Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs

From: Andy Lutomirski
Date: Fri Jan 13 2012 - 15:06:18 EST

Next message: Felipe Balbi: "Re: RFC: usb: musb: Adding CPPI4.1 DMA driver under drivers/dma"
Previous message: Michal Nazarewicz: "Re: [PATCH 04/11] mm: page_alloc: introduce alloc_contig_range()"
In reply to: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Next in thread: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 13, 2012 at 11:45 AM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 13, 2012 at 11:39 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>
>> Is the current exec_no_trans check enough for you? With my patch,
>> selinux can already block the execve if it wants.
>
> If this feature has "selinux can do xyz if it wants", it is broken.
>
> The *whole* point is to get the f*^%ing crazy "security managers can
> do xyz" things away from it.
>
> The flag - when set - should give a 100% guarantee that security
> context doesn't change, and an operation that would change it would
> error out.
>
> Not a "selinux can block it if it wants". None of that "wants" crap.
> None of the "you can configure security rules to do xyz" crap.
>
> One simple rule: no security changes from the context that set the flag.
>
> Any other rule will inevitably cause random gray areas where some
> random security manager does something stupid. We have enough of those
> already. No more.

I'm confused. The patch does "no security context changes on execve".

My interpretation of the flag is "LSMs, file caps, and suid/sgid, stay
away". It does that. Users are welcome to shoot themselves in the
foot with this behavior (e.g. by setting the flag, running something
that selinux would otherwise have restricted, and getting it without
the restrictions).

If you are *already* in a selinux context that is forbidden from
executing something without changing security context, then you can't
execute the program. If no_new_privs is set or if you ask (via
selinuxfs) for no transition, then execve fails when selinux refuses
exec_no_trans. The exec_no_trans callback cannot *change* context --
it just asks whether *not* changing context is okay.

I think this is exactly the desired behavior. And I misunderstanding
you? (I can't speak for the AppArmor part of the patch -- I haven't
looked closely enough. But I think we want the equivalent behavior on
AppArmor.)

If this behavior is *not* okay, then I would rather just have the flag
disable execve entirely and consider execve_nosecurity instead. I
don't want a situation where fancy seccomp/chroot/whatever apps don't
even run on Fedora because of the mere existence of selinux policy.
If we go that route, I'd rather they didn't run anywhere so the
sandbox authors work around the problem appropriately.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Felipe Balbi: "Re: RFC: usb: musb: Adding CPPI4.1 DMA driver under drivers/dma"
Previous message: Michal Nazarewicz: "Re: [PATCH 04/11] mm: page_alloc: introduce alloc_contig_range()"
In reply to: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Next in thread: Linus Torvalds: "Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve fromgranting privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]