From: Casey Schaufler <casey@schaufler-ca.com>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jamie Lokier <jamie@shareable.org>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
akpm@linux-foundation.org, khilman@ti.com,
borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
alan@lxorguk.ukuu.org.uk,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Sun, 15 Jan 2012 13:32:11 -0800 [thread overview]
Message-ID: <4F1345DB.8040303@schaufler-ca.com> (raw)
In-Reply-To: <CAObL_7FE1NGJLNu-xUkyzCfZ7OSHO16p-4Lk2h5emkE7CGxC_Q@mail.gmail.com>
On 1/15/2012 12:59 PM, Andrew Lutomirski wrote:
> On Sun, Jan 15, 2012 at 12:16 PM, Casey Schaufler
> <casey@schaufler-ca.com> wrote:
>> On 1/14/2012 12:22 PM, Linus Torvalds wrote:
>>> And yes, I really seriously do believe that is both safer and simpler
>>> than some model that says "you can drop stuff", and then you have to
>>> start making up rules for what "dropping" means.
>>>
>>> Does "dropping" mean allowing setuid(geteuid()) for example? That *is*
>>> dropping the uid in a _POSIX_SAVED_IDS environment. And I'm saying
>>> that no, we should not even allow that. It's simply all too "subtle".
>>
>> I am casting my two cents worth behind Linus. Dropping
>> privilege can be every bit as dangerous as granting privilege
>> in the real world of atrocious user land code. Especially in
>> the case of security policy enforcing user land code.
> Can you think of *any* plausible attack that is possible with my patch
> (i.e. no_new_privs allows setuid, setresuid, and capset) that would be
> prevented or even mitigated if I blocked those syscalls? I can't.
> (The sendmail-style attack is impossible with no_new_privs.)
I am notoriously bad at coming up with this sort of example.
I will try, I may not hit the mark, but it should be close.
The application is running with saved uid != euid when
no-new-privs is set. It execs a new binary, which keeps
the saved and effective uids. The program calls setreuid,
which succeeds. It opens the saved userid's files.
Some people reading this will say this is expected and
appropriate behavior, and others will say it's an exploit
under sandbox conditions. Those in the latter group can
point out that blocking setreuid() would prevent what
they consider an exploit. Those in the former group will
say blocking the setreuid would introduce a denial of
service that could lead to an exploit if the program is
poorly written.
Because the correctness of the behavior is ambiguous
(to me at least) when no_new_privs is set I argue that
we shouldn't have it. If we are going to have it my
feeling is that it should be as draconian as possible.
Because you can't always tell if state A is "more"
privileged than state B, any change between A and B has
to be treated as an escalation.
>
> Also, how would you even block setuid(2) in a non-confusing manner?
> The semantics and error returns are already such a disaster than it's
> barely worth it for anything to check the return value.
>
>> This even more important in environments that support fine
>> granularity of privilege, including capabilities and SELinux.
>> Under SELinux a domain transition can increase, decrease or
>> completely change a process' access rights and there is really
>> no way for the kernel to tell which it is because that's all
>> encoded in the arbitrary SELinux policy. Smack does not try
>> to maintain a notion of hierarchy of privilege, so the notion
>> of any change being equivalent to any other is in line with
>> the Smack philosophy.
>>
> My patch does not (barring bugs) allow selinux domain transitions. I
> certainly think that all security transitions that vary across
> distributions should be blocked by no_new_privs.
>
> --Andy
>
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jamie Lokier <jamie@shareable.org>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
akpm@linux-foundation.org, khilman@ti.com,
borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
alan@lxorguk.ukuu.org.uk, Casey Schaufler <casey@schauf
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Sun, 15 Jan 2012 13:32:11 -0800 [thread overview]
Message-ID: <4F1345DB.8040303@schaufler-ca.com> (raw)
In-Reply-To: <CAObL_7FE1NGJLNu-xUkyzCfZ7OSHO16p-4Lk2h5emkE7CGxC_Q@mail.gmail.com>
On 1/15/2012 12:59 PM, Andrew Lutomirski wrote:
> On Sun, Jan 15, 2012 at 12:16 PM, Casey Schaufler
> <casey@schaufler-ca.com> wrote:
>> On 1/14/2012 12:22 PM, Linus Torvalds wrote:
>>> And yes, I really seriously do believe that is both safer and simpler
>>> than some model that says "you can drop stuff", and then you have to
>>> start making up rules for what "dropping" means.
>>>
>>> Does "dropping" mean allowing setuid(geteuid()) for example? That *is*
>>> dropping the uid in a _POSIX_SAVED_IDS environment. And I'm saying
>>> that no, we should not even allow that. It's simply all too "subtle".
>>
>> I am casting my two cents worth behind Linus. Dropping
>> privilege can be every bit as dangerous as granting privilege
>> in the real world of atrocious user land code. Especially in
>> the case of security policy enforcing user land code.
> Can you think of *any* plausible attack that is possible with my patch
> (i.e. no_new_privs allows setuid, setresuid, and capset) that would be
> prevented or even mitigated if I blocked those syscalls? I can't.
