From: Simo Sorce <ssorce-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public•gmane.org>
Cc: Daniel J Walsh <dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org>,
Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org>,
David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public•gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public•gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public•gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public•gmane.org>,
lpoetter-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public•gmane.org,
kay-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org,
Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public•gmane.org>
Subject: Re: [PATCH 2/2] net: Implement SO_PASSCGROUP to enable passing cgroup path
Date: Thu, 17 Apr 2014 12:24:13 -0400 [thread overview]
Message-ID: <1397751853.2628.50.camel@willson.li.ssimo.org> (raw)
In-Reply-To: <CALCETrUrj2LtAoXp600BD2ANgE2UUEbTYQrK8hHqDR=qpeFPcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Thu, 2014-04-17 at 09:11 -0700, Andy Lutomirski wrote:
> On Thu, Apr 17, 2014 at 9:04 AM, Simo Sorce <ssorce-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org> wrote:
> > On Thu, 2014-04-17 at 08:41 -0700, Daniel J Walsh wrote:
> >> On 04/16/2014 11:59 AM, Vivek Goyal wrote:
> >> > On Wed, Apr 16, 2014 at 11:13:31AM -0700, Andy Lutomirski wrote:
> >> >> On Wed, Apr 16, 2014 at 11:06 AM, Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org> wrote:
> >> >>> On Wed, Apr 16, 2014 at 09:31:25AM -0700, Andy Lutomirski wrote:
> >> >>> I am not sure how same issue with happen with cgroups. In the case of
> >> >>> socket example, you are forcing a setuid program to write to standard
> >> >>> output and that setuid program will run in same cgroup as caller and
> >> >>> will have same cgroup as caller. So even if somebody was using cgroup
> >> >>> information for authentication, atleast in this particular case it
> >> >>> will not be a problem. Both unpriviliged and priviliged programs has
> >> >>> same cgroups.
> >> >>>
> >> >> I'm not sure that there's an actual attackable program. But I also
> >> >> see no reason to be convinced that there isn't one, and the problem
> >> >> can easily be avoided by requiring programs to explicitly ask to send
> >> >> their cgroup.
> >> > If you can't prove that there is something fundamentally wrong with
> >> > passing cgroup info to receiver, there is no reason to block these
> >> > patches either.
> >> >
> >> > We can't fix the problems which we can't see. You are saying that I
> >> > don't know what kind of problem can happen due to cgroup passing. Still
> >> > that does not mean none of the problems exist. So let us not pass cgroup
> >> > info by default and ask client to opt in.
> >> >
> >> > I don't think this is a very convincing argument.
> >> >
> >> > To me, if we can't see anything fundamentally wrong with passing cgroup
> >> > info, we should take these patches in. And once we figure out that there
> >> > is are problematic use cases, then implement SO_NOPASSCGROUP and
> >> > SO_NOPEERCRED and allow problematic clients to opt out.
> >> >
> >> > Thanks
> >> > Vivek
> >> The two use cases for this patch are:
> >
> > Let me add some caveats to explain what is used, as the 2 cases map to
> > the 2 different new options.
> >
> >> 1 Logging, to make sure the cgroup information gets correctly attributed
> >> to the caller.
> >
> > In here the logging system wants to know *who* logged, if the cgroups of
> > the process actually doing the logging changes, that's what the logging
> > system wants to know.
> > If somehow a setuid binary can change the cgroups, then the logging
> > system *wants* to know that these logs are coming from there, because
> > they sure are not coming from the original bounded process anymore.
> >
> > This use case wants to use SO_PASSCGROUP as it wants to know who the
> > current writer is, not who opened the file descriptor.
>
> No. The logging daemon thinks it wants to know who the writer is, but
> the logging daemon is wrong. It actually wants to know who composed a
> log message destined to it. The caller of write(2) may or may not be
> the same entity.
This works both ways, and doesn't really matter, you are *no* better off
w/o this interface.
> If this form of SO_PASSCGROUP somehow makes it into a pull request for
> Linus, I will ask him not to pull it and/or to revert it. I think
> he'll agree that write(2) MUST NOT care who called it.
And write() does not, there is no access control check being performed
here. This call is the same as getting the pid of the process and
crawling /proc with that information, just more efficient and race-free.
I repeat, it is *not* access control.
> Yes, I don't see how this is exploitable on my machine, but it's a mistake for the
> same reason that the netlink crap in CVE-2014-0181 is a mistake.
That is a different matter, that is an access control decision.
> FWIW, there are a handful of people who think about security and
> occasionally answer things on lkml. Some of them will tell you once
> that a patch is a problem, and then they'll watch you ignore it, and
> then they'll pwn you later on. This has happened to me. I'm not one
> of those people, though, but it's generally good policy to pay
> attention when people tell you that your proposed API *cannot* be used
> safely.
