Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp6203965imd;
        Wed, 31 Oct 2018 08:17:31 -0700 (PDT)
X-Google-Smtp-Source: AJdET5e1LHoXWkdlKPi9RTUdbKiqaTsgs3uwt2vP4+DS/mS4vEKDz5oCNM9p4r73dCopDCelMibe
X-Received: by 2002:a17:902:6bc9:: with SMTP id m9-v6mr3944348plt.106.1540999051864;
        Wed, 31 Oct 2018 08:17:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540999051; cv=none;
        d=google.com; s=arc-20160816;
        b=pEV7JMPAvdZ6yHBrkk+JjWB/dCeUSfL0/cgoQ+WJ/VnNw5ryLILqz7hjyEhK9TYW9v
         XKXNnTUvFqd+Q/hRCabduipxoZyCblVl7aPy9SWworbeBrvEhMdQGT5GvH5dMq0hMy/s
         XEsiDu0Sqs322B9mkkwOH6KVsCtgQ5x81w6+n8IE5C6n1e7VzH5ATkFTDXwSpq/GxSiI
         4L2e96RgAThJw5LJfyk9F1awPSV4Ws0j0JiFxS7uxcHJa14OSxbsMORi8V13xMGzdQvj
         /zSDmRrX4w4L4s9Q3DH2b7W+qP8pPgdFOk3aLSHYTdBaIg/wQMRWrpDJllpOCYnHnNzj
         AFHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature;
        bh=mDD75d+IwQHXDKS8c/RtO1Ixi7VqLTvr9TtRrx0/vEs=;
        b=r0Ti+zeqt5ZZnpMc0+cBHuM9j+yV3yWsC23pCnAsqQDdP2stDHPK8CNeeXRDXRqIeS
         a3324db8CV9Tly7siPPrGgIzL/fi2Kgm3rJQKHTfs8nPGexYEPYkUg0ytIshcj7esXEN
         0yZimTP6Bi//Y8Aab6KloTRkDKUXWdMSLC6RYVtUqQ7P8HNq28+tJTD8IJRccmnKQvq1
         CzgJ1vxX3zd9V9LESNekZHLWBYK1UurmikjVM3FhQN/T9Bj7lFBb4dI/PViIP3YiE9Vm
         JSMnaWUpP68KvpMhJ7SgYDTq46W25iVSqnIiop9dFcwq4efDX5xUZWGYRVHkVdN8gbgG
         POmQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=bAuc5q7L;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m9-v6si3069088pgi.580.2018.10.31.08.17.13;
        Wed, 31 Oct 2018 08:17:31 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=bAuc5q7L;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728994AbeKAAPE (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 31 Oct 2018 20:15:04 -0400
Received: from mail-ua1-f67.google.com ([209.85.222.67]:41877 "EHLO
        mail-ua1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726070AbeKAAPD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Oct 2018 20:15:03 -0400
Received: by mail-ua1-f67.google.com with SMTP id o17so6031955uad.8
        for <linux-kernel@vger.kernel.org>; Wed, 31 Oct 2018 08:16:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=mDD75d+IwQHXDKS8c/RtO1Ixi7VqLTvr9TtRrx0/vEs=;
        b=bAuc5q7LG2yshy2LFFxqW8rIhzew11u1fE06vcaENCcqBKoc5FUyrbdY23RvXv/mBR
         AUVPYBGuR/RN1LtnD3PZflpR61G8gdYRYt1ib/cShAPqu58tqt2MwI+DiJAmyrigOgRa
         TdwgFDld287pCJ/N8d2jX0ZhZFmfGyN53fjlttw++Nn7Sna0n0NtjnIsorNVriG2K8/j
         YoswUtFfsSbcDcR4nqxO7uzT1BDP+MAorpig3gWqF4zW62RtpNldYuxTj50mQ1DclGnr
         r8vdMn72IeEMQ+Py5jLmJNl9wuVdELwfMhdHhNMFckCxYYkafV4j25qK3vQrwIUhESz8
         aSJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=mDD75d+IwQHXDKS8c/RtO1Ixi7VqLTvr9TtRrx0/vEs=;
        b=m19KwCZ5CDFUGhgsqDjKtnbXMfDP7yeUgGHiPHVNtVNJDySniATVsi4Zl6eM4+GoFx
         DosrVTzNtq/yGVB2B8hXyznHjEqFoWrBVpnfiXclu3paAMItkjT8cOfBlsVatfbICubD
         6Ncbtd9NZ8Xro7Pj8ygQbd1f7gSY6BaFtIrzlK/3DxXAs7UoVtIH3D4H8kEHNZhplppW
         31rtMls0WRzjRj0DCi87jebtwXsB6C1KuBkvhBmMlZct/AXY/P9NZp9BAUDNNNU39h0/
         te3c+rjSi8bmx9ayo/gCuSNq7PQft1cGx5p/mt7xiZJu2LBTO1aEuKeZ9cR8mnN8LTLv
