From: ebiederm@xmission.com (Eric W. Biederman)
To: Daniel Colascione
Cc: linux-kernel@vger.kernel.org, timmurray@google.com, joelaf@google.com, surenb@google.com, Kees Cook, Christian Brauner, Oleg Nesterov
References: <20181029221037.87724-1-dancol@google.com>
Date: Tue, 30 Oct 2018 23:44:50 -0500
In-Reply-To: <20181029221037.87724-1-dancol@google.com> (Daniel Colascione's message of "Mon, 29 Oct 2018 22:10:37 +0000")
Message-ID: <87bm7a3et9.fsf@xmission.com>
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
X-Mailing-List: linux-kernel@vger.kernel.org

Daniel Colascione writes:

> Add a simple proc-based kill interface. To use /proc/pid/kill, just
> write the signal number in base-10 ASCII to the kill file of the
> process to be killed: for example, 'echo 9 > /proc/$$/kill'.
>
> Semantically, /proc/pid/kill works like kill(2), except that the
> process ID comes from the proc filesystem context instead of from an
> explicit system call parameter. This way, it's possible to avoid races
> between inspecting some aspect of a process and that process's PID
> being reused for some other process.
>
> With /proc/pid/kill, it's possible to write a proper race-free and
> safe pkill(1). An approximation follows. A real program might use
> openat(2), having opened a process's /proc/pid directory explicitly,
> with the directory file descriptor serving as a sort of "process
> handle".
>
> #!/bin/bash
> set -euo pipefail
> pat=$1
> for proc_status in /proc/*/status; do (
>     cd $(dirname $proc_status)
>     readarray -d '' proc_argv < cmdline
>     if ((${#proc_argv[@]} > 0)) &&
>        [[ ${proc_argv[0]} = *$pat* ]];
>     then
>         echo 15 > kill
>     fi
> ) || true; done

In general this looks good.

Unfortunately the permission checks are subject to a serious problem.
Even if I don't have permission to kill a process I quite likely will be
allowed to open the file. Then I just need to find a setuid or setcap
executable that will write a number to stdout or stderr. Then I have
killed something I should not have the privileges to kill.

At a bare minimum you need to perform the permission check using the
credentials of the opener of the file. Which means refactoring kill_pid
so that you can perform the permission check for killing the application
during open.

Given that process credentials can change completely during exec you
also need to rule out a change in process credentials making it so that
the original opener of the file would not be able to kill the process as
it is now.

But overall this looks quite reasonable.

Eric

> Signed-off-by: Daniel Colascione
> ---
>  fs/proc/base.c | 39 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 7e9f07bf260d..923d62b21e67 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -205,6 +205,44 @@ static int proc_root_link(struct dentry *dentry, struct path *path) > return result; > } > > +static ssize_t proc_pid_kill_write(struct file *file, > + const char __user *buf, > + size_t count, loff_t *ppos) > +{ > + ssize_t res; > + int sig; > + char buffer[4]; > + > + res = -EINVAL; > + if (*ppos != 0) > + goto out; > + > + res = -EINVAL; > + if (count > sizeof(buffer) - 1) > + goto out; > + > + res = -EFAULT; > + if (copy_from_user(buffer, buf, count)) > + goto out; > + > + buffer[count] = '\0'; > + res = kstrtoint(strstrip(buffer), 10, &sig); > + if (res) > + goto out; > + > + res = kill_pid(proc_pid(file_inode(file)), sig, 0); > + if (res) > + goto out; > + res = count; > +out: > + return res; > + > +} > + > +static const struct file_operations proc_pid_kill_ops = { > + .write = proc_pid_kill_write, > +}; > + > static ssize_t get_mm_cmdline(struct mm_struct *mm, char __user *buf, > size_t count, loff_t *ppos) > { > @@ -2935,6 +2973,7 @@ static const struct pid_entry tgid_base_stuff[] = { > #ifdef CONFIG_HAVE_ARCH_TRACEHOOK > ONE("syscall", S_IRUSR, proc_pid_syscall), > #endif > + REG("kill", S_IRUGO | S_IWUGO, proc_pid_kill_ops), > REG("cmdline", S_IRUGO, proc_pid_cmdline_ops), > ONE("stat", S_IRUGO, proc_tgid_stat), > ONE("statm", S_IRUGO, proc_pid_statm),
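Review bot: in proc_pid_kill_write the only authorization is the one inside kill_pid(), which runs at write time against the credentials of whichever process performs the write, not of the process that opened the file; because the entry is created world-writable (see the tgid_base_stuff hunk), a user who may not signal the target can still open the file and hand the descriptor to a more privileged process that writes a number into it. Suggest giving proc_pid_kill_ops an .open handler that performs the kill permission check against the opener's credentials (which means splitting that check out of kill_pid so it can be called from open), and having the write path fail if the target's credentials have changed since the open. Minor: the second `res = -EINVAL;` before the `count > sizeof(buffer) - 1` check is redundant, since res already holds -EINVAL from the *ppos check.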
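Review bot: `REG("kill", S_IRUGO | S_IWUGO, proc_pid_kill_ops)` creates the entry world-readable and world-writable, but proc_pid_kill_ops defines no .read, so S_IRUGO advertises a read that can only fail, and S_IWUGO lets any user open the file for writing regardless of whether they may signal the process, which is what turns the write-time check into a confused-deputy problem. Suggest dropping S_IRUGO and, rather than relying on mode bits, gating open on the kill permission check. Also, the entry is added to tgid_base_stuff only (not to the per-thread table); if per-thread signalling is intentionally out of scope, the commit message should say so.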
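As an added illustration of the two checks Eric asks for (this is not code from the patch or from the kernel): a small userspace C model in which the kill permission rule is simplified to uid/euid/suid matching with root standing in for CAP_KILL, and `struct killfile`, the `mode` enum, `kf_open`/`kf_write` and the two scenario functions are hypothetical names. Scenario 1 is the setuid-deputy case from the reply; scenario 2 is the target changing its credentials after the open. Only the variant that authorizes with the opener's credentials at open and re-evaluates them against the target's current credentials at write refuses both.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified credentials; real kernel creds also carry gids, capabilities
 * and LSM state. uid/euid/suid are enough to show the two problems. */
struct cred { unsigned uid, euid, suid; };

struct task {
    int pid;
    struct cred cred;
    int last_sig;          /* 0 until a signal is delivered */
};

/* Stand-in for the kernel's kill permission rule: root (our stand-in for
 * CAP_KILL) may signal anyone; otherwise the sender's uid or euid must
 * match the target's uid or saved uid. Deliberately simplified. */
static bool may_kill(const struct cred *sender, const struct cred *target)
{
    if (sender->euid == 0)
        return true;
    return sender->euid == target->suid || sender->euid == target->uid ||
           sender->uid  == target->suid || sender->uid  == target->uid;
}

/* Where the check lives. WRITE_TIME is what the RFC does (kill_pid() runs in
 * the write handler with the writer's creds). OPEN_TIME is Eric's minimum.
 * OPEN_TIME_RECHECK also re-evaluates the opener against the target's
 * *current* creds on every write. */
enum mode { WRITE_TIME, OPEN_TIME, OPEN_TIME_RECHECK };

/* Hypothetical model of one open /proc/pid/kill file (not struct file). */
struct killfile {
    enum mode mode;
    struct task *target;
    struct cred opener;    /* credentials of whoever opened the file */
};

static int kf_open(struct killfile *f, enum mode m, const struct cred *opener,
                   struct task *target)
{
    if (m != WRITE_TIME && !may_kill(opener, &target->cred))
        return -EPERM;     /* refused before any descriptor exists */
    f->mode = m;
    f->target = target;
    f->opener = *opener;
    return 0;
}

static int kf_write(struct killfile *f, const struct cred *writer, int sig)
{
    switch (f->mode) {
    case WRITE_TIME:       /* whoever holds the fd right now is checked */
        if (!may_kill(writer, &f->target->cred))
            return -EPERM;
        break;
    case OPEN_TIME:        /* authorized at open; nothing more to do */
        break;
    case OPEN_TIME_RECHECK:/* opener's creds vs. the target as it is now */
        if (!may_kill(&f->opener, &f->target->cred))
            return -EPERM;
        break;
    }
    f->target->last_sig = sig;
    return 0;
}

/* Scenario 1: uid 1000 opens the kill file of a root daemon and passes the
 * fd as stdout to a setuid-root helper that prints "9". Returns the signal
 * the daemon received (0 = none). Constructed values. */
int scenario_setuid_deputy(enum mode m)
{
    struct task daemon = { .pid = 100, .cred = { 0, 0, 0 }, .last_sig = 0 };
    struct cred user   = { 1000, 1000, 1000 };
    struct cred helper = { 1000, 0, 0 };   /* after exec of a setuid-root binary */
    struct killfile f;

    if (kf_open(&f, m, &user, &daemon) != 0)
        return 0;
    kf_write(&f, &helper, 9);
    return daemon.last_sig;
}

/* Scenario 2: uid 1000 opens the kill file of its own process (allowed),
 * the process then becomes fully root (e.g. via su), and uid 1000 writes
 * "9" through the fd it still holds. Constructed values. */
int scenario_target_changes_creds(enum mode m)
{
    struct task proc = { .pid = 200, .cred = { 1000, 1000, 1000 }, .last_sig = 0 };
    struct cred user = { 1000, 1000, 1000 };
    struct killfile f;

    if (kf_open(&f, m, &user, &proc) != 0)
        return 0;
    proc.cred = (struct cred){ 0, 0, 0 };   /* credentials changed after open */
    kf_write(&f, &user, 9);
    return proc.last_sig;
}

int main(void)
{
    static const char *names[] = { "write-time", "open-time", "open-time+recheck" };
    for (int m = WRITE_TIME; m <= OPEN_TIME_RECHECK; m++)
        printf("%-18s deputy: sig %d   cred change: sig %d\n", names[m],
               scenario_setuid_deputy((enum mode)m),
               scenario_target_changes_creds((enum mode)m));
    return 0;
}
```

Running it prints a 3x2 matrix: the write-time variant lets the deputy kill the root daemon, the open-time-only variant lets the user kill a process that became root after the open, and only the re-checking variant delivers nothing in either case.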