Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4582946ybz; Tue, 28 Apr 2020 14:10:18 -0700 (PDT) X-Google-Smtp-Source: APiQypJVOC/Ifgtwy/pChP9hLqjKz2NRrzTQev/QxTCOGimXwJc8dZulicjRLJbEGo8ZC5t1lBzK X-Received: by 2002:a50:afa6:: with SMTP id h35mr594527edd.209.1588108218247; Tue, 28 Apr 2020 14:10:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588108218; cv=none; d=google.com; s=arc-20160816; b=fPx9qCvXQxRQ6DmRaK0AsxjMChnWQAWKmb81d8h1pKmqlIM2LQGOj8Mp7KWu48/gbu nVLpSWF3AvubUpu/3xD9RonFvuz6/riyw2pEPNGh47biUzqbg8+Z/B2R3ne4SXTuu6Bo nAl2YUva1q0Hz528AmcV2s/3Q47A7oQ0kUURTzNegjY0vjVhMB0UIfwPZWnBdlm3ncIe 8v+9WCUuckQjezwbRuSrxlr8xpfo5JfIhvq1sSc0psRIvWiqaGT+sNAB4UzKTDPEDF04 +849prrAs03seoU/mVGybDwmAQwdjTVxq46RnaukCJRWY0nLGqbiW1rr7YUqlE0uWaPh 62Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=OAyhRvn9T9rGX86VAJNageFChs7xaifFIhpVtWdiaas=; b=ra7zt8Zvp0VGB92vgKYA2KMVVDbncABBTt9wms94xGvSjmY0gjgcsaVodBbJOlHoZi 5sKILS3A5vaSNOqecWr9Zhp+5rggBzkZ4W5+adMJUa1hdcn/nkN3U6axKvMYCJfkVi0g G7b31jEMj9UK+hiYl4M/78+cESc2aXE4Iz8gxnryxxY3snidv1UtBBibU0t4dJeSH75z se5dDBoFGEY9sjv+ImF7iGP4SgsxsjvqoidMRviPSKTOeqoYOVbGj2RxMyARLjMWwMhW uKz3GNxjq/xokMaqlTRBpIu75au+6dw+hAv2aaYkU2kMMC/fbBP8gvW0Lpfyz3xFkjQx e6Ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CeE9YjIw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o32si1478096edb.380.2020.04.28.14.09.55; Tue, 28 Apr 2020 14:10:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CeE9YjIw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726476AbgD1VGa (ORCPT + 99 others); Tue, 28 Apr 2020 17:06:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39858 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726274AbgD1VGa (ORCPT ); Tue, 28 Apr 2020 17:06:30 -0400 Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1978C03C1AC for ; Tue, 28 Apr 2020 14:06:29 -0700 (PDT) Received: by mail-lj1-x241.google.com with SMTP id a21so236574ljb.9 for ; Tue, 28 Apr 2020 14:06:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OAyhRvn9T9rGX86VAJNageFChs7xaifFIhpVtWdiaas=; b=CeE9YjIwTMW8CWILtr2vamZ+47wZ4HXevcxF4gCYriFVCGSjjaDnluRa8MpqlIjBZw tNSZQbX3Xviu+b3vd42pX30tnY8CrzLSFXzA/26L93XvY1aXw6W2qyBNOr78YItOFamR PXtqdgGm5LljX34XEGYvFWHWe3BMu6PNUlyLZFIkdscveZNoWanc9teg+D3H/p+pPpyQ uXLqD1zZdlsMNVo0v0WZWv2YJN6xqEXXFyW0UtQTzGsV3eydm4dAUpAl+2yeDCbmJHwE zxzqwLUgfzCqGNwswdJgth1HG2sD9CA6vHNOKWe4tIu0vzebaU1c23XMspSS3LQeLQTp pRTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OAyhRvn9T9rGX86VAJNageFChs7xaifFIhpVtWdiaas=; b=YYmOo7IYjimoItLa8izwA+j5M6ZkSKNJ3ydB0/Id854L+K3A+4+wrcCujH3I9MoiXW KsBjQbQ6mgecFze9LS3AtbWk3OwvMDlMt14vPy0vHQ9YRlkGY6QiY6lWH//ku8M2khsm UqFx+NjwPQIlgpVdwAJu2woK024zDQZBxRGMIBv/IxPjYn9sqdML184s+FoEb5ZFiLOH IXPli0lxwH4aetuN4nxef2NL1UGF3/XSd20fWUbqdgo4v1w+lfbcm87cdLjhX1Bn0/vW fwaJI/f/osi/fp6vgnYeFuHfGeiGHwA2E+SeLhg67G92o52He8aRf0J0PMWPIbx78z5h lH2A== X-Gm-Message-State: AGi0Pub0T8GzA+wflyNkggrtMZna/VwAFDTLIL/e/uihIyXMOe9JiR0U ZqVAMS0qt6rRiK8Ez3kInS8l8oGVd7Dk7p0o0wUKCg== X-Received: by 2002:a2e:87d3:: with SMTP id v19mr17725331ljj.176.1588107987932; Tue, 28 Apr 2020 