From: Topi Miettinen <toiwoton@gmail.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: "Andy Lutomirski" <luto@amacapital.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-hotplug@vger.kernel.org,
"systemd Mailing List" <systemd-devel@lists.freedesktop.org>,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Jethro Beekman" <jethro@fortanix.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Haitao Huang" <haitao.huang@linux.intel.com>,
"Ben Hutchings" <ben@decadent.org.uk>
Subject: Re: Creating executable device nodes in /dev?
Date: Wed, 09 Dec 2020 08:35:21 +0000 [thread overview]
Message-ID: <b1cf9503-0c1c-ab9e-3cc4-ef2b7611b280@gmail.com> (raw)
In-Reply-To: <20201209001521.GA64007@kernel.org>
On 9.12.2020 2.15, Jarkko Sakkinen wrote:
> On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote:
>>>>> As a further argument, I just did this on a Fedora system:
>>>>> $ find /dev -perm /ugo+x -a \! -type d -a \! -type l
>>>>> No results. So making /dev noexec doesn't seem to have any benefit.
>>>>
>>>> It's no surprise that there aren't any executables in /dev since
>>>> removing MAKEDEV ages ago. That's not the issue, which is that
>>>> /dev is a writable directory (for UID=0 but no capabilities are
>>>> needed) and thus a potential location for constructing unapproved
>>>> executables if it is also mounted exec (W^X).
>>>
>>> UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec.
>>
>> Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux
>> is not universal and the policies might not contain all users or services.
>>
>> -Topi
>
> What's the data that supports having noexec /dev anyway? With root
> access I can then just use something else like /dev/shm mount.
>
> Has there been out in the wild real world cases that noexec mount
> of would have prevented?
>
> For me this sounds a lot just something that "feels more secure"
> without any measurable benefit. Can you prove me wrong?
I don't think security works that way. An attacker has various methods
to choose from, some are more interesting than others. The case where
rw,exec /dev would be interesting would imply that easier or more common
avenues would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp,
or /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP
approach with no need for any file system access is getting more common.
It does not mean that it would not be prudent to block the relatively
easy approaches too, including /dev.
-Topi
next prev parent reply other threads:[~2020-12-09 8:35 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 16:17 Creating executable device nodes in /dev? Andy Lutomirski
2020-11-19 16:32 ` Zbigniew Jędrzejewski-Szmek
2020-11-19 18:05 ` Topi Miettinen
2020-12-08 18:07 ` Andy Lutomirski
2020-12-08 20:45 ` Topi Miettinen
2020-12-08 21:30 ` Andy Lutomirski
2020-12-08 23:15 ` Topi Miettinen
2020-12-09 0:15 ` Jarkko Sakkinen
2020-12-09 0:42 ` Jarkko Sakkinen
2020-12-09 8:58 ` Topi Miettinen
2020-12-09 9:07 ` Jethro Beekman
2020-12-09 15:14 ` Andy Lutomirski
2020-12-09 19:22 ` Topi Miettinen
2020-12-09 19:32 ` Andy Lutomirski
2020-12-09 21:58 ` Ben Hutchings
2020-12-11 11:36 ` Zbigniew Jędrzejewski-Szmek
2020-12-09 7:58 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-11 10:40 ` Jarkko Sakkinen
2020-12-09 8:35 ` Topi Miettinen [this message]
2020-12-11 10:46 ` Jarkko Sakkinen
2020-12-11 11:29 ` Greg KH
2020-12-12 11:51 ` [systemd-devel] " Christian Brauner
2020-12-12 12:32 ` Christian Brauner
2020-12-11 11:46 ` Topi Miettinen
2020-12-14 7:25 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-15 4:19 ` Jarkko Sakkinen
2020-12-15 4:27 ` Jarkko Sakkinen
2020-12-16 10:03 ` Ulrich Windl
2020-12-16 13:05 ` Topi Miettinen
2020-12-22 22:14 ` Jarkko Sakkinen
2020-12-09 0:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b1cf9503-0c1c-ab9e-3cc4-ef2b7611b280@gmail.com \
--to=toiwoton@gmail.com \
--cc=ben@decadent.org.uk \
--cc=bruce.schlobohm@intel.com \
--cc=casey@schaufler-ca.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jarkko@kernel.org \
--cc=jethro@fortanix.com \
--cc=kai.svahn@intel.com \
--cc=linux-hotplug@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=systemd-devel@lists.freedesktop.org \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).