From: ebiederm@xmission.com (Eric W. Biederman)
To: Will Drewry <wad@chromium.org>
Cc: Andi Kleen <andi@firstfloor.org>,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Roland McGrath <roland@redhat.com>,
Neil Horman <nhorman@tuxdriver.com>,
containers@lists.linux-foundation.org,
Eugene Teo <eteo@redhat.com>, Tejun Heo <tj@kernel.org>,
Serge Hallyn <serue@us.ibm.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH][RFC] v2 exec: move core_pattern pipe helper into the crashing namespace
Date: Mon, 20 Sep 2010 11:34:00 -0700 [thread overview]
Message-ID: <m1eico1cyv.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1284779629-15273-1-git-send-email-wad@chromium.org> (Will Drewry's message of "Fri, 17 Sep 2010 22:13:49 -0500")
Will Drewry <wad@chromium.org> writes:
> Presently, a core_pattern pipe endpoint will be run in the init
> namespace. It will receive the virtual pid (task_tgid_vnr->%p) of the
> core dumping process but will have no access to that processes /proc
> without walking the init namespace /proc looking through all the global
> pids until it finds the one it thinks matches.
>
> One option for fixing this is to change the reported pid:
> https://patchwork.kernel.org/patch/185912/
> However, it's unclear if it is desirable for the core_pattern to run
> outside the namespace. In particular, it can easily access the mounts
> via /proc/[pid_nr]/root, but if there is a net namespace, it will not
> have access. (Originally introduced in 2007 in commit
> b488893a390edfe027bae7a46e9af8083e740668 )
>
> Instead, this change implements the more complex option two. It
> migrates the ____call_usermodehelper() thread into the same namespaces
> as the dumping process. It does not assign a pid in that namespace so
> the collector will appear to be pid 0 in the namespace.
I like the direction this is going but as structured this looks like a
security exploit waiting to happen.
The pipe process needs to run in the namespaces of the process who set
the core pattern, not in the namespaces of the dumping process.
Otherwise it is possible to trigger a privileged process to run in a
context where it's reality that it expected, causing it to misuse
it's privileges. Even if we don't have a privilege problem I think
we will have a case of mismatched functionality where the core pattern
will not work as expected.
I believe the solution here is to move the core pattern into the pid
namespace and to capture the namespaces when set, but if the core
pattern hasn't been set to use the core pattern of the parent pid
namespace.
Eric
next prev parent reply other threads:[~2010-09-20 18:34 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-16 18:59 [PATCH][RFC] fs/exec.c: provide the correct process pid to the pipe helper Will Drewry
2010-09-16 19:35 ` Oleg Nesterov
2010-09-16 20:12 ` Eric W. Biederman
2010-09-16 21:02 ` Will Drewry
2010-09-17 19:08 ` Roland McGrath
2010-09-17 13:26 ` Andi Kleen
2010-09-17 14:52 ` Will Drewry
2010-09-17 15:16 ` [PATCH 1/2] nsproxy: add copy_namespaces_unattached Will Drewry
2010-09-17 15:16 ` [PATCH 2/2] exec: move core_pattern pipe helper into the crashing namespace Will Drewry
2010-09-17 18:15 ` Neil Horman
2010-09-18 2:33 ` Will Drewry
2010-09-18 1:29 ` Oleg Nesterov
2010-09-18 2:34 ` Will Drewry
2010-09-18 3:14 ` Will Drewry
2010-09-20 18:50 ` Oleg Nesterov
2010-09-20 20:28 ` Will Drewry
2010-09-18 3:13 ` [PATCH][RFC] v2 " Will Drewry
2010-09-20 18:34 ` Eric W. Biederman [this message]
2010-09-20 19:12 ` Andi Kleen
2010-09-20 20:26 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1eico1cyv.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=containers@lists.linux-foundation.org \
--cc=eteo@redhat.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=serue@us.ibm.com \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox