Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs

From: Andy Lutomirski
Date: Fri Jan 13 2012 - 14:39:38 EST

Next message: Ben Myers: "Re: [41/42] xfs: validate acl count"
Previous message: Nguyen Thai Ngoc Duy: "Re: [PATCH] merge: Make merge strategy message follow the diffstat"
In reply to: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Next in thread: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 13, 2012 at 11:12 AM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 13, 2012 at 11:00 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>
>> Changing it to fail the exec when a transition would occur will make
>> seccomp considerably less useful to selinux users -- the presence of
>> MAC policy on a program (regardless of what that policy is) will make
>> it unusable inside a sandbox.
>
> I don't agree. I think that's exactly what we want sandboxing for, to
> avoid any kind of subtle security issues.
>
> And in 99.99% of all sandboxes, you would never ever want to execute
> something with a different MAC policy on it. In fact, most of the
> whole point of the sandboxing tends to be to make sure that the user
> stays inside the exact *small* environment that was provided just for
> that thing.

Some day I want to run entire fancy desktop apps inside
non-root-controlled sandboxes. We're not there yet, but we're not
*that* far. Also, running things like MATLAB inside a chroot or mount
namespace is very useful (I've done it -- there are MATLAB programs
with remarkable dependencies on very particular versions of system
libraries), and being able to do it without custom setuid wrappers to
set everything up would be nice.

>
> So I bet the google chrome people are not at all interested in
> "running random binaries", and might want execve() very much for
> "running some specific binaries that we ship with or install from the
> browser".

I want to be able to run "magic_seccomp_sandbox gv somefile.ps". And
I want that to still work even if my distro gets fancy and uses
selinux policy to prevent gv from accessing the network (which would
not be an unreasonable thing to do). The chromium project already has
a little seccomp wrapper that can (sort of) do this.

>
> So I really think that the *only* valid model is the "fail the execve
> on any changes", not the "mnt-nosuid" approach of trying to run things
> with the wrong permissions and get perhaps odd results. And I think it
> works even - and perhaps *especially* - in models like selinux or
> apparmor that do have a lot of "implicit MAC knowledge" on specific
> binaries.

Is the current exec_no_trans check enough for you? With my patch,
selinux can already block the execve if it wants. (The policy is the
same as it would be if a program explicitly asked to run the new
executable with an unchanged security context.) I'd be happy to fail
the exec in AppArmor, and then maybe AppArmor will change its mind
if/when users get annoyed :)

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ben Myers: "Re: [41/42] xfs: validate acl count"
Previous message: Nguyen Thai Ngoc Duy: "Re: [PATCH] merge: Make merge strategy message follow the diffstat"
In reply to: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Next in thread: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]