From: Pavel Emelyanov
Date: Tue, 2 Jun 2015 22:02:10 +0300
To: Oleg Nesterov, Tycho Andersen
CC: Kees Cook, Andy Lutomirski, Will Drewry, Roland McGrath, "Serge E. Hallyn"
Subject: Re: [PATCH] seccomp: add ptrace commands for suspend/resume
Message-ID: <556DFDB2.3050205@parallels.com>
In-Reply-To: <20150602182829.GA23449@redhat.com>
References: <1433186918-9626-1-git-send-email-tycho.andersen@canonical.com> <20150602182829.GA23449@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

>> +int suspend_seccomp(struct task_struct *task)
>> +{
>> +	int ret = -EACCES;
>> +
>> +	spin_lock_irq(&task->sighand->siglock);
>> +
>> +	if (!capable(CAP_SYS_ADMIN))
>> +		goto out;
>
> I am puzzled ;) Why do we need ->siglock? And even if we need it, why
> can't we check CAP_SYS_ADMIN locklessly?
>
> And I am not sure I understand why we need the additional security
> check, but I leave this to you and Andy.
>
> If you have the rights to trace this task, then you can do anything
> the tracee could do without the filtering.

I think _this_ check is required, otherwise the seccomp-ed task (in
filtered mode) forks a child, then this child ptrace-attaches to the
parent (allowed), then suspends its seccomp. And -- we have an
unprivileged process de-seccomped.

-- Pavel
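Review bot: in the quoted suspend_seccomp() hunk, the capable(CAP_SYS_ADMIN) test is evaluated against the caller's own credentials and does not depend on anything protected by the tracee's siglock, so it can be performed before spin_lock_irq(&task->sighand->siglock) instead of under it; capable() also calls into the LSM capability hooks and can emit audit records, which is best kept out of an irq-disabled spinlock section. Suggest checking the capability first and returning directly, e.g. "if (!capable(CAP_SYS_ADMIN)) return -EPERM;", and then taking the lock only for the state change; note that -EPERM rather than -EACCES is the conventional errno for a capability denial.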