Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp550298ybh;
        Wed, 18 Mar 2020 04:57:13 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvMNs27aPMWXqOjqaEWR7hjoF0nmbObmUBLhDWOoaQeraMQgpmqHN00kHqSEPG7xC523JxW
X-Received: by 2002:aca:4243:: with SMTP id p64mr2824455oia.21.1584532633357;
        Wed, 18 Mar 2020 04:57:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584532633; cv=none;
        d=google.com; s=arc-20160816;
        b=MGHnxq0wZRdeqBy5Z8kKCUUcpGioQr4VGR7td90PkGuxELCuIVflNfKkUHzxAZNXCg
         nKTNUiSbeDmgOuLi/8w6TM+g4Rc7BG0luOHhrL2yJiV76IbeDYPts2REx9tT+olVhG0e
         9WoPqTqh8KrkHOrbt6WdwzCXoYjL/8StAC9ZnbMqk4t139i6FiaxdFrHkUKBjLd3ZkhO
         HC+nRhMac+agsonZwzytgiTcirNBGnDg4/HwOI2/FTO2C4i0uvZ67CFVnLUaar1weKfm
         Je3NCb8tK4cTJu0h5lwInrHlVA2DlJRQkdMREWVJB+opFDL/00h9I+tEz3DzBRwIhLR6
         XqPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=WxHHwaPvnIIVQhKhjM/mEMgITdnFJ5sToHCM1ejs9lE=;
        b=mNmjAyC+OYWszX2yPZZMho+Rc3ziVqgtCL1of0vkTTA/j7VCNvVdd9F7WbTn7FE10e
         hLKlLVu7A7CdXtnB5gUZEFu+7Dsar0w1JQVzzmLg8svZaAnYqvHT60rl3S0v+mZzE1oM
         pMjpIUtj5Mc/UeMn+dav5LIIjX09Ymvpxp2ObK56pEMAanx85lfFq7NbsMIG0/qWQgws
         +qinwUJFAVRrkR8B34nRUE0ySjmfnajHE5hA2mYmBKfs9njFtk71QhNO28lgf/mwzM2R
         OYehFIJvWHo4LTPu/ylu508XKWcs23fIW9224G9HDXg6ByEqVMkayU/3aPqkadoqDWd5
         oNvw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c17si3045417otr.109.2020.03.18.04.57.00;
        Wed, 18 Mar 2020 04:57:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726747AbgCRL4l (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 18 Mar 2020 07:56:41 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:35424 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726631AbgCRL4l (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Mar 2020 07:56:41 -0400
Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <christian.brauner@ubuntu.com>)
        id 1jEXJN-0008Cd-TD; Wed, 18 Mar 2020 11:56:38 +0000
Date:   Wed, 18 Mar 2020 12:56:37 +0100
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     Simon Ser <contact@emersion.fr>
Cc:     "ebiederm@xmission.com" <ebiederm@xmission.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "oleg\\@redhat.com" <oleg@redhat.com>,
        "christian\\@brauner.io" <christian@brauner.io>
Subject: Re: SO_PEERCRED and pidfd
Message-ID: <20200318115637.qffmwvtr4uqanyvc@wittgenstein>
References: <go0RLOS7_DdxyAmfrDR38QPUloZuUtiFdXe2Ey3EkGGuvmW7z18Dvt4fY1qZ1k-Y75-YZSxqVWnZpWRGN7TZ6OPbDczfL7HI25bXLIYq1y4=@emersion.fr>
 <87d09akduh.fsf@x220.int.ebiederm.org>
 <1Q35NFfgidxjWwXdBPA4EBehI5cyiQ2g47PjP_twMt_AlhcwWIzFK45Dyaw0bKT1KHPsbUAOXbfpvZODuRSd19LVI0tPBPsVblfSYy_YZEg=@emersion.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <1Q35NFfgidxjWwXdBPA4EBehI5cyiQ2g47PjP_twMt_AlhcwWIzFK45Dyaw0bKT1KHPsbUAOXbfpvZODuRSd19LVI0tPBPsVblfSYy_YZEg=@emersion.fr>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 18, 2020 at 10:31:00AM +0000, Simon Ser wrote:
> On Tuesday, March 17, 2020 7:58 PM, <ebiederm@xmission.com> wrote:
> 
> > Simon Ser contact@emersion.fr writes:
> >
> > > Hi all,
> > > I'm a Wayland developer and I've been working on protocol security,
> > > which involves identifying the process on the other end of a Unix
> > > socket 1. This is already done by e.g. D-Bus via the PID, however
> > > this is racy 2.
> > > Getting the PID is done via SO_PEERCRED. Would there be interest in
> > > adding a way to get a pidfd out of a Unix socket to fix the race?
> >
> > I think we are passing a struct pid through the socket metadata.
> > So it should be technically feasible.
> >
> > However it does come with some long term mainteance costs.
> >
> > The big question is what is a pid being used for when being passed.
> > Last I looked most of the justifications for using metadata like that
> > with unix domain sockets led to patterns of trust that were also
> > exploitable.
> >
> > Looking at the proposale in 1 even if you have race free access
> > to /proc/<pid>/exe using pidfds it is possible to change /proc/<pid>/exe
> > to be anything you can map so that seems to be an example of a problem.
> 
> /proc/<pid>/exe is a symlink. It doesn't seem like it's possible to
> unlink it and re-link it to something else (fails with EPERM).
> 
> Is there a way to do this?

Not while the process is running afaik. Given the right permission there
are some tricks you can do to overwrite the host binary and trick
someone into rexecuting itself and thus the ovewritten binary (There's
been an exploit in runC around this which Aleksa and I fixed a while
back.) but as long as the process is running you can't overwrite it
(unless there are bugs).

> 
> > So it would be very nice to see a use case spelled out where
> > the pid reuse race mattered, and that trusting a pid makes sense.
> 
> The use-case is identifying which process is at the other end of the
> socket. Once the process is identified, security rules can be applied.
> For instance a Wayland compositor might give access to a
> screen capture interface if the program is a trusted screen shooter.
> 
> Some want to get the full path to the executable, and read the
> /proc/<pid>/exe symlink. Some want to read a special file created at
> the root of the process' file system namespace, and access
> /proc/<pid>/root.

You can translate solely from a pidfd to a pid and then open /proc/<pid>
and verify that the directory you just opened referes to the same
process as the pidfd. That's illustrated in a sample program I wrote.
It's located in the kernel sources at:

samples/pidfd/pidfd_metadata.c

specifically the pidfd_metadata_fd() helper.

If you only have the pidfd and want to know the pid of the process you
can translate from the fd's fdinfo file to the pid. That's e.g. how
systemd is doing it too. See
https://github.com/systemd/systemd/blob/06ae8800d0bd9f8b01df7443daec37f90708bd84/src/basic/process-util.c#L1499
If the process has already exited _and_ been reaped fdinfo will show -1
as pid. The format of the fdinfo file matches the output for the Pid:
and NSpid: fields in the /prop/<pid>/status file.