On 3/5/20 10:14 PM, Eric W. Biederman wrote:
Bernd, everyone
This is how I think the infrastructure change should look that makes way for fixing this issue.
- Correct the point of no return.
- Add a new mutex to replace cred_guard_mutex
Then I think it is just going through the existing users of cred_guard_mutex and fixing them to use the new one.
There really aren't that many users of cred_guard_mutex so we should be able to get through the easy ones fairly quickly. And anything that isn't easy we can wait until we have a good fix.
The users of cred_guard_mutex that I saw were: fs/proc/base.c: proc_pid_attr_write do_io_accounting proc_pid_stack proc_pid_syscall proc_pid_personality perf_event_open mm_access kcmp pidfd_fget seccomp_set_mode_filter
Bernd does this make sense to you?
I think we can fix the seccomp/no_new_privs issue with some careful refactoring. We can probably do the same for ptrace but that appears to need a little lsm bug fixing.
Yes, for most functions the proposed "exec_update_mutex" is fine, but we will need a longer-time block for ptrace_attach, seccomp_set_mode_filter and proc_pid_attr_write need to be blocked for the whole exec duration so they need a second "mutex", with deadlock-detection as in my previous patch, if I see that right.
Unfortunately only one of the two test cases can be fixed without the second mutex, of course the mm_access is what cause the practical problem.
Currently for the unlimited user space delay, I have only the case of a ptraced sibling thread on my radar, de_thread waits for the parent to call wait in this case, that can literally take forever. But I know that also PTRACE_CONT may be needed after a PTRACE_EVENT_EXIT.
Can you explain what else in the user space can go wrong to make an unlimited delay in the execve?
Bernd.