From: Michael Stone <michael@laptop.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org,
"Andi Kleen" <andi@firstfloor.org>, "David Lang" <david@lang.hm>,
"Oliver Hartkopp" <socketcan@hartkopp.net>,
"Alan Cox" <alan@lxorguk.ukuu.org.uk>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>,
"Bryan Donlan" <bdonlan@gmail.com>,
"Evgeniy Polyakov" <zbr@ioremap.net>,
"C. Scott Ananian" <cscott@cscott.net>,
"James Morris" <jmorris@namei.org>,
"Bernie Innocenti" <bernie@codewiz.org>,
"Mark Seaborn" <mrs@mythic-beasts.com>,
"Randy Dunlap" <randy.dunlap@oracle.com>,
"Américo Wang" <xiyou.wangcong@gmail.com>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"Samir Bellabes" <sam@synack.fr>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serue@us.ibm.com>,
"Pavel Machek" <pavel@ucw.cz>,
"Al Viro" <viro@ZenIV.linux.org.uk>
Subject: Re: RFC: disablenetwork facility. (v4)
Date: Tue, 29 Dec 2009 11:06:20 -0500 [thread overview]
Message-ID: <20091229160620.GB14668@heat> (raw)
In-Reply-To: <m1y6km11lj.fsf@fess.ebiederm.org>
Eric Biederman writes:
> Serge,
>
> Michael Stone <michael@laptop.org> writes:
>> I think that Pavel's point, at its strongest and most general, could be
>> rephrased as:
>>
>> "Adding *any* interesting isolation facility to the kernel breaks backwards
>> compatibility for *some* program [in a way that violates security goals]."
>
>*some* privileged program.
Your amendment is a good one; it makes the statement better reflect your and
Pavel's concern. Thanks.
>> The reason is the one that I identified in my previous note:
>>
>> "The purpose of isolation facilities is to create membranes inside which
>> grievous security faults are converted into availability faults."
>>
>> The question then is simply:
>>
>> "How do we want to deal with the compatibility-breaking changes created by
>> introducing new isolation facilities?"
> You have a very peculiar taxonomy of the suggestions,
> that fails to capture the concerns.
Do you agree with my assessment that this is fundamentally a
backwards-compatibility problem with security consequences?
> I strongly recommend working out a way to disable
> setuid exec. Ideally we would use capabilities to
> achieve this.
>
> ...
>
> I can see one of two possible reasons you are avoiding the
> suggestion to disable setuid root...
Heard and understood. I'll start thinking about how to do it (and about what
the consequences might be). However, those aren't my reasons for wariness.
My reasons have to do with history, preparation, and logic:
1. I first began playing with disablenetwork about two years ago and I missed
both the need to restrict ptrace and the fact that the interaction with
privileged executables would be a problem for other people.
2. With disablenetwork, I was already building on clear (if slightly
incomplete) design by djb. We have none of that prep work here.
3. We have definite reasons, laid out by my argument above about the general
compatibility cost of isolation facilities, to suspect that disablesuid
in any form will break at least one other interesting use case. I don't
know what that use case is yet but I'm fairly sure that it exists.
> The problem with the disable_network semantics you want
> is that they allow you to perform a denial of service attack
> on privileged users. An unprivileged DOS attack is unsuitable
> for a general purpose feature in a general purpose kernel.
Then where did rlimits come from? rlimits *can* DoS privileged processes and
people are pretty much okay with the idea. People who are concerned can raise
the rlimits in their privileged processes and get on with life.
Second, as you point out, I am willing to audit and to modify my setuid
executables *in exchange* for having a kernel that changes in useful ways.
Obviously, not everyone is willing to pay this upkeep.
At any rate, I hope all this helps make my position clearer. I'll think more
about your suggestions.
