From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
Date: Thu, 20 Aug 2015 14:39:29 +0000 (UTC) [thread overview]
Message-ID: <1440081515.a743806ea4868371cf182f783fdcfbf1b1f98202.vapier@gentoo> (raw)
commit: a743806ea4868371cf182f783fdcfbf1b1f98202
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 14 02:58:37 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Aug 20 14:38:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=a743806e
security: leverage namespaces to restrict the runtime a bit
In practice this isn't terribly useful as people aren't attacking these
tools, but might as well be paranoid.
It'd be nice to use mount & net namespaces too, but they're way too slow.
Makefile | 2 +-
Makefile.am | 3 +++
dumpelf.c | 1 +
paxinc.h | 1 +
porting.h | 1 +
pspax.c | 4 +++
scanelf.c | 5 ++++
scanmacho.c | 1 +
security.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
security.h | 29 ++++++++++++++++++++
10 files changed, 135 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index ba3b6a2..ac5e9cc 100644
--- a/Makefile
+++ b/Makefile
@@ -61,7 +61,7 @@ ELF_TARGETS = scanelf dumpelf $(shell echo | $(CC) -dM -E - | grep -q __svr4__
ELF_OBJS = paxelf.o
MACH_TARGETS = scanmacho
MACH_OBJS = paxmacho.o
-COMMON_OBJS = paxinc.o xfuncs.o
+COMMON_OBJS = paxinc.o security.o xfuncs.o
TARGETS = $(ELF_TARGETS) $(MACH_TARGETS)
SCRIPTS_SH = lddtree symtree
SCRIPTS_PY = lddtree
diff --git a/Makefile.am b/Makefile.am
index 5db3f75..e42dce4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,6 +12,7 @@ libpaxutils_la_SOURCES = \
paxelf.c \
paxinc.c \
paxmacho.c \
+ security.c \
xfuncs.c
LDADD = libpaxutils.la $(top_builddir)/autotools/gnulib/libgnu.a
@@ -84,6 +85,8 @@ EXTRA_DIST += \
pspax.c \
scanelf.c \
scanmacho.c \
+ security.c \
+ security.h \
symtree.sh \
tests/Makefile \
tests/lddtree/Makefile \
diff --git a/dumpelf.c b/dumpelf.c
index 3035b24..e9b1771 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -384,6 +384,7 @@ static void parseargs(int argc, char *argv[])
int main(int argc, char *argv[])
{
+ security_init(false);
if (argc < 2)
usage(EXIT_FAILURE);
parseargs(argc, argv);
diff --git a/paxinc.h b/paxinc.h
index 0a8e08a..a8d6d9b 100644
--- a/paxinc.h
+++ b/paxinc.h
@@ -13,6 +13,7 @@
#include "porting.h"
#include "xfuncs.h"
+#include "security.h"
#ifndef VERSION
# define VERSION "git"
diff --git a/porting.h b/porting.h
index 1f989d2..9dea528 100644
--- a/porting.h
+++ b/porting.h
@@ -29,6 +29,7 @@
#include <limits.h>
#include <pwd.h>
#include <regex.h>
+#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
diff --git a/pspax.c b/pspax.c
index e27b7eb..c64472c 100644
--- a/pspax.c
+++ b/pspax.c
@@ -535,6 +535,10 @@ int main(int argc, char *argv[])
{
char *name = NULL;
+ /* We unshare pidns but don't actually enter it. That means
+ * we still get to scan /proc, but just not fork children. */
+ security_init(false);
+
color_init(false);
parseargs(argc, argv);
diff --git a/scanelf.c b/scanelf.c
index 99192b2..7e3b077 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -2472,6 +2472,10 @@ static int parseargs(int argc, char *argv[])
}
if (be_verbose > 2) printf("Format: %s\n", out_format);
+ /* Now lock down the pidns since we know whether we'll be forking. */
+ if (!show_textrels || !be_verbose)
+ security_init_pid();
+
/* now lets actually do the scanning */
if (load_cache_config)
load_ld_cache_config(__PAX_UTILS_DEFAULT_LD_CACHE_CONFIG);
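Review bot: The guard `if (!show_textrels || !be_verbose)` encodes which scanelf mode still needs to fork, but the comment above it only says that the answer is now known, not what it is; the next person touching the textrel code has no pointer back to this condition. A comment naming the fork site would keep the two in sync, e.g. `/* Only the verbose textrel report (see the show_textrels code) spawns a child; every other mode can give up forking here. */` — the exact fork site is outside this hunk, so confirm before wording it. parseargs begins and ends outside the hunk.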
@@ -2570,6 +2574,7 @@ static void cleanup(void)
int main(int argc, char *argv[])
{
int ret;
+ security_init(true);
if (argc < 2)
usage(EXIT_FAILURE);
parseenv();
diff --git a/scanmacho.c b/scanmacho.c
index ee713f9..5a0afd5 100644
--- a/scanmacho.c
+++ b/scanmacho.c
@@ -764,6 +764,7 @@ static int parseargs(int argc, char *argv[])
int main(int argc, char *argv[])
{
int ret;
+ security_init(false);
if (argc < 2)
usage(EXIT_FAILURE);
color_init(false);
diff --git a/security.c b/security.c
new file mode 100644
index 0000000..9b48a9a
--- /dev/null
+++ b/security.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2015 Gentoo Foundation
+ * Distributed under the terms of the GNU General Public License v2
+ *
+ * Copyright 2015 Mike Frysinger - <vapier@gentoo.org>
+ */
+
+#include "paxinc.h"
+
+#ifdef __linux__
+
+#ifdef __SANITIZE_ADDRESS__
+/* ASAN does some weird stuff. */
+# define ALLOW_PIDNS 0
+#else
+# define ALLOW_PIDNS 1
+#endif
+
+static int ns_unshare(int flags)
+{
+ int flag, ret = 0;
+
+ /* Try to oneshot it. Maybe we'll get lucky! */
+ if (unshare(flags) == 0)
+ return flags;
+ /* No access at all, so don't waste time below. */
+ else if (errno == EPERM)
+ return ret;
+
+ /*
+ * We have to run these one permission at a time because if any are
+ * not supported (too old a kernel, or it's disabled), then all of
+ * them will be rejected and we won't know which one is a problem.
+ */
+
+ /* First the ones that work against the current process. */
+ flag = 1;
+ while (flags) {
+ if (flags & flag) {
+ if (unshare(flag) == 0)
+ ret |= flag;
+ flags &= ~flag;
+ }
+ flag <<= 1;
+ }
+
+ return ret;
+}
+
+void security_init_pid(void)
+{
+ int flags;
+
+ if (!ALLOW_PIDNS)
+ return;
+
+ flags = ns_unshare(CLONE_NEWPID);
+ if (USE_SLOW_SECURITY) {
+ if (flags & CLONE_NEWPID)
+ if (vfork() == 0)
+ _exit(0);
+ }
+}
+
+void security_init(bool allow_forking)
+{
+ int flags;
+
+ if (!ALLOW_PIDNS)
+ allow_forking = true;
+
+ /* None of the pax tools need access to these features. */
+ flags = CLONE_NEWIPC | CLONE_NEWUTS;
+ /* Would be nice to leverage mount/net ns, but they're just way too slow. */
+ if (USE_SLOW_SECURITY)
+ flags |= CLONE_NEWNET | CLONE_NEWNS;
+ if (!allow_forking)
+ flags |= CLONE_NEWPID;
+ flags = ns_unshare(flags);
+
+ if (USE_SLOW_SECURITY) {
+ /* We spawn one child and kill it so the kernel will fail in the future. */
+ if (flags & CLONE_NEWPID)
+ if (vfork() == 0)
+ _exit(0);
+ }
+}
+
+#endif
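Review bot: In ns_unshare the probe loop shifts `flag`, an `int`, one more time after clearing the highest requested bit, so with SLOW_SECURITY the last iteration computes CLONE_NEWNET (0x40000000) `<< 1`, which overflows a signed int and is undefined behaviour; declaring `flag` as `unsigned int` is enough to remove it. The pidns-sealing child in security_init_pid and security_init is never reaped, so every tool carries a zombie until it exits, and that block is duplicated verbatim in both functions; a small static helper doing the vfork plus `waitpid()` (which needs `<sys/wait.h>` unless porting.h already provides it) fixes both, as sketched below. security_init also deserves a comment that without SLOW_SECURITY the CLONE_NEWPID unshare alone presumably does not stop a later fork — the child would simply become init of the new namespace — so "disable forking" only holds once the seal step has run. The `__SANITIZE_ADDRESS__` check is GCC's spelling; whether the project's clang builds define it too is worth confirming.
```c
static int ns_unshare(int flags)
{
	unsigned int flag;
	int ret = 0;

	/* … unchanged: one-shot attempt and the EPERM early return … */

	/* unsigned so the final shift past the highest bit cannot overflow */
	for (flag = 1; flags; flag <<= 1) {
		if (flags & flag) {
			if (unshare(flag) == 0)
				ret |= flag;
			flags &= ~flag;
		}
	}

	return ret;
}

/* Spawn and reap the new pidns's init so later fork()s are refused by the kernel. */
static void pidns_seal(int flags)
{
	pid_t pid;

	if (!USE_SLOW_SECURITY || !(flags & CLONE_NEWPID))
		return;
	pid = vfork();
	if (pid == 0)
		_exit(0);
	if (pid > 0)
		waitpid(pid, NULL, 0);
}

void security_init_pid(void)
{
	if (!ALLOW_PIDNS)
		return;
	pidns_seal(ns_unshare(CLONE_NEWPID));
}

void security_init(bool allow_forking)
{
	/* … unchanged: ALLOW_PIDNS override and flag selection … */
	pidns_seal(ns_unshare(flags));
}
```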
diff --git a/security.h b/security.h
new file mode 100644
index 0000000..c93ec3e
--- /dev/null
+++ b/security.h
@@ -0,0 +1,29 @@
+/* Various security related features.
+ *
+ * Copyright 2015 Gentoo Foundation
+ * Distributed under the terms of the GNU General Public License v2
+ *
+ * Copyright 2015 Mike Frysinger - <vapier@gentoo.org>
+ */
+
+#ifndef _PAX_SECURITY_H
+#define _PAX_SECURITY_H
+
+/* Whether to enable features that significantly impact speed. */
+#ifdef SLOW_SECURITY
+# define USE_SLOW_SECURITY 1
+#else
+# define USE_SLOW_SECURITY 0
+#endif
+
+#ifdef __linux__
+/* Lock down the runtime; allow_forking controls whether to use a pidns. */
+void security_init(bool allow_forking);
+/* Disable forking; usable only when allow_forking above was true. */
+void security_init_pid(void);
+#else
+static inline void security_init(bool allow_forking) {}
+static inline void security_init_pid(void) {}
+#endif
+
+#endif
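Review bot: The header is not self-contained: its prototypes and stubs use `bool` but it includes nothing, so it compiles only because paxinc.h happens to include porting.h (which pulls in `<stdbool.h>`) before it; add `#include <stdbool.h>` right after the guard so a standalone include works. The include guard `_PAX_SECURITY_H` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); `PAX_SECURITY_H` is the conventional spelling, though this may simply match the project's existing guards. The non-Linux `security_init` stub leaves `allow_forking` unused, which trips `-Wunused-parameter`; `(void)allow_forking;` in its body keeps that build quiet.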