public inbox for kernel-hardening@lists.openwall.com
 help / color / mirror / Atom feed
From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Chris Evans <scarybeasts@gmail.com>, djm@mindrot.org
Subject: Re: [kernel-hardening] 32/64 bitness restriction for pid namespace
Date: Sun, 14 Aug 2011 13:50:10 +0400	[thread overview]
Message-ID: <20110814095010.GA14443@openwall.com> (raw)
In-Reply-To: <20110813165502.GA9328@albatros>

Vasiliy,

On Sat, Aug 13, 2011 at 08:55:02PM +0400, Vasiliy Kulikov wrote:
> Some thoughts about prctl() approach.

Here's a further thought:

The feature makes sense not only for pid namespaces, but also for some
daemons, and especially for their privsep child processes - regardless
of whether they make use of namespaces (vsftpd) or not (openssh).

So maybe the restriction should apply to a process tree rather than to a
namespace?  Sure, in some cases it could be bypassed via ptrace(), but
the intended uses would be either in containers (separate pid namespace)
or in daemons' privsep child processes, which are hopefully running as a
pseudo-user dedicated to the daemon - so can't ptrace() anything else
because of uid mismatch, and can't ptrace() other instances because of
their dumpable flag having been reset on setuid().

Specifically, the prctl() could set your two proposed flag bits
affecting the following execve(), but it could also set a third bit,
which, when set, would immediately lock the current process to its
current bitness (or to current ABI in general) and would also lock
execve()'d binaries in the same way (although in practice such
processes will tend to be chrooted to /var/empty).

So we have three bits:

bit 0 - lock next execve() to 32-bit
bit 1 - lock next execve() to 64-bit
bit 2 - lock current process and execve() to current bitness/ABI

Specific bit combinations are interpreted as follows:

0 - no locking (current behavior)
1 - lock next execve() to 32-bit, fail it if not 32-bit ELF
2 - lock next execve() to 64-bit, fail it if not 64-bit ELF
3 - lock the next execve()'d process to its actual bitness
4 - lock current process and execve() to current bitness
5 - lock current process to current bitness, but execve() to 32-bit ELF
6 - lock current process to current bitness, but execve() to 64-bit ELF
7 - lock current process to current bitness, but next execve() to its actual bitness

5 to 7 are probably not very useful, but are defined for consistency.

Maybe when bit 2 is set, it should also disable ptrace() for the current
process (so that it can't ptrace() other processes even of matching uid).

How does this sound to you?

Concern/to-do: need to figure out how x32 and other ABIs fit into this.

Alexander

  parent reply	other threads:[~2011-08-14  9:50 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-08-07 11:00 [kernel-hardening] 32/64 bitness restriction for pid namespace Vasiliy Kulikov
2011-08-08 17:39 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10  9:52   ` Vasiliy Kulikov
2011-08-10 13:03     ` [kernel-hardening] " Solar Designer
2011-08-10 13:27       ` Vasiliy Kulikov
2011-08-10 14:26         ` Solar Designer
2011-08-10 15:02           ` Vasiliy Kulikov
2011-08-10 15:40             ` Solar Designer
2011-08-10 16:21               ` Vasiliy Kulikov
2011-08-10 16:42                 ` Solar Designer
2011-08-12 12:07                   ` Vasiliy Kulikov
2011-08-12 12:23                     ` Solar Designer
2011-08-13 15:12                       ` Vasiliy Kulikov
2011-08-13 15:19                         ` Solar Designer
2011-08-13 16:55                           ` Vasiliy Kulikov
2011-08-13 17:31                             ` Vasiliy Kulikov
2011-08-13 19:25                               ` Solar Designer
2011-08-13 19:22                             ` Solar Designer
2011-08-14  9:50                             ` Solar Designer [this message]
2011-08-14 10:16                               ` Vasiliy Kulikov
2011-08-14 11:29                                 ` Solar Designer
2011-08-14 11:55                                   ` Vasiliy Kulikov
2011-08-14 12:04                                     ` Solar Designer
2011-08-14 12:16                                       ` Vasiliy Kulikov
2011-08-15 15:38                                       ` Vasiliy Kulikov
2011-08-15 21:33                                         ` Solar Designer
2011-08-16  6:39                                           ` Vasiliy Kulikov
2011-08-15 21:46                                         ` Solar Designer
2011-08-16  6:25                                           ` Vasiliy Kulikov
2011-08-18 10:34                                         ` Solar Designer
2011-08-18 14:42                                           ` Vasiliy Kulikov
2011-08-12  9:09                 ` Vasiliy Kulikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110814095010.GA14443@openwall.com \
    --to=solar@openwall.com \
    --cc=djm@mindrot.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=scarybeasts@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox