linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Andrew Morton <akpm@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Vasiliy Kulikov <segoon@openwall.com>,
	Kees Cook <keescook@chromium.org>,
	Solar Designer <solar@openwall.com>,
	WANG Cong <xiyou.wangcong@gmail.com>,
	James Morris <james.l.morris@oracle.com>,
	Oleg Nesterov <oleg@redhat.com>,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
	Stephen Wilson <wilsons@start.ca>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Sat, 10 Mar 2012 16:01:09 -0800	[thread overview]
Message-ID: <CA+55aFwdOgt=C52APPyvnAitcWNbzu-uXRi43m4bLS85oDgtqA@mail.gmail.com> (raw)
In-Reply-To: <1331421919-15499-1-git-send-email-tixxdz@opendz.org>

On Sat, Mar 10, 2012 at 3:25 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
>
> 1) Use the target exec_id to bind files to their exec_id task:
>
> For the REG files /proc/<pid>/{environ,pagemap,mem} we set the exec_id
> of the proc_file_private to the target task, and we continue with
> permission checks at open time, later on each read/write call the
> permission checks are done + check the target exec_id if it equals the
> exec_id of the proc_file_private that was set at open time, in other words
> we bind the file to its task's exec_id, this way new exec programs can not
> operate on the passed fd.

So the exec_id approach was totally broken when it was used for
/proc/<pid>/mem, is there any reason to believe it's a good idea now?

It's entirely predictable, and you can make the exec_id match by
simply forking elsewhere and then passing the fd around using unix
domain sockets, since the exec_id is just updated by incrementing a
counter.

I would in general suggest strongly against using exec_id for anything
that involves files. It isn't designed for that, it's designed for the
whole "check the parent exec_id" thing for ptrace, where that whole
"pass things around to another process" approach doesn't work.

                Linus

  parent reply	other threads:[~2012-03-11  0:01 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-03-10 23:25 [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 1/9] exec: add a global execve counter Djalal Harouni
2012-03-11  0:12   ` Linus Torvalds
2012-03-11  0:36     ` Linus Torvalds
2012-03-11  0:58       ` Linus Torvalds
2012-03-11  8:24         ` Solar Designer
2012-03-11  9:56           ` Ingo Molnar
2012-03-11 14:03       ` Alan Cox
2012-03-11 17:15         ` Djalal Harouni
2012-03-11  8:39     ` Djalal Harouni
2012-03-11  9:40     ` Solar Designer
2012-03-11 17:25   ` Oleg Nesterov
2012-03-11 17:49     ` self_exec_id/parent_exec_id && CLONE_PARENT Oleg Nesterov
2012-03-11 18:02       ` Linus Torvalds
2012-03-11 18:37         ` richard -rw- weinberger
2012-03-11 18:39           ` Oleg Nesterov
2012-03-14 18:55         ` [PATCH 0/1] (Was: self_exec_id/parent_exec_id && CLONE_PARENT) Oleg Nesterov
2012-03-14 18:55           ` [PATCH 1/1] CLONE_PARENT shouldn't allow to set ->exit_signal Oleg Nesterov
2012-03-18 18:25             ` Linus Torvalds
2012-03-18 20:53               ` Oleg Nesterov
2012-03-11 22:48     ` [PATCH 1/9] exec: add a global execve counter Linus Torvalds
2012-03-11 23:32       ` Djalal Harouni
2012-03-11 23:42         ` Linus Torvalds
2012-03-12  0:25           ` Djalal Harouni
2012-03-12 10:11             ` Linus Torvalds
2012-03-12 14:01               ` Djalal Harouni
2012-03-11 23:36     ` Djalal Harouni
2012-03-12 14:34       ` Oleg Nesterov
2012-03-10 23:25 ` [PATCH 2/9] proc: add proc_file_private struct to store private information Djalal Harouni
2012-03-10 23:25 ` [PATCH 3/9] proc: new proc_exec_id_ok() helper function Djalal Harouni
2012-03-10 23:25 ` [PATCH 4/9] proc: protect /proc/<pid>/* INF files from reader across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 5/9] proc: add protection support for /proc/<pid>/* ONE files Djalal Harouni
2012-03-10 23:25 ` [PATCH 6/9] proc: protect /proc/<pid>/* ONE files from reader across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 7/9] proc: protect /proc/<pid>/{maps,smaps,numa_maps} Djalal Harouni
2012-03-10 23:25 ` [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve Djalal Harouni
2012-03-11  8:05   ` Alexey Dobriyan
2012-03-11 17:01     ` Djalal Harouni
2012-03-10 23:25 ` [PATCH 9/9] proc: improve and clean up /proc/<pid>/mem protection Djalal Harouni
2012-03-11  0:01 ` Linus Torvalds [this message]
2012-03-11  0:27   ` [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-11  8:46   ` Djalal Harouni
2012-03-11 10:35   ` exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve) Solar Designer
2012-03-11 18:20     ` Oleg Nesterov
2012-03-12 19:13 ` [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Eric W. Biederman
2012-03-12 20:44   ` Djalal Harouni
2012-03-12 21:47     ` Eric W. Biederman
2012-03-12 22:41       ` Djalal Harouni
2012-03-12 23:10         ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+55aFwdOgt=C52APPyvnAitcWNbzu-uXRi43m4bLS85oDgtqA@mail.gmail.com' \
    --to=torvalds@linux-foundation.org \
    --cc=Jason@zx2c4.com \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=ebiederm@xmission.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=james.l.morris@oracle.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=oleg@redhat.com \
    --cc=segoon@openwall.com \
    --cc=solar@openwall.com \
    --cc=tixxdz@opendz.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wilsons@start.ca \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).