From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>, Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Kees Cook <keescook@chromium.org>,
Roland McGrath <roland@hack.frob.com>,
Al Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>,
"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Subject: Re: [PATCH 03/26] signal: Do not perform permission checks when sending pdeath_signal
Date: Wed, 07 Jun 2017 06:23:12 -0500
Message-ID: <87fufcxcrj.fsf@xmission.com>
In-Reply-To: <CA+55aFya7CgNozFrhQ9qk40UhZAD8SMva1+Y1vQ0YUEbpUpQUA@mail.gmail.com> (Linus Torvalds's message of "Tue, 6 Jun 2017 13:01:40 -0700")

Linus Torvalds <torvalds@linux-foundation.org> writes:

> On Tue, Jun 6, 2017 at 12:03 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>>
>> As this is more permissive there is no chance anything will break.
>
> Actually, I do worry about the security issues here.
>
> The thing is, the parent may be some system daemon that wants to catch
> SIGCHLD, but we've used prctl and changed pdeath_signal to something
> else (like SIGSEGV or something).
>
> Do we really want to be able to kill a system daemon that we couldn't
> use kill() on directly, just because that system daemon spawned us?
>
> So I think those permission checks may actually be a good idea.
> Although possibly they should be in prctl()..

To be clear. pdeath signal is the signal we receive when our parent
dies. It is the parent death signal.

AKA when the system daemon (or whatever it is) dies, what signal does the
child process that called the prctl get?

There is no chance of killing the system daemon that spawned us,
as the signal only gets sent to ourselves.

Eric
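
The delivery direction discussed in this message, as an added example that is not part of the original mail or the patch series: a child arms PR_SET_PDEATHSIG, its parent then exits normally, and the child reports which signal it received. The function name, the pipe handshake and the 5-second alarm are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the signal the child received when its parent exited, or -1. */
int pdeath_signal_seen_by_child(int signo)
{
    int ready[2], report[2], status, got = -1;
    if (pipe(ready) || pipe(report))
        return -1;
    pid_t parent = fork();               /* stand-in for the spawning daemon */
    if (parent < 0)
        return -1;
    if (parent == 0) {
        pid_t child = fork();
        if (child == 0) {
            sigset_t set;
            int sig = 0;
            sigemptyset(&set);
            sigaddset(&set, signo);
            sigprocmask(SIG_BLOCK, &set, NULL);  /* keep it pending for sigwait */
            alarm(5);                            /* constructed safety timeout */
            /* Arms the signal for the calling process only. */
            if (prctl(PR_SET_PDEATHSIG, (unsigned long)signo) ||
                write(ready[1], "r", 1) != 1)
                _exit(1);
            sigwait(&set, &sig);                 /* returns once the parent is gone */
            _exit(write(report[1], &sig, sizeof sig) != sizeof sig);
        }
        char c;
        /* Exit only after the child has armed pdeath_signal, to avoid a race. */
        _exit(child < 0 || read(ready[0], &c, 1) != 1);
    }
    close(ready[0]); close(ready[1]); close(report[1]);
    waitpid(parent, &status, 0);
    /* The parent must have exited on its own, not been killed by a signal. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 ||
        read(report[0], &got, sizeof got) != sizeof got)
        got = -1;
    close(report[0]);
    return got;
}

int main(void)
{
    printf("child received signal %d\n", pdeath_signal_seen_by_child(SIGUSR1));
    return 0;
}
```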