On 7.4.2020 0.24, Jarkko Sakkinen wrote:
In my opinion udev defining the whole /dev as noexec has zero technical merits. It is same as they would say that "we don't trust our own database". There are no real security benefits as long as dev nodes are configured correctly.
The threat is not that the device nodes would have execute permissions, but that a malicious entity with write access to /dev would create a new executable and run it, or rather, trick another (perhaps more privileged or more vulnerable) entity to do so. The malicious entity does not need any capabilities and it can be constrained by any number of typical seccomp filters which just don't block such basic system calls as open(), write(), [f]chmod() and close(). It simply needs to have UID 0 (possibly something else, like suitable GID could also be sufficient for some subdirectories) and write access to /dev (or its subdirectories) in its mount namespace.
My philosophy is that "trust" means confidence that an action will not be done even when there's no control over it. "Control" means that it's possible to make active decision on whether the action can or cannot be allowed to be done. Trust in security mindset is a weak thing, control is stronger, but the strongest case is when you don't need trust nor control: the action simply can't ever happen because it's impossible or always forbidden. This idea is shown in such famous principles as "least privilege", "need to know" or compartmentalization. If the additional privilege of exec is not needed, it should not exist.
-Topi
