From: Andrei Vagin <avagin@gmail.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
"Adrian Reber" <areber@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Pavel Emelyanov" <ovzxemul@gmail.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Dmitry Safonov" <0x7f454c46@gmail.com>,
"Michał Cłapiński" <mclapinski@google.com>,
"Kamil Yurtsever" <kyurtsever@google.com>,
"Dirk Petersen" <dipeit@gmail.com>,
"Christine Flood" <chf@redhat.com>,
"Mike Rapoport" <rppt@linux.ibm.com>,
"Radostin Stoyanov" <rstoyanov1@gmail.com>,
"Cyrill Gorcunov" <gorcunov@openvz.org>,
"Serge Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Arnd Bergmann" <arnd@arndb.de>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"Eric Paris" <eparis@parisplace.org>,
"Jann Horn" <jannh@google.com>
Subject: Re: [PATCH] capabilities: Introduce CAP_RESTORE
Date: Sun, 7 Jun 2020 19:09:47 -0700 [thread overview]
Message-ID: <CANaxB-zb9xSxkP+AThVUA_gxU2AOKhj=vOcFdquTjQpxH_J1og@mail.gmail.com> (raw)
In-Reply-To: <20200528094839.gw7aqd3xs3kix273@wittgenstein>
> >
> > I would argue that setting the current process exe file check should just be reduced to a "can you ptrace a children" check.
> > Here's why: any process can masquerade into another executable with ptrace.
> > One can fork a child, ptrace it, have the child execve("target_exe"), then replace its memory content with an arbitrary program.
>
> Then it should probably be relaxed to CAP_SYS_PTRACE in the user
> namespace and not CAP_CHECKPOINT_RESTORE. (But apparently you also have
> a way of achieving what you want anyway. Imho, it's not necessarily
> wrong to require a bit more work when you want something like fully
> unprivileged c/r that's a rather special interest group.)
>
> > With CRIU's libcompel parasite mechanism (https://criu.org/Compel) this is fairly easy to implement.
> > In fact, we could modify CRIU to do just that (but with a fair amount of efforts due to the way CRIU is written),
> > and not rely on being able to SET_MM_EXE_FILE via prctl(). In turn, that would give an easy way to masquerade any process
> > into another one, provided that one can ptrace a child.
> >
I think you misunderstand this. In the case of malicious processes,
when only one or two processes must be hidden, they can use this trick
with execve+ptrace and this is relatively simple. But in the case of
CRIU, where we need to restore a process tree with cow memory
mappings, shared mappings, file descriptors and etc, this trick with
execve+ptrace doesn't work at all. We are in a weird situation when
malicious processes can do some operations, but useful tools like CRIU
needed to be running with extra capabilities that actually reduces the
security of the entire system.
next prev parent reply other threads:[~2020-06-08 2:10 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-22 5:53 [PATCH] capabilities: Introduce CAP_RESTORE Adrian Reber
2020-05-22 7:53 ` Christian Brauner
2020-05-22 18:02 ` Andrei Vagin
2020-05-22 13:41 ` Christian Brauner
2020-05-22 16:40 ` Casey Schaufler
2020-05-23 4:27 ` Andrei Vagin
2020-05-25 2:01 ` Casey Schaufler
2020-05-25 8:05 ` Adrian Reber
2020-05-25 18:55 ` Casey Schaufler
2020-05-27 13:48 ` Adrian Reber
2020-05-27 15:57 ` Casey Schaufler
2020-05-27 16:37 ` Nicolas Viennot
2020-05-27 16:46 ` Casey Schaufler
2020-05-26 13:59 ` Eric W. Biederman
[not found] ` <CALKUemw0UZ67yaDwAomHh0n8QZfjd52QvgEXTJ4R3JSrQjZX9g@mail.gmail.com>
2020-05-26 19:19 ` Casey Schaufler
2020-05-26 19:51 ` Jann Horn
2020-05-27 14:14 ` Adrian Reber
2020-05-27 15:29 ` Christian Brauner
2020-05-27 18:05 ` Nicolas Viennot
2020-05-28 9:48 ` Christian Brauner
2020-06-08 2:09 ` Andrei Vagin [this message]
2020-05-25 21:53 ` Jann Horn
2020-05-26 9:09 ` Radostin Stoyanov
2020-06-12 0:17 ` Matt Helsley
2020-06-12 14:39 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANaxB-zb9xSxkP+AThVUA_gxU2AOKhj=vOcFdquTjQpxH_J1og@mail.gmail.com' \
--to=avagin@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=Nicolas.Viennot@twosigma.com \
--cc=areber@redhat.com \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=chf@redhat.com \
--cc=christian.brauner@ubuntu.com \
--cc=dipeit@gmail.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=gorcunov@openvz.org \
--cc=jannh@google.com \
--cc=kyurtsever@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mclapinski@google.com \
--cc=oleg@redhat.com \
--cc=ovzxemul@gmail.com \
--cc=rppt@linux.ibm.com \
--cc=rstoyanov1@gmail.com \
--cc=sargun@sargun.me \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).