* Connecting to sockets on MNT_READONLY mounts?
From: Andy Lutomirski
Date: 2014-05-01 22:20 UTC
To: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

Is it supposed to work?  It does, but this seems odd.

If the current behavior is intentional, then I'll submit a patch to add
a new mount flag to turn off ipc.  If it's not, then I'll submit a patch
to fix it.

--
Andy Lutomirski
AMA Capital Management, LLC
* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro
Date: 2014-05-01 22:34 UTC
To: Andy Lutomirski
Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
> Is it supposed to work?

Why the hell not?  Same as opening a device node on r/o filesystem for
write, or doing the same with FIFO.
* Re: Connecting to sockets on MNT_READONLY mounts?
From: Andy Lutomirski
Date: 2014-05-01 23:00 UTC
To: Al Viro
Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
>> Is it supposed to work?
>
> Why the hell not?  Same as opening a device node on r/o filesystem for
> write, or doing the same with FIFO.

You can't bind a socket on a read-only fs, so I thought it was a fair
question.

I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
block connect on unix sockets and open on fifos.  This will be useful
for sandboxes that want to prevent sandboxed programs from accessing
undesirable parts of the outside world.

--Andy
* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro
Date: 2014-05-01 23:51 UTC
To: Andy Lutomirski
Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 04:00:49PM -0700, Andy Lutomirski wrote:
> On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
> >> Is it supposed to work?
> >
> > Why the hell not?  Same as opening a device node on r/o filesystem for
> > write, or doing the same with FIFO.
>
> You can't bind a socket on a read-only fs, so I thought it was a fair
> question.
>
> I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
> block connect on unix sockets and open on fifos.  This will be useful
> for sandboxes that want to prevent sandboxed programs from accessing
> undesirable parts of the outside world.

Sigh...  Don't expose those FIFOs et.al. to them, then.
	mount --bind /dev/null <pathname>
as part of setting the sucker up.  And if you *are* blindly exposing the
host filesystems to them wholesale, sockets and fifos are the least of your
problems, even if you do that read-only.
* Re: Connecting to sockets on MNT_READONLY mounts?
From: Andy Lutomirski
Date: 2014-05-01 23:57 UTC
To: Al Viro
Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 1, 2014 at 4:51 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, May 01, 2014 at 04:00:49PM -0700, Andy Lutomirski wrote:
>> On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
>> > On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
>> >> Is it supposed to work?
>> >
>> > Why the hell not?  Same as opening a device node on r/o filesystem for
>> > write, or doing the same with FIFO.
>>
>> You can't bind a socket on a read-only fs, so I thought it was a fair
>> question.
>>
>> I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
>> block connect on unix sockets and open on fifos.  This will be useful
>> for sandboxes that want to prevent sandboxed programs from accessing
>> undesirable parts of the outside world.
>
> Sigh...  Don't expose those FIFOs et.al. to them, then.
>       mount --bind /dev/null <pathname>
> as part of setting the sucker up.  And if you *are* blindly exposing the
> host filesystems to them wholesale, sockets and fifos are the least of your
> problems, even if you do that read-only.

Why?  Suppose I bind-mount /usr into a private namespace with
nosuid,nodev,ro.  How can you use it to attack anything?  The only
thing I've thought of is to open fifos and connect to sockets.  I'm
assuming that there's a pid namespace blocking ptrace and such and a
network namespace blocking abstract sockets.

--Andy
* Re: Connecting to sockets on MNT_READONLY mounts?
From: Al Viro
Date: 2014-05-02 0:56 UTC
To: Andy Lutomirski
Cc: Linux FS Devel, linux-kernel@vger.kernel.org, Network Development

On Thu, May 01, 2014 at 04:57:13PM -0700, Andy Lutomirski wrote:
> Suppose I bind-mount /usr into a private namespace with
> nosuid,nodev,ro.  How can you use it to attack anything?  The only
> thing I've thought of is to open fifos and connect to sockets.  I'm
> assuming that there's a pid namespace blocking ptrace and such and a
> network namespace blocking abstract sockets.

How many FIFOs and sockets are there in your /usr?  Here all I see
outside of /dev, /run and /tmp (across seven boxen; I can check more,
but I really doubt it'll catch anything) is the grand total of 4:
	/lib/cryptsetup/passfifo
	/var/lib/oprofile/opd_pipe
	/var/lib/nfs/rpc_pipefs/nfs/clnt0/idmap
	/var/lib/nfs/rpc_pipefs/gssd/clntXX/gssd
None of those in /usr and I don't believe that you seriously propose to
bind e.g. /lib/cryptsetup into your sandbox.

And while we are at it, exposing host /usr is *not* a good idea - if
nothing else, it gives quite a bit of information about the versions of
software installed on the host.  Ability to watch atime of /usr/bin/*
also might be interesting, etc.

Do you, by any chance, plan to expose the host /tmp or /run?  Or
rpc_pipefs, for that matter...
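The two practical steps in this thread are Al Viro's check (how many FIFOs and Unix sockets actually live under the tree you intend to expose) and his remedy (bind-mount /dev/null over each one while setting the sandbox up). The script below is an added example for this page and is not code from the thread or from any participant. It only walks a directory with find(1) and prints the mount(8) commands; it runs them nowhere, so it is safe to try unprivileged. The directory it is pointed at, the /usr example, and the idea of piping its output into a shell after `unshare -m` are assumptions about how a sandbox would be set up, not something the thread specifies.

```shell
# Added example: audit a tree for FIFOs and Unix sockets before bind-mounting
# it into a sandbox, and emit the "mount --bind /dev/null PATH" commands
# suggested in the thread. Assumes POSIX find(1) (-type p / -type s / -xdev)
# and a Linux mount(8) that accepts --bind. Nothing here modifies the system.

# list_ipc_nodes DIR: print every FIFO (-type p) and socket (-type s) under
# DIR. -xdev stays on one filesystem so a mounted /proc, /dev or rpc_pipefs
# is not descended into; those are separate decisions for the sandbox.
list_ipc_nodes() {
    find "$1" -xdev \( -type p -o -type s \) -print 2>/dev/null | LC_ALL=C sort
}

# count_ipc_nodes DIR: the "grand total" from the thread, for a quick check
# that a candidate tree such as /usr really carries no IPC endpoints.
count_ipc_nodes() {
    list_ipc_nodes "$1" | wc -l | tr -d ' '
}

# quote_sh STR: single-quote a path so it survives being fed to a shell,
# even if it contains spaces or a stray quote.
quote_sh() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# mask_commands DIR: one "mount --bind /dev/null PATH" line per node found.
# The commands are printed, not executed. To apply them (assumption: this is
# how the sandbox is built), run them as root inside the sandbox's private
# mount namespace, e.g.  mask_commands /usr | unshare -m sh -e
# After that, open(2) on the masked FIFO or connect(2) on the masked socket
# sees /dev/null instead of the host endpoint.
mask_commands() {
    list_ipc_nodes "$1" | while IFS= read -r p; do
        printf 'mount --bind /dev/null %s\n' "$(quote_sh "$p")"
    done
}
```

Masking is per-path, so it has to be redone whenever the exposed tree gains a new FIFO or socket; running `count_ipc_nodes` against the tree as part of the sandbox's build or test step catches that drift. Note that `list_ipc_nodes` deliberately does not cross mount points: a bind-mounted /usr that in turn has rpc_pipefs or a tmpfs mounted under it must be audited (or, better, left out) separately.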