[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZdbstX5p4M_-RjXC@archie.me>
Date: Thu, 22 Feb 2024 13:41:57 +0700
From: Bagas Sanjaya <bagasdotme@...il.com>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Security Module Subsystem <linux-security-module@...r.kernel.org>
Cc: Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...capital.net>,
Will Drewry <wad@...omium.org>,
Mickaël Salaün <mic@...ikod.net>,
Theodore Ts'o <tytso@....edu>,
Alan Stern <stern@...land.harvard.edu>,
Ali Polatel <alip@...sswob.org>
Subject: TOCTOU-free exec(), chdir(), open() with O_PATH sandbox emulation
support?
Hi,
Ali Polatel <alip@...sswob.org> opened feature request bug on Bugzilla
regarding TOCTOU-free sandbox emulation support [1]. He wrote:
> Thanks to the addition of seccomp_addfd, now it is possible to emulate a vast number of system calls to achieve a TOCTOU-free sandbox in userspace. There're however three exceptions to this:
> 1. exec family calls cannot be emulated so a sandbox disallowing exec calls has no choice but to continue the exec call in sandbox process allowing TOCTOU.
> 2. chdir family calls cannot be emulated so a sandbox disallowing chdir calls to hide paths has no choice but to continue the chdir call in sandbox process allowing TOCTOU.
> 3. open calls with the O_PATH flag cannot be emulated (addfd returns EBADF on o_path fds) again a sandbox disallowing open calls with O_PATH flag to hide paths has no choice but to continue the open call in sandbox process allowing TOCTOU.
>
> It'd be awesome for the kernel to provide TOCTOU-free ways to sandbox these three cases.
>
> For a bit of context, I am the author of syd, a seccomp and landlock based application sandbox with support for namespaces, you can read here about why this feature request is relevant and more: http://man.exherbolinux.org/syd.7.html
>
> To quote the relevant bit from the manual page:
>> BUGS
>>
>> In the operation of syd, certain system calls are not fully emulated due to seccomp(2) limitations, resulting in the sandbox process continuing these calls directly. These include execve(2), execveat(2) for execution, chdir(2), fchdir(2) for directory changes, and open(2) operations with O_PATH flag. Consequently, this behavior exposes vulnerabilities to time-of-check to time-of-use attacks, allowing for the circumvention of Exec Sandboxing to execute denylisted paths, the bypass of Stat Sandboxing for unauthorized directory access without disclosing directory contents (owing to getdents(2) call emulation), and the detection of hidden files without revealing file metadata, as stat(2) calls are emulated.
Is the feature request viable/realistic?
Thanks.
[1]: https://bugzilla.kernel.org/show_bug.cgi?id=218501
--
An old man doll... just what I always wanted! - Clara
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists