On 11/20/18 5:27 PM, Linus Torvalds wrote:
> Also, "dumpable" in general is pretty oddly defined to be used for this.
> The same (privileged) process can be dumpable or not depending on how it was started (ie if it was started by a regular user and became trusted through suid, it's not dumpable, but if it was started from a root process it remains dumpable).
> So I'm just not convinced "dumpability" is meaningful for STIBP.
I think we're hoping that "dumpability" is at least correlated with sensitive processes. As you've pointed out, it's not a strict relationship, but there's still some meaning.
Let's not forget about things like gpg that do PR_SET_DUMPABLE completely independently of the actions that trigger the /proc/sys/fs/suid_dumpable behavior. Those will be non-dumpable regardless of how they were started.
In addition, things that are started via suid surely *do* have more attack surface than something started by root. We've been positing that these attacks get easier when the attacker and victim have a relationship, either via RPC, or the network, or *something*. suid basically *guarantees* there's a relationship between the privileged thing and _something_ untrusted.
Repurposing dumpable is really screwy and surely imprecise, but it really is the closest thing that we have without the new ABI.
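To make the heuristic being debated concrete, here is an added C example (not code from this thread or from the kernel series) that reads and clears a process's own dumpable flag with prctl(), the same opt-out gpg uses, and applies the "non-dumpable means sensitive" rule to it. It assumes Linux; the function names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>

/* Current dumpable state of the calling process: 0 (no), 1 (yes),
 * 2 (suid-safe dump). Returns -1 if prctl() fails. */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* What gpg does on startup: mark itself non-dumpable so a same-uid peer
 * can neither core-dump nor ptrace it. Independent of suid/exec history.
 * Returns 0 on success. */
int make_nondumpable(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Value of the sysfs knob mentioned above, which governs whether a
 * process that crossed a suid/setgid boundary stays dumpable.
 * Returns -1 if the file cannot be read. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* The heuristic under discussion: treat a non-dumpable task as "sensitive"
 * and therefore a candidate for STIBP protection. */
int wants_stibp_by_dumpable(int dumpable)
{
    return dumpable == 0;
}

int main(void)
{
    printf("suid_dumpable sysctl = %d\n", read_suid_dumpable());
    printf("before: dumpable=%d\n", get_dumpable());
    make_nondumpable();
    /* Side effect worth knowing: /proc/self is now owned by root, which is
     * what blocks same-uid readers of /proc/<pid>/mem, maps, etc. */
    struct stat st;
    if (stat("/proc/self", &st) == 0)
        printf("/proc/self owner uid=%u\n", (unsigned)st.st_uid);
    int d = get_dumpable();
    printf("after: dumpable=%d -> STIBP candidate=%d\n", d, wants_stibp_by_dumpable(d));
    return 0;
}
```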