14:06:27 -0700 (PDT) MIME-Version: 1.0 References: <87imi8nzlw.fsf@x220.int.ebiederm.org> <20200411182043.GA3136@redhat.com> <20200412195049.GA23824@redhat.com> <20200428190836.GC29960@redhat.com> In-Reply-To: From: Jann Horn Date: Tue, 28 Apr 2020 23:06:01 +0200 Message-ID: Subject: Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1 To: Linus Torvalds Cc: Oleg Nesterov , Bernd Edlinger , "Eric W. Biederman" , Waiman Long , Ingo Molnar , Will Deacon , Linux Kernel Mailing List , Alexey Gladkov Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 28, 2020 at 10:36 PM Linus Torvalds wrote: > On Tue, Apr 28, 2020 at 12:08 PM Oleg Nesterov wrote: > > > > Oops. I can update that old patch but somehow I thought there is a better > > plan which I don't yet understand... > > I don't think any plan survived reality. > > Unless we want to do something *really* hacky.. The attached patch is > not meant to be serious. > > > And, IIRC, Jan had some ideas how to rework the new creds calculation in > > execve paths to avoid the cred_guard_mutex deadlock? > > I'm not sure how you'd do that. > > Execve() fundamentally needs to serialize with PTRACE_ATTACH somehow, > since the whole point is that "tsk->ptrace" changes how the > credentials are interpreted. > > So PTRACE_ATTACH doesn't really _change_ the credentials, but it very > much changes what execve() will do with them. > > But I guess we could do a "if somebody attached to us while we did the > execve(), just repeat the whole thing" > > Jann, what was your clever idea? Maybe it got lost in the long thread.. My clever/horrible/overly-complex idea was basically: In execve: - After the point of no return, but before we start waiting for the other threads to go away, finish calculating our post-execve creds and stash them somewhere in the task_struct or so. - Drop the cred_guard_mutex. - Wait for the other threads to die. - Take the cred_guard_mutex again. - Clear out the pointer in the task_struct. - Finish execve and install the new creds. - Drop the cred_guard_mutex again. Then in ptrace_may_access, after taking the cred_guard_mutex, we'd know that the target task is either outside execve or in the middle of execve, with old and new credentials known; and then we could say "you only get to access that task if you're capable relative to *both* its old and new credentials, since the task currently has both state from the old executable and from the new one". (Other users that expect to use cred_guard_mutex to synchronize with execve would also have to be changed appropriately; e.g. seccomp tsync would have to bail out if the task turns out to be in execve after the mutex has been acquired.) So I think we can conceptually fix the deadlock, but it requires a bit of refactoring. (I have an old branch somewhere in which I tried to implement this, and where I did a bunch of refactoring around ptrace_may_access() so that e.g. the LSM hooks for ptrace can be invoked twice when the target task is in execve, and so that they take the target's cred* as an argument.)