All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "John Stultz" <john.stultz@linaro.org>,
	"Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Daniel Mack" <daniel@zonque.org>,
	"David S. Miller" <davem@davemloft.net>,
	kafai@fb.com, "Florian Westphal" <fw@strlen.de>,
	"Harald Hoyer" <harald@redhat.com>,
	"Network Development" <netdev@vger.kernel.org>,
	"Sargun Dhillon" <sargun@sargun.me>,
	"Pablo Neira Ayuso" <pablo@netfilter.org>,
	lkml <linux-kernel@vger.kernel.org>, "Tejun Heo" <tj@kernel.org>,
	"Li Zefan" <lizefan@huawei.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
	"Android Kernel Team" <kernel-team@android.com>,
	"Rom Lemarchand" <romlem@android.com>,
	"Colin Cross" <ccross@android.c>
Subject: Re: [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups
Date: Mon, 5 Dec 2016 20:00:11 -0600	[thread overview]
Message-ID: <20161206020011.GA22261@mail.hallyn.com> (raw)
In-Reply-To: <CALCETrWuKpmXQqoQmcy4Va8abdpfCnMBYHWSD0nK5pocj2nfXA@mail.gmail.com>

On Mon, Dec 05, 2016 at 04:36:51PM -0800, Andy Lutomirski wrote:
> On Mon, Dec 5, 2016 at 4:28 PM, John Stultz <john.stultz@linaro.org> wrote:
> > On Tue, Nov 22, 2016 at 4:57 PM, John Stultz <john.stultz@linaro.org> wrote:
> >> On Tue, Nov 8, 2016 at 4:12 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> >>> On Tue, Nov 8, 2016 at 4:03 PM, Alexei Starovoitov
> >>> <alexei.starovoitov@gmail.com> wrote:
> >>>> On Tue, Nov 08, 2016 at 03:51:40PM -0800, Andy Lutomirski wrote:
> >>>>>
> >>>>> I hate to say it, but I think I may see a problem.  Current
> >>>>> developments are afoot to make cgroups do more than resource control.
> >>>>> For example, there's Landlock and there's Daniel's ingress/egress
> >>>>> filter thing.  Current cgroup controllers can mostly just DoS their
> >>>>> controlled processes.  These new controllers (or controller-like
> >>>>> things) can exfiltrate data and change semantics.
> >>>>>
> >>>>> Does anyone have a security model in mind for these controllers and
> >>>>> the cgroups that they're attached to?  I'm reasonably confident that
> >>>>> CAP_SYS_RESOURCE is not the answer...
> >>>>
> >>>> and specifically the answer is... ?
> >>>> Also would be great if you start with specifying the question first
> >>>> and the problem you're trying to solve.
> >>>>
> >>>
> >>> I don't have a good answer right now.  Here are some constraints, though:
> >>>
> >>> 1. An insufficiently privileged process should not be able to move a
> >>> victim into a dangerous cgroup.
> >>>
> >>> 2. An insufficiently privileged process should not be able to move
> >>> itself into a dangerous cgroup and then use execve to gain privilege
> >>> such that the execve'd program can be compromised.
> >>>
> >>> 3. An insufficiently privileged process should not be able to make an
> >>> existing cgroup dangerous in a way that could compromise a victim in
> >>> that cgroup.
> >>>
> >>> 4. An insufficiently privileged process should not be able to make a
> >>> cgroup dangerous in a way that bypasses protections that would
> >>> otherwise protect execve() as used by itself or some other process in
> >>> that cgroup.
> >>>
> >>> Keep in mind that "dangerous" may apply to a cgroup's descendents in
> >>> addition to the cgroup being controlled.
> >>
> >> Sorry for taking awhile to get back to you here.  I'm a little
> >> befuddled as to what next steps I should consider (and honestly, I'm
> >> not totally sure I really grok your concern here, particularly what
> >> you mean with "dangrous cgroups").
> >>
> >> So is going back to the CAP_CGROUP_MIGRATE approach (to properly
> >> separate "sufficiently" from "insufficiently privileged") better?
> >>
> >> Or something closer to the original method Android used of each cgroup
> >> having an allow_attach() check which could determine what is
> >> sufficiently privledged for the respective level of danger the cgroup
> >> might poise?
> >>
> >> Or just stepping back, what method would you imagine to be reasonable
> >> to allow a specified task to migrate other tasks between cgroups
> >> without it having to be root/suid?
> >
> > Any suggested feedback here?
> 
> I really don't know.  The cgroupfs interface is a bit unfortunate in
> that it doesn't really express the constraints.  To safely migrate a
> task, ISTM you ought to have some form of privilege over the task
> *and* some form of privilege over the cgroup.

