From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0A35CC4332F for ; Fri, 14 Oct 2022 15:36:05 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 5625C6B0074; Fri, 14 Oct 2022 11:36:05 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4EA646B0075; Fri, 14 Oct 2022 11:36:05 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 33CE26B0078; Fri, 14 Oct 2022 11:36:05 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 160106B0074 for ; Fri, 14 Oct 2022 11:36:05 -0400 (EDT) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id D24ED1204C5 for ; Fri, 14 Oct 2022 15:36:04 +0000 (UTC) X-FDA: 80019955848.27.53F5437 Received: from mail-il1-f172.google.com (mail-il1-f172.google.com [209.85.166.172]) by imf17.hostedemail.com (Postfix) with ESMTP id 7001340032 for ; Fri, 14 Oct 2022 15:36:03 +0000 (UTC) Received: by mail-il1-f172.google.com with SMTP id i9so2699333ilv.9 for ; Fri, 14 Oct 2022 08:36:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Ytj3+kIoMyv4FX1lyc9tQ8OGwlhuPVWv2RqpKd5YyDU=; b=JR0xr0fIsskJTzO427SqrUgqb1DWjVVtwkmODGGjkSZJ4FMfX2ZsXK6Mm2spguP5Fi nyMmB82X0MA3h2JOCrtW3gl25dxsj4jiveXGKR6Z8STGPeeVjmS2VTjycP+RBn0tVhJl RTnAEkh5Qc5sIHtelNV80ZV0a1sV1g2AGrc8jU/2ZL2m19qrw9p6cxMlxHCX1YxptKvv NWg2UfEw3P0qeI86qPSMdLeiUDU5LTngBxTc3KHC3yReE92Ufkh4RP9JTPdhqddOZWDg 6zCkai4UfclKgR3ffQ4VMj7CkN9eR7ciGLAV2JgtjXPGADfXQqzzW05FazqVHzwOwv/N dRvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ytj3+kIoMyv4FX1lyc9tQ8OGwlhuPVWv2RqpKd5YyDU=; b=g19IEZ1QAhWDdHqeEquPLyM7BMpDRu1lm7MbRmXuypu+4/mfLtIp7ERr1AQ/jLFreE EyT55Dw2lc535mkFZqsObA+IZ/yPKkIJiL5m+DP9MVhOapxR5I3bTi8SjylnaSFSBsXQ bmY7ceKkvMkMtCjthOOjCCb3mHzIy7KAfemb0IPfDdgOzyEKYA2TCKw1WHQGgHVDOG+L x7a6dm9gZAk1W9d+3oaXIq+4qBV6Mp3HYK5mAKU+AladmE1Fh3O1LZVYzu8B6++oS2tJ qU1qLeYcUEq98JwZQgEWNIo9NdeZRSPZoDANaq82VW3ENfQf7GQlRUrIl0/KTKBJ4otg YvPg== X-Gm-Message-State: ACrzQf0kV4jrTXCnfq9id3+piLFOo/lALwpJpQfBdmqTzCFjoUPOPpGA TlyJWKCjbrBhEY2raNPK9lMHNW5uR6865Zqhy48F/g== X-Google-Smtp-Source: AMsMyM7SIvsGjFVFdZwPi/xpWspvv9GkH6JpuhbcRadzt8f/XtARZ9xDpqKEwls7AQ8KnXFNx+6y9OAVQ6OkLrOgJ1E= X-Received: by 2002:a05:6e02:1c27:b0:2fc:6aa7:edda with SMTP id m7-20020a056e021c2700b002fc6aa7eddamr2701536ilh.177.1665761762432; Fri, 14 Oct 2022 08:36:02 -0700 (PDT) MIME-Version: 1.0 References: <20221006082735.1321612-1-keescook@chromium.org> <20221006082735.1321612-2-keescook@chromium.org> <20221006090506.paqjf537cox7lqrq@wittgenstein> <2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com> In-Reply-To: <2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com> From: Jann Horn Date: Fri, 14 Oct 2022 17:35:26 +0200 Message-ID: Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec To: Andy Lutomirski Cc: Christian Brauner , Kees Cook , "Eric W. Biederman" , Jorge Merlino , Al Viro , Thomas Gleixner , Sebastian Andrzej Siewior , Andrew Morton , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, John Johansen , Paul Moore , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Richard Haines , Casey Schaufler , Xin Long , "David S. Miller" , Todd Kjos , Ondrej Mosnacek , Prashanth Prahlad , Micah Morton , Fenghua Yu , Andrei Vagin , Linux Kernel Mailing List , apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=JR0xr0fI; spf=pass (imf17.hostedemail.com: domain of jannh@google.com designates 209.85.166.172 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1665761763; a=rsa-sha256; cv=none; b=HPTT6++4QY3M2Ih3y4N4kPcsRzuDbRtI+2h0M2NDZaWurt/xj6H8paP0EW53amPCEv63P4 EzEf54Hnsod/CRJ17AsR2c/Y5uSWIbVFbas/2kkDGyrHf0asWMjIexz9T9YckTHXTUOv0/ IvtxbwVXeaB2bwur1ohSo9BscuWUHTE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1665761763; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Ytj3+kIoMyv4FX1lyc9tQ8OGwlhuPVWv2RqpKd5YyDU=; b=TQZB/PM/PlkM43QwVGZVY5kI5FhLZWeqOhWHyXmMOdBhvGv5kauhWtDcvqnlbyG4Ntc7+C 7oYbR+BkXORU+WneOHT0VBieBYKMqlXGxPzXdnuNLS84w/ynJ+wgTqiDSG0PdeJbjBBoXy 4ffuL8+ZiJKqP2G6MOufZSEfXMhF4xw= X-Rspamd-Server: rspam05 X-Rspam-User: Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=JR0xr0fI; spf=pass (imf17.hostedemail.com: domain of jannh@google.com designates 209.85.166.172 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com X-Stat-Signature: aww4cajjrnubb93mjb3ooacyj918tr33 X-Rspamd-Queue-Id: 7001340032 X-HE-Tag: 1665761763-208408 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Oct 14, 2022 at 5:18 AM Andy Lutomirski wrote: > On Thu, Oct 6, 2022, at 7:13 AM, Jann Horn wrote: > > On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner = wrote: > >> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote: > >> > The check_unsafe_exec() counting of n_fs would not add up under a he= avily > >> > threaded process trying to perform a suid exec, causing the suid por= tion > >> > to fail. This counting error appears to be unneeded, but to catch an= y > >> > possible conditions, explicitly unshare fs_struct on exec, if it end= s up > >> > >> Isn't this a potential uapi break? Afaict, before this change a call t= o > >> clone{3}(CLONE_FS) followed by an exec in the child would have the > >> parent and child share fs information. So if the child e.g., changes t= he > >> working directory post exec it would also affect the parent. But after > >> this change here this would no longer be true. So a child changing a > >> workding directoro would not affect the parent anymore. IOW, an exec i= s > >> accompanied by an unshare(CLONE_FS). Might still be worth trying ofc b= ut > >> it seems like a non-trivial uapi change but there might be few users > >> that do clone{3}(CLONE_FS) followed by an exec. > > > > I believe the following code in Chromium explicitly relies on this > > behavior, but I'm not sure whether this code is in active use anymore: > > > > https://source.chromium.org/chromium/chromium/src/+/main:sandbox/linux/= suid/sandbox.c;l=3D101?q=3DCLONE_FS&sq=3D&ss=3Dchromium > > Wait, this is absolutely nucking futs. On a very quick inspection, the s= harable things like this are fs, files, sighand, and io. files and sigha= nd get unshared, which makes sense. fs supposedly checks for extra refs an= d prevents gaining privilege. io is... ignored! At least it's not immedia= tely obvious that io is a problem. > > But seriously, this makes no sense at all. It should not be possible to = exec a program and then, without ptrace, change its cwd out from under it. = Do we really need to preserve this behavior? I agree that this is pretty wild. The single user I'm aware of is Chrome, and as far as I know, they use it for establishing their sandbox on systems where unprivileged user namespaces are disabled - see . They also have seccomp-based sandboxing, but IIRC there are some small holes that mean it's still useful for them to be able to set up namespaces, like how sendmsg() on a unix domain socket can specify a file path as the destination address. (By the way, I think maybe Chrome wouldn't need this wacky trick with the shared fs_struct if the "NO_NEW_PRIVS permits chroot()" thing had ever landed that you (https://lore.kernel.org/lkml/0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327= 858005.git.luto@amacapital.net/) and Micka=C3=ABl Sala=C3=BCn proposed in the past... or alternatively, if t= here was a way to properly filter all the syscalls that Chrome has to permit for renderers.) (But also, to be clear, I don't speak for Chrome, this is just my understanding of how their stuff works.)