From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] -ow features
Date: Fri, 29 Jul 2011 22:00:49 +0400 [thread overview]
Message-ID: <20110729180049.GA2623@albatros> (raw)
In-Reply-To: <20110729173037.GA12284@openwall.com>
On Fri, Jul 29, 2011 at 21:30 +0400, Solar Designer wrote:
> > HARDEN_LINK
> > HARDEN_FIFO
> >
> > These are implemented in YAMA LSM. Kees Cook's last attempt (AFAIK) is:
> >
> > http://marc.info/?l=linux-security-module&m=130023775422255&w=2
> >
> > James Morris' reaction:
> >
> > http://marc.info/?l=linux-security-module&m=130032319219333&w=2
> >
> > So, the issue is that LSM guys say that LSM is the place where only
> > enhanced access control schemes may be located, but VFS folks
> > say that all similar non-POSIX restrictions should go into LSM as a
> > configurable security feature (extern relative to VFS). This
> > inconsistency is really nasty :(
>
> So do you intend to skip HARDEN_LINK and HARDEN_FIFO, and work on them
> for RHEL6/OpenVZ kernels for Owl only (well, maybe also for OpenVZ and
> Red Hat if they choose accept this into their trees)?
Yes, I don't see how can I improve the situation with upstream. Kees
Cook tried to push it several times, providing various good arguments.
> I just recalled that in -ow I also patched the added RLIMIT_NPROC check
> into copies of the execve() code in 32-bit syscall wrappers on 64-bit
> systems - e.g., do_execve32() in arch/mips64/kernel/linux32.c. To give
> credit where it's due, per my notes it was Brad Spengler who noticed
> that these had been overlooked and informed me in 2003 or so. Is this
> still relevant to current kernels?
No, grep shows no usage in arch/.
> > Special handling of fd 0,1,2 (Linux 2.0/2.2) for set*id
> >
> > It is handled in glibc now by opening /dev/{null,full}, however, I see
> > (minor) drawbacks:
> >
> > 1) It's possible to have a chroot without polluted /dev/, so setuid
> > inside of chroot might fail to reopen fds.
> >
> > 2) It's not handled in other libc implementations.
> >
> > Other than that, it already works.
>
> Right. Is the glibc implementation fail-close or fail-open - that is,
> what happens if e.g. /dev/{null,full} don't exist? Does the program
> continue to start up, but without this safety measure?
No, it crashes (tries to execute "hlt" in a loop).
> Either way, I think we should propose this for the kernel - post an RFC.
OK. However, I think it will be rejected with a reason "it is a
doubtful feature, which breaks POSIX and it is already implemented in
a userspace libc".
Thanks,
--
Vasiliy
next prev parent reply other threads:[~2011-07-29 18:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-23 16:27 [kernel-hardening] -ow features Solar Designer
2011-07-29 9:00 ` Vasiliy Kulikov
2011-07-29 17:30 ` Solar Designer
2011-07-29 18:00 ` Vasiliy Kulikov [this message]
2011-07-29 18:06 ` Vasiliy Kulikov
2011-07-29 22:42 ` Solar Designer
2011-07-30 18:20 ` [kernel-hardening] BINFMT_ELF_AOUT (was: -ow features) Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110729180049.GA2623@albatros \
--to=segoon@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.