MIME-Version: 1.0
In-Reply-To: <CALCETrVhvvhwdqER25_dKbGXX35UYvwfQrxz9VfofbKCqTQLRQ@mail.gmail.com>
References: <1499126133.2707.20.camel@decadent.org.uk> <CA+55aFzMX72+Kb=zNgjCf6UfPt+C+e7WDp_rpbSLuOVx1k7iqg@mail.gmail.com>
 <20170704084122.GC14722@dhcp22.suse.cz> <20170704093538.GF14722@dhcp22.suse.cz>
 <20170704094728.GB22013@1wt.eu> <20170704104211.GG14722@dhcp22.suse.cz>
 <20170704113611.GA4732@decadent.org.uk> <1499209315.2707.29.camel@decadent.org.uk>
 <CA+55aFzjibuaV=GBZQN8KOaCpf1P3B1abJCYGaxEM9RVpf9fXg@mail.gmail.com>
 <1499257180.2707.34.camel@decadent.org.uk> <20170705142354.GB21220@dhcp22.suse.cz>
 <CALCETrW5P8ZhuOJ4bL0x+hx52RdFkG4_x0qAQofrdBi2JavxmA@mail.gmail.com>
 <CA+55aFwn3bbfxXMTafQVXz0nx5hWTUzQFdaqOFvJSY96Muc3VA@mail.gmail.com>
 <CALCETrUMsnV=jWJBtFxfJPdnoszLvkXwT8NuaQnOQOoUOpVjCw@mail.gmail.com>
 <CAGXu5j+khT6eirko-HLnimZZXe6h2XMWZQCYj8b_ARr-j67J8Q@mail.gmail.com> <CALCETrVhvvhwdqER25_dKbGXX35UYvwfQrxz9VfofbKCqTQLRQ@mail.gmail.com>
From: Kees Cook <keescook@chromium.org>
Date: Wed, 5 Jul 2017 19:45:25 -0700
Message-ID: <CAGXu5jJimVeaMxh43LURsK+nJ9RxR0ifnm80W6qfNoJBcU6uzg@mail.gmail.com>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
To: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Michal Hocko <mhocko@kernel.org>, Ben Hutchings <ben@decadent.org.uk>,
        Willy Tarreau <w@1wt.eu>, Hugh Dickins <hughd@google.com>,
        Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        Larry Woodman <lwoodman@redhat.com>,
        "Kirill A. Shutemov" <kirill@shutemov.name>,
        Tony Luck <tony.luck@intel.com>,
        "James E.J. Bottomley" <jejb@parisc-linux.org>,
        Helge Diller <deller@gmx.de>, James Hogan <james.hogan@imgtec.com>,
        Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
        "security@kernel.org" <security@kernel.org>,
        Qualys Security Advisory <qsa@qualys.com>,
        LKML <linux-kernel@vger.kernel.org>, Ximin Luo <infinity0@debian.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1386
Lines: 30

On Wed, Jul 5, 2017 at 5:19 PM, Andy Lutomirski <luto@kernel.org> wrote:
> On Wed, Jul 5, 2017 at 4:50 PM, Kees Cook <keescook@chromium.org> wrote:
>> As part of that should we put restrictions on the environment of
>> set*id exec too? Part of the risks demonstrated by Qualys was that
>> allowing a privilege-elevating binary to inherit rlimits can have lead
>> to the nasty memory layout side-effects. That would fall into the
>> "hardening" bucket as well. And if it turns out there is some set*id
>> binary out there that can't run with "only", e.g., 128MB of stack, we
>> can make it configurable...
>
> Yes.  I think it's ridiculous that you can change rlimits and then
> exec a setuid thing.  It's not so easy to fix, though.  Maybe track,
> per-task, inherited by clone and exec, what the rlimits were the last
> time the process had privilege and reset to those limits when running
> something setuid.  But a better approach might be to have some sysctls
> that say what the rlimits become when doing setuid.
>
> We need per-user-ns sysctls for stuff like this, and we don't really
> have them...

In userspace, the way that sensible rlimit defaults were selected by
PAM when building an initial environment is to just examine the
rlimits of init. Maybe we could just do the same thing here, which
gives us some level of namespace control.

-Kees

-- 
Kees Cook
Pixel Security