lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 19 Feb 2016 18:24:21 +0800
From:	Zhao Lei <zhaolei@...fujitsu.com>
To:	"'Eric W. Biederman'" <ebiederm@...ssion.com>
CC:	'Mateusz Guzik' <mguzik@...hat.com>,
	<containers@...ts.linux-foundation.org>,
	<linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] Make core_pattern support namespace

Hi, Biederman

> -----Original Message-----
> From: Eric W. Biederman [mailto:ebiederm@...ssion.com]
> Sent: Friday, February 19, 2016 4:18 AM
> To: Zhao Lei <zhaolei@...fujitsu.com>
> Cc: 'Mateusz Guzik' <mguzik@...hat.com>;
> containers@...ts.linux-foundation.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH] Make core_pattern support namespace
> 
> Zhao Lei <zhaolei@...fujitsu.com> writes:
> 
> > Hi, Mateusz Guzik
> >
> >> -----Original Message-----
> >> From: Mateusz Guzik [mailto:mguzik@...hat.com]
> >> Sent: Thursday, February 18, 2016 4:54 AM
> >> To: Eric W. Biederman <ebiederm@...ssion.com>
> >> Cc: Zhao Lei <zhaolei@...fujitsu.com>;
> containers@...ts.linux-foundation.org;
> >> linux-kernel@...r.kernel.org
> >> Subject: Re: [PATCH] Make core_pattern support namespace
> >>
> >> On Wed, Feb 17, 2016 at 02:15:24PM -0600, Eric W. Biederman wrote:
> >> > Mateusz Guzik <mguzik@...hat.com> writes:
> >> > > On Tue, Feb 16, 2016 at 07:33:39PM +0800, Zhao Lei wrote:
> >> > >> For container based on namespace design, it is good to allow
> >> > >> each container keeping their own coredump setting.
> >> > >
> >> > > Sorry if this is a false alarm, I don't have easy means to test it, but
> >> > > is not this an immediate privilege escalation?
> >> >
> >> > It is.  This is why we do not currently have a per namespace setting.
> >> >
> >>
> >> Thanks for confimation.
> >>
> >> > Solving the user mode helper problem is technically a fair amount of
> >> > work, if not theoretically challenging.
> >> >
> >>
> >> Well, I would say custom core_patterns without pipe support are still
> >> better than none.
> >>
> > +1.
> 
> -1.
> 
> The problem is solvable.  It is just a matter of effort to build the
> necessary infrastructure and make certain everything works correctly.
> 
Writting a pipe for both host and container have some limit:
1: All host who wantting to run container can not custom core_patterns
   to other value, it is to say, core_patterns will turn to be a const
   value in linux release with container support.
2: If a host support 2 types of container manager, for example,
   lxc and docker, each manager will try to modify host's core_patterns
   to its internal pipe program, and cause competition.
3: container can not modify core_patterns for its need, it is not like
   a real system.

> >> Say one would ensure a stable core_pattern (i.e. that it cannot be
> >> modified as it is being parsed) and a restricted set of allowed
> >> characters in the pattern (which would not include the pipe), validated
> >> when one attempts to set the pattern.
> >>
> >> Does this sound acceptable? If so, and there are no counter ideas from
> >> Lei, I can get around to that.
> >>
> > If we can let kernel select pipe_program in vm's filesystem, and run
> > pipe_program with vm's filesystem, set a pipe for core_patterm in vm
> > will be safe.
> > What is your opinion on above solution?
> 
> Please see the other thread about user mode helpers that is current
> active on the container mailling list.
> 
User mode helpers is discussed in other threads, but we hadn't get a
conclusion to answer is user mode helpers better than letting kernel
support core_pattern in namespace, just as our discussing in this thread.

> > If above way is not acceptable, or impossible to realize, I also
> > agree your solution of limit vm setting pipe.
> 
> I honestly think have a fully capable system that we have now that is
> capable of using setns and entering a containers context is better than
> something half baked.  The solution either needs to support everything
> core_pattern does today but correctly in a container environment.
> 
If we can fix problem of "the pipe dumping data to host filesystem",
both host and container will able to support full core_pattern.

> To make the case that something does not need to be supported, a
> convincing argument needs to be presented and tested that no one ever
> does that.  Without such an argument you will be breaking userspace
> in a different way.  Not actually fixing things.
> 
It is same problem with above.
When we fixed it, all container can be free to set core_pattern without
breaking host env, and the every container manager don't need to add
special argument for setting core_pattern.

> My baseline reference implementation of all of this is that it is
> possible when a sufficiently privileged process writes to core_pattern
> to fork a child with the same environment and context as the writer.
> That forked child could then become a kernel thread and fork any
> additional children needed as user mode helpers.
> 
Thanks for detailed explanation.
I'll investigate it is possible to write piped dump data to container's
filesystem.

We still have "container-write-to-host" problem even if we don't use this
patch, in current kernel, if we run a container with privilege,
1: container can modify core_pattern of host and other container
2: container can set core_pattern to pipe, then dump data to host filesystem
3: container can use this way to do more bad thing
Each of them are not accessable.

In summary:
+-------------+----------------+-------------+--------------------------+
|             | CURRENT_KERNEL | AFTER_PATCH | AFTER_MORE_WORK_ON_PATCH |
|-------------+----------------+-------------+--------------------------+
| WITHOUT     | SAFE           | SAFE        | SAFE                     |
| PRIVILEGE   |                |             |                          |
|-------------+----------------+-------------+--------------------------+
| PRIVILEGE   | DANGEROUS      | SAFE        | SAFE                     |
| DUMPTO FILE |                |             |                          |
|-------------+----------------+-------------+--------------------------+
| PRIVILEGE   | DANGEROUS      | DANGEROUS   | SAFE                     |
| DUMPTO PIPE |                |             |                          |
+-------------+----------------+-------------+--------------------------+

So letting ns support core_pattern is also a bug fix for above case.

What is your opinion?
Any suggestions are welcome.

Thanks
Zhaolei

> Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