Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 Jul 2011 05:16:29 +0400
From: Solar Designer <solar@...nwall.com>
To: NeilBrown <neilb@...e.de>
Cc: Vasiliy Kulikov <segoon@...nwall.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	kernel-hardening@...ts.openwall.com,
	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"David S. Miller" <davem@...emloft.net>,
	Jiri Slaby <jslaby@...e.cz>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	linux-fsdevel@...r.kernel.org,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Eric Paris <eparis@...hat.com>, Willy Tarreau <w@....eu>,
	Sebastian Krahmer <krahmer@...e.de>
Subject: Re: [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common()

On Tue, Jul 26, 2011 at 10:47:13AM +1000, NeilBrown wrote:
> On Tue, 26 Jul 2011 03:40:13 +0400 Solar Designer <solar@...nwall.com> wrote:
> > On Mon, Jul 25, 2011 at 09:14:23PM +0400, Vasiliy Kulikov wrote:
> > > @@ -1433,6 +1433,19 @@ static int do_execve_common(const char *filename,
> > >  	struct files_struct *displaced;
> > >  	bool clear_in_exec;
> > >  	int retval;
> > > +	const struct cred *cred = current_cred();
> > > +
> > > +	/*
> > > +	 * We move the actual failure in case of RLIMIT_NPROC excess from
> > > +	 * set*uid() to execve() because too many poorly written programs
> > > +	 * don't check setuid() return code.  Here we additionally recheck
> > > +	 * whether NPROC limit is still exceeded.
> > > +	 */
> > > +	if ((current->flags & PF_NPROC_EXCEEDED) &&
> > > +	    atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
> > > +		retval = -EAGAIN;
> > > +		goto out_ret;
> > > +	}
> > 
> > Do you possibly need:
> > 
> > 	current->flags &= ~PF_NPROC_EXCEEDED;
> > 
> > somewhere after this point?
> > 
> > I think it's weird to have past set_user() failure affect other than the
> > very next execve().
> 
> So we are hoping that no program uses execvp() or similar...

Why?  No, we don't, unless I am missing something.

> Maybe that is
> reasonable but "in for a penny, in for a pound" - I'd fail them all.
> 
> I think the flag should only be cleared once we notice that the limit is no
> longer exceeded.  So clearing the flag can appear *after* the code you quote
> above, but not in the middle of it.

Definitely.  In case execve() fails because of the limit, the flag
remains set, so a second execve() by the process will fail too.

> > Perhaps also reset the flag on fork() because we have an RLIMIT_NPROC
> > check on fork() anyway.
> 
> I agree it should be cleared here too.

Great.  Just to clarify my own words: on fork(), clear the flag in the
child process only.

> But there is still the issue of 'zygot' like services....

Here's my take on it:

1. It is not known (from the discussion so far) whether Android/Zygote
even cares about RLIMIT_NPROC specifically or not.  The code is very
generic, usable for any rlimits, and the rationale behind it might have
been to be able to apply certain other limits.  I don't know whether or
not there exists a system that actually sets RLIMIT_NPROC via that
mechanism and expects it working.

2. If desired, Android/Zygote will be able to check the
PF_NPROC_EXCEEDED flag, via procfs or via a prctl() interface that we
might introduce.  Or it may simply pass an extra fork().

> Let me try another suggestion.  Instead of catching the error in
> do_execve_common, how about we catch it in do_mmap_pgoff.
> i.e. if the flag is set and an attempt it made to create an executable
> mapping, we check the user->processes against the limit then - either failing
> or clearing the flag and succeeding.
> 
> This will stop an execve, and an attempt to load a shared library and call it.

This sounds too hackish to me, although if others are (unexpectedly) OK
with it, I don't mind.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.