Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp1024579ybh;
        Tue, 10 Mar 2020 13:01:46 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vtz5OXHI9QhOt8N13gnY4dm1/cNFiPwiojrfsd01Lu9NK6CUaHX+58Gc20ska7m8Ora7Sr3
X-Received: by 2002:a9d:7087:: with SMTP id l7mr19229532otj.0.1583870506167;
        Tue, 10 Mar 2020 13:01:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583870506; cv=none;
        d=google.com; s=arc-20160816;
        b=hbFoc7n6rKvVzCmJmE5jyGTafMQ3wIN4McHOzB5W4asjwSGrJ9efJoMoO387BeSPvx
         izYEllYbQwMbYb/P09285yp0EDFkmdUsKf601ZeXW7hb89Lsgbyqf6YzhpHY0wYKYWN3
         DblStmyhP3bfS8kW2S/ALLA1Qyc7TBsL8nz+HFtN1l1GSEOHaGQtgKKvG4IxIPmiRZMQ
         PXm65biZsaLq97wUogO7FsSgcVfeeDEPcR73+I3QquEfx/jd3HljafaKUSY90qB1jkTQ
         nPhjOH0/P5Rsi2WSQSN5Sw7qLqTvIMzUbqw1wQuJkyYGK+3Mbx783odW49u6GfsowNjY
         21wg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=;
        b=liIz8z6I4xdi/pUBAUdl8xaX40Nftr9H/jyawIFRlVC+iGPpRC+SH0+aF4hdXxbW7S
         43fdHIzqXgvwJB3tnAgEf5AbT/bCKVk24qmUV2La+AALlT71dfG65ej5X1Xdt26IlFP2
         e4pDRN6CjsiKNSGTyi58jV1L8wVzZSNdfs4HjLcRqMMuuIx5//nIBpCNYy4+8YjCRfEX
         DHMwVvNnJE3l4aYu6hgUQMb0yZluFdGlAgZ5JyuhoKQRHA7lK7ZjA9Yt7fW3sgDOA9sf
         Xo+uiLR9N3l8zfC8VjccX1JiwhI+kSiRNCvx3duGcVStoyneitdqJPLV4ZF4BjUOItuw
         5dQw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lToTywfF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l145si6639775oih.44.2020.03.10.13.01.21;
        Tue, 10 Mar 2020 13:01:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lToTywfF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727442AbgCJUAz (ORCPT <rfc822;schlichte.alexander@gmail.com>
        + 99 others); Tue, 10 Mar 2020 16:00:55 -0400
Received: from mail-ot1-f65.google.com ([209.85.210.65]:37490 "EHLO
        mail-ot1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726545AbgCJUAz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Mar 2020 16:00:55 -0400
Received: by mail-ot1-f65.google.com with SMTP id b3so14478257otp.4
        for <linux-kernel@vger.kernel.org>; Tue, 10 Mar 2020 13:00:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=;
        b=lToTywfF6/WNafCRISYFb5qIPhLOZD7H3m7K11tcVGoSy0sDMKZ5AOMrdtIh1Zcm+N
         FsSDckkbtI4yqMRWo5Fjqdg64HXXgblPk8H7PM2B/BLCmb4xHoUig7plVH7TGc1gK2Cr
         kNb3g6Is4ZWWVGTXV2n1kZH9gibgqCnEAvqkgY/U8QdWJYyuzGJ5/NKmku3+6X9qrx4w
         ahi9XPBSsYLPDacA5iChtNW4lQKX1M3pK4Y+gCGh2NS8fv2rmtdk2F6Wa83/mGUwm7si
         i9wYysP5fygg3ep0iX3jaDt/BGsNFKQNDX1evsDSMAIoQCH29ffsppjtETxuQHNKCs5q
         BGiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=;
        b=sCUiY97dqLV+hBbjVPNy/2tzYQLGagxAJNB0q6GoGHKbZRHRF5n+g4a2NUKV6K4qUz
         ZAffdO83fsw6YuTmXYXWRKwIrEAcyZv9qh77kYPEkefzF31pk4Dj65nV3bYJUuYnvJ01
         1IUC6ZqBAnkvSoXxRTpDfryIEksgYkyLXBDrC9GY7Ip6rxJmGyKJRmnqL+RmqzpaWiLl
         X5B2J20Cxa4/Rc7vO90DvnyQMLzfGuQNTPmHxmcF+RAZPTNsAI32IoYHFSXrVtIssXFb
         9hppDt8kmNm+4kltkbNvpqB8JzlVqf+GtS0jGsnz8L+4rrL0SBOOCVAkiSUSyXQ+eCmm
         aRmw==
X-Gm-Message-State: ANhLgQ1TPYU1pH9rD4+g3+1FIGkeSQSjQtSxai2+4d67/zj/iif5NgLM
        p4Owi4GXuVH1npZZ2ub+RLfmTAUtwfbSNrjD3FezlA==
X-Received: by 2002:a05:6830:1d6e:: with SMTP id l14mr17776467oti.32.1583870453922;
 Tue, 10 Mar 2020 13:00:53 -0700 (PDT)
MIME-Version: 1.0
References: <87r1y8dqqz.fsf@x220.int.ebiederm.org> <AM6PR03MB517053AED7DC89F7C0704B7DE4E50@AM6PR03MB5170.eurprd03.prod.outlook.com>
 <AM6PR03MB51703B44170EAB4626C9B2CAE4E20@AM6PR03MB5170.eurprd03.prod.outlook.com>
 <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87v9ne5y4y.fsf_-_@x220.int.ebiederm.org>
 <87eeu25y14.fsf_-_@x220.int.ebiederm.org> <20200309195909.h2lv5uawce5wgryx@wittgenstein>
 <877dztz415.fsf@x220.int.ebiederm.org> <20200309201729.yk5sd26v4bz4gtou@wittgenstein>
 <87k13txnig.fsf@x220.int.ebiederm.org> <20200310085540.pztaty2mj62xt2nm@wittgenstein>
 <87wo7svy96.fsf_-_@x220.int.ebiederm.org> <CAG48ez2cUZMVOAXfHPNjKjYsMSaWkjUjOCHo0KYZ+oXQUW4viA@mail.gmail.com>
 <87k13sui1p.fsf@x220.int.ebiederm.org>
In-Reply-To: <87k13sui1p.fsf@x220.int.ebiederm.org>
From:   Jann Horn <jannh@google.com>
Date:   Tue, 10 Mar 2020 21:00:27 +0100
Message-ID: <CAG48ez2vRgaEVJ=Rs8gn6HkGO6syL8MpSOUq7BNN+OUE1uYxCA@mail.gmail.com>
Subject: Re: [PATCH] pidfd: Stop taking cred_guard_mutex
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     Christian Brauner <christian.brauner@ubuntu.com>,
        Bernd Edlinger <bernd.edlinger@hotmail.de>,
        Kees Cook <keescook@chromium.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Oleg Nesterov <oleg@redhat.com>,
        Frederic Weisbecker <frederic@kernel.org>,
        Andrei Vagin <avagin@gmail.com>,
