On Thu, Sep 05, 2019 at 04:57:10PM +0200, Thomas Gleixner wrote:
> On Thu, 5 Sep 2019, Frederic Weisbecker wrote:
> > On Thu, Sep 05, 2019 at 02:03:39PM +0200, Thomas Gleixner wrote:
> > > Sysbot triggered an issue in the posix timer rework which was trivial to
> > > fix, but after running another test case I discovered that the rework broke
> > > the permission checks subtly. That's also a straightforward fix.
> > > 
> > > Though when staring at it I discovered that the permission checks for
> > > process clocks and process timers are completely bonkers. The only
> > > requirement is that the target PID is a group leader. Which means that any
> > > process can read the clocks and attach timers to any other process without
> > > privilege restrictions.
> > > 
> > > That's just wrong because the clocks and timers can be used to observe
> > > behaviour and both reading the clocks and arming timers adds overhead and
> > > influences runtime performance of the target process.
> > 
> > Yeah, I stumbled upon that in the past and found the explanation behind it
> > in old history:
> > https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/kernel/posix-cpu-timers.c?id=a78331f2168ef1e67b53a0f8218c70a19f0b2a4c
> > 
> > "This makes no constraint on who can see whose per-process clocks.  This
> > information is already available for the VIRT and PROF (i.e. utime and stime)
> > information via /proc.  I am open to suggestions on if/how security
> > constraints on who can see whose clocks should be imposed."
> > 
> > I'm all for mitigating that, let's just hope that won't break some ABIs.
> 
> Well, reading clocks is one part of the issue. Arming timers on any process
> is a different story.

Exactly!

> 
> Also /proc/$PID access can be restricted nowadays. So that posix clock
> stuff should at least have exactly the same restrictions.

Yeah, definitely.

> 
> Thanks,
> 
>       tglx
> 

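As an added illustration of the behaviour the thread describes (example code written for this page, not part of the thread or of the posix timer rework itself): the per-process CPU clock ids handed to clock_gettime()/timer_create() simply encode the target PID, so any process can name any other group leader's clock. The bit layout below mirrors the kernel's MAKE_PROCESS_CPUCLOCK() macro (inverted PID shifted left by 3, clock type in the low bits); the function names `process_cpuclock`, `cpuclock_pid`, `read_process_cputime` and `probe_cpu_activity` are this example's own. It assumes Linux with glibc or musl, whose clock_getcpuclockid() builds the same id.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Clock types carried in the low bits of a CPU clock id; these are the
 * kernel's CPUCLOCK_PROF / CPUCLOCK_VIRT / CPUCLOCK_SCHED values. */
enum { CPUCLOCK_PROF = 0, CPUCLOCK_VIRT = 1, CPUCLOCK_SCHED = 2 };

/* Build the clockid_t that names another process's CPU clock, laid out the way
 * the kernel's MAKE_PROCESS_CPUCLOCK() macro does it: bit-inverted PID in the
 * upper bits, clock type in bits 0-1, bit 2 clear (set would mean "thread").
 * The arithmetic is done unsigned so the shift of the inverted PID is defined. */
clockid_t process_cpuclock(pid_t pid, int type)
{
    uint32_t raw = (~(uint32_t)pid << 3) | ((uint32_t)type & 3u);
    return (clockid_t)(int32_t)raw;
}

/* Inverse of the above: for clk == (-pid - 1) * 8 + type, (-clk - 1) / 8 == pid
 * for any type below 8. */
pid_t cpuclock_pid(clockid_t clk)
{
    return (pid_t)((-(int64_t)clk - 1) / 8);
}

int cpuclock_type(clockid_t clk)
{
    return (int)(clk & 3);
}

/* Read the CPU time consumed so far by an arbitrary PID.  Returns 0 and stores
 * nanoseconds in *ns, or a negative errno.  clock_getcpuclockid() returns the
 * same id as process_cpuclock(pid, CPUCLOCK_SCHED) on glibc and musl. */
int read_process_cputime(pid_t pid, int64_t *ns)
{
    clockid_t clk;
    struct timespec ts;
    int err = clock_getcpuclockid(pid, &clk);   /* returns a positive errno */
    if (err != 0)
        return -err;
    if (clock_gettime(clk, &ts) != 0)
        return -errno;
    *ns = (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
    return 0;
}

/* Sample the target twice, interval_ms apart, and return the CPU time it burned
 * in between.  This is the "observe behaviour" concern raised in the thread: an
 * unrelated, unprivileged process can tell whether the target was busy. */
int probe_cpu_activity(pid_t pid, int interval_ms, int64_t *delta_ns)
{
    int64_t before, after;
    int err = read_process_cputime(pid, &before);
    if (err)
        return err;
    struct timespec pause = { interval_ms / 1000, (interval_ms % 1000) * 1000000L };
    nanosleep(&pause, NULL);
    err = read_process_cputime(pid, &after);
    if (err)
        return err;
    *delta_ns = after - before;
    return 0;
}

int main(int argc, char **argv)
{
    /* Target PID from argv[1]; defaults to ourselves so there is always a clock
     * to read.  On a kernel that applies the /proc-style restrictions the thread
     * argues for, an unrelated target is expected to fail instead. */
    pid_t target = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    clockid_t clk = process_cpuclock(target, CPUCLOCK_SCHED);
    printf("pid %d -> clockid %d (decodes to pid %d, type %d)\n",
           (int)target, (int)clk, (int)cpuclock_pid(clk), cpuclock_type(clk));

    int64_t delta;
    int err = probe_cpu_activity(target, 200, &delta);
    if (err) {
        fprintf(stderr, "cannot read CPU clock of pid %d: %s\n",
                (int)target, strerror(-err));
        return 1;
    }
    printf("pid %d used %lld ns of CPU in the last 200 ms\n",
           (int)target, (long long)delta);
    return 0;
}
```

Run it with the PID of a process owned by another user to see the point of the thread: on the kernels Thomas describes, the only check is that the PID is a group leader, so the read succeeds where opening that process's /proc/$PID entries might not. The same clockid passed to timer_create() is the "arm timers on any process" half of the issue, which this example deliberately does not exercise.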