Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3854153ybz; Tue, 28 Apr 2020 01:23:44 -0700 (PDT) X-Google-Smtp-Source: APiQypLL33zfq16oiVzCGcMCs4OoP/CNCloqaveUsy3HRLt04Lf1+mbfRv71RoGJYPSBG3kflE/A X-Received: by 2002:a50:d90f:: with SMTP id t15mr21266456edj.209.1588062224045; Tue, 28 Apr 2020 01:23:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588062224; cv=none; d=google.com; s=arc-20160816; b=dB2fIctrWo234Y2I+HrNkkbE5SBdawGQjZv4Weco+U1ltIvwr3PSlkdcdGQlMx/6XL YcDv2qw0J7ycmXSDbLhp1dRwERzucpERQfbAI67c/R+s24+0ivWjKVIViFokfQDWqkte H3XRFPZpDmpF/1eTAutEMZ3ysDEKCIrlIS2brKoFJI3D1Mdl4kLiIsQTVRfmPeJo0Vhy J3WBAVhSwvaPyOPgFIcslae1QGdEB9ZvbltZEVV0slh9X0hknD10j70uS/veD8sT6h1z 1bJixiW7O2gz5JJz7ZaPsf1D7Al7FmT0LEmxoQq1nJNZRnxQeMCn3z7d/k2QoPIQLn+Q JMsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ZRCN2jAYWBOhApn5bDL/ZKiWSoH3osXmY0touHTbL5c=; b=st6dXrZaYzBZW1XAr56ymdb7x5gADZc0/MZgeU6EQqLFh7JcnuMJSCljm7bO5R+cnN mxFPayFdGkQkUX1g8b/LZ1TY+jWwK0KNj18OZzsX7WTNfJpQ6k8ZxFjpZfCpwwcBhzeA Z2qT9ht5rIqiz2VYMgmYOtRrPM83xprd1ujYL0bku2hozi6bIkV+7pqGf4zVC/W6YY1f iXP/wy4O2LMp7iAQaDGC6rmW7ABGhWkNRkCb5U3e6dwUc0iwA70GlyodS7l47Cm0fRyj fHhX5at/HcVNZ1m9FlPbRn+M+LUudgDKiz1xC3jKZwWRduTnq4SRcUeUCwPAOj80IfpS fxsQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id mh26si1366821ejb.177.2020.04.28.01.23.21; Tue, 28 Apr 2020 01:23:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726846AbgD1IVw (ORCPT + 99 others); Tue, 28 Apr 2020 04:21:52 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:34708 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726515AbgD1IVv (ORCPT ); Tue, 28 Apr 2020 04:21:51 -0400 Received: from ip5f5af183.dynamic.kabel-deutschland.de ([95.90.241.131] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jTLUl-0004Ab-MP; Tue, 28 Apr 2020 08:21:35 +0000 Date: Tue, 28 Apr 2020 10:21:33 +0200 From: Christian Brauner To: Linus Torvalds Cc: Andy Lutomirski , Aleksa Sarai , Arnd Bergmann , Hagen Paul Pfeifer , "Eric W. Biederman" , Jann Horn , kernel list , Florian Weimer , Al Viro , Christian Brauner , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Brian Gerst , Sami Tolvanen , David Howells , Andy Lutomirski , Oleg Nesterov , Arnaldo Carvalho de Melo , Sargun Dhillon , Linux API , linux-arch , Greg Kroah-Hartman Subject: Re: [RFC v2] ptrace, pidfd: add pidfd_ptrace syscall Message-ID: <20200428082133.kusyjofgg7w2lchg@wittgenstein> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 27, 2020 at 09:28:14PM -0700, Linus Torvalds wrote: > On Mon, Apr 27, 2020 at 9:17 PM Andy Lutomirski wrote: > > > > I hate to say this, but I’m not convinced that asking the gdb folks is > > the right approach. GDB has an ancient architecture and is > > *incredibly* buggy. I’m sure ptrace is somewhere on the pain point > > list, but I suspect it’s utterly dwarfed by everything else. > > You may be right. However, if gdbn isn't going to use it, then I > seriously don't think it's worth changing much. > > It might be worth looking at people who don't use ptrace() for > debugging, but for "incidental" reasons. IOW sandboxing, tracing, > things like that. > > Maybe those people want things that are simpler and don't actually > need the kinds of hard serialization that ptrace() wants. > > I'd rather add a few really simple things that might not be a full > complement of operations for a debugger, but exactly because they > aren't a full debugger, maybe they are things that we can tell are > obviously secure and simple? I think the biggest non-anecdotal user of ptrace() besides debuggers is actually criu (and strace of course). They use it to inject parasite code (their phrasing not mine) into another task to handle restoring the parts of a task that can't be restored from the outside. Looking through their repo they make quite a bit of use of ptrace functionality including some arch specific bits: PTRACE_GETREGSET PTRACE_GETFPREGS PTRACE_PEEKUSER PTRACE_POKEUSER PTRACE_CONT PTRACE_SETREGSET PTRACE_GETVFPREGS /* arm/arm64 */ PTRACE_GETVRREGS /* powerpc */ PTRACE_GETVSRREGS /* powerpc */ PTRACE_EVENT_STOP PTRACE_GETSIGMASK PTRACE_INTERRUPT PTRACE_DETACH PTRACE_GETSIGINFO PTRACE_SEIZE PTRACE_SETSIGMASK PTRACE_SI_EVENT PTRACE_SYSCALL PTRACE_SETOPTIONS PTRACE_ATTACH PTRACE_O_SUSPEND_SECCOMP PTRACE_PEEKSIGINFO PTRACE_SECCOMP_GET_FILTER PTRACE_SECCOMP_GET_METADATA So I guess strace and criu would be the ones to go and ask and if they don't care enough we already need to start squinting for other larg-ish users. proot comes to mind https://github.com/proot-me/proot (From personal experience, most of the time when ptrace is used in a non-debugger codebase it's either to plug a security hole exploitable through ptracing the task and the fix is ptracing that very task to prevent the attacker from ptracing it (where non-dumpability alone doesn't cut it) or the idea is dropped immediately to not lose the ability to use a debugger on the program.) Christian