc=Kevin.Brodsky@arm.com \
--cc=Nicolas.Viennot@twosigma.com \
--cc=acme@kernel.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=axboe@kernel.dk \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=cgxu519@mykernel.net \
--cc=chinwen.chang@mediatek.com \
--cc=christian.brauner@ubuntu.com \
--cc=ckoenig.leichtzumerken@gmail.com \
--cc=daniel.m.jordan@oracle.com \
--cc=david@redhat.com \
--cc=elver@google.com \
--cc=feng.tang@intel.com \
--cc=fweimer@redhat.com \
--cc=geert@linux-m68k.org \
--cc=gerg@linux-m68k.org \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jolsa@redhat.com \
--cc=keescook@chromium.org \
--cc=krisman@collabora.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=mark.rutland@arm.com \
--cc=mhocko@suse.com \
--cc=miklos@szeredi.hu \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=namhyung@kernel.org \
--cc=npiggin@gmail.com \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=sergey.senozhatsky@gmail.com \
--cc=shakeelb@google.com \
--cc=shawn@anastas.io \
--cc=steven.price@arm.com \
--cc=surenb@google.com \
--cc=tglx@linutronix.de \
--cc=thomascedeno@google.com \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=vincenzo.frascino@arm.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.