/proc hardening #7
Labels
security
A security issue or hardening problem.
Comments
This was referenced Dec 23, 2019
Closed
|
A way, at least for sufficiently privileged processes, to avoid bind-mount attacks is to create a private procfs instance with new mount API and then operate on the detached, untainted tree. Edit: Nevermind, I see that's already mentioned in one of the linked issues. |
|
Yeah that is one of the options. Ideally that will be the long-term solution (with |
|
cyphar/filepath-securejoin#13 has an implementation of most of this, though it only works for privileged users and on a new enough kernel (Linux 5.8-ish). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, we do a few security checks when operating on
/proc, namely:That
/prochas anfs_typeofPROC_SUPER_MAGIC(which can't be faked by FUSE), to make sure we're dealing with a real procfs.That
/prochas an inode number of1to indicate that it is the root of aprocfsmount -- which is part of the API of Linux and will always be the case.Unfortunately, this method is still vulnerable to potential attacks if we're in a situation where
/proc(usually thanks to a confused deputy) has been set up in such a way to trick us into thinking (for instance) that we are writing an AppArmor label when in fact we aren't.Effectively we need to use the resolution capabilities of
libpathrsfor/proc(which leads to some fun re-entrancy issues sincelibpathrsdepends on using/procduring resolution). So that will need some attention.Note that checking that a given
HandlehasPROC_SUPER_MAGICis not sufficient at all because you can always bind-mount another process'sprocfsfile to your own -- and for write-related requests you can just bind-mount a file which no-ops on write like/proc/self/sched.The set of underlying features currently required are:
RESOLVE_NO_XDEVsupport for resolvers (RESOLVE_NO_XDEV support for emulated backend #8).O_EMPTYPATHkernel support (upstream kernel hardening: O_EMPTYPATH #16).pidfd_open("exe")kernel support (upstream kernel hardening: pidfd_open("exe") #17).readlinkat2(AT_EMPTY_PATH)kernel support (readlinkat2(AT_EMPTY_PATH) #18) -- optional.The text was updated successfully, but these errors were encountered: