Re: Inconsistent capability requirements for prctl_set_mm_exe_file()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
	Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Adrian Reber <areber@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Emelyanov <ovzxemul@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Jann Horn <jannh@google.com>, Andrei Vagin <avagin@gmail.com>,
	Dmitry Safonov <0x7f454c46@gmail.com>
Subject: Re: Inconsistent capability requirements for prctl_set_mm_exe_file()
Date: Tue, 27 Oct 2020 22:37:55 +0300	[thread overview]
Message-ID: <20201027193755.GB2093@grain> (raw)
In-Reply-To: <2b66ac32-adfd-de1b-499b-8ba4f7b9bea4@virtuozzo.com>

On Tue, Oct 27, 2020 at 08:22:11PM +0300, Kirill Tkhai wrote:
> 1)Before my commit there also were different checks
> 
>         !capable(CAP_SYS_RESOURCE))
> and
> 	uid_eq(cred->uid, make_kuid(ns, 0)) && gid_eq(cred->gid, make_kgid(ns, 0))
> 
> so it is not the initial reason. The commit even decreased the checks difference
> and it made both the checks are about capability().
> 
> 2)As I understand new PR_SET_MM_MAP interface differs in the way, that it allows to batch
> a setup of prctl_mm_map parameters. So, instead of 14 prlctl calls with different arguments:
> PR_SET_MM_START_CODE, PR_SET_MM_END_CODE, PR_SET_MM_START_DATA, .., PR_SET_MM_ENV_END,
> we set then all at once and the performance is better.
> 
> The second advantage is that the new interface is more comfortable in case of we set all
> of 14 parameters. Old interface requires special order of calls: sometimes you have to
> set PR_SET_MM_START_CODE first and then PR_SET_MM_END_CODE second, some times it is vice
> versa. Otherwise __prctl_check_order() in validate_prctl_map() will fail.

Since I've been the person who introduced the former PR_SET_MM_X interface I already
explained that the PR_SET_MM_X is simply shitty and better be vanished and forgotten.
Which we simply can't do :/ In turn PR_SET_MM_MAP is the only right way to verify
all fields in a one pass not only because of speed but otherwise the validation
of parameters is not even associative and in result (as you mentioned) _order_ of
calls does matter for start_code/end_code.

> 3)For me it looks like any combinations of parameters acceptable to be set by both interfaces
> are the same (in case of we don't see on permissions checks). In case of we can assign a set of
> parameters {A} using old interface, we can assign it from new interface and vice versa.
> Isn't this so?! If so, we should use the same permissions check.

Yup, if only I'm not missing something obvious we could drop cap(sys-resource) here
because internally after this check we jump into traditional verification procedure
where the map is filled from runtime data.

I'm quite sceptic that LSM hook Jann mentioned gonna be better. It might be an
addition but not the replacement. Moreover if we add it here someone from CRIU
camp have to verify that it won't break current CRIU tests.

     prev parent reply	other threads:[~2020-10-27 19:38 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-27 12:11 Inconsistent capability requirements for prctl_set_mm_exe_file() Michael Kerrisk (man-pages)
2020-10-27 12:51 ` Jann Horn
2020-10-27 12:51 ` Cyrill Gorcunov
2020-10-27 17:22 ` Kirill Tkhai
2020-10-27 19:37   ` Cyrill Gorcunov [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201027193755.GB2093@grain \
    --to=gorcunov@gmail.com \
    --cc=0x7f454c46@gmail.com \
    --cc=Nicolas.Viennot@twosigma.com \
    --cc=areber@redhat.com \
    --cc=avagin@gmail.com \
    --cc=casey@schaufler-ca.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=ebiederm@xmission.com \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=ktkhai@virtuozzo.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mtk.manpages@gmail.com \
    --cc=oleg@redhat.com \
    --cc=ovzxemul@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox