From: Casey Schaufler <casey@schaufler-ca.com>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jamie Lokier <jamie@shareable.org>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
akpm@linux-foundation.org, khilman@ti.com,
borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
alan@lxorguk.ukuu.org.uk,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Mon, 16 Jan 2012 10:02:29 -0800 [thread overview]
Message-ID: <4F146635.8070304@schaufler-ca.com> (raw)
In-Reply-To: <CAObL_7HaeRBpjLzp=B8z5n8KQPTPVmYTvbOw+w3eQbjWL-3E=w@mail.gmail.com>
On 1/15/2012 11:45 PM, Andrew Lutomirski wrote:
> On Sun, Jan 15, 2012 at 6:41 PM, Casey Schaufler<casey@schaufler-ca.com> wrote:
>> On 1/15/2012 2:07 PM, Andrew Lutomirski wrote:
>>> On Sun, Jan 15, 2012 at 1:32 PM, Casey Schaufler<casey@schaufler-ca.com>
>>>
>>> If you don't trust that binary, then why are you execing it with saved
>>> uid != euid in the first place?
>>
>> If I could trust the binary I wouldn't need your no_new_privs
>> semantics in the first place. Do you have any idea how big the
>> chrome browser binary is? You can't link it on a 32bit machine
>> it uses so much address space. On top of that, most modern
>> applications are compositions of scripts and interpreters built
>> on top of multiple layers of middleware. Of course I don't trust
>> the binary!
>>
> I'm not sure we're really talking about the same thing here. I agree
> that, if you are trying to sandbox untrusted code, then you probably
> don't want that code messing with setuid, capset, or any other
> privilege-changing operation.
My point is that if you're interacting with untrusted code it's
somewhat dangerous to change system call behavior and if you're
dealing strictly with trusted code you don't need to change
system call behavior.
> no_new_privs is not intended to be that sandbox. It is, by itself, at
> best a small reduction in attack surface.
My preference is that we not complicate an environment that has
already proven too difficult for many programmers to use effectively.
> The attack surface accessible to a program (e.g. chrome) that you run
> normally is huge. There is filesystem access, ptrace, unix sockets,
> any available privileges, setuid programs, /proc, etc. LSMs try to
> characterize and control that whole attack surface. seccomp mode 2
> allows a whitelisting approach in which everything is denied except
> that which is explicitly allowed (and I think that's a much better
> approach to sandboxing things). The problem is that seccomp mode 2,
> as well as anything else that changes the behavior of syscalls in a
> nonstandard way (chroot, unshare, etc), can cause existing code to
> malfunction. That's how the sendmail bug came to be -- dropping a
> privilege made sendmail do the wrong thing. This type of attack works
> by changing something that persists across a *gain* of privilege and
> then attacking the code that gains that privilege. If new things like
> seccomp mode 2 require no_new_privs, then that entire class of attacks
> is prevented.
Believe me, I am familiar with programs, trusted and otherwise,
that go wonky when there are little changes in the behavior of
syscalls. My take is that making security decisions based on the
system call used rather than on the thing being accessed leads
the programmer to expect behavior that does not always match the
underlying implementation. Yes, system call based controls are
easier to use and understand. That does not make them correct.
> In answer to your specific example, if you are trying to sandbox
> chrome or anything else and you forget to drop your privileged saved
> uid, I really don't think it's no_new_privs's job to rescue you.
As much as I dislike the modern application paradigms, I don't
see a lot of point in investing in new security facilities that
are not of value in that arena. And I really mean of value, not
just something that some "architect" threw onto a spreadsheet for
the PM to track. I expect that we're overdue for a mindset changing
sort of facility to address the issues that really matter.
Patches for that to follow, but not any time soon. :-)
>
> --Andy
>
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jamie Lokier <jamie@shareable.org>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
akpm@linux-foundation.org, khilman@ti.com,
borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
alan@lxorguk.ukuu.org.uk, Casey Schaufler <casey@schauf
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Mon, 16 Jan 2012 10:02:29 -0800 [thread overview]
Message-ID: <4F146635.8070304@schaufler-ca.com> (raw)
In-Reply-To: <CAObL_7HaeRBpjLzp=B8z5n8KQPTPVmYTvbOw+w3eQbjWL-3E=w@mail.gmail.com>
On 1/15/2012 11:45 PM, Andrew Lutomirski wrote:
> On Sun, Jan 15, 2012 at 6:41 PM, Casey Schaufler<casey@schaufler-ca.com> wrote:
>> On 1/15/2012 2:07 PM, Andrew Lutomirski wrote:
>>> On Sun, Jan 15, 2012 at 1:32 PM, Casey Schaufler<casey@schaufler-ca.com>
>>>
>>> If you don't trust that binary, then why are you execing it with saved
>>> uid != euid in the first place?
>>
>> If I could trust the binary I wouldn't need your no_new_privs
>> semantics in the first place. Do you have any idea how big the
>> chrome browser binary is? You can't link it on a 32bit machine
>> it uses so much address space. On top of that, most modern
>> applications are compositions of scripts and interpreters built
>> on top of multiple layers of middleware. Of course I don't trust
>> the binary!
>>
> I'm not sure we're really talking about the same thing here. I agree
> that, if you are trying to sandbox untrusted code, then you probably
> don't want that code messing with setuid, capset, or any other
> privilege-changing operation.
