Re: [RFC 0/4] make call_usermodehelper a bit more "safe"

From: Jiri Kosina
Date: Tue Dec 20 2016 - 05:27:21 EST


On Tue, 20 Dec 2016, Greg KH wrote:

> > Sorry, I really don't get this.
> >
> > If kernel memory can be easily changed (which is assumed here), why bother
> > with all this? I'll just set current->uid to 0 and be done.
>
> Because you don't want your current process to uid 0, you want some
> other program to run as root. It's quite common for exploits to work
> this way, take a look at how the p0wn-to-own "contests" usually break
> out of sandboxed systems like browsers.

So what kind of sandbox are we talking about here?

namespaces-based sanbox? If you have direct access to kernel memory, you
can just assign whatever context you want to task_struct's fs struct, and
you are out of a sandbox.

chroot-based sandbox? Exactly the same argument (you just reset fs->root
in task_struct).

I stay totally unconvinced that such kind of countermeasure brings any
value whatsoever. Could you please bring up a particular usecase, where
you have complete control over kernel memory, and still the only possible
exploit factor is redirecting usermodhelper? It feels like rather random
shot into darkness.

Thanks,

--
Jiri Kosina
SUSE Labs