        Ingo Molnar <mingo@kernel.org>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>,
        Yuyang Du <duyuyang@gmail.com>,
        David Hildenbrand <david@redhat.com>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Anshuman Khandual <anshuman.khandual@arm.com>,
        David Howells <dhowells@redhat.com>,
        James Morris <jamorris@linux.microsoft.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Shakeel Butt <shakeelb@google.com>,
        Jason Gunthorpe <jgg@ziepe.ca>,
        Christian Kellner <christian@kellner.me>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        "Dmitry V. Levin" <ldv@altlinux.org>,
        "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Sargun Dhillon <sargun@sargun.me>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 10, 2020 at 8:29 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> Jann Horn <jannh@google.com> writes:
> > On Tue, Mar 10, 2020 at 7:54 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> >> During exec some file descriptors are closed and the files struct is
> >> unshared.  But all of that can happen at other times and it has the
> >> same protections during exec as at ordinary times.  So stop taking the
> >> cred_guard_mutex as it is useless.
> >>
> >> Furthermore he cred_guard_mutex is a bad idea because it is deadlock
> >> prone, as it is held in serveral while waiting possibly indefinitely
> >> for userspace to do something.
> >
> > Please don't. Just use the new exec_update_mutex like everywhere else.
> >
> >> Cc: Sargun Dhillon <sargun@sargun.me>
> >> Cc: Christian Brauner <christian.brauner@ubuntu.com>
> >> Cc: Arnd Bergmann <arnd@arndb.de>
> >> Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
> >> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> >> ---
> >>  kernel/pid.c | 6 ------
> >>  1 file changed, 6 deletions(-)
> >>
> >> Christian if you don't have any objections I will take this one through
> >> my tree.
> >>
> >> I tried to figure out why this code path takes the cred_guard_mutex and
> >> the archive on lore.kernel.org was not helpful in finding that part of
> >> the conversation.
> >
> > That was my suggestion.
> >
> >> diff --git a/kernel/pid.c b/kernel/pid.c
> >> index 60820e72634c..53646d5616d2 100644
> >> --- a/kernel/pid.c
> >> +++ b/kernel/pid.c
> >> @@ -577,17 +577,11 @@ static struct file *__pidfd_fget(struct task_struct *task, int fd)
> >>         struct file *file;
> >>         int ret;
> >>
> >> -       ret = mutex_lock_killable(&task->signal->cred_guard_mutex);
> >> -       if (ret)
> >> -               return ERR_PTR(ret);
> >> -
> >>         if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
> >>                 file = fget_task(task, fd);
> >>         else
> >>                 file = ERR_PTR(-EPERM);
> >>
> >> -       mutex_unlock(&task->signal->cred_guard_mutex);
> >> -
> >>         return file ?: ERR_PTR(-EBADF);
> >>  }
> >
> > If you make this change, then if this races with execution of a setuid
> > program that afterwards e.g. opens a unix domain socket, an attacker
> > will be able to steal that socket and inject messages into
> > communication with things like DBus. procfs currently has the same
> > race, and that still needs to be fixed, but at least procfs doesn't
> > let you open things like sockets because they don't have a working
> > ->open handler, and it enforces the normal permission check for
> > opening files.
>
> It isn't only exec that can change credentials.  Do we need a lock for
> changing credentials?

Hmm, I guess so? Normally, a task that's changing credentials becomes
nondumpable at the same time (and there are explicit memory barriers
in commit_creds() and __ptrace_may_access() to enforce the ordering
for this); so you normally don't see tasks becoming ptrace-accessible
via anything other than execve(). But I guess if someone opens a
root-only file, closes it, drops privileges, and then explicitly does
prctl(PR_SET_DUMPABLE, 1), we should probably protect that, too.

> Wouldn't it be sufficient to simply test ptrace_may_access after
> we get a copy of the file?

There are also setuid helpers that can, after having done privileged
stuff, drop privileges and call execve(); after that,
ptrace_may_access() succeeds again. In particular, polkit has a helper
that does this.

> If we need a lock around credential change let's design and build that.
> Having a mismatch between what a lock is designed to do, and what
> people use it for can only result in other bugs as people get confused.

Hmm... what benefits do we get from making it a separate lock? I guess
it would allow us to make it a per-task lock instead of a
signal_struct-wide one? That might be helpful...