lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87o7ovlla5.fsf@redhat.com>
Date:   Tue, 14 Mar 2023 10:44:34 +0100
From:   Giuseppe Scrivano <gscrivan@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     keescook@...omium.org, bristot@...hat.com, ebiederm@...ssion.com,
        brauner@...nel.org, cyphar@...har.com, viro@...iv.linux.org.uk,
        walters@...bum.org, avagin@...il.com, alexl@...hat.com,
        peterz@...radead.org, bmasney@...hat.com
Subject: Re: [PATCH v4 1/3] exec: add PR_HIDE_SELF_EXE prctl

Giuseppe Scrivano <gscrivan@...hat.com> writes:

> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
> processes to hide their own /proc/self/exe file. When this prctl is
> used, every access to /proc/self/exe for the calling process will
> fail with EPERM.
>
> This is useful for preventing issues like CVE-2019-5736, where an
> attacker can gain host root access by overwriting the binary
> in OCI runtimes through file-descriptor mishandling in containers.
>
> The current fix for CVE-2019-5736 is to create a read-only copy or
> a bind-mount of the current executable, and then re-exec the current
> process.  With the new prctl, the read-only copy or bind-mount copy is
> not needed anymore.
>
> Once prctl(PR_HIDE_SELF_EXE) is set, it will blocks PR_SET_DUMPABLE to
> be set again.  It is not done automatically so that PR_SET_DUMPABLE
> can be set at a later time if needed, e.g. a container runtime might
> want to do that after the user namespace is joined.
>
> It is currently kind of expected that a container uses execve to pass
> control to a binary in the container chroot, since the /proc/self/exe
> and /proc/self/map_files refer to files that are not part of the
> container itself; so if the process can be compromised in any way
> (e.g. an interpreter running a script in the container without calling
> execve), it could potentially lead to host compromise.  It is
> necessary to ensure that the current process cannot be set to dumpable
> anymore, since that would allow another process in the container to
> get access to its proc files.
>
> A container runtime could use the new prctl in the following way:
>
> - run prctl(PR_HIDE_SELF_EXE) as soon as possible.
> - if prctl(PR_HIDE_SELF_EXE) fails then use the more expensive current
>   fallbacks mechanism.
> - perform all operations that require the process to be dumpable.
> - prctl(PR_SET_DUMPABLE, 0), as it is already done today.
> - execve the new binary or run directly the interpreter.
>
> Signed-off-by: Giuseppe Scrivano <gscrivan@...hat.com>
> ---
> v3: https://lkml.org/lkml/2023/1/20/434
>
> Differences from v3:
>
> - rebased on top of the latest upstream master.
> - now prctl(PR_HIDE_SELF_EXE) blocks access only from the same thread group, it
>   won't break CRIU as v3 did.
> - extend the prctl to also cover files under /proc/self/map_files.
> - once prctl(PR_HIDE_SELF_EXE) is used, it is not possible to unset
>   SUID_DUMP_DISABLE anymore.  This is useful for the case where the container
>   doesn't use execve to pass the control to a binary in the container chroot, and it
>   prevents the process to be set to dumpable again since it would allow a different
>   process in the container to get access to its proc files.
> - cleaned up the selftest and added more checks.

I've done a mistake in this version of the patchset, so please everyone just ignore it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