On Thu, 18 Feb 2021 17:01:10 -0500
"Colin Walters" <walters@xxxxxxxxxx> wrote:

> The thing I mainly like about socketpair() is that I know it's *only*
> accessible via the fd - it's
> https://en.wikipedia.org/wiki/Capability-based_security - except
> Linux has kind of broken that by creating /proc/N/fd anyways. So
> relying on unlinking the socket seems fine, it's easy code to write
> and verify.

Hi,

I don't think the /proc breaks this aspect of security, because looking
at a process that uses sockets, those symlinks are broken. For Weston:

$ ls -lh /proc/31229/fd
total 0
lrwx------ 1 pq pq 64 Feb 19 09:49 0 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 1 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 10 -> 'socket:[49705213]'
lrwx------ 1 pq pq 64 Feb 19 09:49 11 -> /dev/dri/card0
lrwx------ 1 pq pq 64 Feb 19 09:49 12 -> /dev/dri/card0
lrwx------ 1 pq pq 64 Feb 19 09:49 13 -> '/memfd:weston-shared (deleted)'
lrwx------ 1 pq pq 64 Feb 19 09:49 14 -> 'socket:[49705213]'
lrwx------ 1 pq pq 64 Feb 19 09:49 15 -> /run/user/1000/wayland-1.lock
lrwx------ 1 pq pq 64 Feb 19 09:49 16 -> 'socket:[49705227]'
lrwx------ 1 pq pq 64 Feb 19 09:49 17 -> 'socket:[49705227]'
lrwx------ 1 pq pq 64 Feb 19 09:49 18 -> 'socket:[49705229]'
lrwx------ 1 pq pq 64 Feb 19 09:49 19 -> 'socket:[49705229]'
lrwx------ 1 pq pq 64 Feb 19 09:49 2 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 20 -> 'socket:[49703721]'
lrwx------ 1 pq pq 64 Feb 19 09:49 21 -> 'socket:[49703722]'
lrwx------ 1 pq pq 64 Feb 19 09:49 22 -> 'socket:[49703721]'
lrwx------ 1 pq pq 64 Feb 19 09:49 23 -> 'socket:[49703722]'
lrwx------ 1 pq pq 64 Feb 19 09:49 24 -> 'anon_inode:[signalfd]'
lrwx------ 1 pq pq 64 Feb 19 09:49 25 -> 'socket:[49703723]'
lrwx------ 1 pq pq 64 Feb 19 09:49 26 -> 'socket:[49703723]'
lr-x------ 1 pq pq 64 Feb 19 09:49 27 -> anon_inode:sync_file
lr-x------ 1 pq pq 64 Feb 19 09:49 28 -> anon_inode:sync_file
l-wx------ 1 pq pq 64 Feb 19 09:49 3 -> /home/pq/.fluxbox/fluxbox.log
lrwx------ 1 pq pq 64 Feb 19 09:49 4 -> 'anon_inode:[eventpoll]'
lrwx------ 1 pq pq 64 Feb 19 09:49 5 -> 'anon_inode:[signalfd]'
lrwx------ 1 pq pq 64 Feb 19 09:49 6 -> 'anon_inode:[signalfd]'

$ cat /proc/31229/fd/16
cat: /proc/31229/fd/16: No such device or address

Or is there some trick one can use to actually open the fds listed
instead of opening what the link points to (which may not exist in the
file system, hence fails)?


Thanks,
pq
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
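
Added example, not part of the original message and not systemd or Weston code: a small C check of the behaviour discussed in the message above, which calls open(2) on the process's own /proc/self/fd entries for one end of a socketpair() and for an unlinked regular file. The function names and the /tmp template are assumptions made for this example. On Linux the socket entry fails with ENXIO (the "No such device or address" in the cat output above), while the file-backed descriptor can be reopened by path even after unlink.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* open(2) our own /proc/self/fd/<fd> by path; returns 0 on success, else errno. */
static int reopen_via_proc(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int nfd = open(path, O_RDWR);
    if (nfd < 0) return errno;
    close(nfd);
    return 0;
}

/* One end of a socketpair(): the link target is "socket:[inode]", not a path. */
int probe_socketpair(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = reopen_via_proc(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* An unlinked regular file: the link reads "... (deleted)" but still resolves. */
int probe_deleted_file(void)
{
    char tmpl[] = "/tmp/procfd-demo-XXXXXX"; /* constructed name for this example */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    unlink(tmpl);
    int rc = reopen_via_proc(fd);
    close(fd);
    return rc;
}

int main(void)
{
    int s = probe_socketpair(), f = probe_deleted_file();
    printf("socketpair fd:   %s\n", s ? strerror(s) : "reopened");
    printf("deleted file fd: %s\n", f ? strerror(f) : "reopened");
    return 0;
}
```

For file-backed descriptors, what limits access through /proc/N/fd is the 0700 mode on that directory and the kernel's ptrace access checks, not the unlink.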