         wBUQ==
X-Gm-Message-State: AGRZ1gICBkzSLIdnJod3eZ+nAnDQ4htwGi0bpIyHAMtG7TK1ZFv10EFY
        e+b84qIr5To679xFm2tlN1cHpQScXpzoXVPKU9+RaA==
X-Received: by 2002:ab0:648b:: with SMTP id p11mr1604254uam.128.1540998995900;
 Wed, 31 Oct 2018 08:16:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a67:f48d:0:0:0:0:0 with HTTP; Wed, 31 Oct 2018 08:16:32
 -0700 (PDT)
In-Reply-To: <20181031151007.GA21207@redhat.com>
References: <20181029221037.87724-1-dancol@google.com> <87bm7a3et9.fsf@xmission.com>
 <20181031124435.GA9007@redhat.com> <CAKOZuevTF2cjJ0-nK7nv7jbgFexyW-deScaYVzE3iEPC48SAJg@mail.gmail.com>
 <20181031151007.GA21207@redhat.com>
From:   Daniel Colascione <dancol@google.com>
Date:   Wed, 31 Oct 2018 15:16:32 +0000
Message-ID: <CAKOZues0_jMfW8xAa0mC=QS7UnHMzkWb5nCz3S_GDf3RzPg90Q@mail.gmail.com>
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
To:     Oleg Nesterov <oleg@redhat.com>
Cc:     "Eric W. Biederman" <ebiederm@xmission.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Tim Murray <timmurray@google.com>,
        Joel Fernandes <joelaf@google.com>,
        Suren Baghdasaryan <surenb@google.com>,
        Kees Cook <keescook@chromium.org>,
        Christian Brauner <christian.brauner@canonical.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 31, 2018 at 3:10 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> On 10/31, Daniel Colascione wrote:
>>
>> > perhaps it would be simpler to do
>> >
>> >         my_cred = override_creds(file->f_cred);
>> >         kill_pid(...);
>> >         revert_creds(my_cred);
>>
>> Thanks for the suggestion. That looks neat, but it's not quite enough.
>> The problem is that check_kill_permission looks for
>> same_thread_group(current, t) _before_ checking kill_of_by_cred,
>
> Yes, you are right.
>
> Looks like kill_pid_info_as_cred() can find another user, but probably
> it needs some changes with or without /proc/pid/kill ...
>
>> There's another problem though: say we open /proc/pid/5/kill *, with
>> proc 5 being an ordinary unprivileged process, e.g., the shell. At
>> open(2) time, the access check passes. Now suppose PID 5 execve(2)s
>> into a setuid process. The kill FD is still open, so the kill FD's
>> holder can send a signal
>
> Confused... why? kill_ok_by_cred() should fail?

Not if we don't run it. :-) I thought you were proposing that we do
*all* access checks in open() and let write() succeed unconditionally,
since that's the model that a lot of FD-mediated resources (like
regular files) use. (MAC notwithstanding.)

Anyway, I sent a v2 patch that I think closes the hole another way. In
v2, we just require that the real user ID that opens a /proc/pid/kill
file is the same one that writes to it. It successfully blocks the
setuid attack above while preserving all the write-time permission
checks and keeping the close correspondence between
write()-on-proc-pid-kill-fd and kill(2). Can you think of any
situation where this scheme breaks? I *think* comparing struct user
addresses instead of numeric UIDs will protect the check against user
namespace shenanigans.