From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Borkmann <dborkman@redhat.com>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@chromium.org>,
David Drysdale <drysdale@google.com>,
Linux API <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
linux-mips@linux-mips.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 18:52:09 +0200 [thread overview]
Message-ID: <20140625165209.GA14720@redhat.com> (raw)
In-Reply-To: <CAGXu5jJtLrjbobZC1FD4WV-Jm2p7cRGa1aSPK-d_isnfCZAHdA@mail.gmail.com>
On 06/25, Kees Cook wrote:
>
> On Wed, Jun 25, 2014 at 7:21 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > But. Doesn't this change add a new security hole?
> >
> > Obviously, we should not allow to install a filter and then (say) exec
> > a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS.
> >
> > But what if "thread->seccomp.filter = caller->seccomp.filter" races with
> > any user of task_no_new_privs() ? Say, suppose this thread has already
> > passed check_unsafe_exec/etc and it is going to exec the suid binary?
>
> Oh, ew. Yeah. It looks like there's a cred lock to be held to combat this?
Yes, cred_guard_mutex looks like an obvious choice... Hmm, but somehow
initially I thought that the fix won't be simple. Not sure why.
Yes, at least this should close the race with suid-exec. And there are no
other users. Except apparmor, and I hope you will check it because I simply
do not know what it does ;)
> I wonder if changes to nnp need to "flushed" during syscall entry
> instead of getting updated externally/asynchronously? That way it
> won't be out of sync with the seccomp mode/filters.
>
> Perhaps secure computing needs to check some (maybe seccomp-only)
> atomic flags and flip on the "real" nnp if found?
Not sure I understand you, could you clarify?
But I was also worried that task_no_new_privs(current) is no longer stable
inside the syscall paths, perhaps this is what you meant? However I do not
see something bad here... And this has nothing to do with the race above.
Also. Even ignoring no_new_privs, SECCOMP_FILTER_FLAG_TSYNC is not atomic
and we can do nothing with this fact (unless it try to freeze the thread
group somehow), perhaps it makes sense to document this somehow.
I mean, suppose you want to ensure write-to-file is not possible, so you
do seccomp(SECCOMP_FILTER_FLAG_TSYNC, nack_write_to_file_filter). You can't
assume that this has effect right after seccomp() returns, this can obviously
race with a sub-thread which has already entered sys_write().
Once again, I am not arguing, just I think it makes sense to at least mention
the limitations during the discussion.
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 18:52:09 +0200 [thread overview]
Message-ID: <20140625165209.GA14720@redhat.com> (raw)
In-Reply-To: <CAGXu5jJtLrjbobZC1FD4WV-Jm2p7cRGa1aSPK-d_isnfCZAHdA@mail.gmail.com>
On 06/25, Kees Cook wrote:
>
> On Wed, Jun 25, 2014 at 7:21 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > But. Doesn't this change add a new security hole?
> >
> > Obviously, we should not allow to install a filter and then (say) exec
> > a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS.
> >
> > But what if "thread->seccomp.filter = caller->seccomp.filter" races with
> > any user of task_no_new_privs() ? Say, suppose this thread has already
> > passed check_unsafe_exec/etc and it is going to exec the suid binary?
>
> Oh, ew. Yeah. It looks like there's a cred lock to be held to combat this?
Yes, cred_guard_mutex looks like an obvious choice... Hmm, but somehow
initially I thought that the fix won't be simple. Not sure why.
Yes, at least this should close the race with suid-exec. And there are no
other users. Except apparmor, and I hope you will check it because I simply
do not know what it does ;)
> I wonder if changes to nnp need to "flushed" during syscall entry
> instead of getting updated externally/asynchronously? That way it
> won't be out of sync with the seccomp mode/filters.
>
> Perhaps secure computing needs to check some (maybe seccomp-only)
> atomic flags and flip on the "real" nnp if found?
Not sure I understand you, could you clarify?
But I was also worried that task_no_new_privs(current) is no longer stable
inside the syscall paths, perhaps this is what you meant? However I do not
see something bad here... And this has nothing to do with the race above.
Also. Even ignoring no_new_privs, SECCOMP_FILTER_FLAG_TSYNC is not atomic
and we can do nothing with this fact (unless it try to freeze the thread
group somehow), perhaps it makes sense to document this somehow.
I mean, suppose you want to ensure write-to-file is not possible, so you
do seccomp(SECCOMP_FILTER_FLAG_TSYNC, nack_write_to_file_filter). You can't
assume that this has effect right after seccomp() returns, this can obviously
race with a sub-thread which has already entered sys_write().
Once again, I am not arguing, just I think it makes sense to at least mention
the limitations during the discussion.
Oleg.
next prev parent reply other threads:[~2014-06-25 16:52 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 20:48 [PATCH v8 0/9] seccomp: add thread sync ability Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-27 17:27 ` Kees Cook
2014-06-27 17:27 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 4/9] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 14:44 ` Kees Cook
2014-06-25 14:44 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 5/9] seccomp: split mode set routines Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 14:51 ` Kees Cook
2014-06-25 14:51 ` Kees Cook
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:54 ` Kees Cook
2014-06-25 16:54 ` Kees Cook
[not found] ` <CAGXu5j+J11zJnuFR8bYKAXizAHhCx4R+uJE_QH6zC3q2udkpaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:32 ` Oleg Nesterov
2014-06-25 17:32 ` Oleg Nesterov
[not found] ` <20140625173245.GA17695-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 18:00 ` Kees Cook
2014-06-25 18:00 ` Kees Cook
[not found] ` <CAGXu5jL17k6=GXju6x+eLU20FMwBHhnuRiHoQD1Bzj_EmpiKjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:39 ` Andy Lutomirski
2014-06-27 18:39 ` Andy Lutomirski
[not found] ` <CALCETrUPxTxseJ=sOhD9CyJPtOqCR5sL8yx7KezLmLZcFSFNMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 19:04 ` Kees Cook
2014-06-27 19:04 ` Kees Cook
[not found] ` <CAGXu5jL5rN6=2-SwHiiEVuGVain-T7Ucg2PsN7u08vQ5Rxz6Mg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:27 ` Oleg Nesterov
2014-06-27 19:27 ` Oleg Nesterov
[not found] ` <20140627192753.GA30752-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:55 ` Oleg Nesterov
2014-06-27 19:55 ` Oleg Nesterov
[not found] ` <20140627195559.GA31661-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-25 17:00 ` Oleg Nesterov
2014-06-25 17:00 ` Oleg Nesterov
2014-06-24 20:48 ` [PATCH v8 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 7/9] ARM: add seccomp syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 8/9] MIPS: " Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 15:08 ` Kees Cook
2014-06-25 15:08 ` Kees Cook
2014-06-25 16:52 ` Oleg Nesterov [this message]
2014-06-25 16:52 ` Oleg Nesterov
[not found] ` <20140625165209.GA14720-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:57 ` Kees Cook
2014-06-25 17:57 ` Kees Cook
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:20 ` Oleg Nesterov
2014-06-25 18:20 ` Oleg Nesterov
[not found] ` <20140625182012.GA19437-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-24 20:56 ` [PATCH v8 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 20:56 ` Kees Cook
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 15:10 ` Kees Cook
2014-06-25 15:10 ` Kees Cook
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140625165209.GA14720@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.