Re: [RFC] capabilities: add capability cgroup controller

From: Kees Cook
Date: Thu Jun 23 2016 - 01:59:32 EST


On Wed, Jun 22, 2016 at 5:01 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> Quoting Kees Cook (keescook@xxxxxxxxxxxx):
>> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
>> > Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
>> >> On 06/22/16 17:14, Serge E. Hallyn wrote:
>> >> > Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
>> >> >> On 06/21/16 15:45, Serge E. Hallyn wrote:
>> >> >>> Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
>> >> >>>> On 06/19/16 20:01, serge@xxxxxxxxxx wrote:
>> >> >>>>> apologies for top posting, this phone doesn't support inline)
>> >> >>>>>
>> >> >>>>> Where are you preventing less privileged tasks from limiting the caps of a more privileged task? It looks like you are relying on the cgroupfs for that?
>> >> >>>>
>> >> >>>> I didn't think that aspect. Some of that could be dealt with by
>> >> >>>> preventing tasks which don't have CAP_SETPCAP to make other tasks join
>> >> >>>> or set the bounding set. One problem is that the privileges would not be
>> >> >>>> checked at cgroup.procs open(2) time but only when writing. In general,
>> >> >>>> less privileged tasks should not be able to gain new capabilities even
>> >> >>>> if they were somehow able to join the cgroup and also your case must be
>> >> >>>> addressed in full.
>> >> >>>>
>> >> >>>>>
>> >> >>>>> Overall I'm not a fan of this for several reasons. Can you tell us precisely what your use case is?
>> >> >>>>
>> >> >>>> There are two.
>> >> >>>>
>> >> >>>> 1. Capability use tracking at cgroup level. There is no way to know
>> >> >>>> which capabilities have been used and which could be trimmed. With
>> >> >>>> cgroup approach, we can also keep track of how subprocesses use
>> >> >>>> capabilities. Thus the administrator can quickly get a reasonable
>> >> >>>> estimate of a bounding set just by reading the capability.used file.
>> >> >>>
>> >> >>> So to estimate the privileges needed by an application? Note this
>> >> >>> could also be done with something like systemtap, but that's not as
>> >> >>> friendly of course.
>> >> >>>
>> >> >>
>> >> >> I've used systemtap to track how a single process uses capabilities, but
>> >> >> I can imagine that without the cgroup, using it to track several
>> >> >> subprocesses could be difficult.
>> >> >>
>> >> >>> Keeping the tracking part separate from enforcement might be worthwhile.
>> >> >>> If you wanted to push that part of the patchset, we could keep
>> >> >>> discussing the enforcement aspect separately.
>> >> >>>
>> >> >>
>> >> >> OK, I'll prepare the tracking part first.
>> >> >
>> >> > So this does still have some security concerns, namely leaking information
>> >> > to a less privileged process about what privs a root owned process used.
>> >> > That's not on the same level as giving away details about memory mappings,
>> >> > but could be an issue. Kees (cc'd), do you see that as an issue ?
>> >> >
>> >> > thanks,
>> >> > -serge
>> >> >
>> >>
>> >> Anyone can see the full set of capabilities available to each process
>> >
>> > But not the capabilities used. That's much more invasive.
>> >
>> >> via /proc/pid/status. But should I for example add a new flag
>> >> CFTYPE_OWNER_ONLY to limit reading capability.used file to only owner
>> >> (root) and use it here?
>> >
>> > Not sure that it's needed, let's see what Kees says. However if it is,
>> > then using owner would not suffice, since that's tangential to the
>> > privilege level of the task.
>>
>> I don't see a problem exposing the history of used capabilities to
>
> Thanks, Kees.
>
>> less privileged processes. The only thing I could see that being used
>> for would be to improve some kind of race against a buggy process
>> where you know caps get used at a certain time in the code, so
>> spinning on reading /proc/pid/status might give you a better chance of
>
> It would actually be a cgroup file, I think someone else was suggesting
> a /proc/pid/status enhancement to the same effect a few weeks ago.

Oh! Sorry, I misunderstood. What does the interface look like for the
new cgroup file? (I assume my evaluation remains the same, though.)

-Kees

>
>> timing the race. That seems like a pretty far-out exposure, though. I
>> imagine instruction counters would give a way finer grained timing
>> too, so I wouldn't object to this being visible.
>>
>> -Kees
>>
>> --
>> Kees Cook
>> Chrome OS & Brillo Security



--
Kees Cook
Chrome OS & Brillo Security