Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2010380ybf; Sun, 1 Mar 2020 23:50:32 -0800 (PST) X-Google-Smtp-Source: APXvYqzBc874rGaqRlJEkIyV+YbHWdxwy4RCOYkYU41wj6WFTcelgXiS8HWaX6zCK6opL3y8ORXG X-Received: by 2002:a9d:6c94:: with SMTP id c20mr12834600otr.285.1583135431930; Sun, 01 Mar 2020 23:50:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583135431; cv=none; d=google.com; s=arc-20160816; b=ZdF7mEIMutyVoJb+eapIvudi0izK2pS60ppYNSHrDQ/B7I1RijpFWOnDRg0ygbOv8b vT4XB//LREQCdIa5A5Gj+IHM0lRZgA1fy+BTMXy1Yx02XpXw/6nAXFJYHvpPBWRN7GQ/ 0lOslBfRjrlRK48VTt+yA4qHGxG92C6PDgXI27qM09xFtVPpXN0q2Ow93ElvEyw+l41p VqOA6qw7Ukee2Tty+UR5XTFgMWTLAGZP4A0yLHzLxeIlpOndElFKQBiyOWof9qsmMErV 154pemPHvneLilmVdCXm1Y0OvPgyVF2CDhDRafbGULXIT/F4LUFbRIeCNAYOjWLoaRc/ P8ng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Di2gjy5CBIISr0a7NlE8vTM5k2l19IgGlLDqoesl4Ec=; b=uJG9mg8efCw8do5ZvyOsGJXCk4QRryjUpXQE2Mu3r31havzSzU+2X/y31sg5ijLJRV WQzdtSlbfhJgqGicQap/p/f3Qe0izPRkiezXQOiGTqzbf/rMxHPWPMKmLP0abS4QA5Gq mvJqDYz8Fg/HCyrcA0mevIVwLObZvN05faBkSe7y2ao685+ETI9lG+MHBSeHwo/Gxrnf gvznEZLCBZnDLIKX6Ba3grMb7mSn0bDUni1Lb3xjeOMpbKbJpFsxY4mwpRX0nne+rVaA npn2+v8rU0aVhhEa76r+SSPZeUJR+aX8j/k/9WfILBjk9dhfWESehXCSbgM2RRof6/vI Xpqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k13si6320338otp.224.2020.03.01.23.50.20; Sun, 01 Mar 2020 23:50:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727095AbgCBHtK (ORCPT + 99 others); Mon, 2 Mar 2020 02:49:10 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:47589 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725446AbgCBHtK (ORCPT ); Mon, 2 Mar 2020 02:49:10 -0500 Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j8foa-0001V1-Oy; Mon, 02 Mar 2020 07:48:36 +0000 Date: Mon, 2 Mar 2020 08:48:35 +0100 From: Christian Brauner To: Jann Horn Cc: Bernd Edlinger , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , "Eric W. Biederman" , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Kees Cook , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" Subject: Re: [PATCH] exec: Fix a deadlock in ptrace Message-ID: <20200302074835.ya3qn2sc3zaxqcsp@wittgenstein> References: <20200301185244.zkofjus6xtgkx4s3@wittgenstein> <20200302074751.evhnq3b5zvtbaqu4@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200302074751.evhnq3b5zvtbaqu4@wittgenstein> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 02, 2020 at 08:47:53AM +0100, Christian Brauner wrote: > On Sun, Mar 01, 2020 at 09:00:22PM +0100, Jann Horn wrote: > > On Sun, Mar 1, 2020 at 7:52 PM Christian Brauner > > wrote: > > > On Sun, Mar 01, 2020 at 07:21:03PM +0100, Jann Horn wrote: > > > > On Sun, Mar 1, 2020 at 12:27 PM Bernd Edlinger > > > > wrote: > > > > > The proposed solution is to have a second mutex that is > > > > > used in mm_access, so it is allowed to continue while the > > > > > dying threads are not yet terminated. > > > > > > > > Just for context: When I proposed something similar back in 2016, > > > > https://lore.kernel.org/linux-fsdevel/20161102181806.GB1112@redhat.com/ > > > > was the resulting discussion thread. At least back then, I looked > > > > through the various existing users of cred_guard_mutex, and the only > > > > places that couldn't be converted to the new second mutex were > > > > PTRACE_ATTACH and SECCOMP_FILTER_FLAG_TSYNC. > > > > > > > > > > > > The ideal solution would IMO be something like this: Decide what the > > > > new task's credentials should be *before* reaching de_thread(), > > > > install them into a second cred* on the task (together with the new > > > > dumpability), drop the cred_guard_mutex, and let ptrace_may_access() > > > > check against both. After that, some further restructuring might even > > > > > > Hm, so essentially a private ptrace_access_cred member in task_struct? > > > > And a second dumpability field, because that changes together with the > > creds during execve. (Btw, currently the dumpability is in the > > mm_struct, but that's kinda wrong. The mm_struct is removed from a > > task on exit while access checks can still be performed against it, and > > currently ptrace_may_access() just lets the access go through in that > > case, which weakens the protection offered by PR_SET_DUMPABLE when > > used for security purposes. I think it ought to be moved over into the > > task_struct.) > > > > > That would presumably also involve altering various LSM hooks to look at > > > ptrace_access_cred. > > > > When I tried to implement this in the past, I changed the LSM hook to > > take the target task's cred* as an argument, and then called the LSM > > hook twice from ptrace_may_access(). IIRC having the target task's > > creds as an argument works for almost all the LSMs, with the exception > > of Yama, which doesn't really care about the target task's creds, so > > you have to pass in both the task_struct* and the cred*. > > It seems we should try PoCing this. Independent of the fix for Bernd's issue that is.