Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp6241760imd;
        Wed, 31 Oct 2018 08:50:51 -0700 (PDT)
X-Google-Smtp-Source: AJdET5cg7MzuLnNhV9CUrhij+4IhwX+qW31gbdApdqGuq2mXjJZMxNdy1VAq9vYvJJP8PIsHUTeE
X-Received: by 2002:a17:902:1681:: with SMTP id h1-v6mr4033806plh.88.1541001051026;
        Wed, 31 Oct 2018 08:50:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1541001050; cv=none;
        d=google.com; s=arc-20160816;
        b=eUA5eGlVdy1JriLTi51TMP929SljSawtW1UClP5zrGJ2jGyVOqP8SrbFp54JHqJVZl
         AyLCLxcpoW5UZqZlr4vUQNaBNTfvCa2p8b9/0HPbXGMsiXX45dLhzwdLp98F575eBR7f
         r+kmdpgtsouytqKk6PWQQ8ex7wrrfG5+u1lF4SwD/LQP+m63zEIOXmgB5Z0gjfMTuH6M
         Og0r0iYGLD5B4ro665Vrx/gWDbCYjKGCXp9zX5te1jeexdQ+rlf2nwhSKVeMc7tLq+a1
         5F6Axt1gDb3nE/4ldz+hIWEtH5WPx7N3goiM8Y0rN3r1JWSBCj3gmDgvuLSIcx6ookGh
         6mSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=mBgPiE/KV6irrwRu5CtUE/xmXK/TECbegBFJ207vFj0=;
        b=yODpvhHiralEZX8rl0FSlA3re2lpP+s/cKJdu12RecxtaZRWWmvR78SE2ECY8vZgvg
         hj0q22kZyOLaw3kZnreGGagcZzO87w/v1O7ioK5U0d7Co2V8gG1AyszKlDWreps6UIdZ
         NGl1WkOKAsy5IOJWIvK6HoxRuzV6X3fUcO0nsUAsAep0qp7zuhu4BhiCiv7w2avUeH1v
         +NXuUrkZ0pYxQgpXE8exT8TKWAwTx+4Xb0/JFyZj5LbeVEz8qNfiO/r6+/a12XHs7vPS
         AIGKhV7xx4HJwP5z6vIHsi00yPYk3eoMYX2BZfl1kWjylfNl8te5pLobkHJy7XHb6696
         Jzrg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id go3si26461146plb.266.2018.10.31.08.50.35;
        Wed, 31 Oct 2018 08:50:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729620AbeKAAsK (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 31 Oct 2018 20:48:10 -0400
Received: from mx1.redhat.com ([209.132.183.28]:34128 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728848AbeKAAsJ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Oct 2018 20:48:09 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 9E2F285550;
        Wed, 31 Oct 2018 15:49:36 +0000 (UTC)
Received: from dhcp-27-174.brq.redhat.com (unknown [10.43.17.31])
        by smtp.corp.redhat.com (Postfix) with SMTP id C02EA1001925;
        Wed, 31 Oct 2018 15:49:34 +0000 (UTC)
Received: by dhcp-27-174.brq.redhat.com (nbSMTP-1.00) for uid 1000
        oleg@redhat.com; Wed, 31 Oct 2018 16:49:35 +0100 (CET)
Date:   Wed, 31 Oct 2018 16:49:33 +0100
From:   Oleg Nesterov <oleg@redhat.com>
To:     Daniel Colascione <dancol@google.com>
Cc:     "Eric W. Biederman" <ebiederm@xmission.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Tim Murray <timmurray@google.com>,
        Joel Fernandes <joelaf@google.com>,
        Suren Baghdasaryan <surenb@google.com>,
        Kees Cook <keescook@chromium.org>,
        Christian Brauner <christian.brauner@canonical.com>
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
Message-ID: <20181031154932.GB21207@redhat.com>
References: <20181029221037.87724-1-dancol@google.com>
 <87bm7a3et9.fsf@xmission.com>
 <20181031124435.GA9007@redhat.com>
 <CAKOZuevTF2cjJ0-nK7nv7jbgFexyW-deScaYVzE3iEPC48SAJg@mail.gmail.com>
 <20181031151007.GA21207@redhat.com>
 <CAKOZues0_jMfW8xAa0mC=QS7UnHMzkWb5nCz3S_GDf3RzPg90Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKOZues0_jMfW8xAa0mC=QS7UnHMzkWb5nCz3S_GDf3RzPg90Q@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Wed, 31 Oct 2018 15:49:36 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/31, Daniel Colascione wrote:
>
> > Confused... why? kill_ok_by_cred() should fail?
>
> Not if we don't run it. :-) I thought you were proposing that we do
> *all* access checks in open() and let write() succeed unconditionally,

Ah, no ;)

> Anyway, I sent a v2 patch that I think closes the hole another way. In
> v2, we just require that the real user ID that opens a /proc/pid/kill
> file is the same one that writes to it. It successfully blocks the
> setuid attack above while preserving all the write-time permission
> checks and keeping the close correspondence between
> write()-on-proc-pid-kill-fd and kill(2). Can you think of any
> situation where this scheme breaks?

I see no problems...

but again, perhaps we should fix kill_pid_info_as_cred() and use it in
/proc/pid/kill? I dunno.

Oleg.