On 11/20/18 5:27 PM, Linus Torvalds wrote:
> Also, "dumpable" in general is pretty oddly defined to be used for this.
>
> The same (privileged) process can be dumpable or not depending on how
> it was started (ie if it was started by a regular user and became
> trusted through suid, it's not dumpable, but if it was started from a
> root process it remains dumpable.
>
> So I'm just not convinced "dumpability" is meaningful for STIBP.

I think we're hoping that "dumpability" is at least correlated with
sensitive processes. As you've pointed out, it's not a strict
relationship, but there's still some meaning.

Let's not forget about things like gpg that do PR_SET_DUMPABLE
completely independently of the actions that trigger the
/proc/sys/fs/suid_dumpable behavior. Those will be non-dumpable
regardless of how they were started.

In addition, things that are started via suid surely *do* have more
attack surface than something started by root. We've been positing
that these attacks get easier when the attacker and victim have a
relationship, either via RPC, or the network, or *something*. suid
basically *guarantees* there's a relationship between the privileged
thing and _something_ untrusted.

Repurposing dumpable is really screwy and surely imprecise, but it
really is the closest thing that we have without the new ABI.