Re: [PATCH] kernel/signal: Signal-based pre-coredump notification

From: Alan Cox
Date: Mon Oct 15 2018 - 17:23:14 EST

Next message: Lukasz Majewski: "Re: [PATCH] dt-bindings: misc: bk4: Add device tree binding for Liebherr's BK4 SPI bus"
Previous message: Stephen Boyd: "Re: [GIT PULL] clk/samsung updates for 4.20-rc1"
In reply to: Enke Chen: "Re: [PATCH] kernel/signal: Signal-based pre-coredump notification"
Next in thread: Enke Chen: "Re: [PATCH] kernel/signal: Signal-based pre-coredump notification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> +/*
> + * Returns true if current's euid is same as p's uid or euid,
> + * or has CAP_SYS_ADMIN.
> + *
> + * Called with rcu_read_lock, creds are safe.
> + *
> + * Adapted from set_one_prio_perm().
> + */
> +static bool set_predump_signal_perm(struct task_struct *p)
> +{
> + const struct cred *cred = current_cred(), *pcred = __task_cred(p);
> +
> + return uid_eq(pcred->uid, cred->euid) ||
> + uid_eq(pcred->euid, cred->euid) ||
> + capable(CAP_SYS_ADMIN);
> +}

This makes absolutely no security sense whatsoever. The uid and euid of
the parent and child can both change between the test and the signal
delivery.

There are reasons that the child signal control code is incredibly
careful about either the parent or child using execve or doing a
privilege change that might pose a risk.

Until this code gets the same protections I don't believe it's safe.

Alan

Next message: Lukasz Majewski: "Re: [PATCH] dt-bindings: misc: bk4: Add device tree binding for Liebherr's BK4 SPI bus"
Previous message: Stephen Boyd: "Re: [GIT PULL] clk/samsung updates for 4.20-rc1"
In reply to: Enke Chen: "Re: [PATCH] kernel/signal: Signal-based pre-coredump notification"
Next in thread: Enke Chen: "Re: [PATCH] kernel/signal: Signal-based pre-coredump notification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]