Re: [systemd-devel] Creating executable device nodes in /dev?
On Fri, Dec 11, 2020 at 12:29:31PM +0100, Greg KH wrote: > On Fri, Dec 11, 2020 at 12:46:35PM +0200, Jarkko Sakkinen wrote: > > On Wed, Dec 09, 2020 at 10:35:21AM +0200, Topi Miettinen wrote: > > > On 9.12.2020 2.15, Jarkko Sakkinen wrote: > > > > On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: > > > > > > > > As a further argument, I just did this on a Fedora system: > > > > > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > > > > > > > No results. So making /dev noexec doesn't seem to have any > > > > > > > > benefit. > > > > > > > > > > > > > > It's no surprise that there aren't any executables in /dev since > > > > > > > removing MAKEDEV ages ago. That's not the issue, which is that > > > > > > > /dev is a writable directory (for UID=0 but no capabilities are > > > > > > > needed) and thus a potential location for constructing unapproved > > > > > > > executables if it is also mounted exec (W^X). > > > > > > > > > > > > UID 0 can just change mount options, though, unless SELinux or > > > > > > similar is used. And SELinux can protect /dev just fine without > > > > > > noexec. > > > > > > > > > > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also > > > > > SELinux > > > > > is not universal and the policies might not contain all users or > > > > > services. > > > > > > > > > > -Topi > > > > > > > > What's the data that supports having noexec /dev anyway? With root > > > > access I can then just use something else like /dev/shm mount. > > > > > > > > Has there been out in the wild real world cases that noexec mount > > > > of would have prevented? > > > > > > > > For me this sounds a lot just something that "feels more secure" > > > > without any measurable benefit. Can you prove me wrong? > > > > > > I don't think security works that way. An attacker has various methods to > > > choose from, some are more interesting than others. The case where rw,exec > > > /dev would be interesting would imply that easier or more common avenues > > > would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or > > > /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach > > > with no need for any file system access is getting more common. It does > > > not > > > mean that it would not be prudent to block the relatively easy approaches > > > too, including /dev. > > > > What if we add a new mount option "chrexec", which allows exec > > for character devices (S_IFCHR). > > Oh please no. (Once more because my I was subscribed with an old email address.) Greg's right. That's very obviously a horrible hack so this is an instant nak from my side. Christian ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
