Re: [PATCH v4 1/3] exec: add PR_HIDE_SELF_EXE prctl

[Giuseppe Scrivano <gscrivan@redhat.com>]

Giuseppe Scrivano <gscrivan@redhat.com> writes:

> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
> processes to hide their own /proc/self/exe file. When this prctl is
> used, every access to /proc/self/exe for the calling process will
> fail with EPERM.
>
> This is useful for preventing issues like CVE-2019-5736, where an
> attacker can gain host root access by overwriting the binary
> in OCI runtimes through file-descriptor mishandling in containers.
>
> The current fix for CVE-2019-5736 is to create a read-only copy or
> a bind-mount of the current executable, and then re-exec the current
> process.  With the new prctl, the read-only copy or bind-mount copy is
> not needed anymore.
>
> Once prctl(PR_HIDE_SELF_EXE) is set, it will blocks PR_SET_DUMPABLE to
> be set again.  It is not done automatically so that PR_SET_DUMPABLE
> can be set at a later time if needed, e.g. a container runtime might
> want to do that after the user namespace is joined.
>
> It is currently kind of expected that a container uses execve to pass
> control to a binary in the container chroot, since the /proc/self/exe
> and /proc/self/map_files refer to files that are not part of the
> container itself; so if the process can be compromised in any way
> (e.g. an interpreter running a script in the container without calling
> execve), it could potentially lead to host compromise.  It is
> necessary to ensure that the current process cannot be set to dumpable
> anymore, since that would allow another process in the container to
> get access to its proc files.
>
> A container runtime could use the new prctl in the following way:
>
> - run prctl(PR_HIDE_SELF_EXE) as soon as possible.
> - if prctl(PR_HIDE_SELF_EXE) fails then use the more expensive current
>   fallbacks mechanism.
> - perform all operations that require the process to be dumpable.
> - prctl(PR_SET_DUMPABLE, 0), as it is already done today.
> - execve the new binary or run directly the interpreter.
>
> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
> ---
> v3: https://lkml.org/lkml/2023/1/20/434
>
> Differences from v3:
>
> - rebased on top of the latest upstream master.
> - now prctl(PR_HIDE_SELF_EXE) blocks access only from the same thread group, it
>   won't break CRIU as v3 did.
> - extend the prctl to also cover files under /proc/self/map_files.
> - once prctl(PR_HIDE_SELF_EXE) is used, it is not possible to unset
>   SUID_DUMP_DISABLE anymore.  This is useful for the case where the container
>   doesn't use execve to pass the control to a binary in the container chroot, and it
>   prevents the process to be set to dumpable again since it would allow a different
>   process in the container to get access to its proc files.
> - cleaned up the selftest and added more checks.

I've done a mistake in this version of the patchset, so please everyone just ignore it.