From mboxrd@z Thu Jan 1 00:00:00 1970 From: Aleksa Sarai Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters Date: Sun, 12 May 2019 23:35:49 +1000 Message-ID: <20190512133549.ymx5yg5rdqvavzyq@yavin> References: <20190506191735.nmzf7kwfh7b6e2tf@yavin> <20190510204141.GB253532@google.com> <20190510225527.GA59914@google.com> <9CD2B97D-A6BD-43BE-9040-B410D996A195@amacapital.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="7ljvorpid7rujdy3" Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Linus Torvalds Cc: Andy Lutomirski , Andrew Lutomirski , Jann Horn , Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Eric Biederman , Andrew Morton , Alexei Starovoitov , Kees Cook , Christian Brauner , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Aleksa Sarai , Linux Containers , linux-fsdevel List-Id: linux-api@vger.kernel.org --7ljvorpid7rujdy3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019-05-12, Linus Torvalds wrote: > On Sat, May 11, 2019 at 7:37 PM Andy Lutomirski wro= te: > > I bet this will break something that already exists. An execveat() > > flag to turn off /proc/self/exe would do the trick, though. >=20 > Thinking more about it, I suspect it is (once again) wrong to let the > thing that does the execve() control that bit. >=20 > Generally, the less we allow people to affect the lifetime and > environment of a suid executable, the better off we are. >=20 > But maybe we could limit /proc/*/exe to at least not honor suid'ness > of the target? Or does chrome/runc depend on that too? Speaking on the runc side, we don't depend on this. It's possible someone depends on this for fexecve(3) -- but as mentioned before in newer kernels glibc uses execve(AT_EMPTY_PATH). I would like to point out though that I'm a little bit cautious about /proc/self/exe-specific restrictions -- because a trivial way to get around them would be to just open it with O_PATH (and you end up with a /proc/self/fd/ which is equivalent). Unfortunately blocking setuid exec on all O_PATH descriptors would break even execve(AT_EMPTY_PATH) of setuid descriptors. The patches I mentioned (which Andy and I discussed off-list) would effectively make the magiclink modes in /proc/ affect how you can operate on the path (no write bit in the mode, cannot re-open it write). One aspect of this is how to handle O_PATH and in particular how do we handle an O_PATH re-open of an already-restricted magiclink. Maybe we could make it so that setuid is disallowed if you are dealing with an O_PATH fd which was a magiclink. Effectively, on O_PATH open you get an fmode_t saying FMODE_SETUID_EXEC_ALLOWED *but* if the path is a magiclink this fmode gets dropped and when the fd is given to execveat(AT_EMPTY_PATH) the fmode is checked and setuid-exec is not allowed. [I assume in this discussion "setuid" means "setuid + setcap", right?] --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --7ljvorpid7rujdy3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEb6Gz4/mhjNy+aiz1Snvnv3Dem58FAlzYITIACgkQSnvnv3De m5+OKBAAiDKQq70XmSTMnQLoBSf5SB1ZyMZ3vJXt6n0euUe+wavft0DZtPTb0hY3 uKd7u/g38zUZ7baljhnkEJQAyZy27SG+2/3EAKSAE9jtMS6pdksQWYwjOwXdMu50 1lnSKVxGnLLWWFw223hgh9DFnoK4VcWVIclLW2h+Hvx0ZdOgGxJGN90e+E8bHjKi 9M1A4asRFL84bm3wFqTwnYSulEKLlt2N6RsEg9jgtc4LSqkqniv3GqyFdtdfhJ4x +6O80qPV9ZuPPhh9KH6lepHvlmJTUvHjrNbUbdfqqRmL1FaxvhOmLTezUWrpxOVB 3Y5PlLCKAeIpILMMDhwKFwRKFv3rVaPV7hrF/7W3dhtaafsEiiOVPvR5EOibckW8 Sjxjfk/9GMpojh4fQW8kMA6oUoK6t0C3whZ/lkIG5tHP5NfTmy0mAkM8792lMTCP fXoEREetPz7fTgqLSWIviE1B8R2639WE9U33+7szv091/9k5sF6IWIihgu76eCnK fYEULllNXG6rVrUFRi3TPQayufLiwtHBkS2EYmTI4LnMl8FF3epFieIxkuIT/CZl khWT2EXGmkflqCTR6pS3ctBPAZ+tHpzjSo9j0/U0r3moNUP7OBLhFPWWvZ1Qvo8i dZKy9IVwy3ycjoDurTWk3/UOfa4XFBgBb07HxAp8W5yE39Bk89s= =2vc5 -----END PGP SIGNATURE----- --7ljvorpid7rujdy3--