Re: utrace vs. ptrace

From: Ingo Molnar
Date: Thu Jul 13 2006 - 15:52:57 EST

Next message: Hans Reiser: "Re: short term task list for Reiser4"
Previous message: Ingo Molnar: "Re: [patch] lockdep: annotate mm/slab.c"
In reply to: Linus Torvalds: "Re: utrace vs. ptrace"
Next in thread: Paul Jackson: "Re: utrace vs. ptrace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Linus Torvalds <torvalds@xxxxxxxx> wrote:

> > Mostly because I fear it would become another udev like disaster,
> > requiring user space updates regularly, and core dumps are a fairly
> > critical debugging feature that I wouldn't like to become
> > unreliable.
>
> Doing core-dumping in user space would be insane. It doesn't give
> _any_ advantages, only disadvantages.

well, it was just a quick idea of mine that looked nice in the following
sense: it would reuse (and thus test) debugging infrastructure that we
want to and have to provide anyway. (if gdb is attached to a task that
crashes then it is in a position to get all the information to create a
coredump)

it wouldnt be fundamentally easier - but lots of policy stuff could be
done there which we would otherwise reject to add to the kernel. Like
more complex rules for "do we want to dump core for this particular
app".

> Why do people keep thinking that doing things in user space is "safer"
> and "easier". It's quite often not. For example, all the "fragile"
> stuff would be true for a user-space dumper (don't tell me it's safer
> - it would obviously have to run with elevated capabilities), and a
> lot of it would be a hell of a lot harder.

It would have to run with privileges enough to 1) get the process/thread
state [but not set it] 2) to write the resulting coredump to some file.

You are right that if we make it privileged enough to implement #2 as
"put the coredump into the apps cwd, with the user's identity", that
would expose this privileged code to similar file-permission security
problems as the in-kernel dumper.

But if #2 is implemented in a more restricted way (like coredumps only
go to a central directory not accessible to users, are size-limited, are
fingerprinted for their backtraces to remove duplicates, are matched to
an online repository of already reported bugs, etc.) then it could be
more secure than the in-kernel dumper - just because it would do less.
(and it would also do more, in a sense)

but ... i agree that it's not an "obvious win", and that it can create a
less secure solution than the in-kernel dumper. Although the in-kernel
dumper doesnt have a stellar security track record, so the quality bar
isnt particularly high :-/

Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Hans Reiser: "Re: short term task list for Reiser4"
Previous message: Ingo Molnar: "Re: [patch] lockdep: annotate mm/slab.c"
In reply to: Linus Torvalds: "Re: utrace vs. ptrace"
Next in thread: Paul Jackson: "Re: utrace vs. ptrace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]