Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp210137imu; Mon, 19 Nov 2018 21:00:20 -0800 (PST) X-Google-Smtp-Source: AFSGD/VQwQisNkThQjnqSKv1BhFuTEBOBpBkGMXp87OQm5pfofqakpbNlf6HMf9PWmbxQdvQb63f X-Received: by 2002:a17:902:ab83:: with SMTP id f3-v6mr682859plr.122.1542690019986; Mon, 19 Nov 2018 21:00:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542690019; cv=none; d=google.com; s=arc-20160816; b=M2Sd+XwtdjA6eoRG8RV/syfTSKr0+X/LO9k7Ksv7g8eJVVFkdhT6n6xmvpVZQpUMKz /5ZMVzeVlBZ47mYQGA2NG5QvEW+gx8bWN/qCp8ho2MuOcXfoFr2xehw7K7F+RnED/xU5 g2T6ovTyrIKO11fElKDdtv9TMvKxSHgtxN/nS8fRWVeETCLw3gfSjxXmiWKcuLS9BxMt nxc4m7aT188QaEAyq1Aqk9Jaz7L+ykFW/TC/+4EEaJn3YDmEw7n4Cu3WL+7GpjmjRrFK Ehoq5RaRn3dt8PiGgMGx6OCvSDZwjI/OyqbAGqIEwOzeVLfCrQRdwhadSPSuOfH7evMO qktA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=QuUbq8rcCaHMcjVQdcH0lpJZphafbYW9VZFhg9+agWU=; b=bLCiEhBXBUo1cRWmEgk2QjrFeS6h9dYDuLiQGL4/c6/xK//FehXx4qQx5kFQeGwjuc U7qYjv6mvO39ucx0ij4+ez0stQe4SkNWVbO1wcOBAN83tyYGBKnyyl0rMYkOW/x3ZvnN XPUyorB9ZAquSM9JdQFrwe8jvKy3UVnuB6UEx10/vknfyNnLDcp8lAqAzz4zYUhRolZt Ee3m0XWOegG43rpClb4u41ywdTzPBRKELGZFK5RdqGUFTNxwQdQSDOJ6EdRfbF9l7toV N8tCPejpNasH2gKG9AmmsWiMUPHrbSNtEsT6kjcvU4h6aNfPDgzccGRD3dGwZCAtIcSr toQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62-v6si43123067pla.217.2018.11.19.21.00.05; Mon, 19 Nov 2018 21:00:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731068AbeKTP0e (ORCPT + 99 others); Tue, 20 Nov 2018 10:26:34 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:60454 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730570AbeKTP0d (ORCPT ); Tue, 20 Nov 2018 10:26:33 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gOy88-0003fO-Pf; Mon, 19 Nov 2018 21:59:20 -0700 Received: from 67-3-154-154.omah.qwest.net ([67.3.154.154] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gOy87-0002Ur-Sf; Mon, 19 Nov 2018 21:59:20 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Daniel Colascione Cc: Christian Brauner , Aleksa Sarai , linux-kernel , "Serge E. Hallyn" , Jann Horn , Andy Lutomirski , Andrew Morton , Oleg Nesterov , Al Viro , Linux FS Devel , Linux API , Tim Murray , linux-man , Kees Cook References: <20181119103241.5229-1-christian@brauner.io> <20181119103241.5229-3-christian@brauner.io> <20181119202857.k5zw742xjfrw677j@yavin> <20181119205518.btew3vxwgva4w3zh@brauner.io> <20181119211810.73ptfhnwdmkngfi4@yavin> <20181119212126.u2nkijmula6wcfqi@brauner.io> <20181119213722.z54huio5g4kuldxk@brauner.io> Date: Mon, 19 Nov 2018 22:59:12 -0600 In-Reply-To: (Daniel Colascione's message of "Mon, 19 Nov 2018 13:41:21 -0800") Message-ID: <87muq4xs2n.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1gOy87-0002Ur-Sf;;;mid=<87muq4xs2n.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.154.154;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18yJnZg8cNKpJiFux8/b8jS8UgYDG3P7Po= X-SA-Exim-Connect-IP: 67.3.154.154 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa04.xmission.com X-Spam-Level: X-Spam-Status: No, score=0.3 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01, T_TooManySym_02,T_TooManySym_03,XM_Body_Dirty_Words autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4858] * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.0 T_TooManySym_03 6+ unique symbols in subject * 0.5 XM_Body_Dirty_Words Contains a dirty word * 0.0 T_TooManySym_02 5+ unique symbols in subject X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Daniel Colascione X-Spam-Relay-Country: X-Spam-Timing: total 496 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.9 (0.8%), b_tie_ro: 2.7 (0.5%), parse: 1.60 (0.3%), extract_message_metadata: 20 (4.1%), get_uri_detail_list: 4.3 (0.9%), tests_pri_-1000: 19 (3.9%), tests_pri_-950: 1.72 (0.3%), tests_pri_-900: 1.41 (0.3%), tests_pri_-90: 36 (7.2%), check_bayes: 33 (6.7%), b_tokenize: 13 (2.7%), b_tok_get_all: 10 (2.0%), b_comp_prob: 4.0 (0.8%), b_tok_touch_all: 3.6 (0.7%), b_finish: 0.73 (0.1%), tests_pri_0: 386 (77.9%), check_dkim_signature: 