Re: [PATCH] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()

From: Oleg Nesterov
Date: Sun Mar 22 2020 - 16:29:38 EST


On 03/22, Eric W. Biederman wrote:
>
> Oleg Nesterov <oleg@xxxxxxxxxx> writes:
>
> > Commit cc731525f26a ("signal: Remove kernel interal si_code magic")
> > changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify()
> > no longer works if the sender doesn't have rights to send a signal.
> >
> > Change __do_notify() to use do_send_sig_info() instead of kill_pid_info()
> > to avoid check_kill_permission().
>
> I totally see why you are doing this. To avoid the permission check,
> and since this process requested the signal it makes sense to bypass the
> permission checks.

And this is what we had before cc731525f26a, so this patch tries to fix
the regression.

> The code needs to make certain that this signal is
> canceled or otherwise won't be sent after an exec.

not sure I understand this part, but see below.

> That said I don't like it. I would really like to remove the signal
> sending interfaces that take a task_struct.

Oh, can we discuss the possible cleanups separately? On top of this fix,
if possible.

> Looking at the code I currently see several places where we have this
> kind of semantic (sending a requested signal to a process from the
> context of another process): do_notify_parent, pdeath_signal, f_setown,
> and mq_notify.

To me they all differ, I am not sure I understand how exactly you want
to unify them...

> Especially with the concerns about being able to send a signal after
> exec, and cause havoc.
...
> Especially
> with concerns about being able to send signals to a suid process that
> would normally fail I think there is an issue here.

I can easily misread this code, never looked into ipc/mqueue.c before.
But it seems that it is not possible to send a signal after exec, suid
or not,

- sys_mq_open() uses O_CLOEXEC

- mqueue_flush_file() does

	if (task_tgid(current) == info->notify_owner)
		remove_notification(info);

> At the very least can you add a big fat comment about the semantics
> that userspace expects in this case?

Me? You are kidding ;)

I know absolutely nothing about ipc/mqueue, and when I read this code
or manpage I find the semantics of mq_notify is very strange.

Oleg.