Good morning; A question can someone help me with this issue: the file */proc/kcore* has a size of 140G. How can I fix it, I must restart the server or is there another way to solve it? kernel-uek-2.6.39-400.211.1.el6uek evidence sections: 1.- the size of the kcore file 140737486266368 /proc/kcore 2.- Size execution [root@srv-ccs-sirweb-db2 mnt]# *lsof |grep deleted* NetworkMa 2905 root 15u REG 252,00 6686333 /var/lib/NetworkManager/timestamps.JCOXQ0 (deleted) NetworkMa 2905 root 16u REG 252,00 6689023 /var/run/nm-dhclient-em4.conf.FODXQ0 (deleted) NetworkMa 2905 root 17u REG 252,00 6689026 /var/lib/NetworkManager/timestamps.DJVWQ0 (deleted) NetworkMa 2905 root 18u REG 252,00 6689025 /var/run/nm-dhclient-em4.conf.QTKWQ0 (deleted) NetworkMa 2905 root 19u REG 252,00 6689028 /var/run/nm-dhclient-em4.conf.7NPWQ0 (deleted) NetworkMa 2905 root 20u REG 252,00 6689029 /var/run/nm-dhclient-em4.conf.C8JWQ0 (deleted) NetworkMa 2905 root 21u REG 252,00 6689030 /var/lib/NetworkManager/timestamps.P1GTQ0 (deleted) NetworkMa 2905 root 22u REG 252,00 6689031 /var/run/nm-dhclient-em4.conf.MMRTQ0 (deleted) NetworkMa 2905 root 23u REG 252,00 6689032 /var/run/nm-dhclient-em4.conf.M3NWQ0 (deleted) NetworkMa 2905 root 24u REG 252,00 6689033 /var/run/nm-dhclient-em4.conf.VPJWQ0 (deleted) NetworkMa 2905 root 25u REG 252,00 6689034 /var/run/nm-dhclient-em4.conf.0KMWQ0 (deleted) NetworkMa 2905 root 26u REG 252,00 6689060 /var/lib/NetworkManager/timestamps.BDTWQ0 (deleted) NetworkMa 2905 root 27u REG 252,00 6689059 /var/lib/NetworkManager/timestamps.LQCYQ0 (deleted) NetworkMa 2905 root 28u REG 252,00 6689061 /var/run/nm-dhclient-em4.conf.YI7WQ0 (deleted) NetworkMa 2905 root 29u REG 252,00 6689063 /var/run/nm-dhclient-em4.conf.VRNWQ0 (deleted) NetworkMa 2905 root 30u REG 252,00 6689064 /var/run/nm-dhclient-em4.conf.IBKWQ0 (deleted) NetworkMa 2905 root 31u REG 252,00 6689065 /var/run/nm-dhclient-em4.conf.HIMWQ0 (deleted) NetworkMa 2905 root 32u REG 252,00 6689066 /var/lib/NetworkManager/timestamps.HV0XQ0 (deleted) NetworkMa 2905 root 33u REG 252,00 6689067 /var/run/nm-dhclient-em4.conf.QL7WQ0 (deleted) NetworkMa 2905 root 34u REG 252,00 6689068 /var/run/nm-dhclient-em4.conf.75JWQ0 (deleted) NetworkMa 2905 root 35u REG 252,00 6689071 /var/lib/NetworkManager/timestamps.L30WQ0 (deleted) NetworkMa 2905 root 36u REG 252,00 6689070 /var/run/nm-dhclient-em4.conf.FZKWQ0 (deleted) NetworkMa 2905 root 37u REG 252,00 6689072 /var/run/nm-dhclient-em4.conf.XIMWQ0 (deleted) NetworkMa 2905 root 38u REG 252,00 6689092 /var/lib/NetworkManager/timestamps.U66WQ0 (deleted) NetworkMa 2905 root 39u REG 252,00 6689095 /var/run/nm-dhclient-em4.conf.0KAXQ0 (deleted) NetworkMa 2905 root 40u REG 252,00 6689096 /var/run/nm-dhclient-em4.conf.MGLWQ0 (deleted) NetworkMa 2905 root 41u REG 252,00 6689097 /var/run/nm-dhclient-em4.conf.1LMWQ0 (deleted) NetworkMa 2905 root 42u REG 252,00 6689100 /var/run/nm-dhclient-em4.conf.5AMWQ0 (deleted) NetworkMa 2905 root 43u REG 252,00 6689102 /var/lib/NetworkManager/timestamps.315VQ0 (deleted) NetworkMa 2905 root 44u REG 252,00 6689101 /var/lib/NetworkManager/timestamps.U5XWQ0 (deleted) NetworkMa 2905 root 45u REG 252,00 6689103 /var/run/nm-dhclient-em4.conf.2FLWQ0 (deleted) NetworkMa 2905 root 46u REG 252,00 6689104 /var/run/nm-dhclient-em4.conf.XPKWQ0 (deleted) NetworkMa 2905 root 47u REG 252,00 6689105 /var/run/nm-dhclient-em4.conf.47KWQ0 (deleted) NetworkMa 2905 root 48u REG 252,00 6689106 /var/run/nm-dhclient-em4.conf.WOTWQ0 (deleted) NetworkMa 2905 root 49u REG 252,00 6689107 /var/lib/NetworkManager/timestamps.6BZVQ0 (deleted) NetworkMa 2905 root 50u REG
Re: [systemd-devel] Creating executable device nodes in /dev?
On 11.12.2020 12.46, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 10:35:21AM +0200, Topi Miettinen wrote: On 9.12.2020 2.15, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? I don't think security works that way. An attacker has various methods to choose from, some are more interesting than others. The case where rw,exec /dev would be interesting would imply that easier or more common avenues would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach with no need for any file system access is getting more common. It does not mean that it would not be prudent to block the relatively easy approaches too, including /dev. What if we add a new mount option "chrexec", which allows exec for character devices (S_IFCHR). I think devices are a bad match for SGX because devices haven't been executable and SGX is actually an operation for memory. So something like memfd_create(, MFD_SGX) or mmap(,, PROT_READ|PROT_EXEC|PROT_SGX) would be much more natural. Even better would be something that conceptully also works for AMD version (either with the same flags or MFD_SGX / MFD_whatever_the_AMD_version_is). -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 09, 2020 at 10:58:59PM +0100, Ben Hutchings wrote: > I'm convinced. I've committed a change to initramfs-tools that removes > the noexec mount option again. Systemd counterpart: https://github.com/systemd/systemd/pull/17940. Zbyszek ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Fri, Dec 11, 2020 at 12:46:35PM +0200, Jarkko Sakkinen wrote: > On Wed, Dec 09, 2020 at 10:35:21AM +0200, Topi Miettinen wrote: > > On 9.12.2020 2.15, Jarkko Sakkinen wrote: > > > On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: > > > > > > > As a further argument, I just did this on a Fedora system: > > > > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > > > > > > No results. So making /dev noexec doesn't seem to have any > > > > > > > benefit. > > > > > > > > > > > > It's no surprise that there aren't any executables in /dev since > > > > > > removing MAKEDEV ages ago. That's not the issue, which is that > > > > > > /dev is a writable directory (for UID=0 but no capabilities are > > > > > > needed) and thus a potential location for constructing unapproved > > > > > > executables if it is also mounted exec (W^X). > > > > > > > > > > UID 0 can just change mount options, though, unless SELinux or > > > > > similar is used. And SELinux can protect /dev just fine without > > > > > noexec. > > > > > > > > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also > > > > SELinux > > > > is not universal and the policies might not contain all users or > > > > services. > > > > > > > > -Topi > > > > > > What's the data that supports having noexec /dev anyway? With root > > > access I can then just use something else like /dev/shm mount. > > > > > > Has there been out in the wild real world cases that noexec mount > > > of would have prevented? > > > > > > For me this sounds a lot just something that "feels more secure" > > > without any measurable benefit. Can you prove me wrong? > > > > I don't think security works that way. An attacker has various methods to > > choose from, some are more interesting than others. The case where rw,exec > > /dev would be interesting would imply that easier or more common avenues > > would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or > > /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach > > with no need for any file system access is getting more common. It does not > > mean that it would not be prudent to block the relatively easy approaches > > too, including /dev. > > What if we add a new mount option "chrexec", which allows exec > for character devices (S_IFCHR). Oh please no. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 09, 2020 at 10:35:21AM +0200, Topi Miettinen wrote: > On 9.12.2020 2.15, Jarkko Sakkinen wrote: > > On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: > > > > > > As a further argument, I just did this on a Fedora system: > > > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > > > > > No results. So making /dev noexec doesn't seem to have any benefit. > > > > > > > > > > It's no surprise that there aren't any executables in /dev since > > > > > removing MAKEDEV ages ago. That's not the issue, which is that > > > > > /dev is a writable directory (for UID=0 but no capabilities are > > > > > needed) and thus a potential location for constructing unapproved > > > > > executables if it is also mounted exec (W^X). > > > > > > > > UID 0 can just change mount options, though, unless SELinux or similar > > > > is used. And SELinux can protect /dev just fine without noexec. > > > > > > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux > > > is not universal and the policies might not contain all users or services. > > > > > > -Topi > > > > What's the data that supports having noexec /dev anyway? With root > > access I can then just use something else like /dev/shm mount. > > > > Has there been out in the wild real world cases that noexec mount > > of would have prevented? > > > > For me this sounds a lot just something that "feels more secure" > > without any measurable benefit. Can you prove me wrong? > > I don't think security works that way. An attacker has various methods to > choose from, some are more