From: Jarkko Sakkinen <jarkko@kernel.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: "Andy Lutomirski" <luto@amacapital.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-hotplug@vger.kernel.org,
"systemd Mailing List" <systemd-devel@lists.freedesktop.org>,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Jethro Beekman" <jethro@fortanix.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Haitao Huang" <haitao.huang@linux.intel.com>,
"Ben Hutchings" <ben@decadent.org.uk>
Subject: Re: Creating executable device nodes in /dev?
Date: Wed, 09 Dec 2020 00:15:21 +0000 [thread overview]
Message-ID: <20201209001521.GA64007@kernel.org> (raw)
In-Reply-To: <bbdedcfd-cc24-1616-7f87-3c7f62571b22@gmail.com>
On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote:
> > > > As a further argument, I just did this on a Fedora system:
> > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l
> > > > No results. So making /dev noexec doesn't seem to have any benefit.
> > >
> > > It's no surprise that there aren't any executables in /dev since
> > > removing MAKEDEV ages ago. That's not the issue, which is that
> > > /dev is a writable directory (for UID=0 but no capabilities are
> > > needed) and thus a potential location for constructing unapproved
> > > executables if it is also mounted exec (W^X).
> >
> > UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec.
>
> Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux
> is not universal and the policies might not contain all users or services.
>
> -Topi
What's the data that supports having noexec /dev anyway? With root
access I can then just use something else like /dev/shm mount.
Has there been out in the wild real world cases that noexec mount
of would have prevented?
For me this sounds a lot just something that "feels more secure"
without any measurable benefit. Can you prove me wrong?
/Jarkko
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: "Andy Lutomirski" <luto@amacapital.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-hotplug@vger.kernel.org,
"systemd Mailing List" <systemd-devel@lists.freedesktop.org>,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Jethro Beekman" <jethro@fortanix.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Haitao Huang" <haitao.huang@linux.intel.com>,
"Ben Hutchings" <ben@decadent.org.uk>
Subject: Re: Creating executable device nodes in /dev?
Date: Wed, 9 Dec 2020 02:15:21 +0200 [thread overview]
Message-ID: <20201209001521.GA64007@kernel.org> (raw)
In-Reply-To: <bbdedcfd-cc24-1616-7f87-3c7f62571b22@gmail.com>
On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote:
> > > > As a further argument, I just did this on a Fedora system:
> > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l
> > > > No results. So making /dev noexec doesn't seem to have any benefit.
> > >
> > > It's no surprise that there aren't any executables in /dev since
> > > removing MAKEDEV ages ago. That's not the issue, which is that
> > > /dev is a writable directory (for UID=0 but no capabilities are
> > > needed) and thus a potential location for constructing unapproved
> > > executables if it is also mounted exec (W^X).
> >
> > UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec.
>
> Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux
> is not universal and the policies might not contain all users or services.
>
> -Topi
What's the data that supports having noexec /dev anyway? With root
access I can then just use something else like /dev/shm mount.
Has there been out in the wild real world cases that noexec mount
of would have prevented?
For me this sounds a lot just something that "feels more secure"
without any measurable benefit. Can you prove me wrong?
/Jarkko
next prev parent reply other threads:[~2020-12-09 0:15 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 16:17 Creating executable device nodes in /dev? Andy Lutomirski
2020-11-19 16:17 ` Andy Lutomirski
2020-11-19 16:32 ` Zbigniew Jędrzejewski-Szmek
2020-11-19 18:05 ` Topi Miettinen
2020-11-19 18:05 ` Topi Miettinen
2020-12-08 18:07 ` Andy Lutomirski
2020-12-08 18:07 ` Andy Lutomirski
2020-12-08 20:45 ` Topi Miettinen
2020-12-08 20:45 ` Topi Miettinen
2020-12-08 21:30 ` Andy Lutomirski
2020-12-08 21:30 ` Andy Lutomirski
2020-12-08 23:15 ` Topi Miettinen
2020-12-08 23:15 ` Topi Miettinen
2020-12-09 0:15 ` Jarkko Sakkinen [this message]
2020-12-09 0:15 ` Jarkko Sakkinen
2020-12-09 0:42 ` Jarkko Sakkinen
2020-12-09 0:42 ` Jarkko Sakkinen
2020-12-09 8:58 ` Topi Miettinen
2020-12-09 8:58 ` Topi Miettinen
2020-12-09 9:07 ` Jethro Beekman
2020-12-09 9:07 ` Jethro Beekman
2020-12-09 15:14 ` Andy Lutomirski
2020-12-09 15:14 ` Andy Lutomirski
2020-12-09 19:22 ` Topi Miettinen
2020-12-09 19:22 ` Topi Miettinen
2020-12-09 19:32 ` Andy Lutomirski
2020-12-09 19:32 ` Andy Lutomirski
2020-12-09 21:58 ` Ben Hutchings
2020-12-09 21:58 ` Ben Hutchings
2020-12-11 11:36 ` Zbigniew Jędrzejewski-Szmek
2020-12-09 7:58 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-09 7:58 ` Ulrich Windl
2020-12-11 10:40 ` Jarkko Sakkinen
2020-12-11 10:40 ` Jarkko Sakkinen
2020-12-09 8:35 ` Topi Miettinen
2020-12-09 8:35 ` Topi Miettinen
2020-12-11 10:46 ` Jarkko Sakkinen
2020-12-11 10:46 ` Jarkko Sakkinen
2020-12-11 11:29 ` Greg KH
2020-12-11 11:29 ` Greg KH
2020-12-12 11:51 ` [systemd-devel] " Christian Brauner
2020-12-12 11:51 ` Christian Brauner
2020-12-12 12:32 ` Christian Brauner
2020-12-12 12:32 ` Christian Brauner
2020-12-11 11:46 ` Topi Miettinen
2020-12-11 11:46 ` Topi Miettinen
2020-12-14 7:25 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-14 7:25 ` Ulrich Windl
2020-12-15 4:19 ` Jarkko Sakkinen
2020-12-15 4:19 ` Jarkko Sakkinen
2020-12-15 4:27 ` Jarkko Sakkinen
2020-12-15 4:27 ` Jarkko Sakkinen
2020-12-16 10:03 ` Ulrich Windl
2020-12-16 10:03 ` Ulrich Windl
2020-12-16 13:05 ` Topi Miettinen
2020-12-16 13:05 ` Topi Miettinen
2020-12-22 22:14 ` Jarkko Sakkinen
2020-12-22 22:14 ` Jarkko Sakkinen
2020-12-09 0:03 ` Jarkko Sakkinen
2020-12-09 0:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201209001521.GA64007@kernel.org \
--to=jarkko@kernel.org \
--cc=ben@decadent.org.uk \
--cc=bruce.schlobohm@intel.com \
--cc=casey@schaufler-ca.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=kai.svahn@intel.com \
--cc=linux-hotplug@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=systemd-devel@lists.freedesktop.org \
--cc=toiwoton@gmail.com \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.