Re: [PATCH] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()

From: Oleg Nesterov
Date: Tue Mar 24 2020 - 07:52:21 EST


On 03/23, Eric W. Biederman wrote:
>
> So far what we have is a report Oleg has read somewhere that some
> program doing something regressed, and his patch to fix that specific
> program. This problem was not noticed for several years.

Yes, this was reported on bugzilla.redhat.com, I'll add you to CC list.

> Presumably the problem is that a message queue was written to by one
> user and was read by another user to cause check_kill_permission to
> fail. Can someone tell me if that was the case?

I do not know. Yoji, did you hit this bug or did you find it by code
inspection ?

> So I am looking for something that makes it clear we are not removing
> a permission checking and backporting a security hole.

Yes, I thought about this too. I can be easily wrong, please correct me,
but I came to conclusion the old behaviour (no permission check) is fine
security-wise.

> Further even if in the common case it is the right thing to do to remove
> the permission check, the handling around exec looks bad enough that we
> will be backporting a security hole if we don't fix that and backport
> that at the same time.

could you explain what exactly you do not like wrt mq_notify/exec ?
I must have missed something.

> p.s. I am grouchy as temporary fixes in this part of the code base
> don't tend to be temporary and the entire signal/exec/ptrace world
> is bordering on unmaintainble and incomprehensible as a result.

Eric, please feel free to make another fix you like more. I know that
I can't convince you anyway, I won't argue.
Oleg.