From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>
Subject: Re: Connecting to sockets on MNT_READONLY mounts?
Date: Fri, 2 May 2014 01:56:59 +0100	[thread overview]
Message-ID: <20140502005659.GF18016@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CALCETrXhVKq33-KWLMVxPtCZgHddKsxCOQX9F-LGerXsCrLH5Q@mail.gmail.com>

On Thu, May 01, 2014 at 04:57:13PM -0700, Andy Lutomirski wrote:

> Suppose I bind-mount /usr into a private namespace with
> nosuid,nodev,ro.  How can you use it to attack anything?  The only
> thing I've thought of is to open fifos and connect to sockets.  I'm
> assuming that there's a pid namespace blocking ptrace and such and a
> network namespace blocking abstract sockets.

How many FIFOs and sockets are there in your /usr?  Here all I see
outside of /dev, /run and /tmp (across seven boxen; I can check more, but
I really doubt it'll catch anything) is the grand total of 4:
/lib/cryptsetup/passfifo
/var/lib/oprofile/opd_pipe
/var/lib/nfs/rpc_pipefs/nfs/clnt0/idmap
/var/lib/nfs/rpc_pipefs/gssd/clntXX/gssd

None of those in /usr and I don't believe that you seriously propose to
bind e.g. /lib/cryptsetup into your sandbox.  And while we are at it,
exposing host /usr is *not* a good idea - if nothing else, it gives
quite a bit of information about the versions of software installed on
the host.  Ability to watch atime of /usr/bin/* also might be interesting,
etc.

Do you, by any chance, plan to expose the host /tmp or /run?  Or
rpc_pipefs, for that matter...
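The survey described above (FIFOs and sockets outside /dev, /run and /tmp that a read-only bind would still expose) as an added shell example, not code from this thread. It assumes a POSIX find with -xdev and -path, and mkfifo for the constructed demo tree; the function names are my own.

```shell
#!/bin/sh
# Added example: list the FIFOs and UNIX sockets a read-only bind mount of
# ROOT would still let a sandboxed process open or connect to. Skips the
# dev, run and tmp subtrees under ROOT, as the message does, and stays on
# one filesystem (-xdev), like a single bind mount would.
list_ipc_nodes() {
    root=${1:-/}
    base=${root%/}          # "/" -> "", so "$base/dev" is "/dev"
    find "$root" -xdev \
        \( -path "$base/dev" -o -path "$base/run" -o -path "$base/tmp" \) -prune -o \
        \( -type p -o -type s \) -print 2>/dev/null |
    while IFS= read -r p; do
        if [ -p "$p" ]; then
            printf 'fifo %s\n' "$p"
        else
            printf 'socket %s\n' "$p"
        fi
    done
}

# count_ipc_nodes ROOT: the bare number, for comparing several hosts.
count_ipc_nodes() {
    list_ipc_nodes "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree (not a real /usr): one FIFO where it would be
# reported, one under tmp/ where it is ignored, one regular file.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/lib/cryptsetup" "$t/tmp"
    : > "$t/usr/bin/ls"
    mkfifo "$t/lib/cryptsetup/passfifo"
    mkfifo "$t/tmp/ignored"
    list_ipc_nodes "$t"
    rm -rf "$t"
}
```

Run `list_ipc_nodes /usr` on the host you intend to bind from; an empty result is what the message reports for /usr.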
