Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752013AbdH3AAU (ORCPT ); Tue, 29 Aug 2017 20:00:20 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:37054 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751786AbdH3AAS (ORCPT ); Tue, 29 Aug 2017 20:00:18 -0400 Reply-To: prakash.sangappa@oracle.com Subject: Re: [RESEND PATCH] Allow passing tid or pid in SCM_CREDENTIALS without CAP_SYS_ADMIN References: <1503965540-30393-1-git-send-email-prakash.sangappa@oracle.com> <20170829.160232.1901318933754673000.davem@davemloft.net> To: David Miller Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, ebiederm@xmission.com, drepper@redhat.com From: "prakash.sangappa" Message-ID: Date: Tue, 29 Aug 2017 16:59:18 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <20170829.160232.1901318933754673000.davem@davemloft.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: aserv0021.oracle.com [141.146.126.233] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1427 Lines: 36 On 08/29/2017 04:02 PM, David Miller wrote: > From: Prakash Sangappa > Date: Mon, 28 Aug 2017 17:12:20 -0700 > >> Currently passing tid(gettid(2)) of a thread in struct ucred in >> SCM_CREDENTIALS message requires CAP_SYS_ADMIN capability otherwise >> it fails with EPERM error. Some applications deal with thread id >> of a thread(tid) and so it would help to allow tid in SCM_CREDENTIALS >> message. Basically, either tgid(pid of the process) or the tid of >> the thread should be allowed without the need for CAP_SYS_ADMIN capability. >> >> SCM_CREDENTIALS will be used to determine the global id of a process or >> a thread running inside a pid namespace. >> >> This patch adds necessary check to accept tid in SCM_CREDENTIALS >> struct ucred. >> >> Signed-off-by: Prakash Sangappa > I'm pretty sure that by the descriptions in previous changes to this > function, what you are proposing is basically a minor form of PID > spoofing which we only want someone with CAP_SYS_ADMIN over the > PID namespace to be able to do. The fix is to allow passing tid of the calling thread itself not of any other thread or process. Curious why would this be considered as pid spoofing? This change would enable a thread in a multi threaded process, running inside a pid namespace to be identified by the recipient of the message easily. > > Sorry, I'm not applying this.