From: Kees Cook <kees.cook@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jiri Kosina <jkosina@suse.cz>,
	Dave Young <hidave.darkstar@gmail.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Roland McGrath <roland@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	linux-doc@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Thu, 17 Jun 2010 09:59:40 -0700	[thread overview]
Message-ID: <20100617165940.GU24749@outflux.net> (raw)
In-Reply-To: <m1hbl1eta6.fsf@fess.ebiederm.org>

Hi,

On Thu, Jun 17, 2010 at 05:29:53AM -0700, Eric W. Biederman wrote:
> Kees Cook <kees.cook@canonical.com> writes:
> > running state of any of their processes. For example, if one application
> > (e.g. Pidgin) was compromised, it would be possible for an attacker to
> > attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
> > etc) to extract additional credentials and continue to expand the scope
> > of their attack without resorting to user-assisted phishing.
> 
> This is ineffective.  As an attacker after I gain access to a user's
> system on ubuntu I can wait around until a package gets an update,
> and then run sudo and gain the power to do whatever I want.

It doesn't stop phishing, correct.  But it does stop immediate expansion of
an attack using already-existing credentials.

> Either that or I can inject something nasty into the suid pulse-audio.

Hmm?

$ ls -la /usr/bin/pulseaudio
-rwxr-xr-x 1 root root 71712 2010-06-10 11:59 /usr/bin/pulseaudio

But I take your meaning to be "can still exploit other vulnerabilities".
That'll always be true, but that's why I'm looking to make the attack
surface smaller.

> I tell you what.  If you really want something effective, help Serge
> and me finish getting the cross namespace issues fixed for the user
> namespace.  When complete, it will be possible for an unprivileged process
> to create a new one, and since kernel capabilities along with everything
> else will be local to it, running pidgin, or firefox, or another network
> facing potentially buggy application in such a namespace will ensure that
> even if the process is compromised it won't have privileges to ptrace another
> process or do much else on the system.

It sounds pretty good, but isolating desktop applications is no simple
task.  They tend to like to have free rein over a user's entire home
directory.  But I think that's a bit of a tangent.  That said, I'd like to
know more; where can I find details?

I'm all for better separations.  In fact, I'd like to see /proc/sys using
caps instead of DAC so that containers mounting /proc can't fiddle with the
entire system.  Has anyone done anything with this?  It seems like it's
only seen sporadic attention (e.g. my patch to test CAP_SYS_RAWIO for
changing mmap_min_addr).  I would assume there are others that need a
similar protection?

-Kees

-- 
Kees Cook
Ubuntu Security Team
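An added example, not code from this thread or from the patch under discussion: it reproduces the attack step Kees describes (a compromised process attaching to another same-uid process it has no parent/child relationship with) and reports whether the running kernel allows it. The sysctl path it reads is the one mainline Yama eventually adopted and is assumed here; the path used by the 2010 patch is not shown on this page, and the program still runs (scope reads as -1) on a kernel without it.

```c
/* Added example (not from the original thread): attempt the same-uid,
 * non-descendant PTRACE_ATTACH that the proposed scope restriction refuses.
 * Under classic behaviour the attach succeeds; under the restriction the
 * kernel returns EPERM.  Assumed: the mainline Yama sysctl path below. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mainline Yama sysctl (assumption: present on the running kernel).
 * 0 = classic: any same-uid, dumpable process may be attached to.
 * 1 = restricted: only an ancestor (or an explicitly declared tracer) may. */
#define YAMA_SCOPE_PATH "/proc/sys/kernel/yama/ptrace_scope"

/* Returns the current scope, or -1 if the sysctl is absent or unreadable. */
int read_ptrace_scope(void)
{
    FILE *f = fopen(YAMA_SCOPE_PATH, "r");
    int scope = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Create a same-uid process that is NOT our descendant: double-fork and let
 * the intermediate child exit, so the grandchild is reparented to init (or
 * the nearest subreaper).  This stands in for "another running application
 * of the same user" (the Firefox or gpg-agent a compromised Pidgin has no
 * relation to).  Returns the grandchild's pid, or -1 on error. */
pid_t spawn_unrelated_same_uid(void)
{
    int fd[2];
    pid_t mid, target = -1;

    if (pipe(fd) < 0)
        return -1;
    mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        pid_t gc = fork();
        if (gc == 0) {
            close(fd[0]);
            close(fd[1]);
            for (;;)
                pause();            /* stand-in victim: just stays alive */
        }
        if (gc > 0 && write(fd[1], &gc, sizeof gc) != (ssize_t)sizeof gc)
            _exit(1);
        _exit(gc > 0 ? 0 : 1);      /* intermediate dies: grandchild is reparented */
    }
    close(fd[1]);
    if (read(fd[0], &target, sizeof target) != (ssize_t)sizeof target)
        target = -1;
    close(fd[0]);
    waitpid(mid, NULL, 0);          /* reap the intermediate child */
    return target;
}

/* Attach the way an attacker would.  Returns 0 if the kernel allowed the
 * attach (we detach again immediately), otherwise the errno it refused with. */
int try_attach(pid_t pid)
{
    int status;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0)
        return errno;
    /* Attached: wait for the tracee's attach-stop, then release it. */
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

void kill_target(pid_t pid)
{
    if (pid > 0)
        kill(pid, SIGKILL);
}

int main(void)
{
    int scope = read_ptrace_scope();
    pid_t victim = spawn_unrelated_same_uid();
    int rc;

    if (victim < 0) {
        perror("spawn");
        return 1;
    }
    rc = try_attach(victim);
    printf("ptrace_scope=%d  attach to unrelated same-uid pid %d: %s\n",
           scope, (int)victim, rc == 0 ? "allowed" : strerror(rc));
    kill_target(victim);
    return 0;
}
```

Run it as an unprivileged user, then flip the sysctl (as root) and run it again: with the restriction on, the attach fails with EPERM even though the victim is the same uid, which is exactly the lateral step the patch sets out to remove. Attaching to a child of your own would succeed under either setting, which is why the example deliberately orphans the victim first.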


Thread overview: 37+ messages
2010-06-16 22:18 [PATCH] ptrace: allow restriction of ptrace scope Kees Cook
2010-06-16 23:01 ` Alan Cox
2010-06-16 23:22   ` Kees Cook
2010-06-17 13:45     ` James Morris
2010-06-17 17:04       ` Kees Cook
2010-06-17 20:53         ` Alan Cox
2010-06-17 21:06           ` Randy Dunlap
2010-06-17 21:16             ` Kees Cook
2010-06-17 22:18               ` Alan Cox
2010-06-17 22:25                 ` Kees Cook
2010-06-17 22:34                   ` Alan Cox
2010-06-17 21:18             ` Alan Cox
2010-06-17 21:51               ` Kees Cook
2010-06-17 22:30                 ` Alan Cox
2010-06-17 23:03                   ` James Morris
2010-06-18  3:10                   ` Casey Schaufler
2010-06-18 10:54                     ` Theodore Tso
2010-06-18 13:50                       ` Eric W. Biederman
2010-06-18 14:29                         ` Serge E. Hallyn
2010-06-19  2:23                         ` Casey Schaufler
2010-06-19  2:49                           ` Eric W. Biederman
2010-06-21  0:52                       ` James Morris
2010-06-21  2:16                         ` Valdis.Kletnieks
2010-06-18 17:58                   ` Kees Cook
2010-06-19  2:15                 ` Tetsuo Handa
2010-06-19  3:19                 ` Frank Ch. Eigler
2010-06-16 23:10 ` Roland McGrath
2010-06-16 23:39   ` Kees Cook
2010-06-17  0:11     ` Roland McGrath
2010-06-17  0:46       ` Kees Cook
2010-06-18 12:36       ` Serge E. Hallyn
2010-06-17 12:29 ` Eric W. Biederman
2010-06-17 16:59   ` Kees Cook [this message]
2010-06-17 20:45     ` Eric W. Biederman
2010-06-17 21:14       ` Kees Cook
2010-06-17 22:50       ` Serge E. Hallyn
2010-06-17 23:11         ` Eric W. Biederman
