From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18495CDD1BC for ; Fri, 27 Sep 2024 15:39:00 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 969886B0104; Fri, 27 Sep 2024 11:38:59 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 918C96B0105; Fri, 27 Sep 2024 11:38:59 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7E0676B0106; Fri, 27 Sep 2024 11:38:59 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 610806B0104 for ; Fri, 27 Sep 2024 11:38:59 -0400 (EDT) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 1EA7181071 for ; Fri, 27 Sep 2024 15:38:59 +0000 (UTC) X-FDA: 82610926398.09.C7CCC99 Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) by imf21.hostedemail.com (Postfix) with ESMTP id 03E5E1C0007 for ; Fri, 27 Sep 2024 15:38:55 +0000 (UTC) Authentication-Results: imf21.hostedemail.com; dkim=none; dmarc=pass (policy=none) header.from=xmission.com; spf=pass (imf21.hostedemail.com: domain of ebiederm@xmission.com designates 166.70.13.231 as permitted sender) smtp.mailfrom=ebiederm@xmission.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1727451436; a=rsa-sha256; cv=none; b=hmOZmfhADIqr+TtsqgNtvobHfo8UDdiZjGLw4DMBrGZzpY5LX+bSk3E2irxocCogFH57Lt rXXGPPHvzM5uQrv+QHGS0qT69Yt9rgQSUU/8rvoytwbfbNHEatneXPt9xoswn2lmickeMi QfuUMKwVB3wY/0AYyBasULK7XRltfSM= ARC-Authentication-Results: i=1; imf21.hostedemail.com; dkim=none; dmarc=pass (policy=none) header.from=xmission.com; spf=pass (imf21.hostedemail.com: domain of ebiederm@xmission.com designates 166.70.13.231 as permitted sender) smtp.mailfrom=ebiederm@xmission.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1727451436; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=45AJNIURAun5nCpdAQyM/IqX2LqIHmXKOE1f4scfWF4=; b=2C+BGTNSzIClfdjeWCrUwRxghGN4uj0ELoXIUBnYMy6SE4zIGZP+tqWCTc2s3WQmBIzxaE kdPjHBplIsHw8Y/9lNUmva96eCXPX7gxPpcVFbU035cdK6VwI7vHWZRR7uZxFQ7bdZ5WYa gGjaYbAhJMTTj/mILiL/JSAjVYceKn4= Received: from in01.mta.xmission.com ([166.70.13.51]:55628) by out01.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1suD3V-004ZpH-Bb; Fri, 27 Sep 2024 09:38:53 -0600 Received: from ip68-227-165-127.om.om.cox.net ([68.227.165.127]:36938 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1suD3U-009xfm-B0; Fri, 27 Sep 2024 09:38:52 -0600 From: "Eric W. Biederman" To: Tycho Andersen Cc: Aleksa Sarai , Alexander Viro , Christian Brauner , Jan Kara , Kees Cook , Jeff Layton , Chuck Lever , Alexander Aring , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Tycho Andersen , Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= References: <20240924141001.116584-1-tycho@tycho.pizza> <87msjx9ciw.fsf@email.froward.int.ebiederm.org> <20240925.152228-private.conflict.frozen.trios-TdUGhuI5Sb4v@cyphar.com> <878qvf17zl.fsf@email.froward.int.ebiederm.org> <87h6a1xilx.fsf@email.froward.int.ebiederm.org> Date: Fri, 27 Sep 2024 10:38:45 -0500 In-Reply-To: (Tycho Andersen's message of "Fri, 27 Sep 2024 08:56:20 -0600") Message-ID: <87wmixw1h6.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1suD3U-009xfm-B0;;;mid=<87wmixw1h6.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.165.127;;;frm=ebiederm@xmission.com;;;spf=pass X-XM-AID: U2FsdGVkX1/SeLu3lFfn5+34ujWa2fAf2nSewHm7GeA= Subject: Re: [RFC] exec: add a flag for "reasonable" execveat() comm X-SA-Exim-Connect-IP: 166.70.13.51 X-SA-Exim-Rcpt-To: zbyszek@in.waw.pl, tandersen@netflix.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, alex.aring@gmail.com, chuck.lever@oracle.com, jlayton@kernel.org, kees@kernel.org, jack@suse.cz, brauner@kernel.org, viro@zeniv.linux.org.uk, cyphar@cyphar.com, tycho@tycho.pizza X-SA-Exim-Mail-From: ebiederm@xmission.com X-SA-Exim-Scanned: No (on out01.mta.xmission.com); SAEximRunCond expanded to false X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: 03E5E1C0007 X-Stat-Signature: 6sqxboxotm9h59s8jhtts11iqhzbuqb3 X-Rspam-User: X-HE-Tag: 1727451535-726830 X-HE-Meta: