From: Andy Lutomirski
Date: Sun, 18 Nov 2018 09:09:14 -0800
Subject: Re: [PATCH] proc: allow killing processes via file descriptors
To: Daniel Colascione
Cc: Randy Dunlap, Andrew Lutomirski, Christian Brauner, "Eric W. Biederman", LKML, "Serge E. Hallyn", Jann Horn, Andrew Morton, Oleg Nesterov, Aleksa Sarai, Al Viro, Linux FS Devel, Linux API, Tim Murray, Kees Cook, Jan Engelhardt
References: <20181118111751.6142-1-christian@brauner.io>
List-ID: linux-kernel@vger.kernel.org

On Sun, Nov 18, 2018 at 8:49 AM Daniel Colascione wrote:
>
> On Sun, Nov 18, 2018 at 8:33 AM, Randy Dunlap wrote:
> > On 11/18/18 8:17 AM, Andy Lutomirski wrote:
> >> On Sun, Nov 18, 2018 at 7:53 AM Daniel Colascione wrote:
> >>>
> >>> On Sun, Nov 18, 2018 at 7:38 AM, Andy Lutomirski wrote:
> >>>> I fully agree that a more comprehensive, less expensive API for
> >>>> managing processes would be nice. But I also think that this patch
> >>>> (using the directory fd and ioctl) is better from a security
> >>>> perspective than using a new file in /proc.
> >>>
> >>> That's an assertion, not an argument. And I'm not opposed to an
> >>> operation on the directory FD, now that it's clear Linus has banned
> >>> "write(2)-as-a-command" APIs. I just insist that we implement the API
> >>> with a system call instead of a less-reliable ioctl due to the
> >>> inherent namespace collision issues in ioctl command names.
> >>
> >> Linus banned it because of bugs like the ones in the patch.
> >>
> >>>
> >>>> I have an old patch to make proc directory fds pollable:
> >>>>
> >>>> https://lore.kernel.org/patchwork/patch/345098/
> >>>>
> >>>> That patch plus the one in this thread might make a nice addition to
> >>>> the kernel even if we expect something much better to come along
> >>>> later.
> >>>
> >>> I've always commented on that patch. You never addressed my technical
> >>> objections. Why are you bringing up this patch again as if that
> >>> discussion had never happened? To review, that patch has various race
> >>> conditions
> >>
> >> I don't think I ever saw that review.
> >>
> >>> and even if it were technically correct, it'd be an abuse
> >>> of directory objects (in what other circumstance do we poll
> >>> directories?) and not logically generalizable to a model in which we
> >>> expose process exit status via the exit-monitoring API.
> >>
> >> I agree it's weird. It might be better to have /proc/PID/exit_status
> >> and make *that* pollable.
> >>
> >
> > If there is a new exit_status file, it could even be more than
> > 8 bits of exit status:
> >
> > See https://lore.kernel.org/lkml/alpine.LSU.2.20.1507091257010.9602@nerf40.vanv.qr/T/#u
> > and http://austingroupbugs.net/view.php?id=594#c1317
>
> First of all, as I discussed in [1], we need to first figure out *who*
> should have access to the process exit information. FreeBSD appears to
> make it public without disaster, and if we make exit status public, a
> lot of problems just disappear.

I kind of want to go in the other direction of making a lot of process
information (especially cmdline) less publicly accessible.

In general, any kind of API where a process has an fd is tricky to do
right on UNIXy systems because of SUID, SGID, and LSM transition rules.
Windows has an easy time of it because it's always safe for a parent
process to introspect the child. (Well, almost, because Windows gained
their privilege elevation stuff. I'm not saying we shouldn't do it --
I'm just saying that it's nontrivial.
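As an added illustration that is not part of this thread or of the patch under discussion: the handle-based design the thread is circling around (signal and exit-monitor a process through an fd rather than a PID number) is what mainline later shipped as pidfd_open(2) in Linux 5.3 and pidfd_send_signal(2) in Linux 5.1, with the pidfd reporting POLLIN once the process has exited. The C program below was written for this page; the wrapper names my_pidfd_open, my_pidfd_send_signal and pidfd_demo are its own, and it calls the two syscalls by number through syscall(2) (424 and 434 are the architecture-independent numbers, used only as fallbacks when the libc headers lack the SYS_ constants). It checks the two properties the thread argues about: the signal goes to that one process, with the kernel applying the normal kill(2) permission check at send time rather than at open time, and once the process has been reaped the handle reports ESRCH instead of reaching whatever process next reuses the PID. It needs Linux 5.3 or newer; on an older kernel, or in a sandbox that blocks these syscalls, it reports "unsupported" rather than failing.

```c
/* Added example for this page, not code from the thread or the kernel patch.
 * Exercises the handle-based process API that mainline later adopted:
 * pidfd_open(2) (Linux 5.3+), pidfd_send_signal(2) (Linux 5.1+), and
 * poll(2) on a pidfd, which reports POLLIN once the process has exited. */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The syscall numbers are the same on every architecture; the fallbacks
 * only matter when the libc headers predate these calls. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_send_signal
#define SYS_pidfd_send_signal 424
#endif

/* Hypothetical thin wrappers, named for this example only. */
static int my_pidfd_open(pid_t pid)
{
    return (int)syscall(SYS_pidfd_open, pid, 0u);
}

static int my_pidfd_send_signal(int pidfd, int sig)
{
    /* NULL siginfo: the kernel fills in SI_USER, as kill(2) would. */
    return (int)syscall(SYS_pidfd_send_signal, pidfd, sig, (void *)0, 0u);
}

/* Make sure a forked child never outlives a failed demo. */
static void reap(pid_t child)
{
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
}

/* Returns 0 when every property held, 1 when the kernel or sandbox lacks
 * pidfd support, -1 on any other failure. */
int pidfd_demo(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        for (;;)
            pause();   /* child: wait to be terminated by SIGTERM */
    }

    int pidfd = my_pidfd_open(child);
    if (pidfd < 0) {
        int err = errno;
        reap(child);
        return (err == ENOSYS || err == EPERM) ? 1 : -1;
    }

    /* Signal through the handle. The kernel applies the usual kill(2)
     * permission check at this moment, against the process as it is now,
     * not as it was when the handle was opened. */
    if (my_pidfd_send_signal(pidfd, SIGTERM) != 0) {
        close(pidfd);
        reap(child);
        return -1;
    }

    /* Exit monitoring without touching a PID: the pidfd becomes readable. */
    struct pollfd pfd = { .fd = pidfd, .events = POLLIN, .revents = 0 };
    if (poll(&pfd, 1, 5000) != 1 || !(pfd.revents & POLLIN)) {
        close(pidfd);
        reap(child);
        return -1;
    }

    int status = 0;
    if (waitpid(child, &status, 0) != child ||
        !WIFSIGNALED(status) || WTERMSIG(status) != SIGTERM) {
        close(pidfd);
        return -1;
    }

    /* Reaped: the handle is now dead. ESRCH here is the point of the design;
     * a bare kill(pid, ...) could instead hit whatever process reuses the PID. */
    int rc = my_pidfd_send_signal(pidfd, 0);
    int err = errno;
    close(pidfd);
    return (rc == -1 && err == ESRCH) ? 0 : -1;
}

int main(void)
{
    int r = pidfd_demo();
    if (r == 1)
        puts("pidfd not available on this kernel or sandbox");
    else
        printf("pidfd demo %s\n", r == 0 ? "ok" : "FAILED");
    return r == -1;
}
```

Build with `cc -o pidfd_demo pidfd_demo.c` and run it as an unprivileged user; the child is the caller's own process, so no special privilege is involved. The SUID/SGID/LSM concern from the message above is the reason the permission check sits inside pidfd_send_signal rather than in pidfd_open: a holder of the handle is re-evaluated against the target's current credentials each time it sends.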