2012-08-10 20:58:41

by Colin Walters

[permalink] [raw]
Subject: linux-user-chroot 2012.2

Hi,

This is the release of linux-user-chroot 2012.2. The major change now
is that it makes use of Andy's new PR_SET_NO_NEW_PRIVS. This doesn't
close any security hole I'm aware of - our previous use of the MS_NOSUID
bind mount over / should work - but, belt and suspenders as they say.

The code:
http://git.gnome.org/browse/linux-user-chroot/commit/?id=515c714471d0b5923f6633ef44a2270b23656ee9

As for how linux-user-chroot and PR_SET_NO_NEW_PRIVS relate, see this
thread:
http://thread.gmane.org/gmane.linux.kernel.lsm/15339

Summary
-------

This tool allows regular (non-root) users to call chroot(2), create
Linux bind mounts, and use some Linux container features. It's
primarily intended for use by build systems.

Project information
-------------------

There's no web page yet; send patches to
Colin Walters <[email protected]>



2012-08-13 18:11:10

by Andy Lutomirski

[permalink] [raw]
Subject: Re: linux-user-chroot 2012.2

On Fri, Aug 10, 2012 at 1:58 PM, Colin Walters <[email protected]> wrote:
> Hi,
>
> This is the release of linux-user-chroot 2012.2. The major change now
> is that it makes use of Andy's new PR_SET_NO_NEW_PRIVS. This doesn't
> close any security hole I'm aware of - our previous use of the MS_NOSUID
> bind mount over / should work - but, belt and suspenders as they say.
>
> The code:
> http://git.gnome.org/browse/linux-user-chroot/commit/?id=515c714471d0b5923f6633ef44a2270b23656ee9
>
> As for how linux-user-chroot and PR_SET_NO_NEW_PRIVS relate, see this
> thread:
> http://thread.gmane.org/gmane.linux.kernel.lsm/15339
>
> Summary
> -------
>
> This tool allows regular (non-root) users to call chroot(2), create
> Linux bind mounts, and use some Linux container features. It's
> primarily intended for use by build systems.

Nifty.

One of these days, I intend to resurrect my unprivileged chroot kernel
patches. My current thought is to add a new syscall weak_chroot,
which should have these properties:

1. Can't be used unless no_new_privs is set or you have CAP_SYS_ADMIN.
2. Can't be used if fs->users > 1 (to avoid a trivial no_new_privs bypass).
3. Can't be used to break out of chroot jail.

The interface might be:

weak_chroot_at(int fd, const char *path, int flags)

Sets fs->weak_root to path, as seen from fd, according to flags.
Works if (no_new_privs && fs->users == 1) || capable(CAP_SYS_ADMIN).

Modify chroot to change fs->weak_root and fs->root. Further modify
the path walking code so that / sees weak_root instead of root and so
that .. will not traverse root or weak_root.

I'm somewhat tempted to add a flag to weak_chroot_at to break out of
weak_root jail to prevent people from thinking that it's a security
feature. I'm not sure about that, though.

--Andy