From: Bernd Edlinger <bernd.edlinger@hotmail.de>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Kees Cook <kees@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Christian Brauner <brauner@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>, Serge Hallyn <serge@hallyn.com>,
James Morris <jamorris@linux.microsoft.com>,
Randy Dunlap <rdunlap@infradead.org>,
Suren Baghdasaryan <surenb@google.com>,
Yafang Shao <laoar.shao@gmail.com>, Helge Deller <deller@gmx.de>,
Adrian Reber <areber@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Jens Axboe <axboe@kernel.dk>, Alexei Starovoitov <ast@kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
linux-security-module@vger.kernel.org,
tiozhang <tiozhang@didiglobal.com>,
Luis Chamberlain <mcgrof@kernel.org>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Frederic Weisbecker <frederic@kernel.org>,
YueHaibing <yuehaibing@huawei.com>,
Paul Moore <paul@paul-moore.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Stefan Roesch <shr@devkernel.io>, Chao Yu <chao@kernel.org>,
xu xin <xu.xin16@zte.com.cn>, Jeff Layton <jlayton@kernel.org>,
Jan Kara <jack@suse.cz>, David Hildenbrand <david@redhat.com>,
Dave Chinner <dchinner@redhat.com>, Shuah Khan <shuah@kernel.org>,
Elena Reshetova <elena.reshetova@intel.com>,
David Windsor <dwindsor@gmail.com>,
Mateusz Guzik <mjguzik@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Hans Liljestrand <ishkamiel@gmail.com>,
Penglei Jiang <superman.xpt@gmail.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Adrian Ratiu <adrian.ratiu@collabora.com>,
Ingo Molnar <mingo@kernel.org>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [RFC][PATCH] exec: Move cred computation under exec_update_lock
Date: Fri, 21 Nov 2025 10:35:17 +0100 [thread overview]
Message-ID: <GV2PPF74270EBEEFA106F4EF26B087ED898E4D5A@GV2PPF74270EBEE.EURP195.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <87o6ovx38h.fsf@email.froward.int.ebiederm.org>
On 11/21/25 08:18, Eric W. Biederman wrote:
> Bernd Edlinger <bernd.edlinger@hotmail.de> writes:
>
>> Hi Eric,
>>
>> thanks for you valuable input on the topic.
>>
>> On 11/21/25 00:50, Eric W. Biederman wrote:
>>> "Eric W. Biederman" <ebiederm@xmission.com> writes:
>>>
>>>> Instead of computing the new cred before we pass the point of no
>>>> return compute the new cred just before we use it.
>>>>
>>>> This allows the removal of fs_struct->in_exec and cred_guard_mutex.
>>>>
>>>> I am not certain why we wanted to compute the cred for the new
>>>> executable so early. Perhaps I missed something but I did not see any
>>>> common errors being signaled. So I don't think we loose anything by
>>>> computing the new cred later.
>>>
>>> I should add that the permission checks happen in open_exec,
>>> everything that follows credential wise is just about representing in
>>> struct cred the credentials the new executable will have.
>>>
>>> So I am really at a loss why we have had this complicated way of
>>> computing of computed the credentials all of these years full of
>>> time of check to time of use problems.
>>>
>>
>> Well, I think I see a problem with your patch:
>>
>> When the security engine gets the LSM_UNSAFE_PTRACE flag, it might
>> e.g. return -EPERM in bprm_creds_for_exec in the apparmor, selinux
>> or the smack security engines at least. Previously that callback
>> was called before the point of no return, and the return code should
>> be returned as a return code the the caller of execve. But if we move
>> that check after the point of no return, the caller will get killed
>> due to the failed security check.
>>
>> Or did I miss something?
>
> I think we definitely need to document this change in behavior. I would
> call ending the exec with SIGSEGV vs -EPERM a quality of implementation
> issue. The exec is failing one way or the other so I don't see it as a
> correctness issue.
>
> In the case of ptrace in general I think it is a bug if the mere act of
> debugging a program changes it's behavior. So which buggy behavior
> should we prefer? SIGSEGV where it is totally clear that the behavior
> has changed or -EPERM and ask the debugged program to handle it.
> I lean towards SIGSEGV because then it is clear the code should not
> handle it.
>
> In the case of LSM_UNSAFE_NO_NEW_PRIVS I believe the preferred way to
> handle unexpected things happening is to terminate the application.
>
> In the case of LSM_UNSAFE_SHARE -EPERM might be better. I don't know
> of any good uses of any good uses of sys_clone(CLONE_FS ...) outside
> of CLONE_THREAD.
>
>
> Plus all of these things are only considerations if we are exec'ing a
> program that transitions to a different set of credentials. Something
> that happens but is quite rare itself.
>
> In practice I don't expect there is anything that depends on the exact
> behavior of what happens when exec'ing a suid executable to gain
> privileges when ptraced. The closes I can imagine is upstart and
> I think upstart ran as root when ptracing other programs so there is no
> gaining of privilege and thus no reason for a security module to
> complain.
>
> Who knows I could be wrong, and someone could actually care. Which is> hy I think we should document it.
>
Well, I dont know for sure, but the security engine could deny the execution
for any reason, not only because of being ptraced.
Maybe there can be a policy which denies user X to execute e.g. any suid programs.
Bernd.
next prev parent reply other threads:[~2025-11-21 9:35 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AM8PR10MB470801D01A0CF24BC32C25E7E40E9@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM>
[not found] ` <AM8PR10MB470875B22B4C08BEAEC3F77FE4169@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM>
2023-10-30 5:20 ` [PATCH v12] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2023-10-30 9:00 ` kernel test robot
[not found] ` <AS8P193MB12851AC1F862B97FCE9B3F4FE4AAA@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM>
2024-01-15 19:22 ` [PATCH v14] " Bernd Edlinger
2024-01-15 19:37 ` Matthew Wilcox
2024-01-17 9:51 ` Bernd Edlinger
2024-01-16 15:22 ` Oleg Nesterov
2024-01-17 15:07 ` Bernd Edlinger
2024-01-17 16:38 ` Oleg Nesterov
2024-01-22 13:24 ` Bernd Edlinger
2024-01-22 13:44 ` Oleg Nesterov
2024-01-22 21:30 ` Kees Cook
2024-01-23 18:30 ` Bernd Edlinger
2024-01-24 0:09 ` Kees Cook
[not found] ` <AS8P193MB1285937F9831CECAF2A9EEE2E4752@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM>
2025-08-18 6:04 ` [PATCH v15] " Jain, Ayush
2025-08-18 20:53 ` [PATCH v16] " Bernd Edlinger
2025-08-19 4:36 ` Kees Cook
2025-08-19 18:53 ` Bernd Edlinger
2025-08-21 17:34 ` [PATCH v17] " Bernd Edlinger
2025-10-27 6:26 ` Bernd Edlinger
2025-10-27 12:06 ` Peter Zijlstra
2025-11-02 16:17 ` Oleg Nesterov
2025-11-05 14:32 ` Oleg Nesterov
2025-11-11 9:21 ` Christian Brauner
2025-11-11 11:07 ` Bernd Edlinger
2025-11-11 13:12 ` Oleg Nesterov
2025-11-11 13:45 ` Bernd Edlinger
2025-11-12 9:52 ` Oleg Nesterov
2025-11-17 6:31 ` Bernd Edlinger
2025-11-17 15:01 ` Oleg Nesterov
2025-11-17 20:08 ` Bernd Edlinger
2025-11-23 18:32 ` Oleg Nesterov
2025-11-29 15:06 ` Bernd Edlinger
2025-12-01 15:13 ` Oleg Nesterov
2025-11-09 17:14 ` [RFC PATCH 0/3] mt-exec: fix deadlock with ptrace_attach() Oleg Nesterov
2025-11-09 17:14 ` [RFC PATCH 1/3] exec: make setup_new_exec() return int Oleg Nesterov
2025-11-09 17:15 ` [RFC PATCH 2/3] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2025-11-10 10:58 ` Cyrill Gorcunov
2025-11-10 15:09 ` Oleg Nesterov
2025-11-10 21:49 ` Cyrill Gorcunov
2025-11-11 14:09 ` Oleg Nesterov
2025-11-09 17:16 ` [RFC PATCH 3/3] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2025-11-10 5:28 ` [RFC PATCH 0/3] mt-exec: fix deadlock with ptrace_attach() Bernd Edlinger
2025-11-10 14:47 ` Oleg Nesterov
2025-11-18 18:13 ` [PATCH v18] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2025-11-20 15:15 ` Eric W. Biederman
2025-11-20 17:29 ` Eric W. Biederman
2025-11-20 20:57 ` [RFC][PATCH] exec: Move cred computation under exec_update_lock Eric W. Biederman
2025-11-20 23:50 ` Eric W. Biederman
2025-11-21 2:59 ` Bernd Edlinger
2025-11-21 7:18 ` Eric W. Biederman
2025-11-21 9:35 ` Bernd Edlinger [this message]
2025-11-21 11:26 ` Bernd Edlinger
2025-11-21 19:19 ` Eric W. Biederman
2025-11-21 23:06 ` Ryan Lee
2025-11-23 18:52 ` Oleg Nesterov
2025-11-23 23:22 ` Eric W. Biederman
2025-11-25 16:19 ` Bernd Edlinger
2025-11-25 11:55 ` Roberto Sassu
2025-12-01 16:06 ` Are setuid shell scripts safe? (Implied by security_bprm_creds_for_exec) Eric W. Biederman
2025-12-01 16:49 ` Roberto Sassu
2025-12-01 18:53 ` Eric W. Biederman
2025-12-01 21:39 ` David Laight
2025-12-03 13:16 ` Bernd Edlinger
2025-12-04 5:49 ` Al Viro
2025-12-04 9:32 ` David Laight
2025-12-04 13:03 ` Bernd Edlinger
2025-12-09 12:28 ` Jan Kara
2025-12-04 15:43 ` Stephen Smalley
2025-11-22 17:10 ` [PATCH v18] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2025-12-19 8:15 ` [PATCH v19] " Bernd Edlinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=GV2PPF74270EBEEFA106F4EF26B087ED898E4D5A@GV2PPF74270EBEE.EURP195.PROD.OUTLOOK.COM \
--to=bernd.edlinger@hotmail.de \
--cc=adobriyan@gmail.com \
--cc=adrian.ratiu@collabora.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=areber@redhat.com \
--cc=ast@kernel.org \
--cc=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=chao@kernel.org \
--cc=cyphar@cyphar.com \
--cc=david@redhat.com \
--cc=dchinner@redhat.com \
--cc=deller@gmx.de \
--cc=dwindsor@gmail.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=elena.reshetova@intel.com \
--cc=frederic@kernel.org \
--cc=gorcunov@gmail.com \
--cc=ishkamiel@gmail.com \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jlayton@kernel.org \
--cc=joel@joelfernandes.org \
--cc=kees@kernel.org \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=luto@amacapital.net \
--cc=mcgrof@kernel.org \
--cc=mhocko@suse.com \
--cc=mingo@kernel.org \
--cc=mjguzik@gmail.com \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=pc@manguebit.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=senozhatsky@chromium.org \
--cc=serge@hallyn.com \
--cc=shr@devkernel.io \
--cc=shuah@kernel.org \
--cc=superman.xpt@gmail.com \
--cc=surenb@google.com \
--cc=tglx@linutronix.de \
--cc=tiozhang@didiglobal.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
--cc=willy@infradead.org \
--cc=xu.xin16@zte.com.cn \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox