Date: Sat, 30 Nov 2024 16:55:09 +1100
From: Aleksa Sarai
To: Kees Cook
Cc: Al Viro, Zbigniew Jędrzejewski-Szmek, Tycho Andersen, Linus Torvalds, Eric Biederman, Christian Brauner, Jan Kara, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case
Message-ID: <20241130.055433-shy.herds.gross.wars-zGaSWwzAa56n@cyphar.com>
In-Reply-To: <20241130045437.work.390-kees@kernel.org>

On 2024-11-29, Kees Cook wrote:
> Zbigniew mentioned at Linux Plumber's that systemd is interested in
> switching to execveat() for service execution, but can't, because the
> contents of /proc/pid/comm are the file descriptor which was used,
> instead of the path to the binary. This makes the output of tools like
> top and ps useless, especially in a world where most fds are opened
> CLOEXEC so the number is truly meaningless.
>
> When the filename passed in is empty (e.g.
> with AT_EMPTY_PATH), use the
> dentry's filename for "comm" instead of using the useless numeral from
> the synthetic fdpath construction. This way the actual exec machinery
> is unchanged, but cosmetically the comm looks reasonable to admins
> investigating things.
>
> Instead of adding TASK_COMM_LEN more bytes to bprm, use one of the unused
> flag bits to indicate that we need to set "comm" from the dentry.

Looks reasonable to me, feel free to take my

Reviewed-by: Aleksa Sarai

>
> Suggested-by: Zbigniew Jędrzejewski-Szmek
> Suggested-by: Tycho Andersen
> Suggested-by: Al Viro
> Suggested-by: Linus Torvalds
> CC: Aleksa Sarai
> Link: https://github.com/uapi-group/kernel-features#set-comm-field-before-exec
> Signed-off-by: Kees Cook
> ---
> Cc: Al Viro
> Cc: Linus Torvalds
> Cc: Eric Biederman
> Cc: Alexander Viro
> Cc: Christian Brauner
> Cc: Jan Kara
> Cc: linux-mm@kvack.org
> Cc: linux-fsdevel@vger.kernel.org
>
> Here's what I've put together from the various suggestions. I didn't
> want to needlessly grow bprm, so I just added a flag instead. Otherwise,
> this is very similar to what Linus and Al suggested.
> ---
>  fs/exec.c               | 22 +++++++++++++++++++---
>  include/linux/binfmts.h |  4 +++-
>  2 files changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c > index 5f16500ac325..d897d60ca5c2 100644 > --- a/fs/exec.c > +++ b/fs/exec.c
> @@ -1347,7 +1347,21 @@ int begin_new_exec(struct linux_binprm * bprm) > set_dumpable(current->mm, SUID_DUMP_USER); > =20 > perf_event_exec(); > - __set_task_comm(me, kbasename(bprm->filename), true); > + > + /* > + * If the original filename was empty, alloc_bprm() made up a path > + * that will probably not be useful to admins running ps or similar. > + * Let's fix it up to be something reasonable. > + */ > + if (bprm->comm_from_dentry) { > + rcu_read_lock(); > + /* The dentry name won't change while we hold the rcu read lock. */ > + __set_task_comm(me, smp_load_acquire(&bprm->file->f_path.dentry->d_nam= e.name), > + true); > + rcu_read_unlock(); > + } else { > + __set_task_comm(me, kbasename(bprm->filename), true); > + } > =20 > /* An exec changes our domain. We are no longer part of the thread > group */ > @@ -1521,11 +1535,13 @@ static struct linux_binprm *alloc_bprm(int fd, st= ruct filename *filename, int fl > if (fd =3D=3D AT_FDCWD || filename->name[0] =3D=3D '/') { > bprm->filename =3D filename->name; > } else { > - if (filename->name[0] =3D=3D '\0') > + if (filename->name[0] =3D=3D '\0') { > bprm->fdpath =3D kasprintf(GFP_KERNEL, "/dev/fd/%d", fd); > - else > + bprm->comm_from_dentry =3D 1; > + } else { > bprm->fdpath =3D kasprintf(GFP_KERNEL, "/dev/fd/%d/%s", > fd, filename->name); > + } > if (!bprm->fdpath) > goto out_free; > =20 > diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h > index e6c00e860951..3305c849abd6 100644 > --- a/include/linux/binfmts.h > +++ b/include/linux/binfmts.h 
> @@ -42,7 +42,9 @@ struct linux_binprm { > * Set when errors can no longer be returned to the > * original userspace. > */ > - point_of_no_return:1; > + point_of_no_return:1, > + /* Set when "comm" must come from the dentry. */ > + comm_from_dentry:1; > struct file *executable; /* Executable to pass to the interpreter */ > struct file *interpreter; > struct file *file;
> --
> 2.34.1
>

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
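
Review bot: The comment "The dentry name won't change while we hold the rcu read lock" in the begin_new_exec() hunk of fs/exec.c overstates what rcu_read_lock() gives you. It does not hold off a concurrent rename; it only keeps the name buffer loaded by smp_load_acquire(&bprm->file->f_path.dentry->d_name.name) from being freed while __set_task_comm() copies it. Suggest rewording the comment to say that, and to state that a name racing with a rename is acceptable here because comm is cosmetic, which is how the commit message already frames it.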
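
Review bot: The comment on the new bit in the include/linux/binfmts.h hunk, "Set when "comm" must come from the dentry.", does not say which dentry, and the context lines right below it list three struct file pointers (executable, interpreter, file). The fs/exec.c hunk reads bprm->file, so the comment should name it, for example "Set when "comm" must come from bprm->file's dentry name", so a reader can tell which file's name ends up in comm when an interpreter is involved.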
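
The behaviour the commit message describes can be observed from userspace. The program below is an added example, not part of the patch or of this thread; the function name comm_after_fd_exec and the default target /bin/true are assumptions, and it needs Linux with /proc mounted and ptrace permitted. It execs a binary through an fd with an empty pathname and reads back the child's comm, which is the fd number on a kernel without this patch and the file's name on one with it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exec `path` via execveat(fd, "", ..., AT_EMPTY_PATH) in a traced child and
 * copy its /proc/<pid>/comm into `comm`. Returns the fd exec'd, or -1. */
int comm_after_fd_exec(const char *path, char *comm, size_t len)
{
    char proc[64], *argv[] = { "demo", NULL }, *envp[] = { NULL };
    int fd = open(path, O_RDONLY | O_CLOEXEC), status, ok = 0;
    pid_t pid = fd < 0 ? -1 : fork();
    if (pid == 0) {
        /* A traced child stops with SIGTRAP once exec succeeds, so the
         * parent can read comm before the new image runs. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
            syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH);
        _exit(127); /* tracing or exec failed */
    }
    if (fd >= 0)
        close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -1;
    snprintf(proc, sizeof proc, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(proc, "r");
    if (f && fgets(comm, (int)len, f)) {
        comm[strcspn(comm, "\n")] = '\0';
        ok = 1;
    }
    if (f)
        fclose(f);
    kill(pid, SIGKILL); /* the exec'd image never gets to run */
    waitpid(pid, &status, 0);
    return ok ? fd : -1;
}

int main(int argc, char **argv)
{
    char comm[32];
    int fd = comm_after_fd_exec(argc > 1 ? argv[1] : "/bin/true", comm, sizeof comm);
    if (fd >= 0) /* kernels without the patch show the fd number as comm */
        printf("exec'd fd %d, comm is \"%s\"\n", fd, comm);
    return fd < 0;
}
```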