Re: [Ksummit-discuss] [TOPIC] kernel hardening / self-protection / whatever

ksummit.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

From: Andy Lutomirski <luto@amacapital.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jann@thejh.net>,
	"ksummit-discuss@lists.linuxfoundation.org"
	<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [TOPIC] kernel hardening / self-protection / whatever
Date: Tue, 19 Jul 2016 19:14:58 -0700	[thread overview]
Message-ID: <CALCETrVeNP=2WRYdT7ePFx=MURao4-XFHyx9U+VQmpcmyLjLfw@mail.gmail.com> (raw)
In-Reply-To: <87y44xr5zp.fsf@x220.int.ebiederm.org>

On Tue, Jul 19, 2016 at 8:40 AM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Jann Horn <jann@thejh.net> writes:
>
>> On Sun, Jul 10, 2016 at 09:28:53PM -0700, Andy Lutomirski wrote:
>>> Are there useful things to discuss in person about hardening? [...]
>>
>> I think that an interesting question to discuss might be whether, and
>> if so, how, it makes sense to add restrictions to namespaces.
>>
>> Namespaces, as a concept, aren't very scary when you keep in mind that
>> they only grant privileges to otherwise unprivileged users when they
>> interact with things inside their namespaces. However, in their
>> implementation, they are somewhat scary because they expose code to
>> unprivileged users that was written as code only root could reach. As
>> an example, have a look at NCC Group's netfilter bugs (and netfilter
>> in general; iirc, the filter parsing code has exponential complexity
>> without process death checks, which afaik shouldn't happen in any
>> code normal users can reach).
>>
>> User namespaces alone are pretty simple. I don't know everything
>> about mount namespaces, but I think they also don't expose big masses
>> of kernel code, and IPC, PID and UTS namespaces are pretty simple.
>
> Mount namespaces share a lot by default and as such there have been a
> lot of hard to resolve semantic difficulties that had to be sorted out.
>
> I am very grateful right now that the issues we are primary issues we
> are seeing now are primarily human error.
>
>> I think that network namespaces, compared to other namespace types,
>> expose a lot of code. Grepping for CAP_SYS_ADMIN with
>> `egrep -R '(ns_capable|netlink_net_capable).*CAP_NET_ADMIN'`
>> returns a bunch of things, including netlink stuff, netfilter,
>> sysctls, AF_KEY stuff, bridges, routing, socket repair, ARP and
>> tunnel devices. At the same time, they are one of the lesser-used
>> namespace types: Containers need them, but sandboxes don't really
>> need them for much apart from making abstract unix sockets and
>> networking in general inaccessible.
>
> Sort of.  A lot of the code is already exposed as the networking stack,
> and is exposed from the underside to packets from random strangers from
> the internet if not from the control side.
>

At least when that code was written the authors *knew* it was
security-sensitive.  The control stuff wasn't security sensitive in
the past.

--Andy

next prev parent reply	other threads:[~2016-07-20  2:15 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-11  4:28 Andy Lutomirski
2016-07-11 13:05 ` Rafael J. Wysocki
2016-07-11 16:30 ` Eric W. Biederman
2016-07-11 17:57   ` Kees Cook
2016-07-12 16:40     ` Eric W. Biederman
2016-07-21 15:54   ` Mark Rutland
2016-07-11 17:33 ` Jann Horn
2016-07-19 15:40   ` Eric W. Biederman
2016-07-20  2:14     ` Andy Lutomirski [this message]
2016-07-20  2:14       ` Eric W. Biederman
2016-07-20  6:42         ` Herbert Xu
2016-07-21 17:03           ` Eric W. Biederman
2016-07-11 17:53 ` Kees Cook
2016-07-11 18:07   ` Josh Triplett
2016-07-11 18:59     ` Kees Cook
2016-07-31  9:55   ` Paul Burton
2016-07-31 22:04     ` Kees Cook
2016-08-01 10:47       ` Mark Rutland
2016-08-01 19:42         ` Kees Cook
2016-08-03 22:53       ` Catalin Marinas
2016-08-04  5:32         ` Kees Cook
2016-08-04  5:45           ` Andy Lutomirski
2016-08-04  5:54             ` Kees Cook
2016-08-05  0:12               ` Andy Lutomirski
2016-09-08 23:54                 ` Kees Cook
2016-09-09  0:42                   ` Andy Lutomirski
2016-08-04 14:17           ` Dave Hansen
2016-08-04 22:29             ` Catalin Marinas
2016-08-01  9:34     ` [Ksummit-discuss] [nominations] " Mark Rutland

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALCETrVeNP=2WRYdT7ePFx=MURao4-XFHyx9U+VQmpcmyLjLfw@mail.gmail.com' \
    --to=luto@amacapital.net \
    --cc=ebiederm@xmission.com \
    --cc=jann@thejh.net \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox