From: Djalal Harouni <tixxdz@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux API <linux-api@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Lafcadio Wluiki <wluikil@gmail.com>
Subject: Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field
Date: Thu, 19 Jan 2017 14:53:32 +0100 [thread overview]
Message-ID: <CAEiveUevjijnmr7oWzQexi52nJm-BjVwAkb3fJinAbet=QvzxQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrWn-DpyR5JCGG0H2_yFxU3UHPHZHByXMc5uAxHgQDtnjA@mail.gmail.com>
On Thu, Jan 19, 2017 at 12:35 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Wed, Jan 18, 2017 at 2:50 PM, Djalal Harouni <tixxdz@gmail.com> wrote:
[...]
>>>>>
>>>>> …
>>>>> prctl(PR_SET_HIDEPID, 2);
>>>>> …
>>>>>
>>>>> And from that point on neither nginx itself, nor any of its child
>>>>> processes may see processes in /proc anymore that belong to a different
>>>>> user than "www-data". Other services running on the same system remain
>>>>> unaffected.
>>>
>>> What affect, if any, does this have on ptrace() permissions?
>>
>> This should not affect ptrace() permissions or other system calls that
>> work directly on pids, the test in procfs is related to inodes before
>> the ptrace check, hmm what do you have in mind ?
>>
>
> I'm wondering what problem you're trying to solve, then. hidepid
> helps lock down procfs, but ISTM you might still want to lock down
> other PID-based APIs.
Yes but they are already locked based on uid checks. procfs was not
and this patch is specifically to align it, and to reduce the ability
to peek data from other processes.
>>
>>> Also, this one-way thing seems wrong to me. I think it should roughly
>>> follow the no_new_privs rules instead. IOW, if you unshare your
>>> pidns, it gets cleared. Also, maybe you shouldn't be able to set it
>>
>> Andy I don't follow here, no_new_privs is never cleared right ? I
>> can't see the corresponding clear bit code for it.
>
> I believe that unsharing userns clears no_new_privs.
No, it is not cleared, and I can't see the clear bit for it. Maybe due
to userns+filesystems limitations it was not noticed.
>>
>> For this one I want it to act like no_new_privs. Also pidns can be
>> created with userns which means it can be revoked. For my use case I
>> want it to be part of *one* single operation where it is set with the
>> other sandbox operations that are all preserved... instead of setting
>> it *again* each time where it can already be late.
>>
>
> I don't see the problem as long as this gets implemented carefully
> enough. If you unshare your userns and your pidns, then you should be
> able to see all tasks in the new pidns, even if you mount a fresh
> procfs pointing at that pidns -- after all, you are privileged in that
> namespace.
That's already the case, if you are privileged you can see all tasks,
the code is written that the per-task hidepid does not overwrite
capabilities.
>>
>>> without either having CAP_SYS_ADMIN over your userns or having
>>> no_new_privs set.
>>
>> For this one I can add it sure. Historically that logic was added to
>> make seccomp more usable, for this patch the values can't be relaxed,
>> they are always increased never decreased. However one minor advantage
>> if you require no_new_privs is that this option hidepid will also
>> assert that you can't setuid to access some procfs inodes... though
>> you can also just set 'no_new_privs + hidepid' both of them in any
>> order. Also it allows unprivileged without userns to setup a minimal
>> jail while performing some operations that can be blocked by
>> no_new_privs.
>>
>> Andy, Kees any other comments please on it ? I'm not sure if overusing
>> no_new_privs in this case is a good idea. Seems to me that seccomp +
>> no_new_privs is different than this hidepid feature that overlaps
>> nicely with no_new_privs.
>>
>> If there are no responses for this question, then I will just add the
>> "CAP_SYS_ADMIN || no_new_privs" test in the next iteration.
>
> I feel like this feature (per-task hidepid) is subtle and complex
> enough that it should have a very clear purpose and use case before
> it's merged and that we should make sure that there isn't a better way
> to accomplish what you're trying to do.
Sure, the hidepid mount option is old enough, and this per-task
hidepid is clearly defined only for procfs and per task, we can't add
another switch that's relate to both a filesystem and pid namespaces,
it will be a bit complicated and not really useful for cases that are
in *same* pidns where *each* one have to mount its procfs, it will
propagate. Also as noted by Lafcadio, the gid thing is a bit hard to
use now.
Thanks!
