lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrV1kV3aRZrWFK3TgVQ6aoUZKKASszfu0TMLqkx_Xn41qw@mail.gmail.com>
Date:	Wed, 6 Nov 2013 12:21:02 -0800
From:	Andy Lutomirski <luto@...capital.net>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Serge Hallyn <serge.hallyn@...ntu.com>,
	Brad Spengler <spender@...ecurity.net>,
	Christian Seiler <christian@...kd.de>,
	lkml <linux-kernel@...r.kernel.org>,
	Andy Whitcroft <apw@...onical.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Lxc development list <lxc-devel@...ts.sourceforge.net>
Subject: Re: CLONE_PARENT after setns(CLONE_NEWPID)

On Wed, Nov 6, 2013 at 12:06 PM, Oleg Nesterov <oleg@...hat.com> wrote:
> On 11/06, Andy Lutomirski wrote:
>>
>> On Wed, Nov 6, 2013 at 11:33 AM, Oleg Nesterov <oleg@...hat.com> wrote:
>> > Hi Serge,
>> >
>> > On 11/06, Serge Hallyn wrote:
>> >>
>> >> Hi Oleg,
>> >>
>> >> commit 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e :
>> >> "fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks"
>> >> breaks lxc-attach in 3.12.  That code forks a child which does
>> >> setns() and then does a clone(CLONE_PARENT).  That way the
>> >> grandchild can be in the right namespaces (which the child was
>> >> not) and be a child of the original task, which is the monitor.
>> >
>> > Thanks...
>> >
>> > Yes, this is what 40a0d32d1ea explicitly tries to disallow.
>> >
>> >> Is there a real danger in allowing CLONE_PARENT
>> >> when current->nsproxy->pidns_for_children is not our pidns,
>> >> or was this done out of an "over-abundance of caution"?
>> >
>> > I am not sure... This all was based on the long discussion, and
>> > it was decided that the CLONE_PARENT check should be consistent
>> > wrt CLONE_NEWPID and pidns_for_children != task_active_pid_ns().
>> >
>> >> Can we
>> >> safely revert that new extra check?
>> >
>> > Well, usually we do not break user-space, but I am not sure about
>> > this case...
>>
>> Presumably if we allow this, then we should also allow
>> clone(CLONE_NEWPID | CLONE_PARENT).
>
> Yes, agreed. but this means another change, this was forbidden even
> before this commit.

I'm really not a fan of allowing things by one path but disallowing
them by another.  That way lurk hidden bugs and
incomprehensibilities...

>
>> This seems a little odd, but off
>> the top of my head it doesn't seem obviously dangerous.
>
> I do not see any "strong" reason too. At least right now... But I would
> say that it would be better to not allow to abuse ->real_parent, it
> doesn't event know about the new child (if CLONE_PARENT).

I'm not sure what namespaces have to do with this, though.  The
grandparent may be surprised to acquire a new child, but I don't see
why it would care about the security context of that child.

I admit that this stuff is complicated, but I don't see the problem
that any of this is trying to prevent.

>
>> (Why were we worried about this in the first place?  The comment says
>> that we don't want signal handlers or thread groups to span
>> namespaces, but CLONE_PARENT has nothing to do with that.)
>
> it also says "or parent" ;)
>
>> I feel like I'm rehashing something ancient, but shouldn't that code just be:
>>
>> if (clone_flags & CLONE_VM) {
>>   // check for unsharing namespaces
>
> No, this will break vfork().
>
> And note that CLONE_SIGHAND was disallowed "just in case" and because
> do_fork() had a similar check. Sharing the signal handlers is fine afaics.
>
> From e79f525e:
>
>         We could probably even drop CLONE_SIGHAND and use CLONE_THREAD, but it
>         would be safer to not do this.  The current check denies CLONE_SIGHAND
>         implicitely and there is no reason to change this.
>
> And I disagree with
>
>         Eric said "CLONE_SIGHAND is fine.  CLONE_THREAD would be even better.
>         Having shared signal handling between two different pid namespaces is
>         the case that we are fundamentally guarding against."
>
> added during the merging ;) Or perhaps I misunderstood the text above. But this
> all is off-topic.
>
> Oleg.
>



-- 
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