Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4616564ybz; Tue, 28 Apr 2020 14:57:51 -0700 (PDT) X-Google-Smtp-Source: APiQypKVpxMOJDgSblu0qXGXbm2lYb+DROaZKPWoC9X6vWEGthWs9ETf8viZGFNhqiD17bydu1q2 X-Received: by 2002:a17:906:e098:: with SMTP id gh24mr27405445ejb.44.1588111071803; Tue, 28 Apr 2020 14:57:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588111071; cv=none; d=google.com; s=arc-20160816; b=A9NoJF1g37Q4V2+xxYQ2Lj9Y6Po4AJyUlXGT2O5szNKUpb4xcJBkpGJMKsaUBTgOTI IJ2Ieouj3XO3bzgUGC3DAEIwMF/5P+OBkkRlyaDkmKNmklJ23I5pqGNJdwMXL405xfQT FzWqberIYmL7nLt6ZAHPjdPOwBsltQWJktgHOD35Y9jNx8W961Aqgecp2RVSAIW8xwgU n39s4gc80JzgMXF0kmXi2N3acrPwNx0ihobrDJALlXsOGoXsbtGDzl+RD/ZrfZYR4r6z Fjr0tEso+36tRw7pIjNuY18y9pCG+ocU6zKounmZ790rlRuGQzcUT7jokZnu934LnkJ1 c0Dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=EebmjuehlITayp5XUzqWL+oJJRo+KSj0cYhRYx1gdlA=; b=j+4Mlz+cx8Y7R0KjfVgWC2/+uxmLku7hGWcLnI4FhmDiI91xoNoX+fKImL92m3lSez eOYmC3/3tDCn9m7fE8UMOQyQYKRdZLYwAoyKVXyg9lsLy+/mvaFOcTRG6ii6knSff/V2 k7EuHUPT5Um1QJSVW+/Nn8gIDmWemInAzGrX7dymfxtdFmd5uzWolhnnMTxc3VX3NoMM GDtwP1MZGTtboXUSVW/y6rPlbWpQy6JDY1efzo69OdFJboLwQh+TYZlqlG8q0XVk+fyF mwmwxA48MJ+vzDi/dRK6aD8UyIWXB3u/fVyaLMeEWte1p3EzTjy5kA+hMtpR9IC1R4uL bsEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="meYDDc/N"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i14si2381275ejh.494.2020.04.28.14.57.28; Tue, 28 Apr 2020 14:57:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="meYDDc/N"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726527AbgD1Vxh (ORCPT + 99 others); Tue, 28 Apr 2020 17:53:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47314 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1725934AbgD1Vxh (ORCPT ); Tue, 28 Apr 2020 17:53:37 -0400 Received: from mail-lf1-x142.google.com (mail-lf1-x142.google.com [IPv6:2a00:1450:4864:20::142]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB734C03C1AE for ; Tue, 28 Apr 2020 14:53:36 -0700 (PDT) Received: by mail-lf1-x142.google.com with SMTP id 198so18118434lfo.7 for ; Tue, 28 Apr 2020 14:53:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EebmjuehlITayp5XUzqWL+oJJRo+KSj0cYhRYx1gdlA=; b=meYDDc/NArsPldNgBgNJvrPvMIFHwYS0eD8aPeUWYtpdZTlFyEn5GX2LksPqglJHgk EVKmWqoVAaKuViS0X3GMxJ9j0QsRi1r5ZKpNap+JbNg/5cX+nBJxgWnQhnkvD2Z/sVVX s2B8DMwznPP6crTK8gUVsUUkGnYEKkHNtBtdcOzPkOmvNQUDNhVU0QRbAAalgjJZWIxV winagD3FWbOyBtQIEzXVoPMBuIu7pPRBIThcQ8C6bjb58g9R+VrgHTziKQ/43+2qZeu/ palfN8xIHpmdSHyeWb0FLV51Hiqb/9NFSSiq07YOp6F//OanEJIE8W7br+Rn/PCPIyZW 2Oww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EebmjuehlITayp5XUzqWL+oJJRo+KSj0cYhRYx1gdlA=; b=Hii5Q8O6eTowGTewhS4Np4KVIJEITWxPA2/nFnVbpu6O0EVfZQs6DtRKIN3Y74oHlG nlEwXBh2Vmp4wpEcZPceEpeQizeHDcfFeG7sKOIizUzfvU9SFRQbzlvhSRoDwIdTwsfQ xYDtN84Cul8xL0cuoIuXFiOuy/BejbubpMZf0dLsK5HcP/Zmv5C+iRKQjWsGI5S2i+dc krZ9mP5aOoSLlW8tB0pv948FrXWqwOhqeJ+8vKqzKZLtnbNV4KPhWcWNN5c3X2gAavfs kR3ESP4LlTfNl+oivLn7nyOKWg3h5/xLXqFvvI7CULVCR+K6vUJf7V16/wsg+FGtySxb zFLA== X-Gm-Message-State: AGi0PuaVtC7lO7Loo9BxVdsYM0ZstqZJrAnS6P+7bWrbikq5ZFnDGu3S 6LABcEjLZmL+fKpF93dPSK0mLmHnmuM3KYMqQuvuQw== X-Received: by 2002:ac2:4257:: with SMTP id m23mr20189275lfl.141.1588110814972; Tue, 28 Apr 2020 14:53:34 -0700 (PDT) MIME-Version: 1.0 References: <87imi8nzlw.fsf@x220.int.ebiederm.org> <20200411182043.GA3136@redhat.com> <20200412195049.GA23824@redhat.com> <20200428190836.GC29960@redhat.com> In-Reply-To: From: Jann Horn Date: Tue, 28 Apr 2020 23:53:08 +0200 Message-ID: Subject: Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1 To: Linus Torvalds Cc: Oleg Nesterov , Bernd Edlinger , "Eric W. Biederman" , Waiman Long , Ingo Molnar , Will Deacon , Linux Kernel Mailing List , Alexey Gladkov Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 28, 2020 at 11:37 PM Linus Torvalds wrote: > On Tue, Apr 28, 2020 at 2:06 PM Jann Horn wrote: > > In execve: > > > > - After the point of no return, but before we start waiting for the > > other threads to go away, finish calculating our post-execve creds > > and stash them somewhere in the task_struct or so. > > - Drop the cred_guard_mutex. > > - Wait for the other threads to die. > > - Take the cred_guard_mutex again. > > - Clear out the pointer in the task_struct. > > - Finish execve and install the new creds. > > - Drop the cred_guard_mutex again. > > > > Then in ptrace_may_access, after taking the cred_guard_mutex, we'd > > know that the target task is either outside execve or in the middle of > > execve, with old and new credentials known; and then we could say "you > > only get to access that task if you're capable relative to *both* its > > old and new credentials, since the task currently has both state from > > the old executable and from the new one". > > That doesn't solve the problem with "check_unsafe_exec()" - you might > miss setting LSM_UNSAFE_PTRACE. You don't need LSM_UNSAFE_PTRACE if the tracer has already passed a ptrace_may_access() check against the post-execve creds of the target - that's no different from having done PTRACE_ATTACH after execve is over.