Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp1024579ybh; Tue, 10 Mar 2020 13:01:46 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtz5OXHI9QhOt8N13gnY4dm1/cNFiPwiojrfsd01Lu9NK6CUaHX+58Gc20ska7m8Ora7Sr3 X-Received: by 2002:a9d:7087:: with SMTP id l7mr19229532otj.0.1583870506167; Tue, 10 Mar 2020 13:01:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583870506; cv=none; d=google.com; s=arc-20160816; b=hbFoc7n6rKvVzCmJmE5jyGTafMQ3wIN4McHOzB5W4asjwSGrJ9efJoMoO387BeSPvx izYEllYbQwMbYb/P09285yp0EDFkmdUsKf601ZeXW7hb89Lsgbyqf6YzhpHY0wYKYWN3 DblStmyhP3bfS8kW2S/ALLA1Qyc7TBsL8nz+HFtN1l1GSEOHaGQtgKKvG4IxIPmiRZMQ PXm65biZsaLq97wUogO7FsSgcVfeeDEPcR73+I3QquEfx/jd3HljafaKUSY90qB1jkTQ nPhjOH0/P5Rsi2WSQSN5Sw7qLqTvIMzUbqw1wQuJkyYGK+3Mbx783odW49u6GfsowNjY 21wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=; b=liIz8z6I4xdi/pUBAUdl8xaX40Nftr9H/jyawIFRlVC+iGPpRC+SH0+aF4hdXxbW7S 43fdHIzqXgvwJB3tnAgEf5AbT/bCKVk24qmUV2La+AALlT71dfG65ej5X1Xdt26IlFP2 e4pDRN6CjsiKNSGTyi58jV1L8wVzZSNdfs4HjLcRqMMuuIx5//nIBpCNYy4+8YjCRfEX DHMwVvNnJE3l4aYu6hgUQMb0yZluFdGlAgZ5JyuhoKQRHA7lK7ZjA9Yt7fW3sgDOA9sf Xo+uiLR9N3l8zfC8VjccX1JiwhI+kSiRNCvx3duGcVStoyneitdqJPLV4ZF4BjUOItuw 5dQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lToTywfF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l145si6639775oih.44.2020.03.10.13.01.21; Tue, 10 Mar 2020 13:01:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lToTywfF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727442AbgCJUAz (ORCPT + 99 others); Tue, 10 Mar 2020 16:00:55 -0400 Received: from mail-ot1-f65.google.com ([209.85.210.65]:37490 "EHLO mail-ot1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726545AbgCJUAz (ORCPT ); Tue, 10 Mar 2020 16:00:55 -0400 Received: by mail-ot1-f65.google.com with SMTP id b3so14478257otp.4 for ; Tue, 10 Mar 2020 13:00:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=; b=lToTywfF6/WNafCRISYFb5qIPhLOZD7H3m7K11tcVGoSy0sDMKZ5AOMrdtIh1Zcm+N FsSDckkbtI4yqMRWo5Fjqdg64HXXgblPk8H7PM2B/BLCmb4xHoUig7plVH7TGc1gK2Cr kNb3g6Is4ZWWVGTXV2n1kZH9gibgqCnEAvqkgY/U8QdWJYyuzGJ5/NKmku3+6X9qrx4w ahi9XPBSsYLPDacA5iChtNW4lQKX1M3pK4Y+gCGh2NS8fv2rmtdk2F6Wa83/mGUwm7si i9wYysP5fygg3ep0iX3jaDt/BGsNFKQNDX1evsDSMAIoQCH29ffsppjtETxuQHNKCs5q BGiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zIAAqBT5cH5cbbW3GFto6v7mD8pF39ecAMkC8oTgutI=; b=sCUiY97dqLV+hBbjVPNy/2tzYQLGagxAJNB0q6GoGHKbZRHRF5n+g4a2NUKV6K4qUz ZAffdO83fsw6YuTmXYXWRKwIrEAcyZv9qh77kYPEkefzF31pk4Dj65nV3bYJUuYnvJ01 1IUC6ZqBAnkvSoXxRTpDfryIEksgYkyLXBDrC9GY7Ip6rxJmGyKJRmnqL+RmqzpaWiLl X5B2J20Cxa4/Rc7vO90DvnyQMLzfGuQNTPmHxmcF+RAZPTNsAI32IoYHFSXrVtIssXFb 9hppDt8kmNm+4kltkbNvpqB8JzlVqf+GtS0jGsnz8L+4rrL0SBOOCVAkiSUSyXQ+eCmm aRmw== X-Gm-Message-State: ANhLgQ1TPYU1pH9rD4+g3+1FIGkeSQSjQtSxai2+4d67/zj/iif5NgLM p4Owi4GXuVH1npZZ2ub+RLfmTAUtwfbSNrjD3FezlA== X-Received: by 2002:a05:6830:1d6e:: with SMTP id l14mr17776467oti.32.1583870453922; Tue, 10 Mar 2020 13:00:53 -0700 (PDT) MIME-Version: 1.0 References: <87r1y8dqqz.fsf@x220.int.ebiederm.org> <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87v9ne5y4y.fsf_-_@x220.int.ebiederm.org> <87eeu25y14.fsf_-_@x220.int.ebiederm.org> <20200309195909.h2lv5uawce5wgryx@wittgenstein> <877dztz415.fsf@x220.int.ebiederm.org> <20200309201729.yk5sd26v4bz4gtou@wittgenstein> <87k13txnig.fsf@x220.int.ebiederm.org> <20200310085540.pztaty2mj62xt2nm@wittgenstein> <87wo7svy96.fsf_-_@x220.int.ebiederm.org> <87k13sui1p.fsf@x220.int.ebiederm.org> In-Reply-To: <87k13sui1p.fsf@x220.int.ebiederm.org> From: Jann Horn Date: Tue, 10 Mar 2020 21:00:27 +0100 Message-ID: Subject: Re: [PATCH] pidfd: Stop taking cred_guard_mutex To: "Eric W. Biederman" Cc: Christian Brauner , Bernd Edlinger , Kees Cook , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , "linux-api@vger.kernel.org" , Arnd Bergmann , Sargun Dhillon Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 10, 2020 at 8:29 PM Eric W. Biederman wrote: > Jann Horn writes: > > On Tue, Mar 10, 2020 at 7:54 PM Eric W. Biederman wrote: > >> During exec some file descriptors are closed and the files struct is > >> unshared. But all of that can happen at other times and it has the > >> same protections during exec as at ordinary times. So stop taking the > >> cred_guard_mutex as it is useless. > >> > >> Furthermore he cred_guard_mutex is a bad idea because it is deadlock > >> prone, as it is held in serveral while waiting possibly indefinitely > >> for userspace to do something. > > > > Please don't. Just use the new exec_update_mutex like everywhere else. > > > >> Cc: Sargun Dhillon > >> Cc: Christian Brauner > >> Cc: Arnd Bergmann > >> Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall") > >> Signed-off-by: "Eric W. Biederman" > >> --- > >> kernel/pid.c | 6 ------ > >> 1 file changed, 6 deletions(-) > >> > >> Christian if you don't have any objections I will take this one through > >> my tree. > >> > >> I tried to figure out why this code path takes the cred_guard_mutex and > >> the archive on lore.kernel.org was not helpful in finding that part of > >> the conversation. > > > > That was my suggestion. > > > >> diff --git a/kernel/pid.c b/kernel/pid.c > >> index 60820e72634c..53646d5616d2 100644 > >> --- a/kernel/pid.c > >> +++ b/kernel/pid.c > >> @@ -577,17 +577,11 @@ static struct file *__pidfd_fget(struct task_struct *task, int fd) > >> struct file *file; > >> int ret; > >> > >> - ret = mutex_lock_killable(&task->signal->cred_guard_mutex); > >> - if (ret) > >> - return ERR_PTR(ret); > >> - > >> if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) > >> file = fget_task(task, fd); > >> else > >> file = ERR_PTR(-EPERM); > >> > >> - mutex_unlock(&task->signal->cred_guard_mutex); > >> - > >> return file ?: ERR_PTR(-EBADF); > >> } > > > > If you make this change, then if this races with execution of a setuid > > program that afterwards e.g. opens a unix domain socket, an attacker > > will be able to steal that socket and inject messages into > > communication with things like DBus. procfs currently has the same > > race, and that still needs to be fixed, but at least procfs doesn't > > let you open things like sockets because they don't have a working > > ->open handler, and it enforces the normal permission check for > > opening files. > > It isn't only exec that can change credentials. Do we need a lock for > changing credentials? Hmm, I guess so? Normally, a task that's changing credentials becomes nondumpable at the same time (and there are explicit memory barriers in commit_creds() and __ptrace_may_access() to enforce the ordering for this); so you normally don't see tasks becoming ptrace-accessible via anything other than execve(). But I guess if someone opens a root-only file, closes it, drops privileges, and then explicitly does prctl(PR_SET_DUMPABLE, 1), we should probably protect that, too. > Wouldn't it be sufficient to simply test ptrace_may_access after > we get a copy of the file? There are also setuid helpers that can, after having done privileged stuff, drop privileges and call execve(); after that, ptrace_may_access() succeeds again. In particular, polkit has a helper that does this. > If we need a lock around credential change let's design and build that. > Having a mismatch between what a lock is designed to do, and what > people use it for can only result in other bugs as people get confused. Hmm... what benefits do we get from making it a separate lock? I guess it would allow us to make it a per-task lock instead of a signal_struct-wide one? That might be helpful...