From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D31BC433FE for ; Tue, 18 Oct 2022 07:09:14 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 546726B0072; Tue, 18 Oct 2022 03:09:14 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4D01E6B0075; Tue, 18 Oct 2022 03:09:14 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 348E86B0078; Tue, 18 Oct 2022 03:09:14 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 1D0F86B0072 for ; Tue, 18 Oct 2022 03:09:14 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id C8206160327 for ; Tue, 18 Oct 2022 07:09:13 +0000 (UTC) X-FDA: 80033193786.29.027AB80 Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by imf16.hostedemail.com (Postfix) with ESMTP id 5A58718002B for ; Tue, 18 Oct 2022 07:09:13 +0000 (UTC) Received: by mail-pg1-f177.google.com with SMTP id r18so12528680pgr.12 for ; Tue, 18 Oct 2022 00:09:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=iNEQRnMbbhNWubilbw/rj/P2d1G+agBoZ60I2f1f5Do=; b=X0ET30LPAg/2hhVOVOYU6Pr04DSI3Jm0DBzg+Dbc9pRLpg/gYYFfB2lWuUXdMW8x5y QMYGSvgNIFT5mwvtFI3z4wND4aavbws+5TizLg4YPcPHYHMgDLbkU5BJJ0LRZp5SMd+j E36rxqZu5Rf3DdSbuERN5DitzBEx14I8ec4Js= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iNEQRnMbbhNWubilbw/rj/P2d1G+agBoZ60I2f1f5Do=; b=ALyd/bdiDTy2Z6sGMMAGm6CuUSsXn9qcFIrAkivhJLpVpNKogK64IHWMxAlmMSkL4g UXqFZFJGDP7/7bFypowYuzeFHkPKKIjhll1+Yiq/qIzk67BiGVN8mL5rdOZBeAbh2sTw WPZPnLZhwV+lfvNfD8HaHX2wdf81Rqu51vGmFdAhfalmLLgjntVJO+uVaI6hKQFEh8iv Ok9U8zRdKYm0Yvk7pIwUplAMYyaVvJMH7aO3hFsZhyuBFHD3ZvLiLFZT5Pk+HM3OLK7e Ly3TaBn9S1K0p19UUariAFJSTamDGWLqzM5MZDGePI+qpOA91oTisN4/+2I2KRnrr0Zv V6Tw== X-Gm-Message-State: ACrzQf09sP4pF8FuksrIGgmLV5d2CEaOsdlPpjmJGwavJ+4cmeAcDnH9 J7M6WyKxQaTwjAs7QATMICcpHQ== X-Google-Smtp-Source: AMsMyM7O1F8/RnlgevXbqPsr/L7BpnVBiOy+1L4ZiF+iCfo11wW0RLSWGEv3YXYrEKpONV1OJxPM1Q== X-Received: by 2002:a05:6a00:2495:b0:562:c459:e327 with SMTP id c21-20020a056a00249500b00562c459e327mr1763013pfv.47.1666076952183; Tue, 18 Oct 2022 00:09:12 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id r2-20020a17090aa08200b0020b7de675a4sm7301841pjp.41.2022.10.18.00.09.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Oct 2022 00:09:11 -0700 (PDT) Date: Tue, 18 Oct 2022 00:09:10 -0700 From: Kees Cook To: Jann Horn Cc: Andy Lutomirski , Christian Brauner , "Eric W. Biederman" , Jorge Merlino , Al Viro , Thomas Gleixner , Sebastian Andrzej Siewior , Andrew Morton , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, John Johansen , Paul Moore , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Richard Haines , Casey Schaufler , Xin Long , "David S. Miller" , Todd Kjos , Ondrej Mosnacek , Prashanth Prahlad , Micah Morton , Fenghua Yu , Andrei Vagin , Linux Kernel Mailing List , apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec Message-ID: <202210172359.EDF8021407@keescook> References: <20221006082735.1321612-1-keescook@chromium.org> <20221006082735.1321612-2-keescook@chromium.org> <20221006090506.paqjf537cox7lqrq@wittgenstein> <2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666076953; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=iNEQRnMbbhNWubilbw/rj/P2d1G+agBoZ60I2f1f5Do=; b=xT8MXjW7peAXd7fGIulKqsGkJgIwK3nS/wCSmLSkQS97cofmTzRYmjG+SoXIa/t7Dq+uwI qPb5xtgXUnEI2wVG0WlX0fFJBhRClLH9Gstsvw7aiYmr6l3k2wfxqa0Z9sU5zEC8lhdwlN QzeXQbGi2uHKEgXWH0iia2yPFNf9DDY= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=X0ET30LP; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf16.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.177 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666076953; a=rsa-sha256; cv=none; b=8AEiupUjU3x4W+YPj8bwveS7MPhuuQ46WLfo+VfY8ifm1t7zEzyDKWvi73TB6Oe3x9rCIr qfKfwlmFYx21bjK7MvRnFcvlIXGYTMfgP3FdRuUCmz71y3xfHsK/MWUP7j1bBDzDG2Ay/V Ow7J4y5kMbWknaGi+E/qftYIsl/zWmI= Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=X0ET30LP; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf16.