interesting than others. The case where rw,exec > /dev would be interesting would imply that easier or more common avenues > would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or > /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach > with no need for any file system access is getting more common. It does not > mean that it would not be prudent to block the relatively easy approaches > too, including /dev. What if we add a new mount option "chrexec", which allows exec for character devices (S_IFCHR). > -Topi /Jarkko ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 9, 2020 at 11:22 AM Topi Miettinen wrote: > > On 9.12.2020 17.14, Andy Lutomirski wrote: > > > Maybe also malware which can escape all means of detection, enforced by > the CPU? Though I don't know if any malware scanners for Linux work can > check for fileless, memory only malware. I don't think this is really relevant to malware detection. You can't do syscalls from SGX code, for example, and, even if you could, malware behavior analysis would be unaffected. The concern seems to be more that, once someone has discovered some malware, if it's protected by SGX then it's plausible that you can't disassemble it. > > > > > In Intel’s original vision, only specially licensed vendors could create > > SGX software, but Linux pushed back against this quite hard, and new CPUs > > allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on > > Linux. > > Kudos to Linux for the push. :) I don't know if Linux gets full credit for this, but I think we at least had some impact. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 17.14, Andy Lutomirski wrote: On Dec 9, 2020, at 12:58 AM, Topi Miettinen wrote: On 9.12.2020 2.42, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? Typo: "of" = "of /dev" For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? The debate is circled around something not well defined. Of course you get theoretically more safe system when you decrease priviliges anywhere in the system. Like you could start do grazy things with stuff that unprivilged user has access, in order to prevent malware to elevate to UID 0 in the first place. I think where this go intellectually wrong is that we are talking about *default installation* of a distribution. That should have somewhat sane common sense access control settings. For like a normal desktop user noexec /dev will not do any possible favor. Then there is the case when you want to harden installation for an application, let's' say some server. In that case you will anyway fine-tune the security settings and go grazy enough with hardening. When you tailor a server, it's a standard practice to enumerate and adjust the mount points if needed. I think we agree that there's a need for either way to allow SGX (if default is hardened) or a hardening option (in the opposite case). For systemd I see two approaches: 1. Default noexec /dev, override with something like - ExecPaths=/dev - MountOptions=/dev:rw,exec,dev,nosuid - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid - ProtectDev=no - AllowSGX=yes 2. Default exec /dev, override with - NoExecPaths=/dev - MountOptions=/dev:rw,noexec,dev,nosuid - ProtectDev=yes - DenySGX=yes I'd prefer 1. but of course 2. would be reasonable. I would argue for 2, for the following reason. I absolutely agree that hardening a system by making it impossible to create executable code dynamically is valuable, but I don’t think it’s a good default. By default, programs like gcc and clang should work, but so should JITs, and JITs are getting more popular and powerful all the time. In a default setting that allows JITs, etc, I see no benefit at all to making /dev noexec. To the contrary, making /dev noexec seems like plugging a little restricted corner of code creation (because it requires UID=0) while allowing the easy ways (/tmp, /home, /dev/shm, unshare(2), mmap(), etc). By all means let admins harden this, but I see no reason to apply some of the hardening when the rest is disabled. Makes sense, especially if anything in theory could be expected to use SGX. In practice, probably no system services will at least initially, so hardening knobs make also sense. To summarize, I neither understand the intended target audience. We have something in common: me neither. What's the target audience for SGX? What's the use case? What are the users: browsers, system services? How would applications use SGX? Should udev rules for /dev/sgx make it available to any logged in users with uaccess tags? I would certainly like it to be available to all software, with the possible exception of extra-hardened systems. Using SGX is not really an interesting attack surface. The main threat is that malware might use SGX to make itself hard to reverse engineer. Maybe also malware which can escape all means of detection, enforced by the CPU? Though I don't know if any malware scanners for Linux work can check for fileless, memory only malware. In Intel’s original vision, only specially licensed vendors could create SGX software, but Linux pushed back against this quite hard, and new CPUs allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on Linux. Kudos to Linux for the push. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop
Re: [systemd-devel] Creating executable device nodes in /dev?
> On Dec 9, 2020, at 12:58 AM, Topi Miettinen wrote: > > On 9.12.2020 2.42, Jarkko Sakkinen wrote: >>> On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: >>> On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: >>> As a further argument, I just did this on a Fedora system: >>> $ find /dev -perm /ugo+x -a \! -type d -a \! -type l >>> No results. So making /dev noexec doesn't seem to have any benefit. >> >> It's no surprise that there aren't any executables in /dev since >> removing MAKEDEV ages ago. That's not the issue, which is that >> /dev is a writable directory (for UID=0 but no capabilities are >> needed) and thus a potential location for constructing unapproved >> executables if it is also mounted exec (W^X). > > UID 0 can just change mount options, though, unless SELinux or similar is > used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi >>> >>> What's the data that supports having noexec /dev anyway? With root >>> access I can then just use something else like /dev/shm mount. >>> >>> Has there been out in the wild real world cases that noexec mount >>> of would have prevented? >> Typo: "of" = "of /dev" >>> For me this sounds a lot just something that "feels more secure" >>> without any measurable benefit. Can you prove me wrong? >> The debate is circled around something not well defined. Of course you >> get theoretically more safe system when you decrease priviliges anywhere >> in the system. Like you could start do grazy things with stuff that >> unprivilged user has access, in order to prevent malware to elevate to >> UID 0 in the first place. >> I think where this go intellectually wrong is that we are talking about >> *default installation* of a distribution. That should have somewhat sane >> common sense access control settings. For like a normal desktop user >> noexec /dev will not do any possible favor. >> Then there is the case when you want to harden installation for an >> application, let's' say some server. In that case you will anyway >> fine-tune the security settings and go grazy enough with hardening. >> When you tailor a server, it's a standard practice to enumerate and >> adjust the mount points if needed. > > I think we agree that there's a need for either way to allow SGX (if default > is hardened) or a hardening option (in the opposite case). For systemd I see > two approaches: > > 1. Default noexec /dev, override with something like > - ExecPaths=/dev > - MountOptions=/dev:rw,exec,dev,nosuid > - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid > - ProtectDev=no > - AllowSGX=yes > > 2. Default exec /dev, override with > - NoExecPaths=/dev > - MountOptions=/dev:rw,noexec,dev,nosuid > - ProtectDev=yes > - DenySGX=yes > > I'd prefer 1. but of course 2. would be reasonable. I would argue for 2, for the following reason. I absolutely agree that hardening a system by making it impossible to create executable code dynamically is valuable, but I don’t think it’s a good default. By default, programs like gcc and clang should work, but so should JITs, and JITs are getting more popular and powerful all the time. In a default setting that allows JITs, etc, I see no benefit at all to making /dev noexec. To the contrary, making /dev noexec seems like plugging a little restricted corner of code creation (because it requires UID=0) while allowing the easy ways (/tmp, /home, /dev/shm, unshare(2), mmap(), etc). By all means let admins harden this, but I see no reason to apply some of the hardening when the rest is disabled. > >> To summarize, I neither understand the intended target audience. > > We have something in common: me neither. What's the target audience for SGX? > What's the use case? What are the users: browsers, system services? How would > applications use SGX? Should udev rules for /dev/sgx make it available to any > logged in users with uaccess tags? > > I would certainly like it to be available to all software, with the possible exception of extra-hardened systems. Using SGX is not really an interesting attack surface. The main threat is that malware might use SGX to make itself hard to reverse engineer. In Intel’s original vision, only specially licensed vendors could create SGX software, but Linux pushed back against this quite hard, and new CPUs allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on Linux. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 2.42, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? Typo: "of" = "of /dev" For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? The debate is circled around something not well defined. Of course you get theoretically more safe system when you decrease priviliges anywhere in the system. Like you could start do grazy things with stuff that unprivilged user has access, in order to prevent malware to elevate to UID 0 in the first place. I think where this go intellectually wrong is that we are talking about *default installation* of a distribution. That should have somewhat sane common sense access control settings. For like a normal desktop user noexec /dev will not do any possible favor. Then there is the case when you want to harden installation for an application, let's' say some server. In that case you will anyway fine-tune the security settings and go grazy enough with hardening. When you tailor a server, it's a standard practice to enumerate and adjust the mount points if needed. I think we agree that there's a need for either way to allow SGX (if default is hardened) or a hardening option (in the opposite case). For systemd I see two approaches: 1. Default noexec /dev, override with something like - ExecPaths=/dev - MountOptions=/dev:rw,exec,dev,nosuid - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid - ProtectDev=no - AllowSGX=yes 2. Default exec /dev, override with - NoExecPaths=/dev - MountOptions=/dev:rw,noexec,dev,nosuid - ProtectDev=yes - DenySGX=yes I'd prefer 1. but of course 2. would be reasonable. To summarize, I neither understand the intended target audience. We have something in common: me neither. What's the target audience for SGX? What's the use case? What are the users: browsers, system services? How would applications use SGX? Should udev rules for /dev/sgx make it available to any logged in users with uaccess tags? -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 2.15, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? I don't think security works that way. An attacker has various methods to choose from, some are more interesting than others. The case where rw,exec /dev would be interesting would imply that easier or more common avenues would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach with no need for any file system access is getting more common. It does not mean that it would not be prudent to block the relatively easy approaches too, including /dev. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: > On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: > > > > > As a further argument, I just did this on a Fedora system: > > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > > > > No results. So making /dev noexec doesn't seem to have any benefit. > > > > > > > > It's no surprise that there aren't any executables in /dev since > > > > removing MAKEDEV ages ago. That's not the issue, which is that > > > > /dev is a writable directory (for UID=0 but no capabilities are > > > > needed) and thus a potential location for constructing unapproved > > > > executables if it is also mounted exec (W^X). > > > > > > UID 0 can just change mount options, though, unless SELinux or similar is > > > used. And SELinux can protect /dev just fine without noexec. > > > > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux > > is not universal and the policies might not contain all users or services. > > > > -Topi > > What's the data that supports having noexec /dev anyway? With root > access I can then just use something else like /dev/shm mount. > > Has there been out in the wild real world cases that noexec mount > of would have prevented? Typo: "of" = "of /dev" > For me this sounds a lot just something that "feels more secure" > without any measurable benefit. Can you prove me wrong? The debate is circled around something not well defined. Of course you get theoretically more safe system when you decrease priviliges anywhere in the system. Like you could start do grazy things with stuff that unprivilged user has access, in order to prevent malware to elevate to UID 0 in the first place. I think where this go intellectually wrong is that we are talking about *default installation* of a distribution. That should have somewhat sane common sense access control settings. For like a normal desktop user noexec /dev will not do any possible favor. Then there is the case when you want to harden installation for an application, let's' say some server. In that case you will anyway fine-tune the security settings and go grazy enough with hardening. When you tailor a server, it's a standard practice to enumerate and adjust the mount points if needed. To summarize, I neither understand the intended target audience. /Jarkko ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: > > > > As a further argument, I just did this on a Fedora system: > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > > > No results. So making /dev noexec doesn't seem to have any benefit. > > > > > > It's no surprise that there aren't any executables in /dev since > > > removing MAKEDEV ages ago. That's not the issue, which is that > > > /dev is a writable directory (for UID=0 but no capabilities are > > > needed) and thus a potential location for constructing unapproved > > > executables if it is also mounted exec (W^X). > > > > UID 0 can just change mount options, though, unless SELinux or similar is > > used. And SELinux can protect /dev just fine without noexec. > > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux > is not universal and the policies might not contain all users or services. > > -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? /Jarkko ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Tue, Dec 08, 2020 at 10:07:17AM -0800, Andy Lutomirski wrote: > On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote: > > > > On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: > > > On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: > > >> Hi udev people- > > >> > > >> The upcoming Linux SGX driver has a device node /dev/sgx. User code > > >> opens it, does various setup things, mmaps it, and needs to be able to > > >> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted > > >> noexec. > > >> > > >> Can udev arrange to make a device node executable on distros that make > > >> /dev noexec? This could be done by bind-mounting from an exec tmpfs. > > >> Alternatively, the kernel could probably learn to ignore noexec on > > >> /dev/sgx, but that seems a little bit evil. > > > > > > I'd be inclined to simply drop noexec from /dev by default. > > > We don't do noexec on either /tmp or /dev/shm (because that causes > > > immediate > > > problems with stuff like Java and cffi). And if you have those two at your > > > disposal anyway, having noexec on /dev doesn't seem important. > > > > I'd propose to not enable exec globally, but if a service needs SGX, it > > could use something like MountOptions=/dev:exec only in those cases > > where it's needed. That way it's possible to disallow writable and > > executable file systems for most services (which typically don't need > > /tmp or /dev/shm