Regards,
Michael
next prev parent reply other threads:[~2009-12-29 16:06 UTC|newest]
Thread overview: 157+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-27 1:04 RFC: disablenetwork facility. (v4) Michael Stone
2009-12-27 1:06 ` [PATCH 1/3] Security: Add disablenetwork interface. (v4) Michael Stone
2009-12-27 3:26 ` Serge E. Hallyn
2009-12-28 18:13 ` Serge E. Hallyn
2009-12-29 1:21 ` Michael Stone
2009-12-29 5:26 ` Serge E. Hallyn
2009-12-27 7:53 ` Pavel Machek
2009-12-29 1:25 ` Michael Stone
2009-12-30 10:09 ` Pavel Machek
2009-12-30 18:47 ` Serge E. Hallyn
2009-12-27 1:06 ` [PATCH 2/3] Security: Implement disablenetwork semantics. (v4) Michael Stone
2009-12-27 1:20 ` Tetsuo Handa
2009-12-30 18:50 ` Serge E. Hallyn
2010-01-01 14:31 ` Pavel Machek
2010-01-10 21:11 ` James Morris
2010-01-10 21:16 ` Pavel Machek
2010-01-10 21:44 ` James Morris
2010-01-10 21:54 ` Michael Stone
2010-01-10 21:58 ` Pavel Machek
2010-01-10 22:40 ` Michael Stone
2010-01-11 1:07 ` Tetsuo Handa
2010-01-11 1:45 ` Michael Stone
2010-01-11 17:49 ` Serge E. Hallyn
2010-01-12 6:10 ` Michael Stone
2010-01-12 15:52 ` Serge E. Hallyn
2010-01-14 9:23 ` Pavel Machek
2010-01-14 15:00 ` Serge E. Hallyn
2010-01-14 16:36 ` Michael Stone
2010-01-14 16:47 ` Serge E. Hallyn
[not found] ` <20100114171309.GA6372@heat>
2010-01-14 17:36 ` Serge E. Hallyn
2010-01-15 8:10 ` disablenetwork (v5) patches Michael Stone
2010-01-15 8:12 ` disablenetwork (v5): Remove a TOCTTOU race by passing flags by value Michael Stone
2010-01-15 8:12 ` disablenetwork (v5): Simplify the disablenetwork sendmsg hook Michael Stone
2010-01-15 8:13 ` disablenetwork (v5): Require CAP_SETPCAP to enable disablenetwork Michael Stone
2010-01-17 2:58 ` Andrew G. Morgan
[not found] ` <20100117044825.GA2712@heat>
2010-01-17 4:58 ` disablenetwork (v5): Require CAP_SETPCAP to enable Andrew G. Morgan
2010-01-18 19:30 ` Serge E. Hallyn
2010-01-15 8:13 ` disablenetwork (v5): Update documentation for PR_NETWORK_ENABLE_DN Michael Stone
2010-01-17 6:01 ` disablenetwork (v5) patches Kyle Moffett
[not found] ` <20100117180728.GA2848@heat>
2010-01-17 21:17 ` Kyle Moffett
2010-01-11 1:46 ` [PATCH 2/3] Security: Implement disablenetwork semantics. (v4) Casey Schaufler
2010-01-12 3:19 ` Valdis.Kletnieks
2010-01-12 4:01 ` Casey Schaufler
2010-01-11 12:01 ` Pavel Machek
2010-01-12 2:54 ` Valdis.Kletnieks
2010-01-12 7:59 ` Pavel Machek
2010-01-12 14:28 ` Valdis.Kletnieks
2010-01-14 9:22 ` Pavel Machek
2010-01-18 12:54 ` Valdis.Kletnieks
2010-01-18 15:56 ` Andrew G. Morgan
2010-01-10 22:18 ` Kyle Moffett
2010-01-10 23:08 ` Michael Stone
2010-01-10 23:41 ` Bryan Donlan
2010-01-11 1:50 ` Casey Schaufler
2010-01-11 2:15 ` Bryan Donlan
2010-01-11 11:53 ` Pavel Machek
2010-01-10 22:58 ` James Morris
2009-12-27 1:07 ` [PATCH 3/3] Security: Document disablenetwork. (v4) Michael Stone
2009-12-27 1:39 ` Tetsuo Handa
2009-12-27 16:25 ` Michael Stone
2009-12-27 8:36 ` RFC: disablenetwork facility. (v4) Tetsuo Handa
2009-12-27 8:38 ` Pavel Machek
2009-12-27 11:49 ` Tetsuo Handa
2009-12-27 12:18 ` Al Viro
2009-12-27 15:03 ` Serge E. Hallyn
2009-12-27 15:47 ` Michael Stone
2009-12-27 16:12 ` Serge E. Hallyn
2009-12-27 16:36 ` Michael Stone
2009-12-27 18:06 ` Pavel Machek
2009-12-27 19:08 ` Pavel Machek
2009-12-28 6:07 ` Michael Stone
2009-12-28 10:10 ` Pavel Machek
2009-12-28 14:37 ` Valdis.Kletnieks
2009-12-28 20:55 ` Pavel Machek
2009-12-28 21:28 ` Valdis.Kletnieks
2009-12-28 21:33 ` Bryan Donlan
2009-12-29 6:08 ` Serge E. Hallyn
2010-01-01 15:06 ` Pavel Machek
2009-12-28 16:31 ` Michael Stone
2009-12-28 21:08 ` Pavel Machek
2009-12-28 21:24 ` Valdis.Kletnieks
2009-12-28 18:13 ` Serge E. Hallyn
2009-12-29 5:01 ` Michael Stone
2009-12-29 5:56 ` Serge E. Hallyn
2009-12-29 16:31 ` Michael Stone
2009-12-29 11:06 ` Eric W. Biederman
2009-12-29 15:11 ` Serge E. Hallyn
2009-12-29 16:05 ` Bryan Donlan
2009-12-29 16:39 ` Serge E. Hallyn
2009-12-29 17:01 ` Bryan Donlan
2009-12-29 18:36 ` Eric W. Biederman
2009-12-29 19:08 ` Bryan Donlan
2009-12-29 20:56 ` Eric W. Biederman
2009-12-29 21:27 ` Serge E. Hallyn
2009-12-29 21:46 ` Valdis.Kletnieks
2009-12-29 22:16 ` Serge E. Hallyn
2009-12-29 20:10 ` Benny Amorsen
2009-12-29 20:40 ` Eric W. Biederman
2009-12-29 20:43 ` Bryan Donlan
2009-12-29 21:11 ` Alan Cox
2009-12-29 21:14 ` Bryan Donlan
2009-12-29 21:35 ` Alan Cox
2009-12-29 21:29 ` Eric W. Biederman
2009-12-29 22:36 ` Serge E. Hallyn
2009-12-30 3:26 ` Eric W. Biederman
2009-12-30 3:50 ` Serge E. Hallyn
2009-12-30 4:29 ` Eric W. Biederman
2009-12-30 18:00 ` Serge E. Hallyn
2009-12-30 21:12 ` Eric W. Biederman
2009-12-30 3:35 ` [RFC][PATCH] Unprivileged: Disable acquisition of privileges Eric W. Biederman
2009-12-30 3:54 ` Bryan Donlan
2009-12-30 4:33 ` Eric W. Biederman
2009-12-30 4:57 ` Bryan Donlan
2009-12-30 12:47 ` Eric W. Biederman
2009-12-30 12:49 ` [RFC][PATCH v2] Unprivileged: Disable raising " Eric W. Biederman
2009-12-30 14:52 ` Andrew G. Morgan
2009-12-30 18:35 ` Serge E. Hallyn
2009-12-30 20:07 ` Eric W. Biederman
2009-12-30 20:17 ` Serge E. Hallyn
2009-12-30 21:15 ` [RFC][PATCH v3] " Eric W. Biederman
2009-12-30 21:29 ` Alan Cox
2009-12-30 21:36 ` Eric W. Biederman
2009-12-30 23:00 ` Alan Cox
2009-12-31 2:44 ` Bryan Donlan
2009-12-31 17:33 ` Alan Cox
2009-12-31 17:52 ` Serge E. Hallyn
2009-12-31 18:20 ` Andrew G. Morgan
2009-12-31 18:32 ` Eric W. Biederman
2010-01-01 14:43 ` Alan Cox
2010-01-01 14:53 ` Pavel Machek
2010-01-01 16:26 ` Eric W. Biederman
2010-01-01 21:35 ` Casey Schaufler
2010-01-01 22:39 ` Alan Cox
2010-01-01 23:18 ` Casey Schaufler
2010-01-02 0:42 ` Peter Dolding
[not found] ` <4B3FB0FC.3030809@schaufler-ca.com>
2010-01-03 1:43 ` Peter Dolding
2009-12-31 18:41 ` Eric W. Biederman
2009-12-31 21:46 ` Serge E. Hallyn
2010-01-01 21:17 ` Andrew G. Morgan
2010-01-01 14:57 ` Alan Cox
2009-12-31 8:57 ` Eric W. Biederman
2009-12-31 13:00 ` Samir Bellabes
2009-12-31 14:08 ` Peter Dolding
2009-12-31 17:06 ` Alan Cox
2010-01-01 0:12 ` Peter Dolding
2010-01-01 10:28 ` Pavel Machek
2009-12-31 15:25 ` Serge E. Hallyn
2009-12-31 16:48 ` Eric W. Biederman
2009-12-30 18:29 ` [RFC][PATCH v2] " Serge E. Hallyn
2009-12-30 20:45 ` Eric W. Biederman
2009-12-29 18:03 ` RFC: disablenetwork facility. (v4) Eric W. Biederman
2009-12-29 16:06 ` Michael Stone [this message]
2010-01-01 15:11 ` Pavel Machek
2009-12-27 8:51 ` Al Viro
2009-12-27 11:23 ` Valdis.Kletnieks
2009-12-27 12:45 ` Andi Kleen
2009-12-27 15:55 ` Michael Stone
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091229160620.GB14668@heat \
--to=michael@laptop.org \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=andi@firstfloor.org \
--cc=bdonlan@gmail.com \
--cc=bernie@codewiz.org \
--cc=casey@schaufler-ca.com \
--cc=cscott@cscott.net \
--cc=david@lang.hm \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mrs@mythic-beasts.com \
--cc=netdev@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=randy.dunlap@oracle.com \
--cc=sam@synack.fr \
--cc=serue@us.ibm.com \
--cc=socketcan@hartkopp.net \
--cc=viro@ZenIV.linux.org.uk \
--cc=xiyou.wangcong@gmail.com \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox