From patchwork Fri Sep 30 13:20:47 2016
X-Patchwork-Submitter: Oleg Nesterov
X-Patchwork-Id: 9358255
Date: Fri, 30 Sep 2016 15:20:47 +0200
From: Oleg Nesterov
To: Jann Horn
Cc: Alexander Viro, Roland McGrath, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, Ben Hutchings, Andy Lutomirski, Linus Torvalds, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH v2 2/8] exec: turn self_exec_id into self_privunit
Message-ID: <20160930132046.GA12047@redhat.com>
In-Reply-To: <1474663238-22134-3-git-send-email-jann@thejh.net>
References: <1474663238-22134-1-git-send-email-jann@thejh.net> <1474663238-22134-3-git-send-email-jann@thejh.net>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-ID: linux-fsdevel@vger.kernel.org

On 09/23, Jann Horn wrote:
>
> One reason for doing this is that it prevents an attacker from sending an
> arbitrary signal to a parent process after performing 2^32-1 execve()
> calls.

I think we should simply kill self/parent_exec_id's. I am going to send
the patch below after re-check/testing.

Oleg.

--- x/include/linux/sched.h
+++ x/include/linux/sched.h
@@ -1677,9 +1677,6 @@ struct task_struct { #endif struct seccomp seccomp; -/* Thread group tracking */ - u32 parent_exec_id; - u32 self_exec_id; /* Protection of (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, * mempolicy */ spinlock_t alloc_lock; --- x/fs/exec.c +++ x/fs/exec.c @@ -1163,6 +1163,14 @@ static int de_thread(struct task_struct no_thread_group: /* we have changed execution domain */ tsk->exit_signal = SIGCHLD; + if (!list_empty(&father->children)) { + struct task_struct *child; + + read_lock(&tasklist_lock); + list_for_each_entry(child, &father->children, sibling) + child->exit_signal = SIGCHLD; + read_unlock(&tasklist_lock); + } exit_itimers(sig); flush_itimer_signals(); @@ -1306,9 +1314,6 @@ void setup_new_exec(struct linux_binprm set_dumpable(current->mm, suid_dumpable); } - /* An exec changes our domain. We are no longer part of the thread - group */ - current->self_exec_id++; flush_signal_handlers(current, 0); do_close_on_exec(current->files); } --- x/kernel/fork.c +++ x/kernel/fork.c @@ -1573,13 +1573,10 @@ static struct task_struct *copy_process( write_lock_irq(&tasklist_lock); /* CLONE_PARENT re-uses the old parent */ - if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) { + if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) p->real_parent = current->real_parent; - p->parent_exec_id = current->parent_exec_id; - } else { + else p->real_parent = current; - p->parent_exec_id = current->self_exec_id; - } spin_lock(¤t->sighand->siglock); --- x/kernel/signal.c +++ x/kernel/signal.c @@ -1585,15 +1585,6 @@ bool do_notify_parent(struct task_struct BUG_ON(!tsk->ptrace && (tsk->group_leader != tsk || !thread_group_empty(tsk))); - if (sig != SIGCHLD) { - /* - * This is only possible if parent == real_parent. - * Check if it has changed security domain. - */ - if (tsk->parent_exec_id != tsk->parent->self_exec_id) - sig = SIGCHLD; - } - info.si_signo = sig; info.si_errno = 0; /*
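Review bot: in the fs/exec.c de_thread() hunk, `father` is not declared anywhere in the visible context; the function's parameter is `tsk` (the line directly above the added block is `tsk->exit_signal = SIGCHLD;`), so `if (!list_empty(&father->children))` and `list_for_each_entry(child, &father->children, sibling)` will not compile as posted and should iterate `tsk->children`. The lockless `list_empty()` fast path in front of `read_lock(&tasklist_lock)` also lets a child linked into the list between the check and the lock (for example a CLONE_PARENT sibling, which the fork.c hunk shows is attached to `current->real_parent`) escape the rewrite; taking the lock unconditionally is cheap here and removes that window.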
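Review bot: in the kernel/fork.c copy_process() hunk, a task cloned with CLONE_PARENT now gets `p->real_parent = current->real_parent` but keeps the exit_signal taken from its own clone_flags, and nothing records whether that real_parent has exec'd since the cloning task was forked. The removed `p->parent_exec_id = current->parent_exec_id;` line is what previously let do_notify_parent() notice this and downgrade the signal to SIGCHLD; the new de_thread() loop only rewrites children that already exist at exec time, so a CLONE_PARENT sibling created afterwards by a pre-exec child is not covered and can still deliver a non-SIGCHLD exit signal to the post-exec parent. Consider forcing `p->exit_signal = SIGCHLD` in the CLONE_PARENT branch unless the parent is known not to have exec'd since the cloning task was created, or keep a per-exec marker for this one path.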
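Review bot: in the kernel/signal.c do_notify_parent() hunk, the deleted comment ("This is only possible if parent == real_parent. Check if it has changed security domain.") was the only place documenting why a non-SIGCHLD exit signal must be re-validated against the parent's exec history; with the check gone, that invariant now rests entirely on every child's `exit_signal` having been rewritten before it reaches this function. Please move that explanation next to the new loop in de_thread() so the dependency between the two sites stays visible.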