Re: [PATCH RFC v3 08/10] net, pidfs, coredump: only allow coredumping tasks to connect to coredump socket
From: Mickaël Salaün <mic@digikod.net>
Date: 2025-05-07 11:59:37
Also in: linux-fsdevel, lkml
On Tue, May 06, 2025 at 04:51:25PM +0200, Jann Horn wrote:
> On Tue, May 6, 2025 at 9:39 AM Christian Brauner [off-list ref] wrote:
> > > ("a kernel socket" is not necessarily the same as "a kernel socket
> > > intended for core dumping")
> >
> > Indeed. The usermodehelper is a kernel protocol. Here it's the task with
> > its own credentials that's connecting to a userspace socket. Which makes
> > this very elegant because it's just userspace IPC. No one is running
> > around with kernel credentials anywhere.
>
> To be clear: I think your current patch is using special kernel
> privileges in one regard, because kernel_connect() bypasses the
> security_socket_connect() security hook. I think it is a good thing that
> it bypasses security hooks in this way; I think we wouldn't want LSMs to
> get in the way of this special connect(), since the task in whose context
> the connect() call happens is not in control of this connection; the
> system administrator is the one who decided that this connect() should
> happen on core dumps. It is kind of inconsistent though that that
> separate security_unix_stream_connect() LSM hook will still be invoked in
> this case, and we might have to watch out to make sure that LSMs won't
> end up blocking such connections... which I think is related to what
> Mickael was saying on the other thread.

Right.

> Landlock currently doesn't filter abstract connections at that hook, so for now

Landlock implements this hook since Linux 6.12 and can deny connections
from a sandboxed process to a peer outside the sandbox:
https://docs.kernel.org/userspace-api/landlock.html#ipc-scoping

I was worried that security_unix_stream_connect() would be called with
the task's credential, which would block coredumps from sandboxed tasks.
This would also apply to other LSMs.

> this would only be relevant for SELinux and Smack. I guess those are
> maybe less problematic in this regard because they work on full-system
> policies rather than app-specific policies; but still, with the current
> implementation, SELinux/Smack policies would need to be designed to allow
> processes to connect to the core dumping socket to make core dumping
> work.
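The denial Mickaël is describing can be reproduced from userspace with Landlock's IPC scoping, which is the same security_unix_stream_connect() hook that Jann notes is still reached through kernel_connect(). The program below is an added example written for this page, not code from the thread, from the coredump patch series or from the Landlock project. A parent outside any Landlock domain binds an abstract UNIX stream socket; a forked child connects once (allowed), then puts itself into a domain scoped with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and connects again, which Landlock rejects with EPERM because the listener belongs to a task outside the sandbox. It assumes a Linux kernel with Landlock ABI 6 or later (6.12+) and Landlock enabled in the LSM list; on anything older it reports the scoping as unsupported rather than failing. The syscall numbers, the ruleset attribute struct and the two Landlock constants are defined locally (matching <linux/landlock.h>) so it builds against older headers; the status codes and function names are this example's own.

```c
/* Added example: a Landlock IPC-scoped task connecting to an abstract UNIX
 * socket bound by a task outside its sandbox. Not from the thread or the
 * Landlock project; assumes Linux >= 6.12 with Landlock enabled. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Defined locally so this compiles against pre-6.12 headers. Values match
 * <linux/landlock.h>; the syscall numbers are the same on every arch. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION     (1U << 0)
#define LL_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)   /* Landlock ABI v6 */

struct ll_ruleset_attr {                /* mirrors struct landlock_ruleset_attr */
    uint64_t handled_access_fs;
    uint64_t handled_access_net;
    uint64_t scoped;
};

/* Status codes of this example (not Landlock's). */
enum { SCOPE_DENIED = 0, SCOPE_UNSUPPORTED = 1, SCOPE_NOT_DENIED = 2, SCOPE_ERROR = 3 };

static int connect_abstract(const struct sockaddr_un *addr, socklen_t len)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = connect(fd, (const struct sockaddr *)addr, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Child: connect while unrestricted, then scope itself and connect again. */
static int sandboxed_child(const struct sockaddr_un *addr, socklen_t len)
{
    if (connect_abstract(addr, len) != 0)   /* no domain yet: must succeed */
        return SCOPE_ERROR;

    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 6)                            /* ENOSYS, EOPNOTSUPP or ABI without scoping */
        return SCOPE_UNSUPPORTED;

    struct ll_ruleset_attr attr = { .scoped = LL_SCOPE_ABSTRACT_UNIX_SOCKET };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0)
        return SCOPE_ERROR;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return SCOPE_ERROR;
    if (syscall(__NR_landlock_restrict_self, ruleset, 0) != 0)
        return SCOPE_ERROR;
    close(ruleset);

    /* security_unix_stream_connect() now runs with this task's scoped domain
     * and the listener was bound outside it, so Landlock returns EPERM. */
    if (connect_abstract(addr, len) == 0)
        return SCOPE_NOT_DENIED;
    return errno == EPERM ? SCOPE_DENIED : SCOPE_ERROR;
}

int demo_scoped_connect(void)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    /* Abstract name: leading NUL byte, then a per-process unique string. */
    int n = snprintf(addr.sun_path + 1, sizeof addr.sun_path - 1, "ll-scope-demo-%d", getpid());
    socklen_t len = offsetof(struct sockaddr_un, sun_path) + 1 + n;

    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0)
        return SCOPE_ERROR;
    if (bind(srv, (struct sockaddr *)&addr, len) != 0 || listen(srv, 4) != 0) {
        close(srv);
        return SCOPE_ERROR;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(srv);
        return SCOPE_ERROR;
    }
    if (pid == 0)
        _exit(sandboxed_child(&addr, len));

    int status = 0;
    waitpid(pid, &status, 0);
    close(srv);
    return WIFEXITED(status) ? WEXITSTATUS(status) : SCOPE_ERROR;
}

int main(void)
{
    static const char *names[] = { "denied with EPERM", "Landlock scoping unsupported here",
                                   "NOT denied", "error" };
    printf("scoped connect to out-of-sandbox abstract socket: %s\n", names[demo_scoped_connect()]);
    return 0;
}
```

The first connect() succeeds and the second fails with EPERM solely because the connecting task's credentials changed in between; the listener, the socket name and the parent are identical. That is the property the thread is weighing for the coredump path: if the kernel-side connect() to the coredump socket reaches security_unix_stream_connect() under the dumping task's own domain, a task sandboxed this way would be refused exactly as the child is here, regardless of the administrator's intent.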