On Wed, Oct 31, 2018 at 06:00:49PM +0000, Daniel Colascione wrote: > On Wed, Oct 31, 2018 at 5:54 PM, Tycho Andersen <ty...@tycho.ws> wrote: > > Why not just use an ioctl() like Jann suggested instead of this big > > security check? Then we avoid the whole setuid writer thing entirely, > > Don't you think a system call would be better than a new ioctl?
We already have a kill() system call :) > With either an ioctl or a new system call, though, the shell would > need a helper program to use the facility, whereas with the existing > approach, the shell can use the new facility without any additional > binaries. ...and a binary to use it! The nice thing about an ioctl is that it avoids this class of attacks entirely. > > and we can pass the fd around if we want to. > > You can pass the FD around today --- specifically, you just pass the > /proc/pid directory FD, not the /proc/pid/kill FD. The /proc/pid > directory FD acts as a process handle. (It's literally a reference to > a struct pid.) Anyone who receives one of these process handle FDs and > who wants to use the corresponding kill file can open the kill fd with > openat(2). What you can't do is pass the /proc/pid/kill FD to another > security context and use it, but when would you ever want to do that? Perhaps I don't have a good imagination, because it's not clear to me when I'd ever use this from a shell instead of the kill binary, either. Using this from the shell is still racy, because if I do something like: echo 9 > /proc/$pid/kill There's exactly the same race that there is with kill, that $pid might be something else. Of course I could do some magic with bind mounts or my pwd or something to keep it alive, but I can already do that today with kill. I can understand the desire to have a race free way to do this, but "it must use write(2)" seems a little unnecessary, given that the shell use case isn't particularly convincing to me. Tycho
