lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1eizez3r5.fsf@frodo.ebiederm.org>
Date:	Wed, 07 Jan 2009 22:54:54 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	James Morris <jmorris@...ei.org>
Cc:	Michael Stone <michael@...top.org>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] Security: Implement and document RLIMIT_NETWORK. (fwd)

James Morris <jmorris@...ei.org> writes:

> Would you be able to help answer these queries on the list?
>
> I'm not sure what the network namespace semantics are in (2) below.
>
> ---------- Forwarded message ----------
> Date: Wed, 7 Jan 2009 22:34:54 -0500
> From: Michael Stone <michael@...top.org>
> To: James Morris <jmorris@...ei.org>
> Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
>     linux-security-module@...r.kernel.org
> Subject: Re: [PATCH] Security: Implement and document RLIMIT_NETWORK.
>
> On Thu, Jan 08, 2009 at 12:22:17PM +1100, James Morris wrote:
>> Have you considered utilizing network namespaces [1] ?  A process created with
>> a private network namespace has no network interfaces configured, except
>> loopback, which is down.  Does this do what you want?  The launcher could
>> optionally allow local IP by bringing up the loopback interface.
>
> James,
>
> This net-namespaces work sounds quite apropos to some of my other
> projects but I'm having trouble figuring out whether it can be used to
> solve my current problem. Two questions which immediately occur to me
> include:
>
>  1) As with the netfilter suggestions provided by Andi and Evgeniy, it
>  seems that processes require special privileges (e.g. CAP_NET_ADMIN) in
>  order to drop network privileges by means of entering a new net
>  namespace. Is this correct? If so, why is it necessary or appropriate?

Yes.

Mostly general paranoia.  The problem is that the process could later
exec a suid root executable.  Potentially that suid root executable
could be fooled into a breach of security (such as not logging audit
records) because it is running in a network namespace.

The classic example of this class of exploits is using a mount
namespace to replace libc or /etc/passwd.  Both of which can lead
to privilege escalation.

I'm not creative enough at the moment to see how that class of exploits
would apply to a network namespace, but that is the reasoning for
requiring privilege.  

Let's see.  Having a network namespace namespace could allow you
to impersonate the local X server and steal a more privileged
users authentication tokens, provided by a suid binary.

>  2) What happens if I call unshare(CLONE_NEWNET) after I've bound some
>  sockets to an address or connected some sockets to remote endpoints?

All sockets are associated with a network namespace, and they don't change
when an unshare happens.  Accept still continues to work, and create
new sockets in the original network namespace.

However all calls to socket and to socketpair create new sockets that are
limited to living in the processes default network namespace.

> Perhaps you can help straighten me out, e.g. by pointing me at the
> relevant code?
>

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