| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrXO=V=+qEdLDVPf8eCgLZiB9bOTrUfe0V-U-tUZoeoRDA@mail.gmail.com>
Date: Wed, 20 Mar 2019 11:58:57 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Christian Brauner <christian@...uner.io>
Cc: Daniel Colascione <dancol@...gle.com>,
Joel Fernandes <joel@...lfernandes.org>,
Suren Baghdasaryan <surenb@...gle.com>,
Steven Rostedt <rostedt@...dmis.org>,
Sultan Alsawaf <sultan@...neltoast.com>,
Tim Murray <timmurray@...gle.com>,
Michal Hocko <mhocko@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
LKML <linux-kernel@...r.kernel.org>,
"open list:ANDROID DRIVERS" <devel@...verdev.osuosl.org>,
linux-mm <linux-mm@...ck.org>,
kernel-team <kernel-team@...roid.com>,
Oleg Nesterov <oleg@...hat.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
Kees Cook <keescook@...omium.org>
Subject: Re: pidfd design
On Wed, Mar 20, 2019 at 11:52 AM Christian Brauner <christian@...uner.io> wrote:
>
> You're misunderstanding. Again, I said in my previous mails it should
> accept pidfds optionally as arguments, yes. But I don't want it to
> return the status fds that you previously wanted pidfd_wait() to return.
> I really want to see Joel's pidfd_wait() patchset and have more people
> review the actual code.
Just to make sure that no one is forgetting a material security consideration:
$ ls /proc/self
attr exe mountinfo projid_map status
autogroup fd mounts root syscall
auxv fdinfo mountstats sched task
cgroup gid_map net schedstat timers
clear_refs io ns sessionid timerslack_ns
cmdline latency numa_maps setgroups uid_map
comm limits oom_adj smaps wchan
coredump_filter loginuid oom_score smaps_rollup
cpuset map_files oom_score_adj stack
cwd maps pagemap stat
environ mem personality statm
A bunch of this stuff makes sense to make accessible through a syscall
interface that we expect to be used even in sandboxes. But a bunch of
it does not. For example, *_map, mounts, mountstats, and net are all
namespace-wide things that certain policies expect to be unavailable.
stack, for example, is a potential attack surface. Etc.
As it stands, if you create a fresh userns and mountns and try to
mount /proc, there are some really awful and hideous rules that are
checked for security reasons. All these new APIs either need to
return something more restrictive than a proc dirfd or they need to
follow the same rules. And I'm afraid that the latter may be a
nonstarter if you expect these APIs to be used in libraries.
Yes, this is unfortunate, but it is indeed the current situation. I
suppose that we could return magic restricted dirfds, or we could
return things that aren't dirfds and all and have some API that gives
you the dirfd associated with a procfd but only if you can see
/proc/PID.
--Andy
Powered by blists - more mailing lists