Bernd, everyone
This is how I think the infrastructure change should look that makes way
for fixing this issue.
- Correct the point of no return.
- Add a new mutex to replace cred_guard_mutex
Then I think it is just going through the existing
users of cred_guard_mutex and fixing them to use the new one.
There really aren't that many users of cred_guard_mutex so we should be
able to get through the easy ones fairly quickly. And anything that
isn't easy we can wait until we have a good fix.
The users of cred_guard_mutex that I saw were:
fs/proc/base.c:
proc_pid_attr_write
do_io_accounting
proc_pid_stack
proc_pid_syscall
proc_pid_personality
perf_event_open
mm_access
kcmp
pidfd_fget
seccomp_set_mode_filter
Bernd does this make sense to you?
I think we can fix the seccomp/no_new_privs issue with some careful
refactoring. We can probably do the same for ptrace but that appears
to need a little lsm bug fixing.
My goal here is to allow us to fix the uncontroversial easy bits. While
still allowing the difficult tricky bits to be fixed.
Eric W. Biederman (2):
exec: Properly mark the point of no return
exec: Add a exec_update_mutex to replace cred_guard_mutex
fs/exec.c | 11 ++++++++---
include/linux/binfmts.h | 7 ++++++-
include/linux/sched/signal.h | 9 ++++++++-
kernel/fork.c | 1 +
4 files changed, 23 insertions(+), 5 deletions(-)
Eric
