Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752730AbdGFCpd (ORCPT ); Wed, 5 Jul 2017 22:45:33 -0400 Received: from mail-it0-f51.google.com ([209.85.214.51]:38219 "EHLO mail-it0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752315AbdGFCpc (ORCPT ); Wed, 5 Jul 2017 22:45:32 -0400 MIME-Version: 1.0 In-Reply-To: References: <1499126133.2707.20.camel@decadent.org.uk> <20170704084122.GC14722@dhcp22.suse.cz> <20170704093538.GF14722@dhcp22.suse.cz> <20170704094728.GB22013@1wt.eu> <20170704104211.GG14722@dhcp22.suse.cz> <20170704113611.GA4732@decadent.org.uk> <1499209315.2707.29.camel@decadent.org.uk> <1499257180.2707.34.camel@decadent.org.uk> <20170705142354.GB21220@dhcp22.suse.cz> From: Kees Cook Date: Wed, 5 Jul 2017 19:45:25 -0700 X-Google-Sender-Auth: u1OETnrBdxcZ8OaXFRxNPEfnghE Message-ID: Subject: Re: [PATCH] mm: larger stack guard gap, between vmas To: Andy Lutomirski Cc: Linus Torvalds , Michal Hocko , Ben Hutchings , Willy Tarreau , Hugh Dickins , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , Larry Woodman , "Kirill A. Shutemov" , Tony Luck , "James E.J. Bottomley" , Helge Diller , James Hogan , Laura Abbott , Greg KH , "security@kernel.org" , Qualys Security Advisory , LKML , Ximin Luo Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1386 Lines: 30 On Wed, Jul 5, 2017 at 5:19 PM, Andy Lutomirski wrote: > On Wed, Jul 5, 2017 at 4:50 PM, Kees Cook wrote: >> As part of that should we put restrictions on the environment of >> set*id exec too? Part of the risks demonstrated by Qualys was that >> allowing a privilege-elevating binary to inherit rlimits can have lead >> to the nasty memory layout side-effects. That would fall into the >> "hardening" bucket as well. And if it turns out there is some set*id >> binary out there that can't run with "only", e.g., 128MB of stack, we >> can make it configurable... > > Yes. I think it's ridiculous that you can change rlimits and then > exec a setuid thing. It's not so easy to fix, though. Maybe track, > per-task, inherited by clone and exec, what the rlimits were the last > time the process had privilege and reset to those limits when running > something setuid. But a better approach might be to have some sysctls > that say what the rlimits become when doing setuid. > > We need per-user-ns sysctls for stuff like this, and we don't really > have them... In userspace, the way that sensible rlimit defaults were selected by PAM when building an initial environment is to just examine the rlimits of init. Maybe we could just do the same thing here, which gives us some level of namespace control. -Kees -- Kees Cook Pixel Security