linux-fsdevel.vger.kernel.org archive mirror
* Connecting to sockets on MNT_READONLY mounts?
@ 2014-05-01 22:20 Andy Lutomirski
From: Andy Lutomirski @ 2014-05-01 22:20 UTC (permalink / raw)
  To: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

Is it supposed to work?  It does, but this seems odd.  If the current
behavior is intentional, then I'll submit a patch to add a new mount
flag to turn off ipc.  If it's not, then I'll submit a patch to fix
it.

-- 
Andy Lutomirski
AMA Capital Management, LLC


* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro @ 2014-05-01 22:34 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
> Is it supposed to work?

Why the hell not?  Same as opening a device node on r/o filesystem for
write, or doing the same with FIFO.


* Re: Connecting to sockets on MNT_READONLY mounts?
From: Andy Lutomirski @ 2014-05-01 23:00 UTC (permalink / raw)
  To: Al Viro; +Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
>> Is it supposed to work?
>
> Why the hell not?  Same as opening a device node on r/o filesystem for
> write, or doing the same with FIFO.

You can't bind a socket on a read-only fs, so I thought it was a fair question.

I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
block connect on unix sockets and open on fifos.  This will be useful
for sandboxes that want to prevent sandboxed programs from accessing
undesirable parts of the outside world.

--Andy


* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro @ 2014-05-01 23:51 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 04:00:49PM -0700, Andy Lutomirski wrote:
> On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
> >> Is it supposed to work?
> >
> > Why the hell not?  Same as opening a device node on r/o filesystem for
> > write, or doing the same with FIFO.
> 
> You can't bind a socket on a read-only fs, so I thought it was a fair question.
> 
> I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
> block connect on unix sockets and open on fifos.  This will be useful
> for sandboxes that want to prevent sandboxed programs from accessing
> undesirable parts of the outside world.

Sigh...  Don't expose those FIFOs et al. to them, then.
mount --bind /dev/null <pathname>
as part of setting the sucker up.  And if you *are* blindly exposing the
host filesystems to them wholesale, sockets and fifos are the least of your
problems, even if you do that read-only.


* Re: Connecting to sockets on MNT_READONLY mounts?
From: Andy Lutomirski @ 2014-05-01 23:57 UTC (permalink / raw)
  To: Al Viro; +Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 1, 2014 at 4:51 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, May 01, 2014 at 04:00:49PM -0700, Andy Lutomirski wrote:
>> On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
>> > On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
>> >> Is it supposed to work?
>> >
>> > Why the hell not?  Same as opening a device node on r/o filesystem for
>> > write, or doing the same with FIFO.
>>
>> You can't bind a socket on a read-only fs, so I thought it was a fair question.
>>
>> I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
>> block connect on unix sockets and open on fifos.  This will be useful
>> for sandboxes that want to prevent sandboxed programs from accessing
>> undesirable parts of the outside world.
>
> Sigh...  Don't expose those FIFOs et.al. to them, then.
> mount --bind /dev/null <pathname>
> as part of setting the sucker up.  And if you *are* blindly exposing the
> host filesystems to them wholesale, sockets and fifos are the least of your
> problems, even if you do that read-only.

Why?

Suppose I bind-mount /usr into a private namespace with
nosuid,nodev,ro.  How can you use it to attack anything?  The only
thing I've thought of is to open fifos and connect to sockets.  I'm
assuming that there's a pid namespace blocking ptrace and such and a
network namespace blocking abstract sockets.

--Andy


* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro @ 2014-05-02  0:56 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 04:57:13PM -0700, Andy Lutomirski wrote:

> Suppose I bind-mount /usr into a private namespace with
> nosuid,nodev,ro.  How can you use it to attack anything?  The only
> thing I've thought of is to open fifos and connect to sockets.  I'm
> assuming that there's a pid namespace blocking ptrace and such and a
> network namespace blocking abstract sockets.

How many FIFOs and sockets are there in your /usr?  Here all I see
outside of /dev, /run and /tmp (across seven boxen; I can check more, but
I really doubt it'll catch anything) is the grand total of 4:
/lib/cryptsetup/passfifo
/var/lib/oprofile/opd_pipe
/var/lib/nfs/rpc_pipefs/nfs/clnt0/idmap
/var/lib/nfs/rpc_pipefs/gssd/clntXX/gssd

None of those in /usr and I don't believe that you seriously propose to
bind e.g. /lib/cryptsetup into your sandbox.  And while we are at it,
exposing host /usr is *not* a good idea - if nothing else, it gives
quite a bit of information about the versions of software installed on
the host.  Ability to watch atime of /usr/bin/* also might be interesting,
etc.

Do you, by any chance, plan to expose the host /tmp or /run?  Or
rpc_pipefs, for that matter...
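
An added example, not code from this thread or from the kernel tree: a small sh script that carries out the setup Al recommends and the namespace layout Andy describes. It surveys a tree for FIFOs and unix sockets (Al's find over everything outside /dev, /run and /tmp), binds the host /usr into a private mount namespace with ro,nosuid,nodev, and bind-mounts /dev/null over each node found, all inside fresh user, mount, pid and net namespaces. The sandbox root path, the excluded prefixes and the use of chroot rather than pivot_root are assumptions for illustration. The asymmetry that started the thread is the reason the masking step exists: on a read-only mount, bind() of a new unix socket fails with EROFS because it must create an inode, while connect() on an existing socket and open() on a FIFO only need write permission on that inode, which the read-only check does not enforce for sockets, FIFOs and device nodes.

```shell
#!/bin/sh
# Added example; not code from this thread or from the kernel tree.
# Survey a host tree for FIFOs and unix sockets, then build a sandbox
# with that tree bound ro,nosuid,nodev and /dev/null bind-mounted over
# every such node. A read-only mount stops bind() (creating the socket
# inode fails with EROFS) but not connect() on an existing socket or
# open() on a FIFO, so ro alone is not an IPC barrier.
# Paths such as /tmp/sbx below are illustrative assumptions.
#
# Usage:  sh sandbox.sh survey / /dev /run /tmp
#         sh sandbox.sh run /tmp/sbx /usr/bin/id

# list_ipc_nodes ROOT [EXCLUDE_PREFIX...]
# Print every FIFO (-type p) and socket (-type s) under ROOT, staying on
# ROOT's filesystem (-xdev) and pruning each EXCLUDE_PREFIX. The prune
# expressions are accumulated on the positional list so plain sh suffices.
list_ipc_nodes() {
    _root=$1; shift
    for _ex; do
        set -- "$@" -path "${_ex%/}" -prune -o
        shift
    done
    find "$_root" -xdev "$@" \( -type p -o -type s \) -print 2>/dev/null
}

# count_ipc_nodes ROOT [EXCLUDE_PREFIX...]  -> number of nodes on stdout
count_ipc_nodes() {
    list_ipc_nodes "$@" | wc -l | tr -d ' '
}

# mask_ipc_nodes ROOT [EXCLUDE_PREFIX...]
# Bind-mount /dev/null over each node the survey finds. Needs CAP_SYS_ADMIN
# in the current mount namespace, so call it from inside the sandbox's
# private one; the host's view of the tree is never changed.
mask_ipc_nodes() {
    list_ipc_nodes "$@" | while IFS= read -r _node; do
        mount --bind /dev/null "$_node" || exit 1
    done
}

# prepare_sandbox_root SANDBOX_ROOT
# Bind the host /usr into SANDBOX_ROOT read-only, nosuid, nodev and mask
# its IPC nodes. The first bind ignores ro; the remount,bind step is what
# actually sets MNT_READONLY and the other per-mount flags.
prepare_sandbox_root() {
    _root=$1
    mkdir -p "$_root/usr" "$_root/dev" "$_root/proc" || return 1
    # Minimal /dev: a tmpfs holding only /dev/null, bound from the host
    # because mknod is not permitted inside a user namespace.
    mount -t tmpfs -o nosuid,nodev,mode=755 tmpfs "$_root/dev" || return 1
    : > "$_root/dev/null" && mount --bind /dev/null "$_root/dev/null" || return 1
    mount --bind /usr "$_root/usr" || return 1
    mount -o remount,bind,ro,nosuid,nodev "$_root/usr" || return 1
    # Merged-/usr hosts keep /bin, /lib etc. as symlinks; recreate them so
    # the dynamic loader resolves inside the chroot.
    for _d in bin sbin lib lib64; do
        if [ -L "/$_d" ]; then ln -sfn "usr/$_d" "$_root/$_d" || return 1; fi
    done
    mask_ipc_nodes "$_root/usr"
}

# run_sandboxed SANDBOX_ROOT CMD [ARG...]
# Fresh user, mount, pid and net namespaces (pid blocks ptrace of host
# processes, net blocks abstract unix sockets), then re-enter this script
# to build the root and chroot into it. --map-root-user lets this run
# without real root where unprivileged user namespaces are enabled.
# chroot keeps the example short; a real sandbox uses pivot_root and
# drops capabilities before exec.
run_sandboxed() {
    _root=$1; shift
    unshare --user --map-root-user --mount --pid --fork --net -- \
        /bin/sh "$0" __inside "$_root" "$@"
}

case "${1-}" in
    survey)   shift; list_ipc_nodes "$@" ;;
    run)      shift; run_sandboxed "$@" ;;
    __inside) shift; _root=$1; shift
              prepare_sandbox_root "$_root" &&
              mount -t proc proc "$_root/proc" &&
              exec chroot "$_root" "$@" ;;
esac
```

Run the survey first on the host tree you intend to expose; if it prints anything under that tree, those are the endpoints a read-only bind mount would still let the sandboxed program connect to or open, and mask_ipc_nodes hides each of them behind /dev/null before the program starts.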

