On Sun, Sep 18, 2016 at 01:18:48PM -0700, Linus Torvalds wrote:
> On Sun, Sep 18, 2016 at 8:05 AM, Jann Horn <jann@xxxxxxxxx> wrote:
> > This ensures that VFS implementations don't call ptrace_may_access() from
> > VFS read or write handlers. In order for file descriptor passing to have
> > its intended security properties, VFS read/write handlers must not do any
> > kind of privilege checking.
>
> Quite frankly, this smells like it should be a static check, not some
> kind of runtime one. Or if runtime, it should be abstracted out so
> that you can do an occasional "let's run a checking pass" rather than
> enable it unconditionally and universally.

Hm, fair point. I guess this could be implemented in eBPF or systemtap?

Then for now, I guess I'll remove this patch from the series - and maybe
I'll think about writing some external checker with eBPF kprobes or so.

> It's just too specialized. Soon you'll want to do other random context
> checking, and we can't just keep adding those kinds of ad-hoc things
> without it becoming a maintenance nightmare. I can well imagine
> somebody ending up writing some stupid patch to take that
> "in_unprivileged_vfs" thing into account for some semantics, and then
> we're *really* screwed. So there are many reasons to make sure this is
> *not* something that people actually expect to always be there.

Oh, yuck. Yes, those are good points.
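As an added illustration (not code from this thread, the dropped patch, or the kernel tree) of the "external checker with eBPF kprobes" idea, the bpftrace script below records the kernel stack every time ptrace_may_access() is entered. Any recorded stack that also contains a VFS read/write entry point (vfs_read, vfs_write, or their _iter variants) is a VFS handler doing privilege checking, which is exactly what the original patch wanted to flag. It assumes a kernel where ptrace_may_access is an exported, kprobe-able symbol and where the VFS functions named here are not inlined away in the stack output; both are assumptions, not facts from the thread.

```bpftrace
// Added example, not from the mailing-list thread or the kernel sources.
// Usage: sudo bpftrace vfs_ptrace_check.bt, then exercise the file
// descriptors of interest (including ones passed over a unix socket) and
// press Ctrl-C. bpftrace prints the map on exit: each key is a full kernel
// stack, each value the number of times it was seen.
//
// Assumption: ptrace_may_access is a kprobe-able symbol on this kernel.
kprobe:ptrace_may_access
{
    // Record caller task and the kernel stack leading to the privilege check.
    @callers[comm, pid, kstack] = count();
}

// Post-processing (outside bpftrace): stacks containing vfs_read, vfs_write,
// vfs_iter_read or vfs_iter_write show a VFS read/write handler performing
// privilege checks, e.g.:
//   sudo bpftrace vfs_ptrace_check.bt > stacks.txt
//   grep -n -E 'vfs_(iter_)?(read|write)' stacks.txt
```

One caveat that matches the objection raised above: a kprobe-based check only observes code paths that were actually exercised during the run, so it complements rather than replaces a static check over the VFS implementations.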