Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1834026imu;
        Sun, 18 Nov 2018 09:44:58 -0800 (PST)
X-Google-Smtp-Source: AJdET5c3HXWTEdgYIQ8E9R4eBTdJpeFsWl+OpCqcc1dzbAh6H/Bo9AI7PQWsO1aXAiWZW2DFlT0n
X-Received: by 2002:a17:902:9a04:: with SMTP id v4-v6mr18698671plp.247.1542563098920;
        Sun, 18 Nov 2018 09:44:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542563098; cv=none;
        d=google.com; s=arc-20160816;
        b=ilxPKiZb3mNari9yLfxh+lXZPIjPlSlmfU/i3SsgKLeQqXoQENZfskiknjy2h1aO+N
         BOIVfLHXu15AiNzVEN+SbcvlA5M7LcoQ1rVnAIOTArJenwT5rACX3cndKgxXlTxast+F
         qXIbMMgKhzHWfac3lTsRWyUO1CyTNDU1SgrvsbsxzEgBsNdFfzHg+HltKDiParGwrE9C
         vC2HihyXiNMgyxxsRyiSkbQGj1G3ubkWc4yArCRAhx5U0nA5pCklQm1ubSX/zom0uVX6
         PzhKnuc7x6TqWVSo/TWvdk55kGtjE1j5RlvEG3LrnDTaeakxzkJVY5BV+ApJCHYL0T7Z
         OR1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from;
        bh=h06J5eDGXhvzxhk7YQ91JRjB+8QbTJKXCg2DmEgLKSc=;
        b=LkAd57xvtn9nwlppan8yLB/w7XiardJXhOsf/lR6wKiX4mgyDZ96sRbKOMkPYMKZfv
         49pKp18QizUVoXihfo3gtMan1YCIqcyfAAC/+xWVxMIuolM3T8z3cWwGvty5y+aaxqy0
         +kryL5NMp8NOr++wJ3Vzz61IL9fqnUS7yT5evH61HVDCJ4kYObIf8A+4Of8CPEIBTP60
         2f4V9+6Gy1ZbOMmkCnkfzpyMmSqTTntgunPSDi5lowHlYBsGKheJIFeE1F9yXxiUbZ/8
         FeSGe9Po/dpm/yxIbrW72CxUKvq4JPjW2kLifUdbmIW5GJZnFXa5mJ1we+0bwz9+eE0r
         sF2g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d77si17195042pfj.124.2018.11.18.09.44.44;
        Sun, 18 Nov 2018 09:44:58 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727280AbeKSEEP (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Sun, 18 Nov 2018 23:04:15 -0500
Received: from out03.mta.xmission.com ([166.70.13.233]:55502 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726366AbeKSEEP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 18 Nov 2018 23:04:15 -0500
Received: from in02.mta.xmission.com ([166.70.13.52])
        by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gOR6O-0001mA-1v; Sun, 18 Nov 2018 10:43:20 -0700
Received: from 67-3-154-154.omah.qwest.net ([67.3.154.154] helo=x220.xmission.com)
        by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gOR6N-0007LV-BZ; Sun, 18 Nov 2018 10:43:19 -0700
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Daniel Colascione <dancol@google.com>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Christian Brauner <christian@brauner.io>,
        LKML <linux-kernel@vger.kernel.org>,
        "Serge E. Hallyn" <serge@hallyn.com>, Jann Horn <jannh@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Oleg Nesterov <oleg@redhat.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Tim Murray <timmurray@google.com>,
        Kees Cook <keescook@chromium.org>
References: <20181118111751.6142-1-christian@brauner.io>
        <CAKOZuet3s0WxxPgrtrNkq8YiOWhYAiK6yEio6PKVV9J_H4_TSA@mail.gmail.com>
        <CALCETrUd2Y2MmO8Qx8aUvQDOTNiyj35Y7bctPBZe0p2i1EUiLw@mail.gmail.com>
        <CAKOZuev1JUGFWuwsKqS6rXcFMqpCHT1VAG2kwB4O=FHo6DAFiQ@mail.gmail.com>
        <CALCETrVLP_mudJTW6EQpRr5GZ7kfuGci+QCT1uPrOVDTWcod-A@mail.gmail.com>
        <CAKOZuetuuxW+yFnyaqS5kW6gkVMstLa8D-7SgYtrLBUQB+sgDg@mail.gmail.com>
        <CALCETrXNBNcASRtxTL_aO-KSj4ahPRpXKLUdHaWG3sPjsWx3CQ@mail.gmail.com>
        <CAKOZues3_uh1mnQr=VPCxoWiY0wfiUq0oFXcVuiHF7rPmUXsuw@mail.gmail.com>
Date:   Sun, 18 Nov 2018 11:43:14 -0600
In-Reply-To: <CAKOZues3_uh1mnQr=VPCxoWiY0wfiUq0oFXcVuiHF7rPmUXsuw@mail.gmail.com>
        (Daniel Colascione's message of "Sun, 18 Nov 2018 09:17:31 -0800")
Message-ID: <875zwu46z1.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1gOR6N-0007LV-BZ;;;mid=<875zwu46z1.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.154.154;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18JBW/uB6HpGNYgmgf8rS/fZZSm5h4pRc4=
X-SA-Exim-Connect-IP: 67.3.154.154
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa06.xmission.com
X-Spam-Level: 
X-Spam-Status: No, score=0.5 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,XMSubLong
        autolearn=disabled version=3.4.2
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4983]
        *  0.7 XMSubLong Long Subject
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Daniel Colascione <dancol@google.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 335 ms - load_scoreonly_sql: 0.05 (0.0%),
        signal_user_changed: 2.6 (0.8%), b_tie_ro: 1.78 (0.5%), parse: 0.92
        (0.3%), extract_message_metadata: 4.0 (1.2%), get_uri_detail_list:
        1.85 (0.6%), tests_pri_-1000: 4.2 (1.2%), tests_pri_-950: 1.26 (0.4%),
        tests_pri_-900: 1.06 (0.3%), tests_pri_-90: 25 (7.5%), check_bayes: 24
        (7.0%), b_tokenize: 8 (2.4%), b_tok_get_all: 8 (2.4%), b_comp_prob:
        2.6 (0.8%), b_tok_touch_all: 2.8 (0.8%), b_finish: 0.55 (0.2%),
        tests_pri_0: 280 (83.8%), check_dkim_signature: 0.51 (0.2%),
        check_dkim_adsp: 2.7 (0.8%), poll_dns_idle: 1.01 (0.3%), tests_pri_10:
        2.2 (0.6%), tests_pri_500: 5 (1.6%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH] proc: allow killing processes via file descriptors
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Daniel Colascione <dancol@google.com> writes:

