On 3/5/20 10:14 PM, Eric W. Biederman wrote: > > Bernd, everyone > > This is how I think the infrastructure change should look that makes way > for fixing this issue. > > - Correct the point of no return. > - Add a new mutex to replace cred_guard_mutex > > Then I think it is just going through the existing > users of cred_guard_mutex and fixing them to use the new one. > > There really aren't that many users of cred_guard_mutex so we should be > able to get through the easy ones fairly quickly. And anything that > isn't easy we can wait until we have a good fix. > > The users of cred_guard_mutex that I saw were: > fs/proc/base.c: > proc_pid_attr_write > do_io_accounting > proc_pid_stack > proc_pid_syscall > proc_pid_personality > > perf_event_open > mm_access > kcmp > pidfd_fget > seccomp_set_mode_filter > > Bernd does this make sense to you? > > I think we can fix the seccomp/no_new_privs issue with some careful > refactoring. We can probably do the same for ptrace but that appears > to need a little lsm bug fixing. > Yes, for most functions the proposed "exec_update_mutex" is fine, but we will need a longer-time block for ptrace_attach, seccomp_set_mode_filter and proc_pid_attr_write need to be blocked for the whole exec duration so they need a second "mutex", with deadlock-detection as in my previous patch, if I see that right. Unfortunately only one of the two test cases can be fixed without the second mutex, of course the mm_access is what cause the practical problem. Currently for the unlimited user space delay, I have only the case of a ptraced sibling thread on my radar, de_thread waits for the parent to call wait in this case, that can literally take forever. But I know that also PTRACE_CONT may be needed after a PTRACE_EVENT_EXIT. Can you explain what else in the user space can go wrong to make an unlimited delay in the execve? Bernd.
