From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Cc: "linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"spender@grsecurity.net" <spender@grsecurity.net>,
"jmorris@namei.org" <jmorris@namei.org>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
"Leibowitz, Michael" <michael.leibowitz@intel.com>,
"Roberts, William C" <william.c.roberts@intel.com>
Subject: RE: [kernel-hardening] [RFC] [PATCH 1/5] path_fchdir and path_fhandle LSM hooks
Date: Mon, 1 Aug 2016 08:38:45 +0000 [thread overview]
Message-ID: <2236FBA76BA1254E88B949DDB74E612B41B70522@IRSMSX102.ger.corp.intel.com> (raw)
In-Reply-To: <20160731212318.GA31482@pc.thejh.net>
[-- Attachment #1: Type: text/plain, Size: 1996 bytes --]
>On Sun, Jul 31, 2016 at 06:28:08PM +0000, Reshetova, Elena wrote:
> On Sun, Jul 31, 2016 at 10:55:04AM +0000, Reshetova, Elena wrote:
[...]
> >Alternatively, you could forbid double-chroots and use the LSM hooks
> >for
> file descriptor passing via unix domain sockets and binder to check
> incoming file descriptors.
>
> This would not prevent guessing the file descriptor unfortunately.
>That doesn't make sense to me. Can you elaborate on that, please?
>How would you "guess" a file descriptor? Are you talking about file
descriptors opened before chroot() that have been leaked accidentally?
Yes, these ones. Also I guess in general security-wise it is better approach
to have a check in a place where descriptor will be attempted to
use/resolved vs. trying to make sure you caught all cases where/how process
might obtain some.
Various IPC, leaked descriptors, some other potential surprises... But I
think in this case it might be worth trying to do what you suggest since I
don't see good alternatives either.
>In that case, you could just do on chroot() what SELinux does on a domain
transition and replace all dangerous open file descriptors with /dev/null.
I guess this could work, if I can correctly close the ones that are outside
of the chroot. I will check how SELinux does it. Thank you for the tip!
>Or are you concerned about shared file descriptor tables (which really
shouldn't happen accidentally,
You mean CLONE_FILES on clone()? If yes, then I am less concerned of this
since it really not common as far as I understood for legitimate
processes/daemons to be started this way. However, if this case needs to be
addressed, it is trickier, you cannot just substitute these ones with
/dev/null without breaking the parent also and you would need to check them
all, not just opened ones.
> at least when you keep in mind that for this to be an issue, the fs_struct
would have to not be shared)?
What do you mean by the last part? Not sure I understand here...
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 7586 bytes --]
next prev parent reply other threads:[~2016-08-01 8:38 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-29 7:34 [kernel-hardening] [RFC] [PATCH 0/5] Hardchroot LSM + additional hooks Elena Reshetova
2016-07-29 7:34 ` [kernel-hardening] [RFC] [PATCH 1/5] path_fchdir and path_fhandle LSM hooks Elena Reshetova
2016-07-29 18:12 ` Jann Horn
2016-07-31 10:55 ` Reshetova, Elena
2016-07-31 12:02 ` Jann Horn
2016-07-31 18:28 ` Reshetova, Elena
2016-07-31 21:23 ` Jann Horn
2016-08-01 8:38 ` Reshetova, Elena [this message]
2016-07-29 7:34 ` [kernel-hardening] [RFC] [PATCH 2/5] task_unshare LSM hook Elena Reshetova
2016-07-29 17:58 ` Jann Horn
2016-07-29 18:17 ` Reshetova, Elena
2016-07-29 7:34 ` [kernel-hardening] [RFC] [PATCH 3/5] sb_unsharefs " Elena Reshetova
2016-07-29 18:02 ` Jann Horn
2016-07-29 18:09 ` Reshetova, Elena
2016-07-29 18:15 ` Jann Horn
2016-07-29 18:19 ` Reshetova, Elena
2016-07-29 7:34 ` [kernel-hardening] [RFC] [PATCH 4/5] invoke path_chroot() LSM hook on mntns_install() Elena Reshetova
2016-07-29 18:11 ` Jann Horn
2016-07-31 10:39 ` Reshetova, Elena
2016-07-31 11:29 ` Jann Horn
2016-08-01 9:26 ` Reshetova, Elena
2016-07-29 7:34 ` [kernel-hardening] [RFC] [PATCH 5/5] Hardchroot LSM Elena Reshetova
2016-07-29 11:44 ` [kernel-hardening] " Brad Spengler
2016-07-29 12:15 ` [kernel-hardening] " Reshetova, Elena
2016-07-29 12:25 ` Reshetova, Elena
2016-07-29 18:53 ` [kernel-hardening] " Jann Horn
2016-07-29 19:20 ` Casey Schaufler
2016-07-29 20:53 ` Jann Horn
2016-07-29 21:10 ` Casey Schaufler
2016-07-29 21:50 ` Jann Horn
2016-07-30 6:10 ` Reshetova, Elena
2016-08-03 6:36 ` [kernel-hardening] Re: [RFC] [PATCH 0/5] Hardchroot LSM + additional hooks James Morris
2016-08-05 7:53 ` [kernel-hardening] " Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2236FBA76BA1254E88B949DDB74E612B41B70522@IRSMSX102.ger.corp.intel.com \
--to=elena.reshetova@intel.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-security-module@vger.kernel.org \
--cc=michael.leibowitz@intel.com \
--cc=spender@grsecurity.net \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.