0.70 (0.1%), check_dkim_adsp: 2.8 (0.6%), poll_dns_idle: 0.33 (0.1%), tests_pri_10: 4.9 (1.0%), tests_pri_500: 16 (3.3%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v1 2/2] signal: add procfd_signal() syscall X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Daniel Colascione writes: > On Mon, Nov 19, 2018 at 1:37 PM Christian Brauner wrote: >> >> On Mon, Nov 19, 2018 at 01:26:22PM -0800, Daniel Colascione wrote: >> > On Mon, Nov 19, 2018 at 1:21 PM, Christian Brauner wrote: >> > > That can be done without a loop by comparing the level counter for the >> > > two pid namespaces. >> > > >> > >> >> > >> And you can rewrite pidns_get_parent to use it. So you would instead be >> > >> doing: >> > >> >> > >> if (pidns_is_descendant(proc_pid_ns, task_active_pid_ns(current))) >> > >> return -EPERM; >> > >> >> > >> (Or you can just copy the 5-line loop into procfd_signal -- though I >> > >> imagine we'll need this for all of the procfd_* APIs.) >> > >> > Why is any of this even necessary? Why does the child namespace we're >> > considering even have a file descriptor to its ancestor's procfs? If >> >> Because you can send file descriptors between processes and container >> runtimes tend to do that. > > Right. But why *would* a container runtime send one of these procfs > FDs to a container? > >> > it has one of these FDs, it can already *read* all sorts of >> > information it really shouldn't be able to acquire, so the additional >> > ability to send a signal (subject to the usual permission checks) >> > feels like sticking a finger in a dike that's already well-perforated. >> > IMHO, we shouldn't bother with this check. The patch would be simpler >> > without it. >> >> We will definitely not allow signaling processes in an ancestor pid >> namespace! That is a security issue! I can imagine container runtimes >> killing their monitoring process etc. pp. Not happening, unless someone >> with deep expertise in signals can convince me otherwise. > > If parent namespace procfs FDs or mounts really can leak into child > namespaces as easily as Aleksa says, then I don't mind adding the > check. I was under the impression that if you find yourself in this > situation, you already have a big problem. There is one big reason to have the check, and I have not seen it mentioned yet in this thread. When SI_USER is set we report the pid of the sender of the signal in si_pid. When the signal comes from the kernel si_pid == 0. When signal is sent from an ancestor pid namespace si_pid also equals 0 (which is reasonable). A signal out to a process in a parent pid namespace such as SIGCHLD is reasonable as we can map the pid. I really don't see the point of forbidding that. From the perspective of the process in the parent pid namespace it is just another process in it's pid namespace. So it should pose no problem from the perspective of the receiving process. A signal to a process in a pid namespace that is neither a parent nor a descendent pid namespace would be a problem, as there is no well defined notion of what si_pid should be set to. So for that case perhaps we should have something like a noprocess pid that we can set. Perhaps we could set si_pid to 0xffffffff. That would take a small extension to pid_nr_ns. File descriptors are not namespaced. It is completely legitimate to use file descriptors to get around limitations of namespaces. Adding limitations to a file descriptor based api because someone else can't set up their processes in such a way as to get the restrictions they are looking for seems very sad. Frankly I think it is one of the better features of namespaces that we have to carefully handle and define these cases so that when the inevitable leaks happen you are not immediately in a world of hurt. All of the other permission checks etc continue to do their job. Plus you are prepared for the case when someone wants their containers to have an interesting communication primitive. Eric