Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp5590299imd;
        Tue, 30 Oct 2018 21:47:35 -0700 (PDT)
X-Google-Smtp-Source: AJdET5damIV55Lo+seerj63ujOOiVVfkxppp+VZNlvaCwbNDpCWn1gvviuVts5GIhnMVwSgi6jpN
X-Received: by 2002:a62:500c:: with SMTP id e12-v6mr1797395pfb.30.1540961255881;
        Tue, 30 Oct 2018 21:47:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540961255; cv=none;
        d=google.com; s=arc-20160816;
        b=Wan4hOJGylL9c27kaC0p1UgjMWw18f5uiuKbcUXKo3oZA0zc2IvHIdyJ+qHtcsmb4q
         FVVer5fD+375bKMWV0hPU6n2HrymHgaRcLkzvpD+VCaAGcagmbcpr/f4ESKczwphYFay
         G/hD+RiAmXVVquBXwzKcGCprJ3GflnXDegvSPpjhjiA5vQf+LYVFq3UL/N/NfjOa9422
         guLH0IB7rvOR2SDMhp/BbQX9f0l7pKEpkz45B2HxRNSul76X+nLGuv575v93z3kr83dl
         /wVR5nGA8WdPZivbz5jsXxJVdam29vPvYEYFcUjRVqEreCiCovTB+ZzC928k93Vuxh1K
         Td/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from;
        bh=qcwz6Fc2xT9ZKeyMDVqjk+2QyWjOkr7B8iqxijTlQJM=;
        b=qMscoTbsUmqN41fcNvCxb4qvqa4nFLo+2r6h24ucQwmReUBWWOX2h1XPiVVadgbfNv
         QWiqBpf92TacsQ0ABAAQrnitLDmKJ0Vmv8mKpeS0NGlm/UegZEbdxTXjqoUagU2nd+Cp
         f63T7yvHBQCHwhohHCkJYqPx4z67ubDqxLOgYz8LH5Y1aomPkwva3H8N6O96nd3g9MnD
         pWAuW1aCx/B2XGPKlSDm6jBVSGXTPdIbbY/NYJVkEDe8sEkTqUDUOXEnhnvdjDqp0Mba
         7xbp2Ms8JfiJMDfNZMyqpWfrYOAfYhtX9ZJK46Y2iGJ1N78AvRkRx5OKf+z498mIOzR+
         v1Tw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r3-v6si26669760pga.321.2018.10.30.21.47.20;
        Tue, 30 Oct 2018 21:47:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729124AbeJaNmD (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 31 Oct 2018 09:42:03 -0400
Received: from out03.mta.xmission.com ([166.70.13.233]:47506 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728889AbeJaNmC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Oct 2018 09:42:02 -0400
Received: from in02.mta.xmission.com ([166.70.13.52])
        by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gHiNs-0002v1-9b; Tue, 30 Oct 2018 22:45:36 -0600
Received: from 67-3-154-154.omah.qwest.net ([67.3.154.154] helo=x220.xmission.com)
        by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gHiNc-0008Jr-Ne; Tue, 30 Oct 2018 22:45:36 -0600
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Daniel Colascione <dancol@google.com>
Cc:     linux-kernel@vger.kernel.org, timmurray@google.com,
        joelaf@google.com, surenb@google.com,
        Kees Cook <keescook@chromium.org>,
        Christian Brauner <christian.brauner@canonical.com>,
        Oleg Nesterov <oleg@redhat.com>
References: <20181029221037.87724-1-dancol@google.com>
Date:   Tue, 30 Oct 2018 23:44:50 -0500
In-Reply-To: <20181029221037.87724-1-dancol@google.com> (Daniel Colascione's
        message of "Mon, 29 Oct 2018 22:10:37 +0000")
Message-ID: <87bm7a3et9.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1gHiNc-0008Jr-Ne;;;mid=<87bm7a3et9.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.154.154;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1+FneTdDlDEYXCq9FuigTPaN7Qn/NrBS9c=
X-SA-Exim-Connect-IP: 67.3.154.154
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa06.xmission.com
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG autolearn=disabled
        version=3.4.1
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.5000]
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Daniel Colascione <dancol@google.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 15036 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.6 (0.0%), b_tie_ro: 1.78 (0.0%), parse: 0.85 (0.0%),
        extract_message_metadata: 8 (0.1%), get_uri_detail_list: 2.7 (0.0%),
        tests_pri_-1000: 4.3 (0.0%), tests_pri_-950: 1.71 (0.0%), tests_pri_-900:
        1.27 (0.0%), tests_pri_-90: 41 (0.3%), check_bayes: 39 (0.3%), b_tokenize: 14
        (0.1%), b_tok_get_all: 13 (0.1%), b_comp_prob: 3.6 (0.0%), b_tok_touch_all:
        4.0 (0.0%), b_finish: 0.80 (0.0%), tests_pri_0: 254 (1.7%),
        check_dkim_signature: 0.81 (0.0%), check_dkim_adsp: 4.1 (0.0%), tests_pri_10:
        2.3 (0.0%), tests_pri_500: 14710 (97.8%), poll_dns_idle: 14692 (97.7%),
        rewrite_mail: 0.00 (0.0%)
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Daniel Colascione <dancol@google.com> writes:

