From: Daniel Colascione
Date: Sun, 18 Nov 2018 17:16:23 -0800
Subject: Re: [PATCH] proc: allow killing processes via file descriptors
To: Aleksa Sarai
Cc: Andy Lutomirski, Randy Dunlap, Christian Brauner, "Eric W. Biederman", LKML, "Serge E. Hallyn", Jann Horn, Andrew Morton, Oleg Nesterov, Al Viro, Linux FS Devel, Linux API, Tim Murray, Kees Cook, Jan Engelhardt
List: linux-kernel@vger.kernel.org

On Sun, Nov 18, 2018 at 4:53 PM, Daniel Colascione wrote:
>> Sure, I'd propose that ptrace_may_access() is what we should use for
>> operation permission checks.
>
> The tricky part is that ptrace_may_access takes a struct task. We want
> logic that's *like* ptrace_may_access, but that works posthumously.
> It's especially tricky because there's an LSM hook that lets
> __ptrace_may_access do arbitrary things. And we can't just run that
> hook upon process death, since *after* a process dies, a process
> holding an exithand FD (or whatever we call it) may pass that FD to
> another process, and *that* process can read(2) from it.
>
> Another option is doing the exithand access check at open time. I
> think that's probably fine, and it would make things a lot simpler.
> But if we use this option, we should understand what we're doing, and
> get some security-conscious people to think through the implications.

A ptrace check is also probably too strict. Yama's ptrace_scope feature
will block ptrace between unrelated processes within a single user
context, but applying this restriction to exit code monitoring seems too
severe to me.
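The FD-passing concern in the quoted text, as an added userspace model that is not part of the thread or the patch: the access check runs once, against the opener, and the resulting descriptor is then handed over SCM_RIGHTS to a forked process that never went through the check but can still read(2) from it. The pipe standing in for the exithand FD, and the `open_with_check` and `read_in_other_process` helpers, are assumptions for this demo.

```python
import os
import socket


def open_with_check(payload: bytes, allowed: bool) -> int:
    """Stand-in for opening an exithand FD (assumption for this demo).
    The ptrace-style check happens here, once, against the opener.
    Returns the read end of a pipe that will deliver `payload`, which
    plays the role of the exit status the FD would report."""
    if not allowed:
        raise PermissionError("opener failed the access check")
    r, w = os.pipe()
    os.write(w, payload)  # constructed "exit status" bytes
    os.close(w)           # no writer left, so a read() sees EOF after payload
    return r


def read_in_other_process(fd: int) -> bytes:
    """Pass `fd` over a unix socket (SCM_RIGHTS) to a freshly forked
    process and return what that process reads. The receiver never went
    through open_with_check; holding the descriptor is all it needs."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    res_r, res_w = os.pipe()  # channel for the child to report its read
    pid = os.fork()
    if pid == 0:
        # Receiving side. Drop the copy inherited by fork() so the only
        # way to reach the pipe is the descriptor carried in the message.
        os.close(fd)
        parent.close()
        os.close(res_r)
        _data, fds, _flags, _addr = socket.recv_fds(child, 1, 1)
        got = os.read(fds[0], 64)
        os.write(res_w, got)
        os._exit(0)
    # Sending side: hand the descriptor over, then give up our own copy.
    child.close()
    os.close(res_w)
    socket.send_fds(parent, [b"x"], [fd])
    os.close(fd)
    result = os.read(res_r, 64)
    os.close(res_r)
    parent.close()
    os.waitpid(pid, 0)
    return result


if __name__ == "__main__":
    fd = open_with_check(b"exited:0", allowed=True)
    print(read_in_other_process(fd))  # the unrelated process reads the status
```

Requires Linux and Python 3.9+ for `socket.send_fds`/`socket.recv_fds`.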