From: Oren Laadan <orenl@librato.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>,
Matt Helsley <matthltc@us.ibm.com>,
Daniel Lezcano <daniel.lezcano@free.fr>,
randy.dunlap@oracle.com, arnd@arndb.de,
linux-api@vger.kernel.org,
Containers <containers@lists.linux-foundation.org>,
Nathan Lynch <nathanl@austin.ibm.com>,
linux-kernel@vger.kernel.org, Louis.Rilling@kerlabs.com,
kosaki.motohiro@jp.fujitsu.com, hpa@zytor.com, mingo@elte.hu,
torvalds@linux-foundation.org,
Alexey Dobriyan <adobriyan@gmail.com>,
roland@redhat.com, Pavel Emelyanov <xemul@openvz.org>
Subject: Re: [RFC][v8][PATCH 0/10] Implement clone3() system call
Date: Tue, 20 Oct 2009 16:13:04 -0400 [thread overview]
Message-ID: <4ADE19D0.4060900@librato.com> (raw)
In-Reply-To: <m1r5sxsw7w.fsf@fess.ebiederm.org>
Eric W. Biederman wrote:
> Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com> writes:
>
>> Eric W. Biederman [ebiederm@xmission.com] wrote:
>> | > Could you clarify ? How is the call to alloc_pidmap() from clone3() different
>> | > from the call from clone() itself ?
>> |
>> | I think it is totally inappropriate to assign pids in a pid namespace
>> | where there are user space processes already running.
>>
>> Honestly, I don't understand why it is inappropriate or how this differs
>> from normal clone() - which also assigns pids in own and ancestor pid
>> namespaces.
>
> The fact we can specify which pids we want. I won't claim it is as
> exploitable as NULL pointer deferences have been but it has that kind
> of feel to it.
This security concern was first brought up by Linus, and to address it
we made clone3() require that the user be privileged to select pids.
But, honestly, a clone3() that allows the caller to request a specific
pid is like a restart() syscall that allows the caller to restore a
process with its original pid: you would simply checkpoint, and then
alter the pid in the checkpoint image and restart, repeat ad infinitum.
>From your security prism, they are equivalent: they practically allow
a user to have an arbitrary process with a selected pid. So it doesn't
really matter - for this security concern - if you select the pid in
the kernel through restart() or from userspace through clone3().
Sure, you can also "choose" a pid today, by repeatedly forking until
you get what you want... but that is harder to exploit. In contrast,
both clone3() and restart() allow pid selection, instantaneously.
Which is why both require privileges if the caller wants to select/
restore pids.
Oren.
next prev parent reply other threads:[~2009-10-20 20:13 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-13 4:49 [RFC][v8][PATCH 0/10] Implement clone3() system call Sukadev Bhattiprolu
2009-10-13 4:49 ` [RFC][v8][PATCH 1/10]: Factor out code to allocate pidmap page Sukadev Bhattiprolu
2009-10-13 4:50 ` [RFC][v8][PATCH 2/10]: Have alloc_pidmap() return actual error code Sukadev Bhattiprolu
2009-10-13 4:50 ` [RFC][v8][PATCH 3/10]: Make pid_max a pid_ns property Sukadev Bhattiprolu
2009-10-13 5:19 ` Alexey Dobriyan
2009-10-13 13:09 ` Pavel Emelyanov
2009-10-13 15:24 ` Serge E. Hallyn
2009-10-13 16:10 ` Pavel Emelyanov
2009-10-13 16:28 ` Serge E. Hallyn
2009-10-13 4:51 ` [RFC][v8][PATCH 4/10]: Add target_pid parameter to alloc_pidmap() Sukadev Bhattiprolu
2009-10-13 11:50 ` Pavel Emelyanov
2009-10-15 0:24 ` Sukadev Bhattiprolu
2009-10-13 4:51 ` [RFC][v8][PATCH 5/10]: Add target_pids parameter to alloc_pid() Sukadev Bhattiprolu
2009-10-13 4:52 ` [RFC][v8][PATCH 6/10]: Add target_pids parameter to copy_process() Sukadev Bhattiprolu
