| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrV6eMYGsw-AS+ZwLpTfdzbinJT_3or0hN+R=7PKmai4mg@mail.gmail.com> Date: Wed, 1 Feb 2012 12:35:33 -0800 From: Andy Lutomirski <luto@...capital.net> To: Kees Cook <keescook@...omium.org> Cc: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org, Casey Schaufler <casey@...aufler-ca.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Jamie Lokier <jamie@...reable.org>, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, oleg@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com, corbet@....net, alan@...rguk.ukuu.org.uk Subject: Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs On Wed, Feb 1, 2012 at 11:02 AM, Kees Cook <keescook@...omium.org> wrote: > On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto@...capital.net> wrote: >> They are normally disallowed because they could be used to subvert >> setuid programs. But if setuid is disabled, then they are safe. >> >> Signed-off-by: Andy Lutomirski <luto@...capital.net> >> --- >> kernel/nsproxy.c | 8 +++++++- >> 1 files changed, 7 insertions(+), 1 deletions(-) >> >> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c >> index b576f7f..47cf873 100644 >> --- a/kernel/nsproxy.c >> +++ b/kernel/nsproxy.c >> @@ -191,7 +191,13 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, >> CLONE_NEWNET))) >> return 0; >> >> - if (!capable(CAP_SYS_ADMIN)) >> + /* We require either no_new_privs or CAP_SYS_ADMIN for all modes */ >> + if (!current->no_new_privs && !capable(CAP_SYS_ADMIN)) >> + return -EPERM; >> + >> + /* NEWNS and NEWNET always require CAP_SYS_ADMIN. */ >> + if ((unshare_flags & (CLONE_NEWNS | CLONE_NEWNET)) && >> + !capable(CAP_SYS_ADMIN)) >> return -EPERM; >> >> *new_nsp = create_new_namespaces(unshare_flags, current, > > While I think it's unlikely that the list handled by > unshare_nsproxy_namespaces() is going to change, I'd still prefer that > the logic of this test be reversed so that the nnp-allowed flags are > listed instead of the CAP_SYS_ADMIN-required ones so that it will > default to disallowing new flags. It's a little less readable, but > maybe something like this (untested): > > unsigned long handled_mask = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | > CLONE_NEWNET); > unsigned long npp_mask = (CLONE_NEWUTS | CLONE_NEWIPC); > > if (!(unshare_flags & handled_mask)) > return 0; > > if ( !(current->no_new_privs && > !(unshare_flags & (handled_mask ^ npp_mask))) && > !capable(CAP_SYS_ADMIN)) > return -EPERM; > ... > > This also has the side-effect of removing the double-check of > capable() in some cases. Agreed -- will fix. This patch is also missing the corresponding change for clone. I'll add that. I'm tempted to add CLONE_NEWPID as well (it's _useful_), but there's an unresolved issue with SCM_CREDENTIALS. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists