
I'm using a BPF kprobe to find out when a task's UIDs, GIDs and namespaces change outside the syscalls that have the ability to change these values. For this, I update values[pid] when returning from execve(), execveat(), setns(), unshare(), set*uid(). And on entry to begin_new_exec(), I check whether the current task's values match values[pid].

In some cases the probes incorrectly report that the UID or nsproxy for a process has changed, indicating I've missed a place where I need to update the task's values.

Looking at begin_new_exec(), it replaces the task's credentials and wipes out the old executable. But after begin_new_exec() returns, load_elf_binary() can still return errors while trying to set up the new process image.

Do these late errors reach usermode? Is there a scenario where sys_execve can fail after begin_new_exec returns, and the PID is not terminated?

patraulea
    The [comment](https://elixir.bootlin.com/linux/latest/source/fs/exec.c#L1238) above `begin_new_exec()` states *"Calling this is the point of no return. None of the failures will be seen by userspace"*... so there's that. – Marco Bonelli Nov 03 '22 at 16:28
  • Seems like the answer does lie in the point of no return. Once bprm->point_of_no_return is set in begin_new_exec, any errors returned in bprm_execve result in a fatal signal being sent. – patraulea Nov 09 '22 at 13:43
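The following is an added illustration, not the asker's BPF program: a user-space model of the values[pid] scheme from the question, replayed over a hand-constructed event trace. It assumes (this is an inference from the comments, not something the page confirms) that one source of the spurious "UID changed" reports is a stale entry: when an execve dies after begin_new_exec() has already installed the new credentials, the execve return probe never fires, values[pid] keeps the old credentials, and the next task to reuse that PID is compared against them. The second tracker variant clears the entry on task exit (in a real BPF program the sched:sched_process_exit tracepoint is the natural hook; the Tracker, Event and Creds names here are invented for the simulation).

```python
"""Simulated values[pid] tracker modelled on the scheme in the question.

Constructed example: replays a hand-written event trace through an in-memory
model to show how an execve that is killed past the point of no return can
leave a stale entry that later produces a false 'credentials changed' report,
and how clearing the entry on task exit avoids it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syscalls whose return probes refresh values[pid] (the set named in the question).
CRED_CHANGING_RETURNS = {"execve", "execveat", "setns", "unshare",
                         "setuid", "setresuid", "setgid", "setresgid"}


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    nsproxy: int  # stand-in for the identity of the task's nsproxy pointer


@dataclass
class Event:
    kind: str            # "sys_ret", "begin_new_exec" or "task_exit"
    pid: int
    creds: Creds         # the current task's credentials when the probe fires
    syscall: Optional[str] = None


class Tracker:
    """values[pid] bookkeeping; reports (pid, expected, observed) mismatches."""

    def __init__(self, clear_on_exit: bool):
        self.values: Dict[int, Creds] = {}
        self.clear_on_exit = clear_on_exit
        self.reports: List[Tuple[int, Creds, Creds]] = []

    def handle(self, ev: Event) -> None:
        if ev.kind == "sys_ret" and ev.syscall in CRED_CHANGING_RETURNS:
            # Return probe of a credential-changing syscall: record the new state.
            self.values[ev.pid] = ev.creds
        elif ev.kind == "begin_new_exec":
            # Entry probe: compare the live task against what we last recorded.
            known = self.values.get(ev.pid)
            if known is not None and known != ev.creds:
                self.reports.append((ev.pid, known, ev.creds))
        elif ev.kind == "task_exit" and self.clear_on_exit:
            # Exit hook (assumed addition): drop the entry so a reused PID
            # is not compared against a dead task's credentials.
            self.values.pop(ev.pid, None)


def run(trace: List[Event], clear_on_exit: bool) -> List[Tuple[int, Creds, Creds]]:
    tracker = Tracker(clear_on_exit)
    for ev in trace:
        tracker.handle(ev)
    return tracker.reports


def constructed_trace() -> List[Event]:
    """Hand-built trace: PID 42 dies mid-exec, then the PID is reused."""
    root = Creds(uid=0, gid=0, nsproxy=0x1000)
    user = Creds(uid=1000, gid=1000, nsproxy=0x1000)
    return [
        Event("sys_ret", 42, user, "execve"),   # earlier successful exec as uid 1000
        Event("begin_new_exec", 42, user),      # re-exec of a setuid binary: matches
        # begin_new_exec() installed the root creds, then a later load_elf_binary()
        # failure past bprm->point_of_no_return killed the task: execve never
        # returned, so values[42] still says uid 1000.
        Event("task_exit", 42, root),
        # Later an unrelated root-owned task reuses PID 42 and execs.
        Event("begin_new_exec", 42, root),
    ]


if __name__ == "__main__":
    print("without exit cleanup:", run(constructed_trace(), clear_on_exit=False))
    print("with exit cleanup:   ", run(constructed_trace(), clear_on_exit=True))
```

Without the exit hook the final begin_new_exec() is flagged as uid 1000 becoming uid 0, even though no credential change happened outside a syscall; with the hook the stale entry is gone before the PID is reused and nothing is reported.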

0 Answers