2009-10-13 4:52 ` [RFC][v8][PATCH 7/10]: Check invalid clone flags Sukadev Bhattiprolu
2009-10-13 18:35 ` Oren Laadan
2009-10-13 23:38 ` Sukadev Bhattiprolu
2009-10-13 4:52 ` [RFC][v8][PATCH 8/10]: Define do_fork_with_pids() Sukadev Bhattiprolu
2009-10-13 4:54 ` [RFC][v8][PATCH 9/10]: Define clone3() syscall Sukadev Bhattiprolu
2009-10-13 18:46 ` Oren Laadan
2009-10-16 4:20 ` Sukadev Bhattiprolu
2009-10-16 6:25 ` Michael Kerrisk
2009-10-16 18:06 ` Sukadev Bhattiprolu
2009-10-19 17:44 ` Matt Helsley
2009-10-19 21:31 ` H. Peter Anvin
2009-10-19 23:50 ` Matt Helsley
2009-10-21 4:26 ` Michael Kerrisk
2009-10-21 13:03 ` H. Peter Anvin
2009-10-21 19:44 ` Sukadev Bhattiprolu
2009-10-21 22:03 ` H. Peter Anvin
2009-10-22 10:40 ` Michael Kerrisk
2009-10-22 18:10 ` Sukadev Bhattiprolu
2009-10-22 10:26 ` Michael Kerrisk
2009-10-22 11:38 ` H. Peter Anvin
2009-10-22 12:14 ` Michael Kerrisk
2009-10-22 12:19 ` H. Peter Anvin
2009-10-22 13:57 ` Matt Helsley
2009-10-13 4:55 ` [RFC][v8][PATCH 10/10]: Document " Sukadev Bhattiprolu
2009-10-14 12:26 ` Arnd Bergmann
2009-10-14 18:39 ` Sukadev Bhattiprolu
2009-10-19 21:36 ` Pavel Machek
2009-10-21 8:37 ` Arnd Bergmann
2009-10-21 9:33 ` Pavel Machek
2009-10-21 13:26 ` Arnd Bergmann
2009-10-21 18:27 ` Sukadev Bhattiprolu
2009-10-13 20:50 ` [RFC][v8][PATCH 0/10] Implement clone3() system call Roland McGrath
2009-10-13 23:27 ` Sukadev Bhattiprolu
2009-10-13 23:53 ` Roland McGrath
2009-10-14 1:13 ` H. Peter Anvin
2009-10-14 4:36 ` Sukadev Bhattiprolu
2009-10-14 4:38 ` H. Peter Anvin
2009-10-14 22:36 ` Sukadev Bhattiprolu
2009-10-14 22:49 ` H. Peter Anvin
2009-10-15 0:17 ` Sukadev Bhattiprolu
2009-10-13 23:49 ` H. Peter Anvin
2009-10-14 1:39 ` Matt Helsley
2009-10-14 2:24 ` H. Peter Anvin
2009-10-14 4:40 ` Sukadev Bhattiprolu
2009-10-14 4:50 ` H. Peter Anvin
2009-10-14 16:07 ` Serge E. Hallyn
2009-10-16 19:22 ` Daniel Lezcano
2009-10-16 19:44 ` Sukadev Bhattiprolu
2009-10-19 20:34 ` Daniel Lezcano
2009-10-19 21:47 ` Oren Laadan
2009-10-20 0:51 ` Matt Helsley
2009-10-20 3:33 ` Eric W. Biederman
2009-10-20 4:03 ` Sukadev Bhattiprolu
2009-10-20 10:46 ` Eric W. Biederman
2009-10-20 14:16 ` Serge E. Hallyn
2009-10-20 18:33 ` Sukadev Bhattiprolu
2009-10-20 19:26 ` Eric W. Biederman
2009-10-20 20:13 ` Oren Laadan [this message]
2009-10-21 6:20 ` Sukadev Bhattiprolu
2009-10-21 9:16 ` Eric W. Biederman
2009-10-21 18:52 ` Sukadev Bhattiprolu
2009-10-21 21:11 ` Eric W. Biederman
2009-10-23 0:42 ` Sukadev Bhattiprolu
2009-10-23 1:03 ` Eric W. Biederman
2009-10-23 5:30 ` Sukadev Bhattiprolu
2009-10-23 5:44 ` Eric W. Biederman
2009-10-23 19:21 ` Sukadev Bhattiprolu
2009-10-23 20:48 ` Sukadev Bhattiprolu
2009-10-23 23:26 ` Eric W. Biederman
2009-10-24 3:38 ` Sukadev Bhattiprolu
2009-10-23 19:16 ` Oren Laadan
2009-10-23 19:34 ` Oren Laadan
2009-10-23 23:12 ` Eric W. Biederman
2009-10-20 14:09 ` Serge E. Hallyn
2009-10-21 15:53 ` Daniel Lezcano
2009-10-21 18:45 ` Oren Laadan
2009-10-22 11:22 ` Daniel Lezcano
-- strict thread matches above, loose matches on Subject: below --
2009-10-26 9:38 Albert Cahalan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ADE19D0.4060900@librato.com \
--to=orenl@librato.com \
--cc=Louis.Rilling@kerlabs.com \
--cc=adobriyan@gmail.com \
--cc=arnd@arndb.de \
--cc=containers@lists.linux-foundation.org \
--cc=daniel.lezcano@free.fr \
--cc=ebiederm@xmission.com \
--cc=hpa@zytor.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=mingo@elte.hu \
--cc=nathanl@austin.ibm.com \
--cc=randy.dunlap@oracle.com \
--cc=roland@redhat.com \
--cc=sukadev@linux.vnet.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox