From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "John Stultz" <john.stultz@linaro.org>,
"Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
"Andy Lutomirski" <luto@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Daniel Mack" <daniel@zonque.org>,
"David S. Miller" <davem@davemloft.net>,
kafai@fb.com, "Florian Westphal" <fw@strlen.de>,
"Harald Hoyer" <harald@redhat.com>,
"Network Development" <netdev@vger.kernel.org>,
"Sargun Dhillon" <sargun@sargun.me>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
lkml <linux-kernel@vger.kernel.org>, "Tejun Heo" <tj@kernel.org>,
"Li Zefan" <lizefan@huawei.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
"Android Kernel Team" <kernel-team@android.com>,
"Rom Lemarchand" <romlem@android.com>,
"Colin Cross" <ccross@android.c>
Subject: Re: [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups
Date: Mon, 5 Dec 2016 20:00:11 -0600 [thread overview]
Message-ID: <20161206020011.GA22261@mail.hallyn.com> (raw)
In-Reply-To: <CALCETrWuKpmXQqoQmcy4Va8abdpfCnMBYHWSD0nK5pocj2nfXA@mail.gmail.com>
On Mon, Dec 05, 2016 at 04:36:51PM -0800, Andy Lutomirski wrote:
> On Mon, Dec 5, 2016 at 4:28 PM, John Stultz <john.stultz@linaro.org> wrote:
> > On Tue, Nov 22, 2016 at 4:57 PM, John Stultz <john.stultz@linaro.org> wrote:
> >> On Tue, Nov 8, 2016 at 4:12 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> >>> On Tue, Nov 8, 2016 at 4:03 PM, Alexei Starovoitov
> >>> <alexei.starovoitov@gmail.com> wrote:
> >>>> On Tue, Nov 08, 2016 at 03:51:40PM -0800, Andy Lutomirski wrote:
> >>>>>
> >>>>> I hate to say it, but I think I may see a problem. Current
> >>>>> developments are afoot to make cgroups do more than resource control.
> >>>>> For example, there's Landlock and there's Daniel's ingress/egress
> >>>>> filter thing. Current cgroup controllers can mostly just DoS their
> >>>>> controlled processes. These new controllers (or controller-like
> >>>>> things) can exfiltrate data and change semantics.
> >>>>>
> >>>>> Does anyone have a security model in mind for these controllers and
> >>>>> the cgroups that they're attached to? I'm reasonably confident that
> >>>>> CAP_SYS_RESOURCE is not the answer...
> >>>>
> >>>> and specifically the answer is... ?
> >>>> Also would be great if you start with specifying the question first
> >>>> and the problem you're trying to solve.
> >>>>
> >>>
> >>> I don't have a good answer right now. Here are some constraints, though:
> >>>
> >>> 1. An insufficiently privileged process should not be able to move a
> >>> victim into a dangerous cgroup.
> >>>
> >>> 2. An insufficiently privileged process should not be able to move
> >>> itself into a dangerous cgroup and then use execve to gain privilege
> >>> such that the execve'd program can be compromised.
> >>>
> >>> 3. An insufficiently privileged process should not be able to make an
> >>> existing cgroup dangerous in a way that could compromise a victim in
> >>> that cgroup.
> >>>
> >>> 4. An insufficiently privileged process should not be able to make a
> >>> cgroup dangerous in a way that bypasses protections that would
> >>> otherwise protect execve() as used by itself or some other process in
> >>> that cgroup.
> >>>
> >>> Keep in mind that "dangerous" may apply to a cgroup's descendents in
> >>> addition to the cgroup being controlled.
> >>
> >> Sorry for taking awhile to get back to you here. I'm a little
> >> befuddled as to what next steps I should consider (and honestly, I'm
> >> not totally sure I really grok your concern here, particularly what
> >> you mean with "dangrous cgroups").
> >>
> >> So is going back to the CAP_CGROUP_MIGRATE approach (to properly
> >> separate "sufficiently" from "insufficiently privileged") better?
> >>
> >> Or something closer to the original method Android used of each cgroup
> >> having an allow_attach() check which could determine what is
> >> sufficiently privledged for the respective level of danger the cgroup
> >> might poise?
> >>
> >> Or just stepping back, what method would you imagine to be reasonable
> >> to allow a specified task to migrate other tasks between cgroups
> >> without it having to be root/suid?
> >
> > Any suggested feedback here?
>
> I really don't know. The cgroupfs interface is a bit unfortunate in
> that it doesn't really express the constraints. To safely migrate a
> task, ISTM you ought to have some form of privilege over the task
> *and* some form of privilege over the cgroup.
Agreed. The problem is that the privilege required should depend on
the controller (I guess). For memory and cpuset, CAP_SYS_NICE seems
right. Perhaps CAP_SYS_RESOURCE would be needed for some.. but then,
as I look through the lists (capabilities(7) and the list of controllers),
it seems like CAP_SYS_NICE works for everything. What else would we need?
Maybe CAP_NET_ADMIN for net_cls and net_prio? CAP_SYS_RESOURCE|CAP_SYS_ADMIN
for pids?
> cgroupfs only handles
> the latter.
If we need different checks for different controllers, we can add
checks to cgroupfs.
> CAP_CGROUP_MIGRATE ought to be okay. Or maybe cgroupfs needs to gain
> a concept of "dangerous" cgroups and further restrict them and
> CAP_SYS_RESOURCE should be fine for non-dangerous cgroups? I think I
> favor the latter, but it might be nice to hear from Tejun first.
>
> --Andy
next prev parent reply other threads:[~2016-12-06 2:00 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1478647728-30357-1-git-send-email-john.stultz@linaro.org>
2016-11-08 23:51 ` [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups Andy Lutomirski
2016-11-09 0:03 ` Alexei Starovoitov
2016-11-09 0:12 ` Andy Lutomirski
2016-11-23 0:57 ` John Stultz
2016-12-06 0:28 ` John Stultz
[not found] ` <CALAqxLW-mq4Lnudtn5KMBPdzBTg5bhTXV9QmUC2vfabVru+fUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 0:36 ` Andy Lutomirski
2016-12-06 2:00 ` Serge E. Hallyn [this message]
[not found] ` <20161206020011.GA22261-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-12-06 16:57 ` Tejun Heo
2016-12-06 16:55 ` Tejun Heo
[not found] ` <20161206165519.GA17648-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-06 17:01 ` Andy Lutomirski
[not found] ` <CALCETrV3Yrq1hRcoGCTU_z-T-6hmq-gY-HytR2HGkvnRK-W1SQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 18:12 ` Tejun Heo
2016-12-06 18:13 ` Andy Lutomirski
2016-12-06 18:23 ` Tejun Heo
[not found] ` <20161206182315.GB2625-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-09 5:39 ` John Stultz
2016-12-09 13:27 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161206020011.GA22261@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=alexei.starovoitov@gmail.com \
--cc=ccross@android.c \
--cc=cgroups@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=harald@redhat.com \
--cc=john.stultz@linaro.org \
--cc=kafai@fb.com \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=romlem@android.com \
--cc=sargun@sargun.me \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).