CAP_PERFMON — and new capabilities in general
Posted Feb 21, 2020 21:57 UTC (Fri) by pbonzini (subscriber, #60935)
In reply to: CAP_PERFMON — and new capabilities in general by NYKevin
Parent article: CAP_PERFMON — and new capabilities in general
> "Mount and unmount any filesystem" can be used to create a setuid-root binary, to backdoor anything in /bin or /sbin, and for a variety of other privilege escalation attacks.
Not in combination with mount namespaces + seccomp to block exec, for example. A program that is launched as root can set them up before dropping all other capabilities.
> "Call setuid(2) with any value" can be used to become root, and then full capabilities are regained on calling execve(2).
Besides using seccomp to block execve, you can also use inheritable capabilities so that children do not keep them.
In other cases, the environment around the program can limit the root-equivalence of capabilities:
> "Load kernel modules" can be used to execute arbitrary code in kernel space, because that's exactly what it is meant to do.
You can use SELinux to prevent the program from loading a .ko file that wasn't given a particular SELinux label; or you can reject non-signed modules.
> "ptrace any process" can be used to execute arbitrary code as any user who is running code on the machine, which will generally include root.
A process that runs in a pid namespace will not be able to exit it and do ptrace outside its pid namespace (IIRC).
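A model of the execve(2) capability transformation rules from capabilities(7), added here as an illustration (not code from the thread or from the kernel). It shows what a child keeps when the parent's inheritable set is empty, and how the root special case that NYKevin describes interacts with the bounding set and SECBIT_NOROOT; ALL_CAPS is a constructed subset of real capability names, and setuid/setgid binaries are not modelled.

```python
# Added illustration: the execve(2) capability rules of capabilities(7).
# Capability sets are frozensets of names; ALL_CAPS is a constructed subset.
ALL_CAPS = frozenset({"CAP_SETUID", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
                      "CAP_SYS_PTRACE", "CAP_NET_ADMIN"})
NONE = frozenset()

def execve_caps(proc, ruid, euid, file_caps=None, secbit_noroot=False):
    """Capability sets of the new program image.
    proc:      dict with permitted, effective, inheritable, bounding, ambient.
    ruid/euid: IDs the new image runs with (the caller's IDs for a plain binary).
    file_caps: None for a binary without file capabilities, otherwise the
               (F(inheritable), F(permitted), F(effective)) tuple.
    Setuid/setgid binaries are not modelled.
    """
    f_inh, f_perm, f_eff = (NONE, NONE, False) if file_caps is None else file_caps
    # Root special case: unless SECBIT_NOROOT is set, a process with real or
    # effective UID 0 is treated as if the file carried all capabilities, so
    # P'(permitted) collapses to P(inheritable) | P(bounding).
    if not secbit_noroot and (ruid == 0 or euid == 0):
        f_inh = f_perm = ALL_CAPS
        f_eff = f_eff or euid == 0
    # File capabilities cancel the ambient set; a plain binary keeps it.
    ambient = NONE if file_caps is not None else proc["ambient"]
    permitted = (proc["inheritable"] & f_inh) | (f_perm & proc["bounding"]) | ambient
    effective = permitted if f_eff else ambient
    return {"permitted": permitted, "effective": effective,
            "inheritable": proc["inheritable"], "bounding": proc["bounding"],
            "ambient": ambient}

def make_proc(permitted, inheritable=NONE, bounding=ALL_CAPS, ambient=NONE):
    permitted = frozenset(permitted)
    return {"permitted": permitted, "effective": permitted,
            "inheritable": inheritable, "bounding": bounding, "ambient": ambient}

# 1. Unprivileged UID holding CAP_SYS_ADMIN with an empty inheritable set:
#    a plain child binary gets nothing, so "children do not keep them".
def child_of_nonroot():
    return execve_caps(make_proc({"CAP_SYS_ADMIN"}), ruid=1000, euid=1000)["permitted"]

# 2. Only CAP_SETUID, then setuid(0): execve of a plain binary hands the child
#    the whole bounding set through the root special case.
def child_after_setuid0():
    return execve_caps(make_proc({"CAP_SETUID"}), ruid=1000, euid=0)["permitted"]

# 3. Same, but the bounding set was emptied first (prctl(PR_CAPBSET_DROP) on
#    every capability): UID 0 regains nothing on exec.
def child_after_setuid0_empty_bset():
    return execve_caps(make_proc({"CAP_SETUID"}, bounding=NONE), ruid=1000, euid=0)["permitted"]

# 4. Alternatively SECBIT_NOROOT disables the root special case altogether.
def child_after_setuid0_noroot():
    return execve_caps(make_proc({"CAP_SETUID"}), ruid=1000, euid=0, secbit_noroot=True)["permitted"]
```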