lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGZ=bq+E3PFm8aZ1eaJaLnHK2dL_nxKBJ_F6MDR-uON+6T-87A@mail.gmail.com>
Date:	Thu, 12 Jan 2012 14:08:18 -0500
From:	Kyle Moffett <kyle@...fetthome.net>
To:	Andrew Lutomirski <luto@....edu>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
	keescook@...omium.org, john.johansen@...onical.com,
	serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com,
	pmoore@...hat.com, eparis@...hat.com, djm@...drot.org,
	segoon@...nwall.com, jmorris@...ei.org, scarybeasts@...il.com,
	avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk,
	mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com,
	borislav.petkov@....com, amwang@...hat.com, oleg@...hat.com,
	ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de,
	dhowells@...hat.com, daniel.lezcano@...e.fr,
	linux-fsdevel@...r.kernel.org,
	linux-security-module@...r.kernel.org, olofj@...omium.org,
	mhalcrow@...gle.com, dlaor@...hat.com
Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF

On Thu, Jan 12, 2012 at 13:44, Andrew Lutomirski <luto@....edu> wrote:
> On Thu, Jan 12, 2012 at 10:32 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>> On Thu, Jan 12, 2012 at 10:18 AM, Andrew Lutomirski <luto@....edu> wrote:
>>> Like this?
>>>
>>> http://lkml.indiana.edu/hypermail/linux/kernel/1003.3/01225.html
>>
>> I don't know the execve_nosecurity patches, so the diff makes little
>> sense to me, but yeah, I wouldn't expect it to be more than a couple
>> of lines. Exactly *how* you set the bit etc is not something I care
>> deeply about, prctl seems about as good as anything.
>>
>>> Note that there's a huge can of worms if execve is allowed but
>>> suid/sgid is not: selinux may elevate privileges on exec of pretty
>>> much anything.  (I think that this is a really awful idea, but it's in
>>> the kernel, so we're stuck with it.)
>>
>> You can do any amount of crazy things with selinux, but the other side
>> of the coin is that it would also be trivial to teach selinux about
>> this same "restricted environment" bit, and just say that a process
>> with that bit set doesn't get to match whatever selinux privilege
>> escalation rules..
>>
>> I really don't think this is just about "execve cannot do setuid". I
>> think it's about the process being marked as restricted.
>>
>> So in your patch, I think that "PR_RESTRICT_EXEC" bit is wrong. It
>> should simply be "PR_RESTRICT_ME", and be done with it, and not try to
>> artificially limit it to be some "execve feature", and more think of
>> it as a "this is a process that has *no* extra privileges at all, and
>> can never get them".
>
> execve_nosecurity was my attempt to sidestep selinux issues.  It's a
> different syscall that does all of the non-security-related things
> that execve does but does not escalate (or even change) any
> privileges.  Maybe I'll try to rework that for newer kernels as well.
> The idea is that programs that expect to run in sandboxes / chroots /
> namespaces / whatever can use it, and older programs that might
> malfunction dangerously if the semantics of execve change will just
> fail instead.

I don't see any issues with SELinux support for this feature.

Specifically, when you try to execute something in SELinux, it will
first look at the types and try to "execute" (involving a type
transition IE: security label change).

But if that fails in many cases it may still be allowed to
"execute_no_trans" (IE: regular non-privileged exec() without a
transition).

If you add this feature, it should just disable the normal "execute"
with transition path and unconditionally fall back to
"execute_no_trans".

Likewise, enabling these bits should also disable the "transition" and
"dyntransition" process access vectors, and I'm on the fence about
whether "setfscreate", etc should be allowed.

Cheers,
Kyle Moffett

-- 
Curious about my work on the Debian powerpcspe port?
I'm keeping a blog here: http://pureperl.blogspot.com/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