Re: chroot(2) and bind mounts as non-root

["Serge E. Hallyn" <serge@hallyn.com>]

Quoting Colin Walters (walters@verbum.org):
> But it was pretty trivial to modify my tool to make a MS_NOSUID bind
> mount over /:
> 
>       mount (NULL, "/", "none", MS_PRIVATE | MS_REMOUNT | MS_NOSUID,
> NULL);
> 
> That's hopefully enough to plug that hole (right?), albeit not in a

Heh, yeah I think that suffices :)

...

> Looks to me like the MS_NOSUID bind mount prevents acquisition of file
> capabilities too.

Yup.

> I experimented with dropping all capabilities from the capability
> bounding set, but the API seems a bit lame in that CAP_LAST_CAP is
> encoded in the kernel capability.h, but if an old binary is run on a new
> kernel, I might silently fail to drop a newly added capability.  Right?

Look at the cap_get_bound.3 manpage, and look for CAP_IS_SUPPORTED.
If you start at CAP_LAST_CAP and keep going up/down depending on whether
it was support or not it shouldn't take too long to find the last
valid value.  Not ideal, but should be reliable.

> Steve Grubb's "libcap-ng" appears to not handle this scenario at all;
> Steve, am I missing something?
> 
> Anyways, in the big picture here I think this tool is now pretty safe to
> install suid root, since we rely on MS_NOSUID to close all privilege

I haven't taken a critical look at the mount code but other than that
it seems reasonable and useful to me!  Thanks.

> escalation mechanisms today from plugging in a USB drive, which is
> effectively "user controls arbitrary filesystem layout".
> 
> But getting in Eric's patch for disabling suid binaries from a process
> tree would be really nice.  Alan, do you still object?  Your main issue
> seemed to be that it should be in a LSM, but the suid issue does span
> existing LSMs.  And as far as adding restrictions introduces new attack
> vectors, pretty much all of those are abusing suid binaries, precisely
> what we just want to axe off entirely.

-serge