From: Lennart Poettering <mzxreary@0pointer.de>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>,
brauner@kernel.org, alexander@mihalicyn.com, bluca@debian.org,
daan.j.demeyer@gmail.com, davem@davemloft.net,
david@readahead.eu, edumazet@google.com, horms@kernel.org,
jack@suse.cz, jannh@google.com, kuba@kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
me@yhndnzj.com, netdev@vger.kernel.org, oleg@redhat.com,
pabeni@redhat.com, viro@zeniv.linux.org.uk, zbyszek@in.waw.pl,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket
Date: Wed, 7 May 2025 16:22:14 +0200 [thread overview]
Message-ID: <aBtslo-EkUCnFklN@gardel-login> (raw)
In-Reply-To: <20250507.ohsaiQuoh3uo@digikod.net>
On Mi, 07.05.25 13:51, Mickaël Salaün (mic@digikod.net) wrote:
> What if the task send a "fake" coredump and just after that really
> coredump? There could be a race condition on the server side when
> checking the coredump property of this pidfd.
>
> Could we add a trusted header to the coredump payload that is always
> written by the kernel? This would enable to read a trusted flag
> indicating if the following payload is a coredumped generated by the
> kernel or not.
With my systemd hat on I must say I don't really care if the coredump
is "authentic" or not. The coredump is untrusted data anyway, it needs
to be quarantined from systemd-coredump's PoV, there's no security
value in distinguishing if some random user's process was sent to the
handler because the user called raise(SIGSEGV) or because the user
called connect() to our socket. The process is under user control in
almost all ways anyways, they can rearrange its internals in almost
any way already, play any games they want. It's of very little value
if the receiving side can determine if the serialization of potential
complete garbage was written out by the kernel or by the process' own
code.
Moreover, in systemd-coredump we these days collect not only classic
ELF coredumps passed to us by the kernel, but also other forms of
crashes. For example if a Python program dies because of an uncaught
exception this is also passed to systemd-coredump, and treated the
same way in regards to metadata collection, logging, storage,
recycling and so on. Conceptually a python crash like that and a
process level crash are the same thing for us, we treat them the
same. And of course, Python crashes like this are *inherently* a
userspace concept, hence we explicitly want to accept them. Hence even
if we'd be able to distinguish "true" from "fake" coredumps we'd still
not care or change our behaviour much, because we are *as* *much*
interested in user-level crashes as in kernel handled crashes.
Lennart
--
Lennart Poettering, Berlin
next prev parent reply other threads:[~2025-05-07 14:22 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-05 11:13 [PATCH RFC v3 00/10] coredump: add coredump socket Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 01/10] coredump: massage format_corname() Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 02/10] coredump: massage do_coredump() Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 03/10] net: reserve prefix Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 04/10] coredump: add coredump socket Christian Brauner
2025-05-05 12:55 ` Jann Horn
2025-05-05 13:06 ` Luca Boccassi
2025-05-05 14:46 ` Christian Brauner
2025-05-05 18:48 ` Kuniyuki Iwashima
2025-05-06 8:24 ` Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 05/10] coredump: validate socket name as it is written Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 06/10] coredump: show supported coredump modes Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 07/10] pidfs, coredump: add PIDFD_INFO_COREDUMP Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket Christian Brauner
2025-05-05 13:08 ` Jann Horn
2025-05-05 14:06 ` Christian Brauner
2025-05-05 18:40 ` Kuniyuki Iwashima
2025-05-05 19:10 ` Jann Horn
2025-05-05 19:35 ` Kuniyuki Iwashima
2025-05-05 19:44 ` Kuniyuki Iwashima
2025-05-05 19:55 ` Jann Horn
2025-05-05 20:41 ` Kuniyuki Iwashima
2025-05-06 7:39 ` Christian Brauner
2025-05-06 14:51 ` Jann Horn
2025-05-06 15:16 ` Christian Brauner
2025-05-06 19:28 ` Kuniyuki Iwashima
2025-05-07 11:50 ` Mickaël Salaün
2025-05-05 19:55 ` Jann Horn
2025-05-05 20:30 ` Kuniyuki Iwashima
2025-05-06 8:06 ` Christian Brauner
2025-05-06 14:37 ` Jann Horn
2025-05-06 19:18 ` Kuniyuki Iwashima
2025-05-07 11:51 ` Mickaël Salaün
2025-05-07 14:22 ` Lennart Poettering [this message]
2025-05-07 22:10 ` Paul Moore
2025-05-05 11:13 ` [PATCH RFC v3 09/10] selftests/pidfd: add PIDFD_INFO_COREDUMP infrastructure Christian Brauner
2025-05-05 11:13 ` [PATCH RFC v3 10/10] selftests/coredump: add tests for AF_UNIX coredumps Christian Brauner
2025-05-05 14:41 ` [PATCH RFC v3 00/10] coredump: add coredump socket Mickaël Salaün
2025-05-05 14:56 ` Christian Brauner
2025-05-05 15:38 ` Mickaël Salaün
2025-05-05 14:59 ` Jann Horn
2025-05-05 15:39 ` Mickaël Salaün
2025-05-05 18:33 ` Kuniyuki Iwashima
2025-05-06 7:33 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aBtslo-EkUCnFklN@gardel-login \
--to=mzxreary@0pointer.de \
--cc=alexander@mihalicyn.com \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=daan.j.demeyer@gmail.com \
--cc=davem@davemloft.net \
--cc=david@readahead.eu \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=me@yhndnzj.com \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=pabeni@redhat.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox