From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0817AC433FE for ; Tue, 18 Oct 2022 11:19:40 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 43DF36B0072; Tue, 18 Oct 2022 07:19:40 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 3ED916B0075; Tue, 18 Oct 2022 07:19:40 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2B5C86B0078; Tue, 18 Oct 2022 07:19:40 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 1D77E6B0072 for ; Tue, 18 Oct 2022 07:19:40 -0400 (EDT) Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id D8EF5160EEA for ; Tue, 18 Oct 2022 11:19:39 +0000 (UTC) X-FDA: 80033824878.03.FE3FC40 Received: from mail-il1-f172.google.com (mail-il1-f172.google.com [209.85.166.172]) by imf20.hostedemail.com (Postfix) with ESMTP id E3F571C0046 for ; Tue, 18 Oct 2022 11:19:37 +0000 (UTC) Received: by mail-il1-f172.google.com with SMTP id r20so7256396ilt.11 for ; Tue, 18 Oct 2022 04:19:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=fAhbWS2r+kZh1CW1h6OenJ9QjBTytqKLyQ/pXA2P2K0=; b=EIk/Kpc4vGn1CCgUwxqJ0g9qrIF8uy+2DQFZx6/0JpAeX9DYMTx5JXVkPBYtgQPrZD w5ckB2FyJECCFZ7TR5oVdLKM3JLtg8LbrnuzoEXxcJQrlWrBJhDOqqunlGUkyYiYusmg 4pZkzmwM+9f/7V2lVghKTwiM+YaQh3cp9ZZvUSDOsWutc4janERggmG80EYtDBsmm5FR 3Qexg8CkIUzBKrmcgVunCJJTsDfpAftOZMfOV1FpySB9PQZpPxpWdrR2KhN6f8f5sev9 BOvCNSY0IU2n3X0trRvB4A9oGJsk1h0bFLOBqjFDLcPxyl2bl058Kyw+oCFBFADmeDKL 3t1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fAhbWS2r+kZh1CW1h6OenJ9QjBTytqKLyQ/pXA2P2K0=; b=2ZfZmC0b909H3ie3pAqzvf67+4eiXWNIieHZPEv3UpkF0/DbKGV2kWyWOF7izAhUYL FGmqVW1Ozy3h7D7jLwPa4Uuowm8SmUL7Ucrefo/ySe8ks/7klSJ7jC3q2OxBDsVuSYVo aDP3gQehvlbCSgNSpzSGyBGg4AlfXNpIlmn8+9zCddbn476U4AoVsDaFMcKgufIxl5Ew FuVJw5y4fEOu2MVYJWEOcN2k6ez7VhEMTnOi9IKGhiGAdKC0bySZZ6Wkt+rIlG16TUP7 D64Alc6fFz1BI5ZqRHwa+O38T/rlH7ott8UIb7RP3WHvKtwVMykXo6ZMnSzXxfxIe5Lv NtIg== X-Gm-Message-State: ACrzQf1QwuhfSNrmZuYooxtUtAnnCVnVN2VBcVYhcsxPeZYFMl0+eIMO 0I/XtCJauwS0zIX2R+4OUfAod3Uq4kgzqeSweU6rAg== X-Google-Smtp-Source: AMsMyM5JK/czEGcdqbcmVXAa+iPQxFN5IfdfeKyvqXfD69WzM51dWHMxMw0qfiz3oZW7DVcBpgcr/vJENhoNl1bXbqk= X-Received: by 2002:a05:6e02:930:b0:2f9:9d1b:2525 with SMTP id o16-20020a056e02093000b002f99d1b2525mr1392129ilt.173.1666091977094; Tue, 18 Oct 2022 04:19:37 -0700 (PDT) MIME-Version: 1.0 References: <20221006082735.1321612-1-keescook@chromium.org> <20221006082735.1321612-2-keescook@chromium.org> <20221006090506.paqjf537cox7lqrq@wittgenstein> <2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com> <202210172359.EDF8021407@keescook> In-Reply-To: <202210172359.EDF8021407@keescook> From: Jann Horn Date: Tue, 18 Oct 2022 13:19:00 +0200 Message-ID: Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec To: Kees Cook Cc: Andy Lutomirski , Christian Brauner , "Eric W. Biederman" , Jorge Merlino , Al Viro , Thomas Gleixner , Sebastian Andrzej Siewior , Andrew Morton , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, John Johansen , Paul Moore , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Richard Haines , Casey Schaufler , Xin Long , "David S. Miller" , Todd Kjos , Ondrej Mosnacek , Prashanth Prahlad , Micah Morton , Fenghua Yu , Andrei Vagin , Linux Kernel Mailing List , apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666091977; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=fAhbWS2r+kZh1CW1h6OenJ9QjBTytqKLyQ/pXA2P2K0=; b=xyUnxt9jmfbdvnJbXX0/CMIwcFoNCMSpC88qOhT9msywlIlWnPJn2ebE8tRVkk/FyZsBdp JDOJouF2yTGxJ2dfcDl8S8AWd8kedfF9BKVcUIfT+NaacF6MIotKX5a2Cg5qzbd/fEWIbX 6ARX+qTOzy00J/y4NGfBHx7pmp7R4Kk= ARC-Authentication-Results: i=1; imf20.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b="EIk/Kpc4"; spf=pass (imf20.hostedemail.com: domain of jannh@google.com designates 209.85.166.172 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666091977; a=rsa-sha256; cv=none; b=4toSK7TF04RnWQN+VEx/CjsyTtm7d40jvOoJAjpo7hXVAs/Hihd/zekpedR0QXSOfxIwly zaCY+Y2zAUqs9UgLe01JkStek1fW23ojzcupvMEYBju0C7H2D1Jpx8N8TphT8VxFJIo9m7 vDQ1DTSdywD+QhAHh6romp6pt91FvWI= X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: E3F571C0046 X-Rspam-User: Authentication-Results: imf20.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b="EIk/Kpc4"; spf=pass (imf20.hostedemail.com: domain of jannh@google.com designates 209.85.166.172 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com X-Stat-Signature: k3n6qg13deuwuseuwqz55yudaerait4x X-HE-Tag: 1666091977-196296 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Oct 18, 2022 at 9:09 AM Kees Cook wrote: > On Fri, Oct 14, 2022 at 05:35:26PM +0200, Jann Horn wrote: > > On Fri, Oct 14, 2022 at 5:18 AM Andy Lutomirski wrote= : > > > On Thu, Oct 6, 2022, at 7:13 AM, Jann Horn wrote: > > > > On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner wrote: > > > >> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote: > > > >> > The check_unsafe_exec() counting of n_fs would not add up under = a heavily > > > >> > threaded process trying to perform a suid exec, causing the suid= portion > > > >> > to fail. This counting error appears to be unneeded, but to catc= h any > > > >> > possible conditions, explicitly unshare fs_struct on exec, if it= ends up > > > >> > > > >> Isn't this a potential uapi break? Afaict, before this change a ca= ll to > > > >> clone{3}(CLONE_FS) followed by an exec in the child would have the > > > >> parent and child share fs information. So if the child e.g., chang= es the > > > >> working directory post exec it would also affect the parent. But a= fter > > > >> this change here this would no longer be true. So a child changing= a > > > >> workding directoro would not affect the parent anymore. IOW, an ex= ec is > > > >> accompanied by an unshare(CLONE_FS). Might still be worth trying o= fc but > > > >> it seems like a non-trivial uapi change but there might be few use= rs > > > >> that do clone{3}(CLONE_FS) followed by an exec. > > > > > > > > I believe the following code in Chromium explicitly relies on this > > > > behavior, but I'm not sure whether this code is in active use anymo= re: > > > > > > > > https://source.chromium.org/chromium/chromium/src/+/main:sandbox/li= nux/suid/sandbox.c;l=3D101?q=3DCLONE_FS&sq=3D&ss=3Dchromium > > > > > > Wait, this is absolutely nucking futs. On a very quick inspection, t= he sharable things like this are fs, files, sighand, and io. files and s= ighand get unshared, which makes sense. fs supposedly checks for extra ref= s and prevents gaining privilege. io is... ignored! At least it's not imm= ediately obvious that io is a problem. > > > > > > But seriously, this makes no sense at all. It should not be possible= to exec a program and then, without ptrace, change its cwd out from under = it. Do we really need to preserve this behavior? > > > > I agree that this is pretty wild. > > > > The single user I'm aware of is Chrome, and as far as I know, they use > > it for establishing their sandbox on systems where unprivileged user > > namespaces are disabled - see > > . > > They also have seccomp-based sandboxing, but IIRC there are some small > > holes that mean it's still useful for them to be able to set up > > namespaces, like how sendmsg() on a unix domain socket can specify a > > file path as the destination address. > > > > (By the way, I think maybe Chrome wouldn't need this wacky trick with > > the shared fs_struct if the "NO_NEW_PRIVS permits chroot()" thing had > > ever landed that you > > (https://lore.kernel.org/lkml/0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.= 1327858005.git.luto@amacapital.net/) > > and Micka=C3=ABl Sala=C3=BCn proposed in the past... or alternatively, = if there > > was a way to properly filter all the syscalls that Chrome has to > > permit for renderers.) > > > > (But also, to be clear, I don't speak for Chrome, this is just my > > understanding of how their stuff works.) > > Chrome seems to just want a totally empty filesystem view, yes? > Let's land the nnp+chroot change. :P Only 10 years late! Then we can > have Chrome use this and we can unshare fs on exec... Someone should check with Chrome first though to make sure what I said accurately represents what they think...