On 2019-03-21, Andy Lutomirski <luto@xxxxxxxxxx> wrote: > On Wed, Mar 20, 2019 at 7:38 AM Aleksa Sarai <cyphar@xxxxxxxxxx> wrote: > > Now that the holiday break is over, it's time to re-send this patch > > series (with a few additions, due to new information we got from > > CVE-2019-5736 -- which this patchset mostly protected against but had > > some holes with regards to #!-style scripts). > > I generally like this, but, as Linus pointed out, it will be > unfortunate if application authors see this as just another > non-portable weird Linux API and don't use it. Would it be worthwhile > to put some thought into making it an API that other OSes might be > willing to implement? As it stands, the openat(2) flags are getting > rather crazy in this patch set. > > Aleksa had a resolveat(2) proposal that really didn't seem too bad. I agree having a bunch of O_* flags for resolution feels quite ugly (and crazy) -- but the last time I pitched resolveat(2) the reaction was lukewarm to say the least. It's basically an O_PATHv2 and I don't know how popular that suggestion might be. I wouldn't mind pitching it again though (now that I have a better idea of how to handle some of the UX worries I had). But, if we have a resolveat(2) we'll need to add O_EMPTYPATH support for openat(2) so that you can open scoped paths without using the /proc/self/fd/$n trick. However, you run into reopening permission issues (as we saw in CVE-2019-5736 and countless other CVEs). There might be a solution for this which Andy and I have talked about off-list. There is also the problem of the execveat(2) attack -- which is dealt with in patch 5 of this series. In order to scope #!-script resolution we need to have AT_* flags for the same resolution restriction (defeating the point of a resolveat(2) slightly). There is an argument that we shouldn't need AT_THIS_ROOT or AT_BENEATH support (because ideally you should be doing execve(2) in a pivot_root anyway) but AT_NO_MAGICLINKS is pretty important -- since it allows you to block the circumvention mm->dumpable in certain situations (as we saw in CVE-2019-5736). The solution Andy and I have discussed is a way to make fd-reopening (a seemingly little-known trick outside of container runtimes) much safer such that we don't need mitigations like AT_NO_MAGICLINKS on execveat(2). If we assume that idea works out (I'm still trying to get a working patch for that idea) then resolveat(2) would be sufficient and we don't need AT_* flags on execveat(2). tl;dr: I think resolveat(2) is much nicer, and assuming it's not an unpopular idea I think we should go for it. But there are several other threads of discussion that we might want to have first (such as how to improve the fd-reopening design so it's safer before we expose it to everyone). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature