| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e7137350-b8a8-c7e5-e35d-8218a7df1147@suse.de>
Date: Fri, 20 Jan 2017 00:08:12 +1100
From: Aleksa Sarai <asarai@...e.de>
To: Michal Hocko <mhocko@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>,
Kees Cook <keescook@...omium.org>,
Al Viro <viro@...iv.linux.org.uk>,
John Stultz <john.stultz@...aro.org>,
Mateusz Guzik <mguzik@...hat.com>,
Janis Danisevskis <jdanis@...gle.com>,
linux-kernel@...r.kernel.org, dev@...ncontainers.org,
containers@...ts.linux-foundation.org,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [PATCH] procfs: change the owner of non-dumpable and writeable
files
>> In order to protect against ptrace(2) and similar attacks on container
>> runtimes when they join namespaces, many runtimes set mm->dumpable to
>> SUID_DUMP_DISABLE. However, doing this means that attempting to set up
>> an unprivileged user namespace will fail because an unprivileged process
>> can no longer access /proc/self/{setgroups,{uid,gid}_map} for the
>> container process (which is the same uid as the runtime process).
>>
>> Fix this by changing pid_getattr to *also* change the owner of regular
>> files that have a mode of 0644 (when the process is not dumpable). This
>> ensures that the important /proc/[pid]/... files mentioned above are
>> properly accessible by a container runtime in a rootless container
>> context.
>>
>> The most blantant issue is that a non-dumpable process in a rootless
>> container context is unable to open /proc/self/setgroups, because it
>> doesn't own the file.
>>
>> int main(void)
>> {
>> prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
>> unshare(CLONE_NEWUSER);
>>
>> /* This will fail. */
>> int fd = open("/proc/self/setgroups", O_WRONLY);
>> if (fd < 0)
>> abort();
>>
>> return 0;
>> }
>
> I do agree that failing to open anything in /proc/self/ is more than
> unexepcted! I cannot judge the patch but my gut feeling tells me that
> the fix should be somewhere in the open handler.
Maybe that would suffice as a more specific fix (for the special case of
/proc/self), but the fact that none of the users and groups are
correctly set in /proc/[pid] will cause issues for runC and other
container runtimes (because they don't go through /proc/self -- it's
accessing /proc/[pid] from another process).
Though I get the feeling that the *correct* fix would be to remove the
conditional and *always* change the owner -- maybe I'm missing something
but I can't think of the security issue that this code currently fixes
(since all of the important permission checks are *in addition* to the
generic_permission used for /proc/self/..., which use ptrace_may_access).
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
Powered by blists - more mailing lists