Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

From: Colin Walters
Date: Mon Jan 30 2012 - 17:49:14 EST

Next message: Andy Lutomirski: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Previous message: Corey Bryant: "Re: [PATCH v6 3/3] Documentation: prctl/seccomp_filter"
In reply to: Will Drewry: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Next in thread: Andy Lutomirski: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2012-01-30 at 16:38 -0600, Will Drewry wrote:
> On Mon, Jan 30, 2012 at 4:18 PM, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> > On Mon, 2012-01-30 at 16:58 -0500, Colin Walters wrote:
> >> On Mon, 2012-01-30 at 08:17 -0800, Andy Lutomirski wrote:
> >> > Chroot can easily be used to subvert setuid programs. If no_new_privs,
> >> > then setuid programs don't gain any privilege, so allow chroot.
> >>
> >> Is this needed/desired by anyone now, or are you just using it to "demo"
> >> NO_NEW_PRIVS? I don't see it as very useful on its own, since in any
> >> "container"-type chroot you really want /proc and /dev, and your patch
> >> doesn't help with that.
> >>
> >> System daemons that do chroot for a modicum of security already start
> >> privileged, so this doesn't help them either.
> >
> > I thought this was all for sandboxing? If a browers (or user) wants to
> > run some untrusted code, perhaps a chroot is the best way to do so. It
> > just will break if it needs to access /proc or /dev.

I think you'll find your definition of "code" becomes very limited
without /dev/null, /dev/zero and /proc/cpuinfo for example, as used by
glibc.

Personally I find it amazing we're even debating putting new
security-relevant API in the kernel with no known userspace consumer.
It can always go in later if someone actually wants it.

> Interestingly, I believe this change would work for the Chromium
> setuid sandbox[1]. It uses a fancy clone trick (CLONE_FS) to start the
> process then chroot once all its dependencies are loaded. It then
> chroot()s to /proc/self/fd_info (or another empty process-specific
> directory).

But...it's setuid, so it can call chroot already? I'm not following how
this change would benefit the helper.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Lutomirski: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Previous message: Corey Bryant: "Re: [PATCH v6 3/3] Documentation: prctl/seccomp_filter"
In reply to: Will Drewry: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Next in thread: Andy Lutomirski: "Re: [PATCH v3 4/4] Allow unprivileged chroot when safe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]