--
tixxdz
http://opendz.org
WARNING: multiple messages have this Message-ID (diff)
From: Djalal Harouni <tixxdz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org"
<kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Lafcadio Wluiki <wluikil-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field
Date: Thu, 19 Jan 2017 14:53:32 +0100 [thread overview]
Message-ID: <CAEiveUevjijnmr7oWzQexi52nJm-BjVwAkb3fJinAbet=QvzxQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrWn-DpyR5JCGG0H2_yFxU3UHPHZHByXMc5uAxHgQDtnjA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Thu, Jan 19, 2017 at 12:35 AM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote:
> On Wed, Jan 18, 2017 at 2:50 PM, Djalal Harouni <tixxdz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
[...]
>>>>>
>>>>> …
>>>>> prctl(PR_SET_HIDEPID, 2);
>>>>> …
>>>>>
>>>>> And from that point on neither nginx itself, nor any of its child
>>>>> processes may see processes in /proc anymore that belong to a different
>>>>> user than "www-data". Other services running on the same system remain
>>>>> unaffected.
>>>
>>> What affect, if any, does this have on ptrace() permissions?
>>
>> This should not affect ptrace() permissions or other system calls that
>> work directly on pids, the test in procfs is related to inodes before
>> the ptrace check, hmm what do you have in mind ?
>>
>
> I'm wondering what problem you're trying to solve, then. hidepid
> helps lock down procfs, but ISTM you might still want to lock down
> other PID-based APIs.
Yes but they are already locked based on uid checks. procfs was not
and this patch is specifically to align it, and to reduce the ability
to peek data from other processes.
>>
>>> Also, this one-way thing seems wrong to me. I think it should roughly
>>> follow the no_new_privs rules instead. IOW, if you unshare your
>>> pidns, it gets cleared. Also, maybe you shouldn't be able to set it
>>
>> Andy I don't follow here, no_new_privs is never cleared right ? I
>> can't see the corresponding clear bit code for it.
>
> I believe that unsharing userns clears no_new_privs.
No, it is not cleared, and I can't see the clear bit for it. Maybe due
to userns+filesystems limitations it was not noticed.
>>
>> For this one I want it to act like no_new_privs. Also pidns can be
>> created with userns which means it can be revoked. For my use case I
>> want it to be part of *one* single operation where it is set with the
>> other sandbox operations that are all preserved... instead of setting
>> it *again* each time where it can already be late.
>>
>
> I don't see the problem as long as this gets implemented carefully
> enough. If you unshare your userns and your pidns, then you should be
> able to see all tasks in the new pidns, even if you mount a fresh
> procfs pointing at that pidns -- after all, you are privileged in that
> namespace.
That's already the case, if you are privileged you can see all tasks,
the code is written that the per-task hidepid does not overwrite
capabilities.
>>
>>> without either having CAP_SYS_ADMIN over your userns or having
>>> no_new_privs set.
>>
>> For this one I can add it sure. Historically that logic was added to
>> make seccomp more usable, for this patch the values can't be relaxed,
>> they are always increased never decreased. However one minor advantage
>> if you require no_new_privs is that this option hidepid will also
>> assert that you can't setuid to access some procfs inodes... though
>> you can also just set 'no_new_privs + hidepid' both of them in any
>> order. Also it allows unprivileged without userns to setup a minimal
>> jail while performing some operations that can be blocked by
>> no_new_privs.
>>
>> Andy, Kees any other comments please on it ? I'm not sure if overusing
>> no_new_privs in this case is a good idea. Seems to me that seccomp +
>> no_new_privs is different than this hidepid feature that overlaps
>> nicely with no_new_privs.
>>
>> If there are no responses for this question, then I will just add the
>> "CAP_SYS_ADMIN || no_new_privs" test in the next iteration.
>
> I feel like this feature (per-task hidepid) is subtle and complex
> enough that it should have a very clear purpose and use case before
> it's merged and that we should make sure that there isn't a better way
> to accomplish what you're trying to do.
Sure, the hidepid mount option is old enough, and this per-task
hidepid is clearly defined only for procfs and per task, we can't add
another switch that's relate to both a filesystem and pid namespaces,
it will be a bit complicated and not really useful for cases that are
in *same* pidns where *each* one have to mount its procfs, it will
propagate. Also as noted by Lafcadio, the gid thing is a bit hard to
use now.
Thanks!
--
tixxdz
http://opendz.org
WARNING: multiple messages have this Message-ID (diff)
From: Djalal Harouni <tixxdz@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux API <linux-api@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Lafcadio Wluiki <wluikil@gmail.com>
Subject: [kernel-hardening] Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field
Date: Thu, 19 Jan 2017 14:53:32 +0100 [thread overview]
Message-ID: <CAEiveUevjijnmr7oWzQexi52nJm-BjVwAkb3fJinAbet=QvzxQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrWn-DpyR5JCGG0H2_yFxU3UHPHZHByXMc5uAxHgQDtnjA@mail.gmail.com>
On Thu, Jan 19, 2017 at 12:35 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Wed, Jan 18, 2017 at 2:50 PM, Djalal Harouni <tixxdz@gmail.com> wrote:
[...]
>>>>>
>>>>> …
>>>>> prctl(PR_SET_HIDEPID, 2);
>>>>> …
>>>>>
>>>>> And from that point on neither nginx itself, nor any of its child
>>>>> processes may see processes in /proc anymore that belong to a different
>>>>> user than "www-data". Other services running on the same system remain
>>>>> unaffected.
>>>
>>> What affect, if any, does this have on ptrace() permissions?
>>
>> This should not affect ptrace() permissions or other system calls that
>> work directly on pids, the test in procfs is related to inodes before
>> the ptrace check, hmm what do you have in mind ?
>>
>
> I'm wondering what problem you're trying to solve, then. hidepid
> helps lock down procfs, but ISTM you might still want to lock down
> other PID-based APIs.
Yes but they are already locked based on uid checks. procfs was not
and this patch is specifically to align it, and to reduce the ability
to peek data from other processes.
>>
>>> Also, this one-way thing seems wrong to me. I think it should roughly
>>> follow the no_new_privs rules instead. IOW, if you unshare your
>>> pidns, it gets cleared. Also, maybe you shouldn't be able to set it
>>
>> Andy I don't follow here, no_new_privs is never cleared right ? I
>> can't see the corresponding clear bit code for it.
>
> I believe that unsharing userns clears no_new_privs.
No, it is not cleared, and I can't see the clear bit for it. Maybe due
to userns+filesystems limitations it was not noticed.
>>
>> For this one I want it to act like no_new_privs. Also pidns can be
>> created with userns which means it can be revoked. For my use case I
>> want it to be part of *one* single operation where it is set with the
>> other sandbox operations that are all preserved... instead of setting
>> it *again* each time where it can already be late.
>>
>
> I don't see the problem as long as this gets implemented carefully
> enough. If you unshare your userns and your pidns, then you should be
> able to see all tasks in the new pidns, even if you mount a fresh
> procfs pointing at that pidns -- after all, you are privileged in that
> namespace.
That's already the case, if you are privileged you can see all tasks,
the code is written that the per-task hidepid does not overwrite
capabilities.
>>
>>> without either having CAP_SYS_ADMIN over your userns or having
>>> no_new_privs set.
>>
>> For this one I can add it sure. Historically that logic was added to
>> make seccomp more usable, for this patch the values can't be relaxed,
>> they are always increased never decreased. However one minor advantage
>> if you require no_new_privs is that this option hidepid will also
>> assert that you can't setuid to access some procfs inodes... though
>> you can also just set 'no_new_privs + hidepid' both of them in any
>> order. Also it allows unprivileged without userns to setup a minimal
>> jail while performing some operations that can be blocked by
>> no_new_privs.
>>
>> Andy, Kees any other comments please on it ? I'm not sure if overusing
>> no_new_privs in this case is a good idea. Seems to me that seccomp +
>> no_new_privs is different than this hidepid feature that overlaps
>> nicely with no_new_privs.
>>
>> If there are no responses for this question, then I will just add the
>> "CAP_SYS_ADMIN || no_new_privs" test in the next iteration.
>
> I feel like this feature (per-task hidepid) is subtle and complex
> enough that it should have a very clear purpose and use case before
> it's merged and that we should make sure that there isn't a better way
> to accomplish what you're trying to do.
Sure, the hidepid mount option is old enough, and this per-task
hidepid is clearly defined only for procfs and per task, we can't add
another switch that's relate to both a filesystem and pid namespaces,
it will be a bit complicated and not really useful for cases that are
in *same* pidns where *each* one have to mount its procfs, it will
propagate. Also as noted by Lafcadio, the gid thing is a bit hard to
use now.
Thanks!
