On Tue, Apr 07, 2020 at 11:48:10AM +0300, Topi Miettinen wrote: > On 7.4.2020 0.24, Jarkko Sakkinen wrote: > > In my opinion udev defining the whole /dev as noexec has zero technical > > merits. It is same as they would say that "we don't trust our own > > database". There are no real security benefits as long as dev nodes are > > configured correctly. > > The threat is not that the device nodes would have execute permissions, but > that a malicious entity with write access to /dev would create a new > executable and run it, or rather, trick another (perhaps more privileged or > more vulnerable) entity to do so. The malicious entity does not need any > capabilities and it can be constrained by any number of typical seccomp > filters which just don't block such basic system calls as open(), write(), > [f]chmod() and close(). It simply needs to have UID 0 (possibly something > else, like suitable GID could also be sufficient for some subdirectories) > and write access to /dev (or its subdirectories) in its mount namespace. > > My philosophy is that "trust" means confidence that an action will not be > done even when there's no control over it. "Control" means that it's > possible to make active decision on whether the action can or cannot be > allowed to be done. Trust in security mindset is a weak thing, control is > stronger, but the strongest case is when you don't need trust nor control: > the action simply can't ever happen because it's impossible or always > forbidden. This idea is shown in such famous principles as "least > privilege", "need to know" or compartmentalization. If the additional > privilege of exec is not needed, it should not exist. > > -Topi I get the threat scenario, thanks. The problem (as Jethro correctly pointed out) with noexec /dev is somewhat broad. Thank you anyway for taking time describing the threat scenario. /Jarkko