Agreed.  The problem is that the privilege required should depend on
the controller (I guess).  For memory and cpuset, CAP_SYS_NICE seems
right.  Perhaps CAP_SYS_RESOURCE would be needed for some..  but then,
as I look through the lists (capabilities(7) and the list of controllers),
it seems like CAP_SYS_NICE works for everything.  What else would we need?
Maybe CAP_NET_ADMIN for net_cls and net_prio?  CAP_SYS_RESOURCE|CAP_SYS_ADMIN
for pids?

>   cgroupfs only handles
> the latter.

If we need different checks for different controllers, we can add
checks to cgroupfs.

> CAP_CGROUP_MIGRATE ought to be okay.  Or maybe cgroupfs needs to gain
> a concept of "dangerous" cgroups and further restrict them and
> CAP_SYS_RESOURCE should be fine for non-dangerous cgroups?  I think I
> favor the latter, but it might be nice to hear from Tejun first.
> 
> --Andy

WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "John Stultz" <john.stultz@linaro.org>,
	"Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Daniel Mack" <daniel@zonque.org>,
	"David S. Miller" <davem@davemloft.net>,
	kafai@fb.com, "Florian Westphal" <fw@strlen.de>,
	"Harald Hoyer" <harald@redhat.com>,
	"Network Development" <netdev@vger.kernel.org>,
	"Sargun Dhillon" <sargun@sargun.me>,
	"Pablo Neira Ayuso" <pablo@netfilter.org>,
	lkml <linux-kernel@vger.kernel.org>, "Tejun Heo" <tj@kernel.org>,
	"Li Zefan" <lizefan@huawei.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
	"Android Kernel Team" <kernel-team@android.com>,
	"Rom Lemarchand" <romlem@android.com>,
	"Colin Cross" <ccross@android.com>,
	"Dmitry Shmidt" <dimitrysh@google.com>,
	"Todd Kjos" <tkjos@google.com>,
	"Christian Poetzsch" <christian.potzsch@imgtec.com>,
	"Amit Pundir" <amit.pundir@linaro.org>,
	"Dmitry Torokhov" <dmitry.torokhov@gmail.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Linux API" <linux-api@vger.kernel.org>
Subject: Re: [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups
Date: Mon, 5 Dec 2016 20:00:11 -0600	[thread overview]
Message-ID: <20161206020011.GA22261@mail.hallyn.com> (raw)
In-Reply-To: <CALCETrWuKpmXQqoQmcy4Va8abdpfCnMBYHWSD0nK5pocj2nfXA@mail.gmail.com>

On Mon, Dec 05, 2016 at 04:36:51PM -0800, Andy Lutomirski wrote:
> On Mon, Dec 5, 2016 at 4:28 PM, John Stultz <john.stultz@linaro.org> wrote:
> > On Tue, Nov 22, 2016 at 4:57 PM, John Stultz <john.stultz@linaro.org> wrote:
> >> On Tue, Nov 8, 2016 at 4:12 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> >>> On Tue, Nov 8, 2016 at 4:03 PM, Alexei Starovoitov
> >>> <alexei.starovoitov@gmail.com> wrote:
> >>>> On Tue, Nov 08, 2016 at 03:51:40PM -0800, Andy Lutomirski wrote:
> >>>>>
> >>>>> I hate to say it, but I think I may see a problem.  Current
> >>>>> developments are afoot to make cgroups do more than resource control.
> >>>>> For example, there's Landlock and there's Daniel's ingress/egress
> >>>>> filter thing.  Current cgroup controllers can mostly just DoS their
> >>>>> controlled processes.  These new controllers (or controller-like
> >>>>> things) can exfiltrate data and change semantics.
> >>>>>
> >>>>> Does anyone have a security model in mind for these controllers and
> >>>>> the cgroups that they're attached to?  I'm reasonably confident that
> >>>>> CAP_SYS_RESOURCE is not the answer...
> >>>>
> >>>> and specifically the answer is... ?
> >>>> Also would be great if you start with specifying the question first
> >>>> and the problem you're trying to solve.
> >>>>
> >>>
> >>> I don't have a good answer right now.  Here are some constraints, though:
> >>>
> >>> 1. An insufficiently privileged process should not be able to move a
> >>> victim into a dangerous cgroup.
> >>>
> >>> 2. An insufficiently privileged process should not be able to move
> >>> itself into a dangerous cgroup and then use execve to gain privilege
> >>> such that the execve'd program can be compromised.
> >>>
> >>> 3. An insufficiently privileged process should not be able to make an
> >>> existing cgroup dangerous in a way that could compromise a victim in
> >>> that cgroup.
> >>>
> >>> 4. An insufficiently privileged process should not be able to make a
> >>> cgroup dangerous in a way that bypasses protections that would
> >>> otherwise protect execve() as used by itself or some other process in
> >>> that cgroup.
> >>>
> >>> Keep in mind that "dangerous" may apply to a cgroup's descendents in
> >>> addition to the cgroup being controlled.
> >>
> >> Sorry for taking awhile to get back to you here.  I'm a little
> >> befuddled as to what next steps I should consider (and honestly, I'm
> >> not totally sure I really grok your concern here, particularly what
> >> you mean with "dangrous cgroups").
> >>
> >> So is going back to the CAP_CGROUP_MIGRATE approach (to properly
> >> separate "sufficiently" from "insufficiently privileged") better?
> >>
> >> Or something closer to the original method Android used of each cgroup
> >> having an allow_attach() check which could determine what is
> >> sufficiently privledged for the respective level of danger the cgroup
> >> might poise?
> >>
> >> Or just stepping back, what method would you imagine to be reasonable
> >> to allow a specified task to migrate other tasks between cgroups
> >> without it having to be root/suid?
> >
> > Any suggested feedback here?
> 
> I really don't know.  The cgroupfs interface is a bit unfortunate in
> that it doesn't really express the constraints.  To safely migrate a
> task, ISTM you ought to have some form of privilege over the task
> *and* some form of privilege over the cgroup.

Agreed.  The problem is that the privilege required should depend on
the controller (I guess).  For memory and cpuset, CAP_SYS_NICE seems
right.  Perhaps CAP_SYS_RESOURCE would be needed for some..  but then,
as I look through the lists (capabilities(7) and the list of controllers),
it seems like CAP_SYS_NICE works for everything.  What else would we need?
Maybe CAP_NET_ADMIN for net_cls and net_prio?  CAP_SYS_RESOURCE|CAP_SYS_ADMIN
for pids?

>   cgroupfs only handles
> the latter.

If we need different checks for different controllers, we can add
checks to cgroupfs.

> CAP_CGROUP_MIGRATE ought to be okay.  Or maybe cgroupfs needs to gain
> a concept of "dangerous" cgroups and further restrict them and
> CAP_SYS_RESOURCE should be fine for non-dangerous cgroups?  I think I
> favor the latter, but it might be nice to hear from Tejun first.
> 
> --Andy

  reply	other threads:[~2016-12-06  2:00 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-08 23:28 [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups John Stultz
2016-11-08 23:28 ` John Stultz
     [not found] ` <1478647728-30357-1-git-send-email-john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-11-08 23:41   ` Kees Cook
2016-11-08 23:41     ` Kees Cook
2016-11-08 23:51 ` Andy Lutomirski
2016-11-09  0:03   ` Alexei Starovoitov
2016-11-09  0:03     ` Alexei Starovoitov
2016-11-09  0:12     ` Andy Lutomirski
2016-11-09  0:12       ` Andy Lutomirski
2016-11-23  0:57       ` John Stultz
2016-11-23  0:57         ` John Stultz
2016-12-06  0:28         ` John Stultz
2016-12-06  0:28           ` John Stultz
     [not found]           ` <CALAqxLW-mq4Lnudtn5KMBPdzBTg5bhTXV9QmUC2vfabVru+fUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06  0:36             ` Andy Lutomirski
2016-12-06  0:36               ` Andy Lutomirski
2016-12-06  2:00               ` Serge E. Hallyn [this message]
2016-12-06  2:00                 ` Serge E. Hallyn
     [not found]                 ` <20161206020011.GA22261-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-12-06 16:57                   ` Tejun Heo
2016-12-06 16:57                     ` Tejun Heo
2016-12-06 16:55               ` Tejun Heo
2016-12-06 16:55                 ` Tejun Heo
     [not found]                 ` <20161206165519.GA17648-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-06 17:01                   ` Andy Lutomirski
2016-12-06 17:01                     ` Andy Lutomirski
     [not found]                     ` <CALCETrV3Yrq1hRcoGCTU_z-T-6hmq-gY-HytR2HGkvnRK-W1SQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 18:12                       ` Tejun Heo
2016-12-06 18:12                         ` Tejun Heo
2016-12-06 18:13                         ` Andy Lutomirski
2016-12-06 18:13                           ` Andy Lutomirski
2016-12-06 18:23                           ` Tejun Heo
2016-12-06 18:23                             ` Tejun Heo
     [not found]                             ` <20161206182315.GB2625-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-09  5:39                               ` John Stultz
2016-12-09  5:39                                 ` John Stultz
2016-12-09 13:27                                 ` Tejun Heo
2016-12-09 13:27                                   ` Tejun Heo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161206020011.GA22261@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=ccross@android.c \
    --cc=cgroups@vger.kernel.org \
    --cc=corbet@lwn.net \
    --cc=daniel@zonque.org \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=harald@redhat.com \
    --cc=john.stultz@linaro.org \
    --cc=kafai@fb.com \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizefan@huawei.com \
    --cc=luto@amacapital.net \
    --cc=luto@kernel.org \
    --cc=mic@digikod.net \
    --cc=netdev@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=romlem@android.com \
    --cc=sargun@sargun.me \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.