--
tixxdz
http://opendz.org
next prev parent reply other threads:[~2017-01-19 13:53 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-16 13:23 [PATCH v4 0/2] procfs/tasks: introduce per-task procfs hidepid= field Djalal Harouni
2017-01-16 13:23 ` [kernel-hardening] " Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 1/2] procfs: use an enum for possible hidepid values Djalal Harouni
2017-01-16 13:23 ` [kernel-hardening] " Djalal Harouni
2017-02-13 22:16 ` Kees Cook
2017-02-13 22:16 ` [kernel-hardening] " Kees Cook
2017-02-15 0:34 ` Andrew Morton
2017-02-15 0:34 ` [kernel-hardening] " Andrew Morton
2017-02-15 8:56 ` Djalal Harouni
2017-02-15 8:56 ` [kernel-hardening] " Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field Djalal Harouni
2017-01-16 13:23 ` [kernel-hardening] " Djalal Harouni
2017-01-16 17:12 ` Djalal Harouni
2017-01-16 17:12 ` [kernel-hardening] " Djalal Harouni
[not found] ` <1484572984-13388-3-git-send-email-djalal-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-01-16 17:15 ` Djalal Harouni
[not found] ` <CAEiveUfDvSoW9Hy2Y_uxU2YQ+vR8OvXMqRhxAANTGG7QaQbJeg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-17 20:33 ` Andy Lutomirski
2017-01-18 22:50 ` Djalal Harouni
2017-01-18 22:50 ` [kernel-hardening] " Djalal Harouni
2017-01-18 23:35 ` Andy Lutomirski
2017-01-18 23:35 ` [kernel-hardening] " Andy Lutomirski
2017-01-18 23:35 ` Andy Lutomirski
2017-01-19 13:53 ` Djalal Harouni [this message]
2017-01-19 13:53 ` [kernel-hardening] " Djalal Harouni
2017-01-19 13:53 ` Djalal Harouni
2017-01-19 19:52 ` Andy Lutomirski
2017-01-19 19:52 ` [kernel-hardening] " Andy Lutomirski
2017-01-19 19:52 ` Andy Lutomirski
2017-01-20 15:56 ` Lafcadio Wluiki
2017-01-20 15:56 ` [kernel-hardening] " Lafcadio Wluiki
2017-01-20 15:56 ` Lafcadio Wluiki
2017-01-20 16:33 ` Djalal Harouni
2017-01-20 16:33 ` [kernel-hardening] " Djalal Harouni
2017-01-20 16:33 ` Djalal Harouni
2017-01-21 0:53 ` Andy Lutomirski
2017-01-21 0:53 ` [kernel-hardening] " Andy Lutomirski
2017-01-21 0:53 ` Andy Lutomirski
2017-01-23 11:46 ` Djalal Harouni
2017-01-23 11:46 ` [kernel-hardening] " Djalal Harouni
2017-01-23 11:46 ` Djalal Harouni
2017-01-23 20:07 ` Andy Lutomirski
2017-01-23 20:07 ` [kernel-hardening] " Andy Lutomirski
2017-01-23 20:07 ` Andy Lutomirski
2017-01-26 13:20 ` Djalal Harouni
2017-01-26 13:20 ` [kernel-hardening] " Djalal Harouni
2017-01-26 13:20 ` Djalal Harouni
2017-02-10 14:40 ` Lafcadio Wluiki
2017-02-10 14:40 ` [kernel-hardening] " Lafcadio Wluiki
2017-02-10 14:40 ` Lafcadio Wluiki
2017-02-10 16:18 ` Andy Lutomirski
2017-02-10 16:18 ` [kernel-hardening] " Andy Lutomirski
2017-02-10 16:18 ` Andy Lutomirski
2017-01-20 15:44 ` Lafcadio Wluiki
2017-01-20 15:44 ` [kernel-hardening] " Lafcadio Wluiki
2017-01-20 15:44 ` Lafcadio Wluiki
2017-02-10 23:44 ` Kees Cook
2017-02-10 23:44 ` [kernel-hardening] " Kees Cook
2017-02-10 23:44 ` Kees Cook
2017-02-13 19:01 ` Andy Lutomirski
2017-02-13 19:01 ` [kernel-hardening] " Andy Lutomirski
2017-02-13 19:01 ` Andy Lutomirski
2017-02-13 19:15 ` Kees Cook
2017-02-13 19:15 ` [kernel-hardening] " Kees Cook
2017-02-13 19:15 ` Kees Cook
2017-02-14 4:11 ` Christian Kujau
2017-02-14 4:11 ` [kernel-hardening] " Christian Kujau
2017-02-14 4:11 ` Christian Kujau
2017-01-16 18:24 ` [kernel-hardening] " Daniel Micay
2017-01-17 9:54 ` Lafcadio Wluiki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEiveUevjijnmr7oWzQexi52nJm-BjVwAkb3fJinAbet=QvzxQ@mail.gmail.com' \
--to=tixxdz@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=wluikil@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.