From: Jann Horn <jannh@google.com>
To: Christian Brauner <brauner@kernel.org>
Cc: "Eric Dumazet" <edumazet@google.com>,
"Kuniyuki Iwashima" <kuniyu@amazon.com>,
"Oleg Nesterov" <oleg@redhat.com>,
linux-fsdevel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Daan De Meyer" <daan.j.demeyer@gmail.com>,
"David Rheinsberg" <david@readahead.eu>,
"Jakub Kicinski" <kuba@kernel.org>, "Jan Kara" <jack@suse.cz>,
"Lennart Poettering" <lennart@poettering.net>,
"Luca Boccassi" <bluca@debian.org>, "Mike Yuan" <me@yhndnzj.com>,
"Paolo Abeni" <pabeni@redhat.com>,
"Simon Horman" <horms@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH RFC v2 0/6] coredump: support AF_UNIX sockets
Date: Fri, 2 May 2025 16:04:28 +0200 [thread overview]
Message-ID: <CAG48ez3oefetsGTOxLf50d+PGcthj3oJCiMbxtNvkDkRZ-jwEg@mail.gmail.com> (raw)
In-Reply-To: <20250502-work-coredump-socket-v2-0-43259042ffc7@kernel.org>
On Fri, May 2, 2025 at 2:42 PM Christian Brauner <brauner@kernel.org> wrote:
> I need some help with the following questions:
>
> (i) The core_pipe_limit setting is of vital importance to userspace
> because it allows it to a) limit the number of concurrent coredumps
> and b) causes the kernel to wait until userspace closes the pipe and
> thus prevents the process from being reaped, allowing userspace to
> parse information out of /proc/<pid>/.
>
> Pipes already support this. I need to know from the networking
> people (or Oleg :)) how to wait for the userspace side to shutdown
> the socket/terminate the connection.
>
> I don't want to just read() because then userspace can send us
> SCM_RIGHTS messages and it's really ugly anyway.
>
> (ii) The dumpability setting is of importance for userspace in order to
> know how a given binary is dumped: as regular user or as root user.
> This helps guard against exploits abusing set*id binaries. The
> setting needs to be the same as used at the time of the coredump.
>
> I'm exposing this as part of PIDFD_GET_INFO. I would like some
> input whether it's fine to simply expose the dumpability this way.
> I'm pretty sure it is. But it'd be good to have @Jann give his
> thoughts here.
My only concern here is that if we expect the userspace daemon to look
at the dumpability field and treat nondumpable tasks as "this may
contain secret data and resources owned by various UIDs mixed
together, only root should see the dump", we should have at least very
clear documentation around this.
[...]
> Userspace can get a stable handle on the task generating the coredump by
> using the SO_PEERPIDFD socket option. SO_PEERPIDFD uses the thread-group
> leader pid stashed during connect(). Even if the task generating the
Unrelated to this series: Huh, I think I haven't seen SO_PEERPIDFD
before. I guess one interesting consequence of that feature is that if
you get a unix domain socket whose peer is in another PID namespace,
you can call pidfd_getfd() on that peer, which wouldn't normally be
possible? Though of course it'll still be subject to the normal ptrace
checks.
next prev parent reply other threads:[~2025-05-02 14:05 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-02 12:42 [PATCH RFC v2 0/6] coredump: support AF_UNIX sockets Christian Brauner
2025-05-02 12:42 ` [PATCH RFC v2 1/6] coredump: massage format_corname() Christian Brauner
2025-05-02 12:42 ` [PATCH RFC v2 2/6] coredump: massage do_coredump() Christian Brauner
2025-05-02 12:42 ` [PATCH RFC v2 3/6] coredump: support AF_UNIX sockets Christian Brauner
2025-05-02 14:04 ` Jann Horn
2025-05-02 20:10 ` Christian Brauner
2025-05-02 20:23 ` Jann Horn
2025-05-03 5:17 ` Christian Brauner
2025-05-05 19:03 ` Kuniyuki Iwashima
2025-05-02 12:42 ` [PATCH RFC v2 4/6] coredump: show supported coredump modes Christian Brauner
2025-05-02 14:07 ` Jann Horn
2025-05-02 20:11 ` Christian Brauner
2025-05-02 12:42 ` [PATCH RFC v2 5/6] pidfs, coredump: add PIDFD_INFO_COREDUMP Christian Brauner
2025-05-02 14:10 ` Jann Horn
2025-05-02 12:42 ` [PATCH RFC v2 6/6] selftests/coredump: add tests for AF_UNIX coredumps Christian Brauner
2025-05-02 14:04 ` Jann Horn [this message]
2025-05-02 19:25 ` [PATCH RFC v2 0/6] coredump: support AF_UNIX sockets Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez3oefetsGTOxLf50d+PGcthj3oJCiMbxtNvkDkRZ-jwEg@mail.gmail.com \
--to=jannh@google.com \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=daan.j.demeyer@gmail.com \
--cc=davem@davemloft.net \
--cc=david@readahead.eu \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jack@suse.cz \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=lennart@poettering.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@yhndnzj.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=pabeni@redhat.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).