U2FsdGVkX1+1/APVn/cjdlnPcXvNmvv2PcEq+KYvix5ewBYFnmv9b9UsBpLQdUjIsyM4t8GPA3nmjtU0J/C2Ml2+fUtuUTa8paUAbBKIp7NZwcuRtoH/8WM5y7nHPjHrgqXJtam1TF101nz8pG1UXB1Y607vqqS6RE6tZ7HqZa98r/do1n7V3TzHwJ5S1wvE0TA9M4S5xAqCoXM6BfoKjODe2RxlspbOc4u8XUzE3vUFbkVjhXLAj2ATr+X9I3YbGNj4a7iqrgNKIUKD04HjP55zDkzJgKyMMH4FrwAXxxKCvrAufmtqRZITqhqvCYHJ7OhI5fpESEV5xa6aLQ2RO98nRFbcorTQcP2blCZMK+3B0pXG2vsLeGsaM9VX+K+7t1JJqBbkgFSDAxwNe70+hsP7aN2guUo6kj6yD/HYyP1MzCqQPQbDCAxR65ntOsbr25YxKCEDP2kZbJqAER2vLJ/4NmPYvAP5ZDYsJZi0SmWjYNGJj3iV6vXcR0Z2/oKoPyzl9RCBLrDVzmS3g21/CY+tvrANILDvDnRpRHJvnqbUyD34zZ5K2Bmv5dPkEEvdWa1W842t4PmA7skPjSvh1xsGuz48iG8Ik5CCIRw/KfmpsMnufVzD5AhgBp3GBO+h7H9lTPhXhTJLPh8fXtHaVn/FjqzxE9QwPP8xno/+wIy4UNHRxYJVk68fshCZpi64c2TkPQ17pZfPOuNKkgLxF+qu9z8lcz2g4Y+KWbbdF+x49EO0ACBJ6vC0TTwEKrXm+RnhRIl4p2fzRFo4x7uPP6yt/L4xcIU2qENYxWJQFoCePNxgtwMWQFRr64XLbH650fVieM7Bxov0GIpIYf1y33DObWXkGoRq1oFUr+gTpid0jiyNsokNFbuiVjkDy7CVkhj4rlYC73gPYqjsUhBOA9/IRJPDfngq1IY0EGSI1YFUlrQ+slkxhEYXXBXoaYmkf1imz5uA69Q7wSNePAE 8cdxbxdF ZoV23YuPMGb1B9jaP4lpg2qGejaXUwWotPjiHbMFm/oeL0RVIkztcvpsRYT9IvngARTp8RgUKm2a8xc2Ty/nyQgPIlpzvmJo1tOxd X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Tycho Andersen writes: > On Fri, Sep 27, 2024 at 09:43:22AM -0500, Eric W. Biederman wrote: >> Tycho Andersen writes: >> >> > On Wed, Sep 25, 2024 at 09:09:18PM -0500, Eric W. Biederman wrote: >> >> Tycho Andersen writes: >> >> >> >> > Yep, I did this for the test above, and it worked fine: >> >> > >> >> > if (bprm->fdpath) { >> >> > /* >> >> > * If fdpath was set, execveat() made up a path that will >> >> > * probably not be useful to admins running ps or similar. >> >> > * Let's fix it up to be something reasonable. >> >> > */ >> >> > struct path root; >> >> > char *path, buf[1024]; >> >> > >> >> > get_fs_root(current->fs, &root); >> >> > path = __d_path(&bprm->file->f_path, &root, buf, sizeof(buf)); >> >> > >> >> > __set_task_comm(me, kbasename(path), true); >> >> > } else { >> >> > __set_task_comm(me, kbasename(bprm->filename), true); >> >> > } >> >> > >> >> > obviously we don't want a stack allocated buffer, but triggering on >> >> > ->fdpath != NULL seems like the right thing, so we won't need a flag >> >> > either. >> >> > >> >> > The question is: argv[0] or __d_path()? >> >> >> >> You know. I think we can just do: >> >> >> >> BUILD_BUG_ON(DNAME_INLINE_LEN >= TASK_COMM_LEN); >> >> __set_task_comm(me, bprm->file->f_path.dentry->d_name.name, true); >> >> >> >> Barring cache misses that should be faster and more reliable than what >> >> we currently have and produce the same output in all of the cases we >> >> like, and produce better output in all of the cases that are a problem >> >> today. >> >> >> >> Does anyone see any problem with that? >> > >> > Nice, this works great. We need to drop the BUILD_BUG_ON() since it is >> > violated in today's tree, but I think this is safe to do anyway since >> > __set_task_comm() does strscpy_pad(tsk->comm, buf, sizeof(tsk->comm)). >> >> Doh. I simply put the conditional in the wrong order. That should have >> been: >> BUILD_BUG_ON(TASK_COMM_LEN > DNAME_INLINE_LEN); >> >> Sorry I was thinking of the invariant that needs to be preserved rather >> than the bug that happens. > > Thanks, I will include that. Just for my own education: this is still > *safe* to do, because of _pad, it's just that it is a userspace > visible break if TASK_COMM_LEN > DNAME_INLINE_LEN is ever true? Not a userspace visible issue at all. With TASK_COMM_LEN <= DNAME_INLINE_LEN we could just use a memcpy of TASK_COMM_LEN bytes, and everything will be safe. (But we aren't guaranteed a terminating '\0'). If you look at d_move and copy_name in dcache.c you can see that there are cases where a rename of the dentry that happens as we are reading it to fill task->comm a terminating '\0' might be missed. strscpy_pad relies on either finding a final '\0' after which is adds more '\0's or on finding the end of the source buffer. strscpy_pad will guarantee that there is a final '\0' in task->comm. There might be some race in reading dentry->d_name, but I don't think we much care. Eric