> (The sendmail-style attack is impossible with no_new_privs.)
I am notoriously bad at coming up with this sort of example.
I will try, I may not hit the mark, but it should be close.
The application is running with saved uid != euid when
no-new-privs is set. It execs a new binary, which keeps
the saved and effective uids. The program calls setreuid,
which succeeds. It opens the saved userid's files.
Some people reading this will say this is expected and
appropriate behavior, and others will say it's an exploit
under sandbox conditions. Those in the latter group can
point out that blocking setreuid() would prevent what
they consider an exploit. Those in the former group will
say blocking the setreuid would introduce a denial of
service that could lead to an exploit if the program is
poorly written.
Because the correctness of the behavior is ambiguous
(to me at least) when no_new_privs is set I argue that
we shouldn't have it. If we are going to have it my
feeling is that it should be as draconian as possible.
Because you can't always tell if state A is "more"
privileged than state B, any change between A and B has
to be treated as an escalation.
>
> Also, how would you even block setuid(2) in a non-confusing manner?
> The semantics and error returns are already such a disaster than it's
> barely worth it for anything to check the return value.
>
>> This even more important in environments that support fine
>> granularity of privilege, including capabilities and SELinux.
>> Under SELinux a domain transition can increase, decrease or
>> completely change a process' access rights and there is really
>> no way for the kernel to tell which it is because that's all
>> encoded in the arbitrary SELinux policy. Smack does not try
>> to maintain a notion of hierarchy of privilege, so the notion
>> of any change being equivalent to any other is in line with
>> the Smack philosophy.
>>
> My patch does not (barring bugs) allow selinux domain transitions. I
> certainly think that all security transitions that vary across
> distributions should be blocked by no_new_privs.
>
> --Andy
>
next prev parent reply other threads:[~2012-01-15 21:32 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-12 23:38 [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Will Drewry
2012-01-12 23:38 ` [PATCH v3 2/3] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-13 0:51 ` Randy Dunlap
2012-01-12 23:59 ` Will Drewry
2012-01-12 23:59 ` Will Drewry
2012-01-13 1:35 ` Randy Dunlap
2012-01-13 17:39 ` Eric Paris
2012-01-13 18:50 ` Will Drewry
2012-01-13 18:50 ` Will Drewry
2012-01-12 23:38 ` [PATCH v3 3/3] Documentation: prctl/seccomp_filter Will Drewry
2012-01-15 1:52 ` Randy Dunlap
2012-01-16 1:41 ` Will Drewry
2012-01-17 23:29 ` Eric Paris
2012-01-17 23:29 ` Eric Paris
2012-01-17 23:54 ` Will Drewry
2012-01-12 23:47 ` [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Linus Torvalds
2012-01-13 0:03 ` Will Drewry
2012-01-13 0:42 ` Andrew Lutomirski
2012-01-13 0:57 ` Linus Torvalds
2012-01-13 0:57 ` Linus Torvalds
2012-01-13 1:11 ` Andrew Lutomirski
2012-01-13 1:11 ` Andrew Lutomirski
2012-01-13 1:17 ` Linus Torvalds
2012-01-14 13:30 ` Jamie Lokier
2012-01-14 19:21 ` Will Drewry
2012-01-14 19:21 ` Will Drewry
2012-01-14 20:22 ` Linus Torvalds
2012-01-14 21:04 ` Andrew Lutomirski
2012-01-15 20:16 ` Casey Schaufler
2012-01-15 20:59 ` Andrew Lutomirski
2012-01-15 21:32 ` Casey Schaufler [this message]
2012-01-15 21:32 ` Casey Schaufler
2012-01-15 22:07 ` Andrew Lutomirski
2012-01-16 2:04 ` Will Drewry
2012-01-16 2:04 ` Will Drewry
2012-01-18 3:12 ` Eric W. Biederman
2012-01-18 3:12 ` Eric W. Biederman
2012-01-16 2:41 ` Casey Schaufler
2012-01-16 2:41 ` Casey Schaufler
2012-01-16 7:45 ` Andrew Lutomirski
2012-01-16 18:02 ` Casey Schaufler
2012-01-16 18:02 ` Casey Schaufler
2012-01-13 1:37 ` Will Drewry
2012-01-13 1:41 ` Andrew Lutomirski
2012-01-13 1:41 ` Andrew Lutomirski
2012-01-13 2:09 ` Kees Cook
2012-01-13 2:09 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F1345DB.8040303@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=amwang@redhat.com \
--cc=avi@redhat.com \
--cc=borislav.petkov@amd.com \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=daniel.lezcano@free.fr \
--cc=dhowells@redhat.com \
--cc=djm@mindrot.org \
--cc=dlaor@redhat.com \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=gregkh@suse.de \
--cc=jamie@shareable.org \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=khilman@ti.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mhalcrow@google.com \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=olofj@chromium.org \
--cc=penberg@cs.helsinki.fi \
--cc=pmoore@redhat.com \
--cc=rostedt@goodmis.org \
--cc=scarybeasts@gmail.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.