User: Password:
|
|
Subscribe / Log in / New account

Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

From:  Alan Cox <alan-AT-lxorguk.ukuu.org.uk>
To:  Oleg Nesterov <oleg-AT-redhat.com>
Subject:  Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
Date:  Fri, 13 Jan 2012 18:24:22 +0000
Message-ID:  <20120113182422.28e648fb@pyramind.ukuu.org.uk>
Cc:  Andy Lutomirski <luto-AT-amacapital.net>, Will Drewry <wad-AT-chromium.org>, torvalds-AT-linux-foundation.org, linux-kernel-AT-vger.kernel.org, keescook-AT-chromium.org, john.johansen-AT-canonical.com, serge.hallyn-AT-canonical.com, coreyb-AT-linux.vnet.ibm.com, pmoore-AT-redhat.com, eparis-AT-redhat.com, djm-AT-mindrot.org, segoon-AT-openwall.com, rostedt-AT-goodmis.org, jmorris-AT-namei.org, scarybeasts-AT-gmail.com, avi-AT-redhat.com, penberg-AT-cs.helsinki.fi, viro-AT-zeniv.linux.org.uk, luto-AT-MIT.EDU, mingo-AT-elte.hu, akpm-AT-linux-foundation.org, khilman-AT-ti.com, borislav.petkov-AT-amd.com, amwang-AT-redhat.com, ak-AT-linux.intel.com, eric.dumazet-AT-gmail.com, gregkh-AT-suse.de, dhowells-AT-redhat.com, daniel.lezcano-AT-free.fr, linux-fsdevel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, olofj-AT-chromium.org, mhalcrow-AT-google.com, dlaor-AT-redhat.com, corbet-AT-lwn.net
Archive-link:  Article

This still appears to be a bit broken

There are three problems here

1. I can stop an app changing privs which in some SELinux or APParmour
cases might mean I prevent it being dropped into a less privileged
position. That's something only the security policy knows.

So for SELinux and Apparmour and the like in some situations you are
potentially adding a security hole. That one seems hard to fix unless you
fail the exec if it causes a security transition, as opposed to just
keeping the old one. For non change cases we can however still pass the
filter on, which is the usual sane case.

2. ptrace

You neeed to also stop ptrace otherwise the locked down process can use
ptrace to proxy its activity via another task with the same uid. That's
easy enough to add fortunately.

3. file access

You have the same attacks via patching files of running apps etc. In the
intended circumstances I'm not sure this matters or is cleanly fixable.
It's the point at which you need a real system wide policy and SELinux
etc anyway.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



(Log in to post comments)


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds