Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3626251yba; Sat, 11 May 2019 15:41:46 -0700 (PDT) X-Google-Smtp-Source: APXvYqzy4YWpoA35GyvtaotLQQwpNc1XNXg49L0olF88LsvqvCh2HSt7hx/XbvfTrWLYnGRzaAUQ X-Received: by 2002:a62:62c1:: with SMTP id w184mr23920156pfb.95.1557614506320; Sat, 11 May 2019 15:41:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557614506; cv=none; d=google.com; s=arc-20160816; b=r7WV1Pp39m/JL0o7d0EnET3fZnaZyto0g5xYcmoyuDu7XX0UU5PjF/JVntLY7CDgfu RA4WPVY/x0UhTqAuI44KmQqMWpy59+MDCqLFbqY7M6tZcHyDxEHjWSYqKaycJfKFHK2V x7qZSwTIBUcGIGohEr7ZfTSZHSsY5gfCugMir9BQbnlsNkNhHdeSRPQESri9fAfqrKBv XaryvN7OU9/FIPDC1hhj/Lf5kx3dOusSRI/5UhXJJCy+JA5Tcm6TP7urOvAZOHD3orxx NcvV1HhsdzuHafNu+YRlaAUqK+WkiR6C3G//npREsJzdGXUrItN53sKwWo15RHQYScd6 rgnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=NUf/TcqAx/VZP3NNi26DP03zUjHkHy+KrniF6vD+ClY=; b=AVueN19LkFSYDKGYMwbV7uPM9eIeJre5d3EAJ405aprtmEQVZXILmIoyNqUPI8/cjH y5INGLduBQDDuiNfu1DoBP9TLS+Tl6haDuF8V0wGLZFYYBVPsLU5q8uVY/cbFriZ3pDh h0MIMvay4ZAsJUVGYzLGZsebvD/d/r+++nEi52b7T0FHpZN/c2GnAIdt/XPuFi+k7d57 FlAFd3/omfOGzJzAnewyda3KwF6cFXotOTJNRUjRNBhlt7hK0rAwBYVkmq5Czuimtvsg 9IfWE7nejSKKd98FJmBxJw9SPe+xm+xuhymNDz0Dczpq5nJi6e+VFFY4PUo4ZYyRSfEa XXEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oOZpwkFy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 187si14318560pfe.116.2019.05.11.15.41.29; Sat, 11 May 2019 15:41:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oOZpwkFy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726380AbfEKWkD (ORCPT + 99 others); Sat, 11 May 2019 18:40:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:33524 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726033AbfEKWkB (ORCPT ); Sat, 11 May 2019 18:40:01 -0400 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CBA3B21852 for ; Sat, 11 May 2019 22:39:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557614400; bh=6aAVxVoG0YErbZEF5yAMdrjDFqc8XWrGVGwGxXiD2h8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=oOZpwkFy4KvTDWQ5x5WmN/Wa2/j/gcwfjt6x79ZL178HwDByZxOuKJdbpmoh5MPbi Q9L2idDgToQpAZDmoMzdQolUzlnxexTRLumvHOVlxwJkKKLK5rfwiShuaMuNv4Sneh xYPL1JqnSu3BKdnF/2mH8CY5/L/nb0cln6QvsWkc= Received: by mail-wm1-f47.google.com with SMTP id y3so1127819wmm.2 for ; Sat, 11 May 2019 15:39:59 -0700 (PDT) X-Gm-Message-State: APjAAAU8bRr2TqO/iKUCIjHbzhfoEUKRfHNngg5j8gASGIm8UFIT2DBx je+49K9NzheISliwWygMLA1JGduHiPJf6EBUQ9Bm2w== X-Received: by 2002:a1c:eb18:: with SMTP id j24mr11759062wmh.32.1557614396632; Sat, 11 May 2019 15:39:56 -0700 (PDT) MIME-Version: 1.0 References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <20190506191735.nmzf7kwfh7b6e2tf@yavin> <20190510204141.GB253532@google.com> <20190510225527.GA59914@google.com> In-Reply-To: From: Andy Lutomirski Date: Sat, 11 May 2019 15:39:45 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters To: Linus Torvalds Cc: Jann Horn , Andy Lutomirski , Aleksa Sarai , Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Eric Biederman , Andrew Morton , Alexei Starovoitov , Kees Cook , Christian Brauner , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Aleksa Sarai , Linux Containers , linux-fsdevel , Linux API , kernel list , linux-arch Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On May 11, 2019, at 10:21 AM, Linus Torvalds wrote: > >> On Sat, May 11, 2019 at 1:00 PM Andy Lutomirski wr= ote: >> >> A better =E2=80=9Cspawn=E2=80=9D API should fix this. > > Andy, stop with the "spawn would be better". It doesn=E2=80=99t have to be spawn per se. But the current situation suck= s. > > Notice? None of the real problems are about execve or would be solved > by any spawn API. You just think that because you've apparently been > talking to too many MS people that think fork (and thus indirectly > execve()) is bad process management. > > I=E2=80=99ve literally never spoken to an MS person about it. What container managers and init systems *want* is a way to drop privileges, change namespaces, etc and then run something in a controlled way so that the intermediate states aren=E2=80=99t dangerous. An API for this could be spawn-like or exec-like =E2=80=94 that particular distinction is beside the point. Having personally written code that mucks with namepsaces, I've wanted two particular abilities that are both quite awkward: a) Change all my UIDs and GIDs to match a container, enter that container's namespaces, and run some binary in the container's filesystem, all atomically enough that I don't need to worry about accidentally leaking privileges into the container. A super-duper-non-dumpable mode would kind of allow this, but I'd worry that there's some other hole besides ptrace() and /proc/self. b) Change all my UIDs and GIDs to match a container, enter that container's namespaces, and run some binary that is *not* in the container's filesystem. This happens, for example, if the container's mount namespace has no exec mounts at all. We don't have a fantastic way to do this at all right now due to /proc/self/exe. Regardless, the actual CVE at hand would have been nicely avoided if writing to /proc/self/exe didn=E2=80=99t work, and I see no reason we can= =E2=80=99t make that happen. I suppose we could also consider a change to disable /proc/self/exe if it's not reachable from /proc/self/root. By "disable", I mean that readlink() should maybe still work, but actually trying to open it could probably fail safely.