All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Mickaël Salaün" <mic@digikod.net>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"James Morris" <jmorris@namei.org>,
	"Serge Hallyn" <serge@hallyn.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Christoph Hellwig <hch@lst.de>,
	David Howells <dhowells@redhat.com>,
	Dominik Brodowski <linux@dominikbrodowski.net>,
	Eric Biederman <ebiederm@xmission.com>,
	John Johansen <john.johansen@canonical.com>,
	Kees Cook <keescook@chromium.org>,
	Kentaro Takeda <takedakn@nttdata.co.jp>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	kernel-hardening@lists.openwall.com,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v1 0/1] Unprivileged chroot
Date: Wed, 10 Mar 2021 09:22:16 -0800	[thread overview]
Message-ID: <4b9a1bb3-94f0-72af-f8f6-27f1ca2b43a2@schaufler-ca.com> (raw)
In-Reply-To: <20210310161000.382796-1-mic@digikod.net>

On 3/10/2021 8:09 AM, Mickaël Salaün wrote:
> Hi,
>
> The chroot system call is currently limited to be used by processes with
> the CAP_SYS_CHROOT capability.  This protects against malicious
> procesess willing to trick SUID-like binaries.  The following patch
> allows unprivileged users to safely use chroot(2).

Mount namespaces have pretty well obsoleted chroot(). CAP_SYS_CHROOT is
one of the few fine grained capabilities. We're still finding edge cases
(e.g. ptrace) where no_new_privs is imperfect. I doesn't seem that there
is a compelling reason to remove the privilege requirement on chroot().

>
> This patch is a follow-up of a previous one sent by Andy Lutomirski some
> time ago:
> https://lore.kernel.org/lkml/0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327858005.git.luto@amacapital.net/
>
> This patch can be applied on top of v5.12-rc2 .  I would really
> appreciate constructive reviews.
>
> Regards,
>
> Mickaël Salaün (1):
>   fs: Allow no_new_privs tasks to call chroot(2)
>
>  fs/open.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 61 insertions(+), 3 deletions(-)
>
>
> base-commit: a38fd8748464831584a19438cbb3082b5a2dab15


  parent reply	other threads:[~2021-03-10 17:23 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-10 16:09 [PATCH v1 0/1] Unprivileged chroot Mickaël Salaün
2021-03-10 16:10 ` [PATCH v1 1/1] fs: Allow no_new_privs tasks to call chroot(2) Mickaël Salaün
2021-03-10 16:56   ` Eric W. Biederman
2021-03-10 18:13     ` Mickaël Salaün
2021-03-10 17:22 ` Casey Schaufler [this message]
2021-03-10 18:17   ` [PATCH v1 0/1] Unprivileged chroot Mickaël Salaün
2021-03-10 20:59     ` Casey Schaufler
2021-03-11 10:42       ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4b9a1bb3-94f0-72af-f8f6-27f1ca2b43a2@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=hch@lst.de \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux@dominikbrodowski.net \
    --cc=luto@amacapital.net \
    --cc=mic@digikod.net \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=serge@hallyn.com \
    --cc=takedakn@nttdata.co.jp \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.