> Add a simple proc-based kill interface. To use /proc/pid/kill, just
> write the signal number in base-10 ASCII to the kill file of the
> process to be killed: for example, 'echo 9 > /proc/$$/kill'.
>
> Semantically, /proc/pid/kill works like kill(2), except that the
> process ID comes from the proc filesystem context instead of from an
> explicit system call parameter. This way, it's possible to avoid races
> between inspecting some aspect of a process and that process's PID
> being reused for some other process.
>
> With /proc/pid/kill, it's possible to write a proper race-free and
> safe pkill(1). An approximation follows. A real program might use
> openat(2), having opened a process's /proc/pid directory explicitly,
> with the directory file descriptor serving as a sort of "process
> handle".
>
>     #!/bin/bash
>     set -euo pipefail
>     pat=$1
>     for proc_status in /proc/*/status; do (
>         cd $(dirname $proc_status)
>         readarray proc_argv -d'' < cmdline
>         if ((${#proc_argv[@]} > 0)) &&
>                [[ ${proc_argv[0]} = *$pat* ]];
>         then
>             echo 15 > kill
>         fi
>     ) || true; done
>

In general this looks good.

Unfortunately the permission checks are are subject to a serious
problem.  Even if I don't have permission to kill a process I quite
likely will be allowed to open the file.

Then I just need to find a setuid or setcap executable will write to
stdout or stderr a number.  Then I have killed something I should not
have the privileges to kill.

At a bare minimum you need to perform the permission check using the
credentials of the opener of the file.    Which means refactoring
kill_pid so that you can perform the permission check for killing the
application during open.  Given that process credentials can change
completely during exec you also need to rule out a change in process
credentials making it so that the original opener of the file would not
be able to kill the process as it is now.

But overall this looks quite reasaonble.

Eric

> Signed-off-by: Daniel Colascione <dancol@google.com>
> ---
>  fs/proc/base.c | 39 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 7e9f07bf260d..923d62b21e67 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -205,6 +205,44 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
>  	return result;
>  }
>  
> +static ssize_t proc_pid_kill_write(struct file *file,
> +				   const char __user *buf,
> +				   size_t count, loff_t *ppos)
> +{
> +	ssize_t res;
> +	int sig;
> +	char buffer[4];
> +
> +	res = -EINVAL;
> +	if (*ppos != 0)
> +		goto out;
> +
> +	res = -EINVAL;
> +	if (count > sizeof(buffer) - 1)
> +		goto out;
> +
> +	res = -EFAULT;
> +	if (copy_from_user(buffer, buf, count))
> +		goto out;
> +
> +	buffer[count] = '\0';
> +	res = kstrtoint(strstrip(buffer), 10, &sig);
> +	if (res)
> +		goto out;
> +
> +	res = kill_pid(proc_pid(file_inode(file)), sig, 0);
> +	if (res)
> +		goto out;
> +	res = count;
> +out:
> +	return res;
> +
> +}
> +
> +static const struct file_operations proc_pid_kill_ops = {
> +	.write	= proc_pid_kill_write,
> +};
> +
>  static ssize_t get_mm_cmdline(struct mm_struct *mm, char __user *buf,
>  			      size_t count, loff_t *ppos)
>  {
> @@ -2935,6 +2973,7 @@ static const struct pid_entry tgid_base_stuff[] = {
>  #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
>  	ONE("syscall",    S_IRUSR, proc_pid_syscall),
>  #endif
> +	REG("kill",       S_IRUGO | S_IWUGO, proc_pid_kill_ops),
>  	REG("cmdline",    S_IRUGO, proc_pid_cmdline_ops),
>  	ONE("stat",       S_IRUGO, proc_tgid_stat),
>  	ONE("statm",      S_IRUGO, proc_pid_statm),