[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG48ez2oRPBdbfoNxGcV85CXFx1Su+dmhoWXE6rWsXui6_OTPg@mail.gmail.com>
Date: Mon, 3 Jul 2023 17:06:42 +0200
From: Jann Horn <jannh@...gle.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>
Cc: Oleg Nesterov <oleg@...hat.com>, Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
Kees Cook <keescook@...omium.org>,
Casey Schaufler <casey@...aufler-ca.com>,
David Howells <dhowells@...hat.com>,
LuisChamberlain <mcgrof@...nel.org>,
Eric Biederman <ebiederm@...ssion.com>,
Petr Tesarik <petrtesarik@...weicloud.com>,
Christoph Hellwig <hch@...radead.org>,
Petr Mladek <pmladek@...e.com>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Tejun Heo <tj@...nel.org>, linux-mm@...ck.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, keyrings@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [QUESTION] Full user space process isolation?
On Thu, Jun 22, 2023 at 4:45 PM Roberto Sassu
<roberto.sassu@...weicloud.com> wrote:
> I wanted to execute some kernel workloads in a fully isolated user
> space process, started from a binary statically linked with klibc,
> connected to the kernel only through a pipe.
FWIW, the kernel has some infrastructure for this already, see
CONFIG_USERMODE_DRIVER and kernel/usermode_driver.c, with a usage
example in net/bpfilter/.
> I also wanted that, for the root user, tampering with that process is
> as hard as if the same code runs in kernel space.
I believe that actually making it that hard would probably mean that
you'd have to ensure that the process doesn't use swap (in other
words, it would have to run with all memory locked), because root can
choose where swapped pages are stored. Other than that, if you mark it
as a kthread so that no ptrace access is allowed, you can probably get
pretty close. But if you do anything like that, please leave some way
(like a kernel build config option or such) to enable debugging for
these processes.
But I'm not convinced that it makes sense to try to draw a security
boundary between fully-privileged root (with the ability to mount
things and configure swap and so on) and the kernel - my understanding
is that some kernel subsystems don't treat root-to-kernel privilege
escalation issues as security bugs that have to be fixed.
Powered by blists - more mailing lists