My point is that if you're interacting with untrusted code it's
somewhat dangerous to change system call behavior and if you're
dealing strictly with trusted code you don't need to change
system call behavior.
> no_new_privs is not intended to be that sandbox. It is, by itself, at
> best a small reduction in attack surface.
My preference is that we not complicate an environment that has
already proven too difficult for many programmers to use effectively.
> The attack surface accessible to a program (e.g. chrome) that you run
> normally is huge. There is filesystem access, ptrace, unix sockets,
> any available privileges, setuid programs, /proc, etc. LSMs try to
> characterize and control that whole attack surface. seccomp mode 2
> allows a whitelisting approach in which everything is denied except
> that which is explicitly allowed (and I think that's a much better
> approach to sandboxing things). The problem is that seccomp mode 2,
> as well as anything else that changes the behavior of syscalls in a
> nonstandard way (chroot, unshare, etc), can cause existing code to
> malfunction. That's how the sendmail bug came to be -- dropping a
> privilege made sendmail do the wrong thing. This type of attack works
> by changing something that persists across a *gain* of privilege and
> then attacking the code that gains that privilege. If new things like
> seccomp mode 2 require no_new_privs, then that entire class of attacks
> is prevented.
Believe me, I am familiar with programs, trusted and otherwise,
that go wonky when there are little changes in the behavior of
syscalls. My take is that making security decisions based on the
system call used rather than on the thing being accessed leads
the programmer to expect behavior that does not always match the
underlying implementation. Yes, system call based controls are
easier to use and understand. That does not make them correct.
> In answer to your specific example, if you are trying to sandbox
> chrome or anything else and you forget to drop your privileged saved
> uid, I really don't think it's no_new_privs's job to rescue you.
As much as I dislike the modern application paradigms, I don't
see a lot of point in investing in new security facilities that
are not of value in that arena. And I really mean of value, not
just something that some "architect" threw onto a spreadsheet for
the PM to track. I expect that we're overdue for a mindset changing
sort of facility to address the issues that really matter.
Patches for that to follow, but not any time soon. :-)
>
> --Andy
>
next prev parent reply other threads:[~2012-01-16 18:03 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-12 23:38 [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Will Drewry
2012-01-12 23:38 ` [PATCH v3 2/3] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-13 0:51 ` Randy Dunlap
2012-01-12 23:59 ` Will Drewry
2012-01-12 23:59 ` Will Drewry
2012-01-13 1:35 ` Randy Dunlap
2012-01-13 17:39 ` Eric Paris
2012-01-13 18:50 ` Will Drewry
2012-01-13 18:50 ` Will Drewry
2012-01-12 23:38 ` [PATCH v3 3/3] Documentation: prctl/seccomp_filter Will Drewry
2012-01-15 1:52 ` Randy Dunlap
2012-01-16 1:41 ` Will Drewry
2012-01-17 23:29 ` Eric Paris
2012-01-17 23:29 ` Eric Paris
2012-01-17 23:54 ` Will Drewry
2012-01-12 23:47 ` [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Linus Torvalds
2012-01-13 0:03 ` Will Drewry
2012-01-13 0:42 ` Andrew Lutomirski
2012-01-13 0:57 ` Linus Torvalds
2012-01-13 0:57 ` Linus Torvalds
2012-01-13 1:11 ` Andrew Lutomirski
2012-01-13 1:11 ` Andrew Lutomirski
2012-01-13 1:17 ` Linus Torvalds
2012-01-14 13:30 ` Jamie Lokier
2012-01-14 19:21 ` Will Drewry
2012-01-14 19:21 ` Will Drewry
2012-01-14 20:22 ` Linus Torvalds
2012-01-14 21:04 ` Andrew Lutomirski
2012-01-15 20:16 ` Casey Schaufler
2012-01-15 20:59 ` Andrew Lutomirski
2012-01-15 21:32 ` Casey Schaufler
2012-01-15 21:32 ` Casey Schaufler
2012-01-15 22:07 ` Andrew Lutomirski
2012-01-16 2:04 ` Will Drewry
2012-01-16 2:04 ` Will Drewry
2012-01-18 3:12 ` Eric W. Biederman
2012-01-18 3:12 ` Eric W. Biederman
2012-01-16 2:41 ` Casey Schaufler
2012-01-16 2:41 ` Casey Schaufler
2012-01-16 7:45 ` Andrew Lutomirski
2012-01-16 18:02 ` Casey Schaufler [this message]
2012-01-16 18:02 ` Casey Schaufler
2012-01-13 1:37 ` Will Drewry
2012-01-13 1:41 ` Andrew Lutomirski
2012-01-13 1:41 ` Andrew Lutomirski
2012-01-13 2:09 ` Kees Cook
2012-01-13 2:09 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F146635.8070304@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=amwang@redhat.com \
--cc=avi@redhat.com \
--cc=borislav.petkov@amd.com \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=daniel.lezcano@free.fr \
--cc=dhowells@redhat.com \
--cc=djm@mindrot.org \
--cc=dlaor@redhat.com \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=gregkh@suse.de \
--cc=jamie@shareable.org \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=khilman@ti.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mhalcrow@google.com \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=olofj@chromium.org \
--cc=penberg@cs.helsinki.fi \
--cc=pmoore@redhat.com \
--cc=rostedt@goodmis.org \
--cc=scarybeasts@gmail.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.