Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1035094pxm; Wed, 23 Feb 2022 16:28:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJzYPXy6+M9pw/0qL45eRC4Fjn/Ry78gmx8zMnTiFomalP9X4HcK0+ZEVJZkTlMl4P9CjPI0 X-Received: by 2002:a63:cf09:0:b0:372:d564:8024 with SMTP id j9-20020a63cf09000000b00372d5648024mr258737pgg.251.1645662499972; Wed, 23 Feb 2022 16:28:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645662499; cv=none; d=google.com; s=arc-20160816; b=ezqCCSkIb6kalXk/eLMaMvOmpUvsP4nznqDjX8AIqK3PbddsrrKCJ2x5arUnlOsiRW bVPn6Rb0w57ZlR+rmxbOQpei+0mkBFPw16lhyK2vRmFzEblYUMYgsyz/zQMTxLWZeVhH zM8hnCpUyndOdmIXao57ZfwEQHfVy80C3XGkv4YmPkZP+LjTmmu0/C2hSiRMplM8PgBw QECBh6yK/U7SlbAAWD+ELkskFCqbAs2iaaSwLu1bnxkzVU886ibyug/+KUNEANPrRNaV 09EE5uchJ/6hcItUdqwUVBePUUQTFEZ+EOsW5wJFNLRTsCPDYTzIiGPJreX2/H4XIL+9 MM9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=G7dJVDzzZAJjRauYjEJNaQl9t1I3SGJZFs1Isig0Hes=; b=rwrOnW2Dz4uCP+ttMiCvnpBSDx9oJyO9yB5OdKYG/5fHNPrBhrflvkEDg/GicDJMvd zXsxJ1JzS8iqL+XnLzwREVufjYELTy5eU2vWfhkS9JOTT5ttKmcAy09x1LSyBhWwK1zc U5BnnAZqILLdnyD3vDKxfr+vIdxpEkbJz2Ld43wzdc8rPYRa++7rrI5dc6EOZDd27amB rE/oTB8aFO7N6TzckKt0jBuQxeE1KVYubJTTI5c/T+A6m5YithN/RucHBuN5Iblglt3p lAmBvbz/cN0G0YNUYd5q68+55NsSVS73BwaYNwCWVe6iglxgeVFt/8HQkfh1KjVtvVo/ pJwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@torvalds.org header.s=google header.b=GeBgaLL4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id a9si957161plp.386.2022.02.23.16.28.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 16:28:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@torvalds.org header.s=google header.b=GeBgaLL4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 31B3F6B099; Wed, 23 Feb 2022 16:27:58 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244533AbiBWTv1 (ORCPT + 99 others); Wed, 23 Feb 2022 14:51:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52702 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244494AbiBWTv0 (ORCPT ); Wed, 23 Feb 2022 14:51:26 -0500 Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 619554BFDF for ; Wed, 23 Feb 2022 11:50:56 -0800 (PST) Received: by mail-lf1-x132.google.com with SMTP id d23so70403lfv.13 for ; Wed, 23 Feb 2022 11:50:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=torvalds.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=G7dJVDzzZAJjRauYjEJNaQl9t1I3SGJZFs1Isig0Hes=; b=GeBgaLL4eq9eWZjU0wevcBQGzUWXyZs/IOZ1JKX2Wlcns4sVMXgiLeyrLGgpiHwUKn RDUY8upu6aguSTlEQlDihMx04s66J0M2mWT+uKPfTUYJAfXZR8o5/5LJMY/bli20Fwlu aAozLHgIjRf7xB+BegArTfWC8qikwYo0dRBCsYlL1c1vHl/xaM61qUDWQb475nWLcdwf S6xIlLnLaqo8ThSnWPn81hyfA15ApEI9x0tXHomSEcBdFUeFdH4+nAubcZ4s7b3V4ozz 4Mx+KwdM6vOp8WGoY3uplkxjoqiQpSo0+YSpgFOmK4uGOZreE8Titb0Bpmjy+0a4tSWq Za5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=G7dJVDzzZAJjRauYjEJNaQl9t1I3SGJZFs1Isig0Hes=; b=0tN1Ut6d7OacUqEKF/Sk/DHFgJxz3COok1JU+A5/RDKlF65Y0ebxdkja5NvG5Waf69 Nf3xmUN5ieWXdZgTtn34uD1W0ok/JXVomsnqSqtQj6DE+g7MpD13MwA4B528M2iL4suw +Qm4zfFQntwxnLzmF2U+kwGYvtjw9NcQXb9UkfDrj02cJXsxS7z23+23HExnFcQbduof rIASCWrNU8LbRY4ruv0DID2RoJxggFdyLP+NNufbwbqApu78HLc6He0PKswYplLIcMac kmLp5PhzAj29tae49kpNjaZ58Zbw5TsdtyMZSHsCxl53RaK/o7nxi0msJO5poTZNUQnz fheQ== X-Gm-Message-State: AOAM5336wVTuuX94t8Ht554n0K2yyg/t9HbQTkukuyLYyilXDXE56YbZ LBFrPEjJe1eUeu65u5SCn83PTz7M1FtNOw1lTjkPPQ== X-Received: by 2002:ac2:4211:0:b0:438:2f1:83c4 with SMTP id y17-20020ac24211000000b0043802f183c4mr808431lfh.435.1645645854680; Wed, 23 Feb 2022 11:50:54 -0800 (PST) MIME-Version: 1.0 References: <20220207121800.5079-1-mkoutny@suse.com> <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org> <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> In-Reply-To: <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> From: Linus Torvalds Date: Wed, 23 Feb 2022 11:50:38 -0800 Message-ID: Subject: Re: How should rlimits, suid exec, and capabilities interact? To: "Eric W. Biederman" Cc: Linux API , Etienne Dechamps , Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Solar Designer , Ran Xiaokai , Linux Kernel Mailing List , "open list:KERNEL SELFTEST FRAMEWORK" , Linux Containers , =?UTF-8?Q?Michal_Koutn=C3=BD?= , Security Officers , Neil Brown , NeilBrown , "Serge E. Hallyn" , Jann Horn Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 23, 2022 at 10:00 AM Eric W. Biederman wrote: > > Which brings us to the practical issues of how all of these things are > wired together today. I honestly think you should treat the limits as "approximate". We do that for a number of reasons: - sometimes we have racy tests because we don't want to do excessive locking just for a limit: nobody cares if you can go a couple of entries past a limit because you were lucky, it's important that you can't go *much* past the limit. - sometimes the limits themselves are fuzzy (example: time. it's incremented by "ticks", but it's simply not that precise, and it depends a bit when the ticks happen) - sometimes it's ambiguous who we're talking about. I think suid execs tend to fall in that third category. Be generous. If the limit doesn't trigger at the suid exec, nobody cares. You want to make sure it triggers eventually. For example, let's say that you are the admin, and you made a mistake, and you had a runaway fork() bomb that was caught by the limits. Optimally, you still want to be able to be able to log in (one process that was root when it did the fork(), and did a 'setresuid()' or similar to drop the things, and then one process that does 'sudo' to get privileges to kill the darn fork bomb). See how that 'user' technically went over the limit, and that was A-OK! Basic rule: it's better to be too lenient than to be too strict. Linus