> On Sun, Nov 18, 2018 at 9:13 AM, Andy Lutomirski <luto@kernel.org> wrote:
>> On Sun, Nov 18, 2018 at 8:29 AM Daniel Colascione <dancol@google.com> wrote:
>>>
>>> On Sun, Nov 18, 2018 at 8:17 AM, Andy Lutomirski <luto@kernel.org> wrote:
>>> > On Sun, Nov 18, 2018 at 7:53 AM Daniel Colascione <dancol@google.com> wrote:
>>> >>
>>> >> On Sun, Nov 18, 2018 at 7:38 AM, Andy Lutomirski <luto@kernel.org> wrote:
>>> >> > I fully agree that a more comprehensive, less expensive API for
>>> >> > managing processes would be nice.  But I also think that this patch
>>> >> > (using the directory fd and ioctl) is better from a security
>>> >> > perspective than using a new file in /proc.
>>> >>
>>> >> That's an assertion, not an argument. And I'm not opposed to an
>>> >> operation on the directory FD, now that it's clear Linus has banned
>>> >> "write(2)-as-a-command" APIs. I just insist that we implement the API
>>> >> with a system call instead of a less-reliable ioctl due to the
>>> >> inherent namespace collision issues in ioctl command names.
>>> >
>>> > Linus banned it because of bugs iike the ones in the patch.
>>>
>>> Maybe: he didn't provide a reason. What's your point?
>>
>> My point is that an API that involves a file like /proc/PID/kill is
>> very tricky to get right.  Here are some considerations:
>
> Moot. write(2) for this interface is off the table anyway. The right
> approach here is a system call that accepts a /proc/pid directory file
> descriptor, a signal number, and a signal information field (as in
> sigqueue(2)).

If we did not have the permission check challenges and could perform
the permission checks in open, write(2) would be on the table.
Performing write(2) would only be concrend about data.

Unfortunately we have setresuid and exec which make that infeasible
for the kill operations.

>> Now if we had an ioctlat() API, maybe it would make sense.  But we
>> don't, and I think it would be a bit crazy to add one.
>
> A process is not a driver. Why won't this idea of using an ioctl for
> the kill-process-by-dfd thing just won't die? An ioctl has *zero*
> advantage in this context.

An ioctl has an advantage in implementation complexity.  An ioctl is
very much easier to wire up that a system call.

I don't know if that outweighs ioctls disadvantages in long term
maintainability.

Eric