| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Feb 2024 09:33:16 -0500 From: Rich Felker <dalias@...ifal.cx> To: Christian Brauner <brauner@...nel.org> Cc: Xi Ruoyao <xry111@...111.site>, Arnd Bergmann <arnd@...db.de>, Icenowy Zheng <uwu@...nowy.me>, Huacai Chen <chenhuacai@...nel.org>, WANG Xuerui <kernel@...0n.name>, Adhemerval Zanella <adhemerval.zanella@...aro.org>, linux-api@...r.kernel.org, Kees Cook <keescook@...omium.org>, Xuefeng Li <lixuefeng@...ngson.cn>, Jianmin Lv <lvjianmin@...ngson.cn>, Xiaotian Wu <wuxiaotian@...ngson.cn>, WANG Rui <wangrui@...ngson.cn>, Miao Wang <shankerwangmiao@...il.com>, "loongarch@...ts.linux.dev" <loongarch@...ts.linux.dev>, Linux-Arch <linux-arch@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: Chromium sandbox on LoongArch and statx -- seccomp deep argument inspection again? On Mon, Feb 26, 2024 at 01:57:55PM +0100, Christian Brauner wrote: > On Mon, Feb 26, 2024 at 07:57:56PM +0800, Xi Ruoyao wrote: > > On Mon, 2024-02-26 at 10:20 +0100, Arnd Bergmann wrote: > > > > /* snip */ > > > > > > > > > Or maybe we can just introduce a new AT_something to make statx > > > > completely ignore pathname but behave like AT_EMPTY_PATH + "". > > I'm not at all convinced about doing custom semantics for this. I did not follow the entirety of this thread. I've been aware for a while that the need to use AT_EMPTY_PATH (on archs that don't have old syscalls) is a performance problem in addition to being a sandboxing problem, because the semantics for it were defined to use the string argument if present, thereby requiring the kernel to perform an additional string read from user memory. Unfortunately, I don't see any good fix. Even if we could add AT_STATX_NO_PATH/AT_STATX_NULL_PATH, libc would not be using it, because using them would incur EINVAL-then-fallback on kernels that don't support it. In regards to the Chromium sandbox, I think Chromium is just wrong here. Blocking statx is not safe (it also does not work on 32-bit archs -- it breaks time64 support! and riscv32 doesn't even have legacy stat either, just like loongarch64), and there is really no serious security risk from being able to stat arbitrary pathnames. Maybe it's annoying from a theoretical purity standpoint that you can't block that, but from a practical standpoint it doesn't really matter. I'd like to see a solution to this, but all the possible ones look bad. And it's all a consequence of poor consideration of how AT_EMPTY_PATH should work when it was first invented/added. >_< > > > I think this is better than going back to fstat64_time64(), but > > > it's still not great because > > > > > > - all the reserved flags on statx() are by definition incompatible > > > with existing kernels that return -EINVAL for any flag they do > > > not recognize. > > > > Oops, we are deeming passing undefined flags in "mask" undefined > > behavior but not "flags", thus "wild software" may be relying on EINVAL > > for invalid flags... We *might* make this new AT_xxx a bit in mask > > instead of flags but it would be very dirty IMO. > > Uhm, no. AT_* flags have nothing to do in statx()'s mask argument at all. They definitely cannot go in mask; that's semantically wrong. Rich
Powered by blists - more mailing lists