From: Pavel Emelyanov <xemul@parallels.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>,
Andrew Vagin <avagin@gmail.com>,
Aditya Kali <adityakali@google.com>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Oleg Nesterov <oleg@redhat.com>, <linux-kernel@vger.kernel.org>,
<criu@openvz.org>, Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>
Subject: Re: [CRIU] [PATCH 1/3] prctl: reduce permissions to change boundaries of data, brk and stack
Date: Fri, 14 Feb 2014 23:47:13 +0400 [thread overview]
Message-ID: <52FE72C1.9090100@parallels.com> (raw)
In-Reply-To: <8761ohqzc6.fsf@xmission.com>
On 02/14/2014 11:16 PM, Eric W. Biederman wrote:
> Cyrill Gorcunov <gorcunov@gmail.com> writes:
>
>> On Fri, Feb 14, 2014 at 09:43:14PM +0400, Andrew Vagin wrote:
>>>> My brain hurts just looking at this patch and how you are justifying it.
>>>>
>>>> For the resources you are mucking with below all you have to do is to
>>>> verify that you are below the appropriate rlimit at all times and no
>>>> CAP_SYS_RESOURCE check is needed. You only need CAP_SYS_RESOURCE
>>>> to exceed your per process limits.
>>>>
>>>> All you have to do is to fix the current code to properly enforce the
>>>> limits.
>>>
>>> I'm afraid what you are suggesting doesn't work.
>>>
>>> The first reason is that we can not change both boundaries in one call.
>>> But when we are restoring these attributes, we may need to move their
>>> too far.
>>
>> When this code was introduced, there were no user-namespace implementation,
>> if I remember correctly, so CAP_SYS_RESOURCE was enough barrier point
>> to prevent modifying this values by anyone. Now user-ns brings a limit --
>> we need somehow to provide a way to modify these mm fields having no
>> CAP_SYS_RESOURCE set. "Verifying rlimit" not an option here because
>> we're modifying members one by one (looking back I think this was not
>> a good idea to modify the fields in this manner).
>>
>> Maybe we could improve this api and provide argument as a pointer
>> to a structure, which would have all the fields we're going to
>> modify, which in turn would allow us to verify that all new values
>> are sane and fit rlimits, then we could (probably) deprecate old
>> api if noone except c/r camp is using it (I actually can't imagine
>> who else might need this api). Then CAP_SYS_RESOURCE requirement
>> could be ripped off. Hm? (sure touching api is always "no-no"
>> case, but maybe...)
>
> Hmm. Let me rewind this a little bit.
>
> I want to be very stupid and ask the following.
>
> Why can't you have the process of interest do:
> ptrace(PTRACE_ATTACHME);
> execve(executable, args, ...);
>
> /* Have the ptracer inject the recovery/fixup code */
> /* Fix up the mostly correct process to look like it has been
> * executing for a while.
> */
Let's imagine we do that.
This means, that the whole memory contents should be restored _after_
the execve() call, since the execve() flushes old mappings. In
that case we lose the ability to preserve any shared memory regions
between any two processes. This "shared" can be either regular
MAP_SHARED mappings or MAP_ANONYMOUS but still not COW-ed ones.
> That should work, set all of the interesting fields, and works as
> non-root today. My gut feel says do that and we can just
> deprecate/remove prctl_set_mm.
>
> I am hoping we can move this conversation what makes sense from oh ick
> checkpoint/restort does not work with user namespaces.
>
> Eric
> .
Thanks,
Pavel
next prev parent reply other threads:[~2014-02-14 19:47 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-14 14:13 [PATCH RFC 0/3] c/r: add ability to restore mm attributes in a non-root userns Andrey Vagin
2014-02-14 14:13 ` [PATCH 1/3] prctl: reduce permissions to change boundaries of data, brk and stack Andrey Vagin
2014-02-14 16:05 ` Eric W. Biederman
2014-02-14 17:43 ` Andrew Vagin
2014-02-14 18:01 ` [CRIU] " Cyrill Gorcunov
2014-02-14 19:16 ` Eric W. Biederman
2014-02-14 19:47 ` Pavel Emelyanov [this message]
2014-02-14 20:06 ` Cyrill Gorcunov
2014-02-14 20:18 ` Eric W. Biederman
2014-02-15 6:29 ` Cyrill Gorcunov
2014-02-15 23:01 ` Eric W. Biederman
2014-02-14 20:09 ` Eric W. Biederman
2014-02-17 8:34 ` Pavel Emelyanov
2014-02-17 8:52 ` Cyrill Gorcunov
2014-02-17 16:57 ` Pavel Emelyanov
2014-03-07 13:51 ` Pavel Emelyanov
2014-02-14 20:44 ` Andrey Wagin
2014-02-15 23:05 ` Eric W. Biederman
2014-02-14 14:13 ` [PATCH 2/3] capabilities: add a secure bit to allow changing a task exe link Andrey Vagin
2014-02-18 4:53 ` Serge E. Hallyn
2014-02-14 14:13 ` [PATCH 3/3] prctl: allow to use PR_MM_SET_* which affect only a current task Andrey Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52FE72C1.9090100@parallels.com \
--to=xemul@parallels.com \
--cc=adityakali@google.com \
--cc=akpm@linux-foundation.org \
--cc=avagin@gmail.com \
--cc=criu@openvz.org \
--cc=ebiederm@xmission.com \
--cc=gorcunov@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=sfr@canb.auug.org.au \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox