Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4465165pxf; Tue, 16 Mar 2021 14:21:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxiCFkoBqDgGWMgohAI9/T77hoDp3zW7ehx2+7zysude+fRy0QIiIefYqaJcV8cf2nFy80I X-Received: by 2002:a05:6402:2058:: with SMTP id bc24mr38890030edb.243.1615929678689; Tue, 16 Mar 2021 14:21:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1615929678; cv=none; d=google.com; s=arc-20160816; b=Wz3JRpyAAsZQ3/CNr7TZnwNeihL+PvXBS4Wga6P+0VFuWvD0uT24MgIfUO+jauSKCC 68dnePH6FaEG2tHfqLunaQ0JnpeG+BDtPxilh7iJn1rwKASxwZFXuyTNso/SmO5M0/Tl HeYaOLdt4NkXTh/JRKnhVYjkR+g9rXj+SLVxPqXP93rc767pZWq/MD8SJKOCXpQW6ptK SuGN/Llgcg4r8QAQraLd4EOFa9W/pEukieSEwNiFMbOxeh7ZVFqy/0Utx029dwNlSk4n Bcg4yhl408FJtpp56X/a203S6l+MJqSWVFv0RXYAkHZBbypIiYTcNvbWmYXiLzewSwXr L94Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=OptPjRnwjXC7zKbUBkw8dw6CLa96GSPlm9wOKUYzD7E=; b=FiglqjhbcKsRNPyT8JGSwmppqYgo+tWzXmFANvPczmo+4kkYfswoy8JCTDiZWBQ+n/ mllsf2NHJQmbUJk6qJ4hN+V+rorasA1s6EWXNS25z7LQ0kFUEyO+ny/uduNQDcCyKHdt y+VcJU5276F6N4dK3uxuDDbgo7T0T6bUpbN28pWJbiefOlId5/fgtg9eSF0LDZfRRAbR qI6Iua8rAVyv5WlN2ic0kz5g9nKfx8fdWzJ2U6HQxo7NhkTELy6iPNLIztuvpg49g6vo IWDC8S7z9CHxg2hLy5lDtaUrmGmaKVIvEdN6fNBBkGpObALOoP0fiBU2ynfnHkOscoRL DUBg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=dCguvI+V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v2si14305837ejw.670.2021.03.16.14.20.31; Tue, 16 Mar 2021 14:21:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=dCguvI+V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234263AbhCPSnf (ORCPT + 99 others); Tue, 16 Mar 2021 14:43:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234506AbhCPSnL (ORCPT ); Tue, 16 Mar 2021 14:43:11 -0400 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 572FAC061756 for ; Tue, 16 Mar 2021 11:43:08 -0700 (PDT) Received: by mail-pj1-x1034.google.com with SMTP id gb6so11108698pjb.0 for ; Tue, 16 Mar 2021 11:43:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=OptPjRnwjXC7zKbUBkw8dw6CLa96GSPlm9wOKUYzD7E=; b=dCguvI+VWcGOGobPRiPVUdxUKgZvETSN+uJx0tokpIzqQM7+LmH15/c5uSWcXJmc0e +x08CsN0VFPVtk/HBfRMKXWIPypf+5ywRpGhkC173FdfoKCV/OVegFVHgMF4tVUEw2Rr zWV2O615wxmjD8JuHbVV4hcka6k1YXb+hR0Jg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=OptPjRnwjXC7zKbUBkw8dw6CLa96GSPlm9wOKUYzD7E=; b=rEa1nIikygaWiYR93867oASYgL0T9dLVzifHfCP63uivN7iDq9TNEhrM5MFP9HdXvM FdiCb+TEPAG83nS9iCdgBam5bt26Nqz1yzidjCY7F1ZHHLmFsIu4DkS3cZSacDofo4uw 5xjqky3IVP635vqEQaUfllPaOH7iir9CQtWpusHu/7mNv8/V+GsU3rZrZMWXn+T9szBM 9NxRBQymSivOfjDa+Dnd7qg5jmK3ZaEJz4d6ESbndeQl3nw4VODylIyy6mEbaxyooVxb klmAZ29+if4zpalEf99XUZI4EA1KsCHD59HciSr8Bm6Npwm+hTfc1L+dndjs8G4MT0Ho wNmA== X-Gm-Message-State: AOAM531oddVxfSN2Cz300YklT1IZw722AnfwoBJ6eaEwsltP+pDPjTGE UACPdwsJuzBi0hag3eJ1/S6sgIRPPxvq2w== X-Received: by 2002:a17:902:bb8e:b029:e6:3b2:5834 with SMTP id m14-20020a170902bb8eb02900e603b25834mr869082pls.38.1615920187759; Tue, 16 Mar 2021 11:43:07 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id q5sm16729260pfk.219.2021.03.16.11.43.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Mar 2021 11:43:07 -0700 (PDT) Date: Tue, 16 Mar 2021 11:43:06 -0700 From: Kees Cook To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: Al Viro , James Morris , Serge Hallyn , Andy Lutomirski , Casey Schaufler , Christian Brauner , Christoph Hellwig , David Howells , Dominik Brodowski , "Eric W . Biederman" , John Johansen , Kentaro Takeda , Tetsuo Handa , kernel-hardening@lists.openwall.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Subject: Re: [PATCH v4 1/1] fs: Allow no_new_privs tasks to call chroot(2) Message-ID: <202103161142.87100A8133@keescook> References: <20210316170135.226381-1-mic@digikod.net> <20210316170135.226381-2-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20210316170135.226381-2-mic@digikod.net> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 16, 2021 at 06:01:35PM +0100, Micka?l Sala?n wrote: > From: Micka?l Sala?n > > Being able to easily change root directories enables to ease some > development workflow and can be used as a tool to strengthen > unprivileged security sandboxes. chroot(2) is not an access-control > mechanism per se, but it can be used to limit the absolute view of the > filesystem, and then limit ways to access data and kernel interfaces > (e.g. /proc, /sys, /dev, etc.). > > Users may not wish to expose namespace complexity to potentially > malicious processes, or limit their use because of limited resources. > The chroot feature is much more simple (and limited) than the mount > namespace, but can still be useful. As for containers, users of > chroot(2) should take care of file descriptors or data accessible by > other means (e.g. current working directory, leaked FDs, passed FDs, > devices, mount points, etc.). There is a lot of literature that discuss > the limitations of chroot, and users of this feature should be aware of > the multiple ways to bypass it. Using chroot(2) for security purposes > can make sense if it is combined with other features (e.g. dedicated > user, seccomp, LSM access-controls, etc.). > > One could argue that chroot(2) is useless without a properly populated > root hierarchy (i.e. without /dev and /proc). However, there are > multiple use cases that don't require the chrooting process to create > file hierarchies with special files nor mount points, e.g.: > * A process sandboxing itself, once all its libraries are loaded, may > not need files other than regular files, or even no file at all. > * Some pre-populated root hierarchies could be used to chroot into, > provided for instance by development environments or tailored > distributions. > * Processes executed in a chroot may not require access to these special > files (e.g. with minimal runtimes, or by emulating some special files > with a LD_PRELOADed library or seccomp). > > Unprivileged chroot is especially interesting for userspace developers > wishing to harden their applications. For instance, chroot(2) and Yama > enable to build a capability-based security (i.e. remove filesystem > ambient accesses) by calling chroot/chdir with an empty directory and > accessing data through dedicated file descriptors obtained with > openat2(2) and RESOLVE_BENEATH/RESOLVE_IN_ROOT/RESOLVE_NO_MAGICLINKS. > > Allowing a task to change its own root directory is not a threat to the > system if we can prevent confused deputy attacks, which could be > performed through execution of SUID-like binaries. This can be > prevented if the calling task sets PR_SET_NO_NEW_PRIVS on itself with > prctl(2). To only affect this task, its filesystem information must not > be shared with other tasks, which can be achieved by not passing > CLONE_FS to clone(2). A similar no_new_privs check is already used by > seccomp to avoid the same kind of security issues. Furthermore, because > of its security use and to avoid giving a new way for attackers to get > out of a chroot (e.g. using /proc//root, or chroot/chdir), an > unprivileged chroot is only allowed if the calling process is not > already chrooted. This limitation is the same as for creating user > namespaces. > > This change may not impact systems relying on other permission models > than POSIX capabilities (e.g. Tomoyo). Being able to use chroot(2) on > such systems may require to update their security policies. > > Only the chroot system call is relaxed with this no_new_privs check; the > init_chroot() helper doesn't require such change. > > Allowing unprivileged users to use chroot(2) is one of the initial > objectives of no_new_privs: > https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html > This patch is a follow-up of a previous one sent by Andy Lutomirski: > https://lore.kernel.org/lkml/0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327858005.git.luto@amacapital.net/ > > Cc: Al Viro > Cc: Andy Lutomirski > Cc: Christian Brauner > Cc: Christoph Hellwig > Cc: David Howells > Cc: Dominik Brodowski > Cc: Eric W. Biederman > Cc: James Morris > Cc: John Johansen > Cc: Kees Cook > Cc: Kentaro Takeda > Cc: Serge Hallyn > Cc: Tetsuo Handa > Signed-off-by: Micka?l Sala?n Thanks for the updates! I find this version much easier to read. :) Reviewed-by: Kees Cook -- Kees Cook