On Fri, 2023-01-06 at 18:21 +0100, Lennart Poettering wrote: > On Fr, 06.01.23 10:10, Steve Grubb (sgrubb@xxxxxxxxxx) wrote: > > > Hello, > > > > On Friday, January 6, 2023 9:33:12 AM EST Lennart Poettering wrote: > > > On Do, 05.01.23 20:17, Steve Grubb (sgrubb@xxxxxxxxxx) wrote: > > > > I work on RHEL security problems. I have been looking into a number of > > > > exploits and I think we have a problem that has an easy fix. We are not > > > > using the CONFIG_STATIC_USERMODEHELPER_PATH kernel config option. There > > > > are a number of exploits that overwrite the path to modprobe and then > > > > pass something weird that causes modprobe to be invoked. But instead of > > > > modprobe, it's their reverse shell. > > > > > > umh is such a problematic interface. The processes forked off that way > > > live in a weird netherworld besides the init system, in the root > > > cgroup (and that even though inner cgroups in cgroupsv2 are not > > > supposed to have processes in them) without any of the resource or > > > security restrictions we otherwise make on all of userspace. > > > > One approach to solving this is to use selinux policy. > > selinux cannot apply resource controls, not can it arrange processes > properly in the cgroup tree, nor can it apply seccomp filters, > namespacing and so on. > > selinux can do some things, sure, but an init system is not a MAC, it > does a lot more (and also a lot less). > > > Yeah, that's another approach that may have merit. But with the asynchronous > > nature of that approach, I don't know how the kernel would know it can now > > make calls into the module it needed to have loaded. > > Well, umh is async too in a way, kernel must wait for the userspace > process to finish. There's not much of a difference to say "fork off + > wait for process exit" and "send netlink message to userspace + wait > for reply". If I remember correctly the claim was that umh is robust if the user space fails and just terminates. As then the kernel know user space is gone, whether it got the data it needed or not and can stop waiting. While messages may never get replied to and require handling timeouts and then handling the case a user space process was slow and ignoring late replies. Not sure this is really a good point given waiting indefinitely for a user space program that hangs for some reason seems worse to me. When I had to code a call from knfsd to user space for GSS-Proxy I used unix sockets. I think that is better than netlink in some cases as sockets are simpler to handle from user space programs and are also easily namespaced... Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
