Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1

From: Linus Torvalds
Date: Tue Apr 28 2020 - 17:37:07 EST


On Tue, Apr 28, 2020 at 2:06 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> In execve:
>
> - After the point of no return, but before we start waiting for the
> other threads to go away, finish calculating our post-execve creds
> and stash them somewhere in the task_struct or so.
> - Drop the cred_guard_mutex.
> - Wait for the other threads to die.
> - Take the cred_guard_mutex again.
> - Clear out the pointer in the task_struct.
> - Finish execve and install the new creds.
> - Drop the cred_guard_mutex again.
>
> Then in ptrace_may_access, after taking the cred_guard_mutex, we'd
> know that the target task is either outside execve or in the middle of
> execve, with old and new credentials known; and then we could say "you
> only get to access that task if you're capable relative to *both* its
> old and new credentials, since the task currently has both state from
> the old executable and from the new one".

That doesn't solve the problem with "check_unsafe_exec()" - you might
miss setting LSM_UNSAFE_PTRACE.

Although maybe that whole function could be moved down (to after you
get the cred_guard_mutex the second time).

Linus
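The property Jann describes above (a tracer may only access a task mid-execve if it passes the access check against both the old and the not-yet-installed credentials) can be modelled in a few lines. The following is an added illustration, not kernel code and not code from the thread: `struct cred_model`, `struct task_model`, the uid/gid comparison standing in for the kernel's real ptrace access check, and the `model_execve_begin`/`model_execve_finish` helpers (which stand in for "stash the post-execve creds" and "clear the pointer and install the new creds") are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified credential set; real kernel creds carry much more. */
struct cred_model {
    unsigned uid;
    unsigned gid;
};

/* Constructed task: its current creds plus, only while inside the execve window,
 * a pointer to the credentials that will be installed when execve finishes. */
struct task_model {
    struct cred_model cred;
    const struct cred_model *exec_new_cred;  /* NULL outside execve */
    bool cap_sys_ptrace;                     /* hypothetical privileged-caller flag */
};

/* Stand-in for the per-credential access check: a privileged caller always passes,
 * an unprivileged one must match uid and gid of the credential set being checked. */
static bool cred_may_access(const struct task_model *caller,
                            const struct cred_model *target_cred)
{
    if (caller->cap_sys_ptrace)
        return true;
    return caller->cred.uid == target_cred->uid &&
           caller->cred.gid == target_cred->gid;
}

/* The rule from the thread: outside execve, check the current creds; inside the
 * execve window, the caller must pass against BOTH the old and the new creds. */
bool model_ptrace_may_access(const struct task_model *caller,
                             const struct task_model *target)
{
    if (!cred_may_access(caller, &target->cred))
        return false;
    if (target->exec_new_cred && !cred_may_access(caller, target->exec_new_cred))
        return false;
    return true;
}

/* "After the point of no return ... stash the post-execve creds": publish them so
 * an access check can see both credential sets while other threads are torn down. */
void model_execve_begin(struct task_model *t, const struct cred_model *new_cred)
{
    t->exec_new_cred = new_cred;
}

/* "Clear out the pointer ... finish execve and install the new creds." */
void model_execve_finish(struct task_model *t)
{
    if (t->exec_new_cred) {
        t->cred = *t->exec_new_cred;
        t->exec_new_cred = NULL;
    }
}

int main(void)
{
    struct cred_model user = { 1000, 1000 }, root = { 0, 0 };
    struct task_model caller = { user, NULL, false };
    struct task_model target = { user, NULL, false };

    printf("before execve: %d\n", model_ptrace_may_access(&caller, &target));
    model_execve_begin(&target, &root);   /* target is exec'ing a setuid-root binary */
    printf("during execve: %d\n", model_ptrace_may_access(&caller, &target));
    model_execve_finish(&target);
    printf("after execve:  %d\n", model_ptrace_may_access(&caller, &target));
    return 0;
}
```

The interesting case is the middle one: the target still runs with uid 1000 state in memory, but because the pending creds are uid 0 the same-uid caller is already refused, which is the "capable relative to *both*" rule. A caller with the constructed `cap_sys_ptrace` flag passes in all three states.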