RFC: Adding a dyntrans in systemd pid1's forking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've recently become aware of systemd's credentials feature[1]. In a nutshell, the intent is to reduce privilege in units by systemd itself copying the credentials (crypto materials, passwords, though in practice it could be anything) and placing it in /run/credentials, with access managed by namespacing. This is intended to eliminate the need for the daemon in the unit directly accessing the data. My concern is the possibility of inadvertently leaking credentials or abuse. i.e. putting in

LoadCredential=foobar:/etc/shadow

This illustrative, as systemd can't read shadow if it's confined, but you could replace shadow with a private key or any other highly confidential data systemd needs to access. The common response to my concern is systemd units should be protected at high integrity; only root can modify them, etc. However, I think we can do better to reduce the possibility of errors.

I've discussed this with one of the systemd maintainers, and I'm proposing this change:

1. pid1 forks (to pidN) to run the unit, as usual.
2. pidN does security_compute_create() using the current domain and the label of the unit to get a new domain.
3. pidN does setcon() to the new domain.
4. pidN runs the unit as per usual (including the credentials stuff)

Then we'd need to add something like this to the policy:

allow init_t httpd_initrc_t:process dyntransition;
type_transition init_t httpd_unit_t:process httpd_initrc_t;

I have not yet prototyped this, but based on my discussion with the systemd maintainers, this should be doable. I believe the added benefit is we can decompose initrc_t's privilege and maybe even reduce init_t's privilege.

What are your thoughts?


[1] https://systemd.io/CREDENTIALS/

--
Chris




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux