From mboxrd@z Thu Jan 1 00:00:00 1970
From: Oleg Nesterov
Subject: Re: exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc//* files across execve)
Date: Sun, 11 Mar 2012 19:20:07 +0100
Message-ID: <20120311182007.GA5601@redhat.com>
References: <1331421919-15499-1-git-send-email-tixxdz@opendz.org> <20120311103532.GA26980@openwall.com>
Reply-To: kernel-hardening@lists.openwall.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Linus Torvalds, Djalal Harouni, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Andrew Morton, Al Viro, Alexey Dobriyan, "Eric W. Biederman", Vasiliy Kulikov, Kees Cook, WANG Cong, James Morris, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alan Cox, Greg KH, Ingo Molnar, Stephen Wilson, "Jason A. Donenfeld"
To: Solar Designer
Content-Disposition: inline
In-Reply-To: <20120311103532.GA26980@openwall.com>
List-Id: linux-fsdevel.vger.kernel.org

On 03/11, Solar Designer wrote:
>
> Actually, the original/historical purpose of the exec_id stuff was to
> protect privileged parent processes (those having done a SUID/SGID exec)
> from non-standard child exit signals, which could be set with clone().
> I think we may want to audit the current implementation and see if it
> still fully achieves the goal or maybe not (and fix it if not).

Funny that, I noticed this message only after I sent the question about
the current exec_id stuff.

> I include below pieces of the prototype implementation from
> linux-2.2.12-ow6.tar.gz released in 1999.

Perhaps I missed something, but ignoring the "cap_raised" issues, this
all is very simple. de_thread() should simply do:

	struct task_struct *p;

	current->exit_signal = SIGCHLD;

	read_lock(&tasklist_lock);
	list_for_each_entry(p, &current->children, sibling)
		p->exit_signal = SIGCHLD;
	read_unlock(&tasklist_lock);

The only problem is CLONE_PARENT.

Oleg.
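The following user-space program is an added illustration, not code from this thread or from the kernel: it shows the clone(2) termination-signal mechanism the discussion is about, i.e. that a child created with a non-SIGCHLD exit signal delivers exactly that signal to its parent when it exits, which is what the proposed reset of exit_signal to SIGCHLD in de_thread() neutralises for a parent that has just executed a set-uid program. It assumes Linux with the glibc clone() wrapper; the function name and the 64 KiB child stack size are choices made for the example.

```c
/* Added example: observe which signal a parent receives when a child
 * created via clone(2) with a custom termination signal exits.
 * Linux only; uses the glibc clone() wrapper. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t received_signal = 0;

static void record_signal(int signo) { received_signal = signo; }

/* Child body: do nothing and exit immediately. */
static int child_fn(void *arg) { (void)arg; return 0; }

/* Spawn a child whose termination signal is `exit_signal`, reap it, and
 * return the signal the parent actually received (0 if none, -1 on error). */
int parent_signal_after_child_exit(int exit_signal)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_signal;
    sa.sa_flags = SA_RESTART;          /* keep waitpid() going after the handler runs */
    sigemptyset(&sa.sa_mask);
    if (sigaction(exit_signal, &sa, NULL) != 0)
        return -1;
    received_signal = 0;

    const size_t stack_size = 64 * 1024;   /* example stack size, not from the thread */
    char *stack = malloc(stack_size);
    if (stack == NULL)
        return -1;

    /* The low byte of the clone() flags is the child's exit_signal: this is the
     * field a privileged parent is exposed to if it is not reset on exec. */
    pid_t pid = clone(child_fn, stack + stack_size, exit_signal, NULL);
    if (pid < 0) { free(stack); return -1; }

    /* __WALL is required to wait for a child whose exit signal is not SIGCHLD. */
    while (waitpid(pid, NULL, __WALL) < 0 && errno == EINTR)
        ;
    free(stack);
    return received_signal;   /* the pending signal is delivered before waitpid() returns */
}
```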