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.177 as permitted sender) smtp.mailfrom=keescook@chromium.org X-Rspamd-Server: rspam02 X-Rspamd-Queue-Id: 5A58718002B X-Rspam-User: X-Stat-Signature: 5x6it1essego46qifrxcsch69b5ob31t X-HE-Tag: 1666076953-65389 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Oct 14, 2022 at 05:35:26PM +0200, Jann Horn wrote: > On Fri, Oct 14, 2022 at 5:18 AM Andy Lutomirski wrote: > > On Thu, Oct 6, 2022, at 7:13 AM, Jann Horn wrote: > > > On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner wrote: > > >> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote: > > >> > The check_unsafe_exec() counting of n_fs would not add up under a heavily > > >> > threaded process trying to perform a suid exec, causing the suid portion > > >> > to fail. This counting error appears to be unneeded, but to catch any > > >> > possible conditions, explicitly unshare fs_struct on exec, if it ends up > > >> > > >> Isn't this a potential uapi break? Afaict, before this change a call to > > >> clone{3}(CLONE_FS) followed by an exec in the child would have the > > >> parent and child share fs information. So if the child e.g., changes the > > >> working directory post exec it would also affect the parent. But after > > >> this change here this would no longer be true. So a child changing a > > >> workding directoro would not affect the parent anymore. IOW, an exec is > > >> accompanied by an unshare(CLONE_FS). Might still be worth trying ofc but > > >> it seems like a non-trivial uapi change but there might be few users > > >> that do clone{3}(CLONE_FS) followed by an exec. > > > > > > I believe the following code in Chromium explicitly relies on this > > > behavior, but I'm not sure whether this code is in active use anymore: > > > > > > https://source.chromium.org/chromium/chromium/src/+/main:sandbox/linux/suid/sandbox.c;l=101?q=CLONE_FS&sq=&ss=chromium > > > > Wait, this is absolutely nucking futs. On a very quick inspection, the sharable things like this are fs, files, sighand, and io. files and sighand get unshared, which makes sense. fs supposedly checks for extra refs and prevents gaining privilege. io is... ignored! At least it's not immediately obvious that io is a problem. > > > > But seriously, this makes no sense at all. It should not be possible to exec a program and then, without ptrace, change its cwd out from under it. Do we really need to preserve this behavior? > > I agree that this is pretty wild. > > The single user I'm aware of is Chrome, and as far as I know, they use > it for establishing their sandbox on systems where unprivileged user > namespaces are disabled - see > . > They also have seccomp-based sandboxing, but IIRC there are some small > holes that mean it's still useful for them to be able to set up > namespaces, like how sendmsg() on a unix domain socket can specify a > file path as the destination address. > > (By the way, I think maybe Chrome wouldn't need this wacky trick with > the shared fs_struct if the "NO_NEW_PRIVS permits chroot()" thing had > ever landed that you > (https://lore.kernel.org/lkml/0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327858005.git.luto@amacapital.net/) > and Mickaël Salaün proposed in the past... or alternatively, if there > was a way to properly filter all the syscalls that Chrome has to > permit for renderers.) > > (But also, to be clear, I don't speak for Chrome, this is just my > understanding of how their stuff works.) Chrome seems to just want a totally empty filesystem view, yes? Let's land the nnp+chroot change. :P Only 10 years late! Then we can have Chrome use this and we can unshare fs on exec... -- Kees Cook