Re: [PATCH] kernel/exit.c: make sure current's nsproxy != NULL while checking caps
From: Oleg Nesterov
Date: Wed Nov 26 2014 - 15:53:07 EST
On 11/26, Lukasz Pawelczyk wrote:
>
> My understanding is that while we have to use task_nsproxy()
task_nsproxy() has already gone... probably this doesn't matter but which
kernel version?
> task's nsproxy and check whether it's NULL, for the 'current' we don't
> have to and it's expected not to be NULL.
Well, unless exit_task_namespaces() was called ;)
> There seem to be no crash currently because of this, but with other LSM
> modules or in future there might be. This is the backtrace:
Confused... backtrace of what? did kernel crash or what?
> 0 smk_tskacc (task=0xffff88003b0b92e0, obj_known=0x2 <irq_stack_union+2>, mode=2, a=0xffff88003be53dd8) at security/smack/smack_access.c:261
> 1 0xffffffff8130e2aa in smk_curacc (obj_known=<optimized out>, mode=<optimized out>, a=<optimized out>) at security/smack/smack_access.c:318
> 2 0xffffffff8130a50d in smack_task_kill (p=0xffff88003b0b92e0, info=<optimized out>, sig=<optimized out>, secid=<optimized out>) at security/smack/smack_lsm.c:2071
I do not know this code, so could you please tell more? How/where smk_tskacc()
uses ->nsproxy? smack_access.c:261 leads to the comment header above smk_curacc()
in my tree, so this tells me nothing.
> --- a/kernel/exit.c
> +++ b/kernel/exit.c
> @@ -751,7 +751,6 @@ void do_exit(long code)
> exit_fs(tsk);
> if (group_dead)
> disassociate_ctty(1);
> - exit_task_namespaces(tsk);
> exit_task_work(tsk);
> exit_thread();
>
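Review bot: deleting the exit_task_namespaces(tsk) call here is only half of the reordering; together with the re-insertion after exit_notify(tsk) in the next hunk, the exiting task's nsproxy now stays alive across exit_task_work(tsk), exit_thread(), flush_ptrace_hw_breakpoint(tsk) and exit_notify(tsk). The stated motivation (an LSM capability check on current during exit, per the smack_task_kill -> smk_curacc -> smk_tskacc backtrace) does not say which of those later steps actually dereferences current->nsproxy, so the commit message should name it; if the only consumer runs from exit_task_work(tsk), a much smaller move (directly after that call) would satisfy the requirement without touching the rest of the sequence.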
> @@ -773,6 +772,13 @@ void do_exit(long code)
> flush_ptrace_hw_breakpoint(tsk);
>
> exit_notify(tsk, group_dead);
> +
> + /*
> + * This should be after all things that pottentially require
> + * process's namespaces (e.g. capability checks).
> + */
> + exit_task_namespaces(tsk);
> +
> proc_exit_connector(tsk);
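Review bot: the comment above the new exit_task_namespaces(tsk) call states a goal ("after all things that potentially require process's namespaces") but not the constraint the new position introduces: once exit_notify(tsk) has returned, the exiting task may already have been reaped by its parent, so free_nsproxy() and the namespace teardown now run in that state. The comment and the commit message should explain why that is safe, or the call should be placed at the last point that actually needs the namespaces rather than unconditionally after exit_notify(tsk). Also correct the spelling in the comment ("pottentially" -> "potentially").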
Well, we can probably move exit_task_namespaces() down (perhaps we even
want to move it after exit_task_work).
But I am not sure about exit_notify(), in this case free_nsproxy() can
be called when the caller is already reaped.
In any case, please more details?
Oleg.