It is also important to understand why a mechanism is being proposed and
what is its intended usage. Cgroups information passed via SO_PASSCGROUP
is *not* to be used for access control, but logging is not access
control.
SO_PEERCGROUP instead checks for the cgroup determined at open() so it
could be used for access control.
Simo.
next prev parent reply other threads:[~2014-04-17 16:24 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-15 21:15 [PATCH 0/2] net: Implement SO_PEERCGROUP and SO_PASSCGROUP socket options Vivek Goyal
2014-04-15 21:15 ` [PATCH 1/2] net: Implement SO_PEERCGROUP Vivek Goyal
[not found] ` <1397596546-10153-2-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-15 21:54 ` Andy Lutomirski
2014-04-16 0:22 ` Vivek Goyal
2014-04-15 21:15 ` [PATCH 2/2] net: Implement SO_PASSCGROUP to enable passing cgroup path Vivek Goyal
[not found] ` <1397596546-10153-3-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-15 21:53 ` Andy Lutomirski
2014-04-15 23:09 ` Simo Sorce
2014-04-16 0:20 ` Vivek Goyal
[not found] ` <20140416002010.GA5035-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 1:05 ` David Miller
2014-04-16 3:47 ` Andy Lutomirski
[not found] ` <CALCETrWzHYN3kKcmDTFDfGhZqE4u9+6XDtiOu5nncbK_7KKH0g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 10:17 ` Vivek Goyal
[not found] ` <20140416101709.GA14131-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 14:34 ` Andy Lutomirski
[not found] ` <CALCETrUTMSpd=NYn9QuO5Y3WY0uBhjNEHO0jCwZu0L59CpeDew-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 15:10 ` Vivek Goyal
2014-04-16 12:57 ` David Miller
2014-04-16 14:37 ` Andy Lutomirski
[not found] ` <CALCETrVv8SPM5xjOVGy7qO2aq3FKtG2uG57J49nO7Wy0-gg0Ew-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 16:13 ` Simo Sorce
2014-04-16 16:21 ` Tejun Heo
[not found] ` <20140416162149.GI1257-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2014-04-16 16:54 ` Simo Sorce
[not found] ` <1397664837.19767.410.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-16 16:31 ` Andy Lutomirski
[not found] ` <CALCETrXn7b6UuALpGUVoyQYfR2uzk5tj2ABV=dkvtFNgqM5sxQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 17:02 ` Simo Sorce
2014-04-16 17:29 ` Andy Lutomirski
[not found] ` <CALCETrU_yKQVZyVug25cxwQFjWJ7Zf20FY-6ht+RJifXtDdDWg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 17:34 ` Simo Sorce
[not found] ` <1397669685.19767.450.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-16 17:53 ` Andy Lutomirski
2014-04-16 18:36 ` Vivek Goyal
[not found] ` <20140416183614.GH31074-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:40 ` Andy Lutomirski
2014-04-16 18:51 ` Vivek Goyal
2014-04-16 18:59 ` Andy Lutomirski
2014-04-16 18:06 ` Vivek Goyal
[not found] ` <20140416180642.GG31074-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:13 ` Andy Lutomirski
2014-04-16 18:25 ` Vivek Goyal
[not found] ` <20140416182530.GB550-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:35 ` Andy Lutomirski
[not found] ` <CALCETrUs1js3Br81ZkiQnsuWduzOiqDe3aV0K_z_zw0znSuiag-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 19:06 ` Vivek Goyal
2014-04-16 19:13 ` Andy Lutomirski
[not found] ` <CALCETrUv56awd+UoO_f8LLL2FVq-Hc6Bd6iBGMqWjVGpgxgTSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 19:39 ` Vivek Goyal
2014-04-16 20:24 ` Andy Lutomirski
2014-04-17 13:41 ` Vivek Goyal
[not found] ` <CALCETrVUw5+vCCONy1VTXpskbY_eZFo2CtbehwV5Mhj4d4+icw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 18:59 ` Vivek Goyal
2014-04-17 15:41 ` Daniel J Walsh
2014-04-17 16:05 ` Andy Lutomirski
[not found] ` <534FF61B.4010901-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 16:04 ` Simo Sorce
[not found] ` <1397750674.2628.44.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:11 ` Andy Lutomirski
[not found] ` <CALCETrUrj2LtAoXp600BD2ANgE2UUEbTYQrK8hHqDR=qpeFPcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 16:24 ` Simo Sorce [this message]
[not found] ` <1397751853.2628.50.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:37 ` Andy Lutomirski
[not found] ` <CALCETrWNWvumFg9Qba0GEOjYop4WYe530tCPtakrhnoCrHqhUQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 16:48 ` Simo Sorce
[not found] ` <1397753323.2628.60.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:55 ` Andy Lutomirski
[not found] ` <CALCETrXj6kD3E+vsaWmkrSbaQYTu=c-Hsw640jh4O+FbojYk2g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:12 ` Vivek Goyal
2014-04-17 17:26 ` Andy Lutomirski
[not found] ` <CALCETrVq4HRpfWOAbZAQbyjuraQd=OxnW=WjSoe5JgBzRStiKg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:33 ` Simo Sorce
[not found] ` <1397756025.2628.64.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 17:35 ` Andy Lutomirski
[not found] ` <CALCETrVBJFgKwRKBE2jAG6kiGgkJ+MyQiw2nyz5yj0h68kCk9A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:47 ` Simo Sorce
[not found] ` <1397756821.2628.69.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:05 ` Andy Lutomirski
2014-04-17 18:23 ` Simo Sorce
[not found] ` <1397759013.2628.86.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:33 ` Andy Lutomirski
2014-04-17 18:50 ` Vivek Goyal
[not found] ` <20140417185023.GA32527-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 18:57 ` Vivek Goyal
[not found] ` <20140417185742.GB32527-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 19:06 ` Andy Lutomirski
[not found] ` <CALCETrXJPJeGBdauQS_WR5FNaZXR=05NjNKuC6r0xFORt+eaJQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 19:15 ` Simo Sorce
2014-04-17 19:19 ` Andy Lutomirski
2014-04-17 19:10 ` Simo Sorce
[not found] ` <1397761817.2628.113.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 19:16 ` Vivek Goyal
[not found] ` <20140417191646.GA2461-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 19:46 ` Andy Lutomirski
[not found] ` <CALCETrW3F1+3qF3thrAmuoWVbRveBJ2=owpigh4mv6iAafoQCw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-21 15:03 ` Vivek Goyal
2014-04-21 15:47 ` Andy Lutomirski
2014-04-23 15:07 ` Vivek Goyal
2014-04-23 15:37 ` Andy Lutomirski
2014-04-23 16:01 ` Vivek Goyal
2014-04-17 19:23 ` Andy Lutomirski
2014-04-17 17:52 ` Simo Sorce
[not found] ` <1397757169.2628.75.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:04 ` Andy Lutomirski
[not found] ` <CALCETrUon7mZzp12th2bZ=cJyTjn8ePwg_VtPWL_bykjnnpKLw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 18:31 ` Simo Sorce
2014-04-17 16:38 ` Vivek Goyal
2014-04-17 16:12 ` Vivek Goyal
2014-04-23 16:45 ` Vivek Goyal
2014-04-23 17:29 ` David Miller
[not found] ` <20140423.132955.671992126955940387.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-24 20:34 ` Vivek Goyal
[not found] ` <20140424203427.GC19091-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-24 20:48 ` David Miller
2014-04-24 21:04 ` Vivek Goyal
2014-04-24 21:11 ` David Miller
[not found] ` <20140424.171155.806959282091051918.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-25 0:29 ` Simo Sorce
[not found] ` <1397596546-10153-1-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-22 20:05 ` [PATCH 0/2] net: Implement SO_PEERCGROUP and SO_PASSCGROUP socket options David Miller
2014-04-22 20:08 ` Andy Lutomirski
2014-04-22 20:29 ` David Miller
2014-04-22 20:31 ` Andy Lutomirski
2014-04-22 20:32 ` David Miller
[not found] ` <20140422.163251.1863774803211446171.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-23 0:37 ` Andy Lutomirski
[not found] ` <CALCETrX_TCbKy-3W590wG3rq9O3Hzbqc_wu3EGg7PKn2NNsTpQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-23 19:05 ` Vivek Goyal
2014-04-23 20:53 ` Daniel J Walsh
[not found] ` <5358284B.7020706-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-24 13:01 ` Vivek Goyal
[not found] ` <20140422.160558.627080587952506099.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-23 15:55 ` Vivek Goyal
[not found] ` <20140423155512.GA24651-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-23 16:16 ` Vivek Goyal
2014-04-23 17:21 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1397751853.2628.50.camel@willson.li.ssimo.org \
--to=ssorce-h+wxahxf7alqt0dzr+alfa@public$(echo .)gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public$(echo .)gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public$(echo .)gmane.org \
--cc=dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public$(echo .)gmane.org \
--cc=kay-H+wXaHxf7aLQT0dZR+AlfA@public$(echo .)gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public$(echo .)gmane.org \
--cc=lpoetter-H+wXaHxf7aLQT0dZR+AlfA@public$(echo .)gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public$(echo .)gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public$(echo .)gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public$(echo .)gmane.org \
--cc=vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public$(echo .)gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox