| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5jK-4DaUVofwy3aqKnQTbyQGsLVmNNfAc1pjkJHt2Kfwww@mail.gmail.com>
Date: Wed, 1 Feb 2012 11:02:23 -0800
From: Kees Cook <keescook@...omium.org>
To: Andy Lutomirski <luto@...capital.net>
Cc: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
Casey Schaufler <casey@...aufler-ca.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jamie Lokier <jamie@...reable.org>,
john.johansen@...onical.com, serge.hallyn@...onical.com,
coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com,
djm@...drot.org, segoon@...nwall.com, rostedt@...dmis.org,
jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com,
penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu,
akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com,
amwang@...hat.com, oleg@...hat.com, ak@...ux.intel.com,
eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com,
daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org, olofj@...omium.org,
mhalcrow@...gle.com, dlaor@...hat.com, corbet@....net,
alan@...rguk.ukuu.org.uk
Subject: Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC
with no_new_privs
On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto@...capital.net> wrote:
> They are normally disallowed because they could be used to subvert
> setuid programs. But if setuid is disabled, then they are safe.
>
> Signed-off-by: Andy Lutomirski <luto@...capital.net>
> ---
> kernel/nsproxy.c | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> index b576f7f..47cf873 100644
> --- a/kernel/nsproxy.c
> +++ b/kernel/nsproxy.c
> @@ -191,7 +191,13 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
> CLONE_NEWNET)))
> return 0;
>
> - if (!capable(CAP_SYS_ADMIN))
> + /* We require either no_new_privs or CAP_SYS_ADMIN for all modes */
> + if (!current->no_new_privs && !capable(CAP_SYS_ADMIN))
> + return -EPERM;
> +
> + /* NEWNS and NEWNET always require CAP_SYS_ADMIN. */
> + if ((unshare_flags & (CLONE_NEWNS | CLONE_NEWNET)) &&
> + !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> *new_nsp = create_new_namespaces(unshare_flags, current,
While I think it's unlikely that the list handled by
unshare_nsproxy_namespaces() is going to change, I'd still prefer that
the logic of this test be reversed so that the nnp-allowed flags are
listed instead of the CAP_SYS_ADMIN-required ones so that it will
default to disallowing new flags. It's a little less readable, but
maybe something like this (untested):
unsigned long handled_mask = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
CLONE_NEWNET);
unsigned long npp_mask = (CLONE_NEWUTS | CLONE_NEWIPC);
if (!(unshare_flags & handled_mask))
return 0;
if ( !(current->no_new_privs &&
!(unshare_flags & (handled_mask ^ npp_mask))) &&
!capable(CAP_SYS_ADMIN))
return -EPERM;
...
This also has the side-effect of removing the double-check of
capable() in some cases.
-Kees
--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists