From: Oleg Nesterov <oleg@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <james.l.morris@oracle.com>,
Eric Paris <eparis@parisplace.org>,
Evan McNabb <emcnabb@redhat.com>,
Jan Stancek <jstancek@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
Date: Sat, 14 Dec 2013 17:32:56 +0100 [thread overview]
Message-ID: <20131214163256.GA21675@redhat.com> (raw)
In-Reply-To: <CAHC9VhQPn-aZ79BcO=Ljvn2V2fW9QdQ964M_yppJWoaQ-9_GLg@mail.gmail.com>
On 12/14, Paul Moore wrote:
>
> I understand your point, but I still think there is some value in
> keeping the call to ptrace_parent() rather than fetching the ptrace
> pointer on our own.
Yes, agreed, I changed my mind ;)
> However, that said, I think we should try and do something about the
> "suspicious RCU usage" you mentioned in your original posting.
Yes, this was the only motivation for this patch.
> but
> I'm curious about the removal of the task lock; shouldn't week keep
> the task lock in place?
Why? It protects nothing in this case, afaics. Unless of course it
protects cred->security somehow, but it doesn't look as if.
Probably task_lock() is here because PTRACE_ATTACH used the same lock,
but this was changed by 4b105cbbaf7c0 in 2009 (ptrace_attach() still
takes it for __ptrace_may_access() but this is another story).
However (iirc) PTRACE_DETACH never took this lock, so this was always
racy and task_lock() is simply misleading and confusing, at least
currently.
So I think the patch is fine, but I decided to send v2 without pid_alive().
If we are going to keep ptrace_parent(), it would be better to add the
comment into ptrace_parent() to explain that ->ptrace != 0 guarantees that
this task is not unhashed.
IOW, I also changed my mind about this part
The patch also checks pid_alive(p) before ptrace_parent(p) to
ensure that this task can't be dead even before rcu_read_lock(),
in this case its ->parent points to nowhere. This is not really
needed "in practice", task->ptrace must be already cleared in
this case but we should not rely on this.
in the changelog.
> > And perhaps I am wrong. Because otoh the usage of ->ptrace should be
> > avoided outside of the core kernel code.
>
> Not to muddy things up, but one could argue that this particular
> LSM/SELinux hook should be regarded as part of the "core" kernel code.
> However, I'm not sure that the distinction is really important here.
Yes, yes, sorry for confusion. I meant, the core kernel code which works
with ptrace/exit/fork/etc.
Oleg.
next prev parent reply other threads:[~2013-12-14 16:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-05 16:59 [PATCH] selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() Oleg Nesterov
2013-12-05 21:53 ` Paul Moore
2013-12-06 14:47 ` Oleg Nesterov
2013-12-14 15:16 ` Paul Moore
2013-12-14 16:32 ` Oleg Nesterov [this message]
2013-12-14 16:33 ` [PATCH v2] " Oleg Nesterov
2013-12-16 21:12 ` Paul Moore
2013-12-16 21:11 ` [PATCH] " Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131214163256.GA21675@redhat.com \
--to=oleg@redhat.com \
--cc=emcnabb@redhat.com \
--cc=eparis@parisplace.org \
--cc=james.l.morris@oracle.com \
--cc=jstancek@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox