Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4419553imm; Mon, 15 Oct 2018 14:37:53 -0700 (PDT) X-Google-Smtp-Source: ACcGV60WozIqvb5A8lY8p8p2HzeXkgfEXuYq9yPb8mxWfngjg0+ThI3cbnuPBUqL5XR/mQ1Sb3t9 X-Received: by 2002:a17:902:930b:: with SMTP id bc11-v6mr18900097plb.101.1539639473574; Mon, 15 Oct 2018 14:37:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539639473; cv=none; d=google.com; s=arc-20160816; b=W+4iDgsXgtX80Y0clyPpJRgwTGs0Kn5lOR/qf6kh/dEq+jRtCpa0gaw3g3GcvTkh3B 1SeGa0ee+VTkzTqoitaC6O7pmWqbnSb/Oc24jz5g4cKSHZUG+lYC6WlW+9gYeE4JjoHt tUbuKQn6D6FTEApEfRhaKHIaLveE1ordLV4znguZcrwFjcSP7QjgF7QzdY487IdDlzlg Ijh+Ns9jAzPGbEllRM7eMOZPbZH65iiEmhR8UINSWVDc5N+yAXy2pr/TQVuAX7eax8+z NFd3i7siK5iC/4kM0D2MauatoogVaEDfQeElohefvJpba2OeOJ9V8Ks8zZIlvCb8eOkW JswA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=ox5ZjkFYdbuqcA53eZb5sj3YVtnDPREIcentqJmGIsk=; b=dWvNaraSn6HOWNheiVgELo2LpJMN4GpDeBRpGnOAul5fYw8R5V1cr/EOCyZNQ6NOek r4gvFfgbeRd0428mYF88znhqZ9uOrj5bCia5OP8VkRq1lMsuVHSTSpPKo0GEGtJCkDxY 6eZtjxbVtilMJ7N6aJkDnWXH/C83cfnaE5THwm7S3zJKb0lxPW+KOg5cJLi2QMjEvWH0 ++jDr+F0yx/S74AHG3aHDVKo/avhQAzbPo3HCtZjyMHICGXFiysKXfdzsy9XNK+UqwwZ 1kV5dYpJzAJ4FtV1SOkViUqnIuX8FitNoU9LuOwNVgVvsJxWaTH1eCSFCvwpuaOi0zAl lhGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=byGwsKfG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y23-v6si11731737plr.83.2018.10.15.14.37.37; Mon, 15 Oct 2018 14:37:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=byGwsKfG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726962AbeJPFYL (ORCPT + 99 others); Tue, 16 Oct 2018 01:24:11 -0400 Received: from rcdn-iport-8.cisco.com ([173.37.86.79]:35624 "EHLO rcdn-iport-8.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725974AbeJPFYL (ORCPT ); Tue, 16 Oct 2018 01:24:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1166; q=dns/txt; s=iport; t=1539639428; x=1540849028; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=yYprDjdedaZWsXdo4vmP4D1jqM77QeIZ0LgnnTH1BR0=; b=byGwsKfGsnOdZLo8Cx4pB0fG7eWXDjE7J+KwPD9TKvcFBeIxuxiV3TJX Rm7oJg08OURCdgkhvCZibk/h4U5gnsMGD5imZJ6J9u8WZGNc7PAfT3kV/ jCPCW5CNwcMpx44GwnQWnsXeuwfQEAUAOiNQ0014Ps2qQhtnwNRPuDTey M=; X-IronPort-AV: E=Sophos;i="5.54,385,1534809600"; d="scan'208";a="464813567" Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Oct 2018 21:37:08 +0000 Received: from [10.154.208.167] ([10.154.208.167]) by alln-core-7.cisco.com (8.15.2/8.15.2) with ESMTP id w9FLVvGL032210; Mon, 15 Oct 2018 21:31:59 GMT Subject: Re: [PATCH] kernel/signal: Signal-based pre-coredump notification To: Alan Cox Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , x86@kernel.org, Peter Zijlstra , Arnd Bergmann , "Eric W. Biederman" , Khalid Aziz , Kate Stewart , Helge Deller , Greg Kroah-Hartman , Al Viro , Andrew Morton , Christian Brauner , Catalin Marinas , Will Deacon , Dave Martin , Mauro Carvalho Chehab , Michal Hocko , Rik van Riel , "Kirill A. Shutemov" , Roman Gushchin , Marcos Paulo de Souza , Oleg Nesterov , Dominik Brodowski , Cyrill Gorcunov , Yang Shi , Jann Horn , Kees Cook , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, "Victor Kamensky (kamensky)" , xe-linux-external@cisco.com, Stefan Strogin , Enke Chen References: <20181015222144.27fdafc3@alans-desktop> From: Enke Chen Message-ID: <3e3728f7-1370-586c-c5ac-4ba0604976a5@cisco.com> Date: Mon, 15 Oct 2018 14:31:57 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20181015222144.27fdafc3@alans-desktop> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-SMTP-Client: 10.154.208.167, [10.154.208.167] X-Outbound-Node: alln-core-7.cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Alan: As I replied earlier, I will remove the logic that allows setting on others. This function "set_predump_signal_perm()" will be gone too. Thanks. -- Enke On 10/15/18 2:21 PM, Alan Cox wrote: >> +/* >> + * Returns true if current's euid is same as p's uid or euid, >> + * or has CAP_SYS_ADMIN. >> + * >> + * Called with rcu_read_lock, creds are safe. >> + * >> + * Adapted from set_one_prio_perm(). >> + */ >> +static bool set_predump_signal_perm(struct task_struct *p) >> +{ >> + const struct cred *cred = current_cred(), *pcred = __task_cred(p); >> + >> + return uid_eq(pcred->uid, cred->euid) || >> + uid_eq(pcred->euid, cred->euid) || >> + capable(CAP_SYS_ADMIN); >> +} > > This makes absolutely no security sense whatsoever. The uid and euid of > the parent and child can both change between the test and the signal > delivery. > > There are reasons that the child signal control code is incredibly > careful about either the parent or child using execve or doing a > privilege change that might pose a risk. > > Until this code gets the same protections I don't believe it's safe. > > Alan >