From: Will Drewry <wad@chromium.org>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Jamie Lokier <jamie@shareable.org>,
	linux-kernel@vger.kernel.org, keescook@chromium.org,
	john.johansen@canonical.com, serge.hallyn@canonical.com,
	coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
	djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
	jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
	penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
	akpm@linux-foundation.org, khilman@ti.com,
	borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
	ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
	dhowells@redhat.com, daniel.lezcano@free.fr,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, olofj@chromium.org,
	mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
	alan@lxorguk.ukuu.org.uk
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Sun, 15 Jan 2012 20:04:13 -0600
Message-ID: <CABqD9haumYV6SizAXeR9Os69QgYEkW6fBC27dAYhOr-8U=p6_A@mail.gmail.com>
In-Reply-To: <CAObL_7F4hEvdyJLNhodOOETTv-Dur8gEadLkzESQWFC2C57t7w@mail.gmail.com>

On Sun, Jan 15, 2012 at 4:07 PM, Andrew Lutomirski <luto@mit.edu> wrote:
> On Sun, Jan 15, 2012 at 1:32 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 1/15/2012 12:59 PM, Andrew Lutomirski wrote:
>>>
>>> On Sun, Jan 15, 2012 at 12:16 PM, Casey Schaufler
>>> <casey@schaufler-ca.com>  wrote:
>>>>
>>>> On 1/14/2012 12:22 PM, Linus Torvalds wrote:
>>>>>
>>>>> And yes, I really seriously do believe that is both safer and simpler
>>>>> than some model that says "you can drop stuff", and then you have to
>>>>> start making up rules for what "dropping" means.
>>>>>
>>>>> Does "dropping" mean allowing setuid(geteuid()) for example? That *is*
>>>>> dropping the uid in a _POSIX_SAVED_IDS environment. And I'm saying
>>>>> that no, we should not even allow that. It's simply all too "subtle".
>>>>
>>>>
>>>> I am casting my two cents worth behind Linus. Dropping
>>>> privilege can be every bit as dangerous as granting privilege
>>>> in the real world of atrocious user land code. Especially in
>>>> the case of security policy enforcing user land code.
>>>
>>> Can you think of *any* plausible attack that is possible with my patch
>>> (i.e. no_new_privs allows setuid, setresuid, and capset) that would be
>>> prevented or even mitigated if I blocked those syscalls?  I can't.
>>> (The sendmail-style attack is impossible with no_new_privs.)
>>
>>
>> I am notoriously bad at coming up with this sort of example.
>> I will try, I may not hit the mark, but it should be close.
>>
>> The application is running with saved uid != euid when
>> no-new-privs is set. It execs a new binary, which keeps
>> the saved and effective uids. The program calls setreuid,
>> which succeeds. It opens the saved userid's files.
>
> If you don't trust that binary, then why are you execing it with saved
> uid != euid in the first place?  If you are setting no_new_privs, then
> you are new code and should have at least some basic awareness of the
> semantics.  The exact same "exploit" is possible if you have
> CAP_DAC_OVERRIDE with either no_new_privs semantics -- if you have a
> privilege and you run untrusted code, then you had better remove that
> privilege somehow for the untrusted code.
>
> IOW, *drop privileges if you are a sandbox*.  Otherwise you're screwed
> with or without no_new_privs.

One consideration could be to add do_exit()s at known DAC transitions
(set*id, fcaps). I don't know if that'd be wise, but it would remove
some described ambiguity.  The same could be done with exec when the
(e)uid/gid/fcaps change.  However, none of that helps with the opaque
LSM data, so that'd have to be left up to the LSMs and the LSM_* flag
you've added.

This does seem subject to bitrot though, and your current approach
certainly suits the needs of the general
don't-do-something-stupid-on-exec that seccomp filter, unprivileged
chroot, unshare, etc all need (which is really nice).

> Another way of saying this is: no_new_privs is not a sandbox.  It's
> just a way to make it safe for sandboxes and other such weird things
> processes can do to themselves safe across execve.  If you want a
> sandbox, use seccomp mode 2, which will require you to set
> no_new_privs.

And even with system call filtering, you'll need to have appropriately
set up accessible files, file descriptors, memory maps, etc if you
want a proper sandbox.  There's no single sandbox-equivalent kernel
feature.  no_new_privs would be an excellent addition to the sandbox
toolkit. (I've tried to synthesize it in userspace with an empty
capability bounding set, SECURE_NOROOT, and MNT_NOSUID.  Having this
in a future-proof task_struct bit form would be amazing.)

cheers!
will
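
An added example, not part of the original message or of the patch under discussion: a probe for the semantics debated above (the bit is one-way, survives fork, and does not block the `setuid(geteuid())` call quoted in the thread). It assumes the interface that later reached mainline, `prctl(PR_SET_NO_NEW_PRIVS)` (Linux 3.5 and newer), which this message does not name; the `NNP_*` names and `nnp_probe()` are hypothetical.

```c
#include <errno.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result bits reported by nnp_probe(); the names are this example's own. */
enum {
    NNP_SET       = 1, /* bit reads back as 1 after being set */
    NNP_STICKY    = 2, /* clearing it is refused with EINVAL */
    NNP_INHERITED = 4, /* a fork()ed child still has it */
    NNP_SETUID_OK = 8  /* setuid(geteuid()) is still permitted */
};

/* Runs in a throwaway child so the caller's own bit stays untouched. */
static int probe_in_child(void)
{
    int flags = 0, st;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        flags |= NNP_SET;
    /* One-way: the kernel rejects any value other than 1. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL &&
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        flags |= NNP_STICKY;
    pid_t g = fork();
    if (g == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    if (g > 0 && waitpid(g, &st, 0) == g && WIFEXITED(st) && !WEXITSTATUS(st))
        flags |= NNP_INHERITED;
    /* The call quoted in the thread: no_new_privs does not block it. */
    if (setuid(geteuid()) == 0)
        flags |= NNP_SETUID_OK;
    return flags;
}

/* Returns the OR of the NNP_* bits observed, or -1 if the probe could not run. */
int nnp_probe(void)
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe_in_child());
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}
```

A result of 15 means all four properties held; the bit governs what execve may grant, so a process that still holds a saved uid or a capability keeps it unless it drops it itself.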
