Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp1063033rdb; Fri, 16 Feb 2024 04:28:36 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVaXE3phzxd77MuqvZy7TvmmVBWzdIvY/57BNbSmZI4j9BU/iPgm1faK/pNnPsyl76bSnDMV+1Eof2HHTeLT90Xg/+gsIuac6m4ZHaatA== X-Google-Smtp-Source: AGHT+IEUzQkXhxoMXZHs2x/yILUzAEb6aNLindpAX2NhAWwz22DEzY6nmY3cJt3Sy67QVujwGaAI X-Received: by 2002:a17:90a:6448:b0:299:d18:3f8c with SMTP id y8-20020a17090a644800b002990d183f8cmr3998820pjm.22.1708086516104; Fri, 16 Feb 2024 04:28:36 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708086516; cv=pass; d=google.com; s=arc-20160816; b=u6Ru8GKQUPV4SK8EvIhv884+nVtUVCp+5Au4TC9GlLoLdtWwaVXHqU3m9R//6vGehl hdNTP4q3XgdToMaYw2Y+QjuWDFtWer1dH7nD2eAx0oE9sFHmuhZ09vYWjCkaQTpjXaZH g2V4iJSjW9D3H8lkmxo0Am7x2w4ghr/fpfBou7kWLV+kr5KmowHpQcaj+A5x9esgdMq0 24YBJxK99CMbM4PYtjKV7mM9vRAkpxH8Z9beaX+BQfUQq4E0UTbe7E9Gm+5jAdzQFEo+ vIjArUKvPNdJu7ug42MIp6aoumkzv3rPFJWznAru5v9sPeECnNJjaYYRC7za6EjJNKuz tVxQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=bzwV7ty5CLUZCNduufP6f8p3lKxHVu1axMxaWPFw5Ts=; fh=c5+wgcC53e/Tri1Y6qjwKhun+2zDBL/8f9SJuYaUy7E=; b=jAmXvyK1+Hbi0SD5F12oZEfY4WeheLJfA/TrjNlGV3jXy3lVQdaU0+w42D7tLJIjTl yZZLOZR2OVV0Ebdqv0zw7jKEZlK1BphokfjHwjJiL/6dXFFf94KZCGg64cv54D0Va1fz oEYGFlCkvv7vPz0TmA/10zW/OmZ1VS2XWRhDNw+/WT5x1QR9m5GxwrvEBNJPqQq0ZX/b 0U2d08R/OabgqXuCAiR9256BXVgJGjl5wAE0WHGdG1tW2AfPHh9PaugysviPsoHXOYh8 49cdaH7uGeWwJeBBan+OZGgfPkt+ZD0W6LeVbF/ZKmcFH5eU+c7bTmnaCedUoLeBVn3H r7ug==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=u29Siem9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-68567-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-68567-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id so17-20020a17090b1f9100b0029731b1da81si3139451pjb.148.2024.02.16.04.28.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 04:28:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-68567-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=u29Siem9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-68567-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-68567-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B7314286DBB for ; Fri, 16 Feb 2024 12:28:34 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5998D78B46; Fri, 16 Feb 2024 12:28:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="u29Siem9" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C91278B5F; Fri, 16 Feb 2024 12:28:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708086510; cv=none; b=EnImLlfytqRbc5Z+bLi1DQ/Is8YqtlASwxaY+uc3eYKf83n/F37LFs0PMqoDkd5Uf5jmuoS9qiY1WD0K0A1o3nbNu9imFP+7EglMILuqQ4mT4szLQHn3NOrmFeAzuf+Jrc006baDZ3i4Ilw/L6goGY02v1/RFvejFtA7ysKc6Pk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708086510; c=relaxed/simple; bh=/SEClanMb1zOTsu/SpJJ69zMCA76oCxBh7VA840dNk8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=uYb/kpYxxWA4H9/VUuJskiyPSCWVc8DRirPJ6ohlZe/egOF2PWi/6gl+u/s5pxS40txsFOn0PcwlyhY0eFSBHk+/AfuT5ak05gLgMdoxVGAe7RSYa6LGhP+CkwmCGexnPmBr8atcuNOpFmsd4hTdoig0YSadiBitb7tX1pG2JXQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=u29Siem9; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id DFA9CC433F1; Fri, 16 Feb 2024 12:28:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708086509; bh=/SEClanMb1zOTsu/SpJJ69zMCA76oCxBh7VA840dNk8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=u29Siem9VAyc1Dqteg+8FLJoJJeIbdmOtuMnJWghjzE0QtDgNuuiZzZTs3JRv4PCG aB5/TKtX4EBTYHQN+AIBXHFVYrASm863is1GLMFSK2VCda/jrn6ejJQxMPR/JAN9sO zWKGWbxjaR2usvgSQNL3S86IaNNP5x79384QxFhYKnX19XOJ31bkWt1uuRCXrQoLiX ApGiW8uh2zXiGYm2ALdbuO1ymWmmCaeudnd69J3o1Bh7/tSjfiaTk3sxuICYmY+4OG XIP1TisohKO6RGlr0D/Pni1Oki9JT0mIoPardZ/Vm/ofIEnBB+SehIFeamf5oqcZiu kcnnfrNNNWqug== Date: Fri, 16 Feb 2024 13:28:24 +0100 From: Christian Brauner To: Oleg Nesterov Cc: Andy Lutomirski , "Eric W. Biederman" , Tycho Andersen , linux-api@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD Message-ID: <20240216-albern-aufwiegen-1de327c7dafd@brauner> References: <20240209154305.GC3282@redhat.com> <20240209-radeln-untrennbar-9d4ae05aa4cc@brauner> <20240209155644.GD3282@redhat.com> <20240210-abfinden-beimessen-2dbfea59b0da@brauner> <20240210123033.GA27557@redhat.com> <20240210-dackel-getan-619c70fefa62@brauner> <20240210131518.GC27557@redhat.com> <20240210-chihuahua-hinzog-3945b6abd44a@brauner> <20240210165133.GD27557@redhat.com> <20240214123655.GB16265@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="xjc36g5iq2xly2w4" Content-Disposition: inline In-Reply-To: <20240214123655.GB16265@redhat.com> --xjc36g5iq2xly2w4 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline On Wed, Feb 14, 2024 at 01:36:56PM +0100, Oleg Nesterov wrote: > On 02/10, Oleg Nesterov wrote: > > > > On 02/10, Christian Brauner wrote: > > > > > > + if (type == PIDFD_SIGNAL_PROCESS_GROUP) > > > + ret = kill_pgrp_info(sig, &kinfo, pid); > > > > I guess you meant > > > > if (type == PIDTYPE_PGID) > > > > other than that, > > > > Reviewed-by: Oleg Nesterov > > Yes, but there is another thing I hadn't thought of... > > sys_pidfd_send_signal() does > > /* Only allow sending arbitrary signals to yourself. */ > ret = -EPERM; > if ((task_pid(current) != pid) && > (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) > goto err; > > and I am not sure that task_pid(current) == pid should allow > the "arbitrary signals" if PIDFD_SIGNAL_PROCESS_GROUP. > > Perhaps > > /* Only allow sending arbitrary signals to yourself. */ > ret = -EPERM; > if ((task_pid(current) != pid || type == PIDTYPE_PGID) && > (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL) > goto err; Honestly, we should probably just do: if (kinfo->si_code != SI_USER) goto err and be done with it. If we get regressions reports about this then it's easy to fix that up. But I find that unlikely. So why not try to get away with something much simpler. What do you think? --xjc36g5iq2xly2w4 Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="0001-signal-disallow-non-SI_USER-signals-in-pidfd_send_si.patch" From 82a0d641e6f0bcf1a81731e06462df6911ecdd4e Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Fri, 16 Feb 2024 13:21:11 +0100 Subject: [PATCH] signal: disallow non-SI_USER signals in pidfd_send_signal() Oleg pointed out that the following condition: /* Only allow sending arbitrary signals to yourself. */ ret = -EPERM; if ((task_pid(current) != pid) && (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) goto err; doesn't account for PIDFD_SIGNAL_PROCESS_GROUP. He suggested: /* Only allow sending arbitrary signals to yourself. */ ret = -EPERM; if ((task_pid(current) != pid || type == PIDTYPE_PGID) && (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL) goto err; but I think we should just go all the way and error out if userspace specifies anything else than SI_USER as si_code. It's probably an unused feature right now anyway and if someone needs it than it's easy to add back. Reported-by: Oleg Nesterov Link: https://lore.kernel.org/r/20240214123655.GB16265@redhat.com Signed-off-by: Christian Brauner --- kernel/signal.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/kernel/signal.c b/kernel/signal.c index cf6539a6b1cb..92a80e8d6b22 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -3954,10 +3954,7 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig, if (unlikely(sig != kinfo.si_signo)) goto err; - /* Only allow sending arbitrary signals to yourself. */ - ret = -EPERM; - if ((task_pid(current) != pid) && - (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) + if (kinfo.si_code != SI_USER) goto err; } else { prepare_kill_siginfo(sig, &kinfo, type); -- 2.43.0 --xjc36g5iq2xly2w4--