either). Of course the opposite > > (MountOptions=/dev:noexec) would be also possible, but I'd expect that > > this would be needed to be used more often. > > > > I imagine the opposite would be more sensible. It seems odd to me > that we would want any SGX-using service to require both special mount > options and regular ACL permissions. > > As a further argument, I just did this on a Fedora system: > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l > > No results. So making /dev noexec doesn't seem to have any benefit. Neither does my Ubuntu installation with '-xdev' added (because of /dev/shm mount). find /dev -xdev -perm /ugo+x -a \! -type d -a \! -type l /Jarkko ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 8.12.2020 23.30, Andy Lutomirski wrote: On Dec 8, 2020, at 12:45 PM, Topi Miettinen wrote: On 8.12.2020 20.07, Andy Lutomirski wrote: On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote: On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: Hi udev people- The upcoming Linux SGX driver has a device node /dev/sgx. User code opens it, does various setup things, mmaps it, and needs to be able to create PROT_EXEC mappings. This gets quite awkward if /dev is mounted noexec. Can udev arrange to make a device node executable on distros that make /dev noexec? This could be done by bind-mounting from an exec tmpfs. Alternatively, the kernel could probably learn to ignore noexec on /dev/sgx, but that seems a little bit evil. I'd be inclined to simply drop noexec from /dev by default. We don't do noexec on either /tmp or /dev/shm (because that causes immediate problems with stuff like Java and cffi). And if you have those two at your disposal anyway, having noexec on /dev doesn't seem important. I'd propose to not enable exec globally, but if a service needs SGX, it could use something like MountOptions=/dev:exec only in those cases where it's needed. That way it's possible to disallow writable and executable file systems for most services (which typically don't need /tmp or /dev/shm either). Of course the opposite (MountOptions=/dev:noexec) would be also possible, but I'd expect that this would be needed to be used more often. I imagine the opposite would be more sensible. It seems odd to me that we would want any SGX-using service to require both special mount options and regular ACL permissions. How common are thes SGX-using services? Will every service start using it without any special measures taken on it's behalf, or perhaps only a special SGX control tool needs access? What about unprivileged user applications, do they ever want to access SGX? Could something like Widevine deep in a browser need to talk to SGX in a DRM scheme? I honestly don’t know. Widevine is probably some unholy mess of SGX and ME crud. But regular user programs may well end up using SGX for little non-evil enclaves, e.g. storing their keys securely. It would be nice if unprivileged enclaves just work as long as the use has appropriate permissions on the device nodes. Maybe, it would be also great if the access could be limited to those users or services which actually need it, by principle of least privilege. SGX adoption has been severely hampered by the massive series of recent vulnerabilities and by Intel’s silly licensing scheme. The latter won’t be supported upstream. As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
> On Dec 8, 2020, at 12:45 PM, Topi Miettinen wrote: > > On 8.12.2020 20.07, Andy Lutomirski wrote: >>> On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote: >>> >>> On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: > Hi udev people- > > The upcoming Linux SGX driver has a device node /dev/sgx. User code > opens it, does various setup things, mmaps it, and needs to be able to > create PROT_EXEC mappings. This gets quite awkward if /dev is mounted > noexec. > > Can udev arrange to make a device node executable on distros that make > /dev noexec? This could be done by bind-mounting from an exec tmpfs. > Alternatively, the kernel could probably learn to ignore noexec on > /dev/sgx, but that seems a little bit evil. I'd be inclined to simply drop noexec from /dev by default. We don't do noexec on either /tmp or /dev/shm (because that causes immediate problems with stuff like Java and cffi). And if you have those two at your disposal anyway, having noexec on /dev doesn't seem important. >>> >>> I'd propose to not enable exec globally, but if a service needs SGX, it >>> could use something like MountOptions=/dev:exec only in those cases >>> where it's needed. That way it's possible to disallow writable and >>> executable file systems for most services (which typically don't need >>> /tmp or /dev/shm either). Of course the opposite >>> (MountOptions=/dev:noexec) would be also possible, but I'd expect that >>> this would be needed to be used more often. >>> >> I imagine the opposite would be more sensible. It seems odd to me >> that we would want any SGX-using service to require both special mount >> options and regular ACL permissions. > > How common are thes SGX-using services? Will every service start using it > without any special measures taken on it's behalf, or perhaps only a special > SGX control tool needs access? What about unprivileged user applications, do > they ever want to access SGX? Could something like Widevine deep in a browser > need to talk to SGX in a DRM scheme? I honestly don’t know. Widevine is probably some unholy mess of SGX and ME crud. But regular user programs may well end up using SGX for little non-evil enclaves, e.g. storing their keys securely. It would be nice if unprivileged enclaves just work as long as the use has appropriate permissions on the device nodes. SGX adoption has been severely hampered by the massive series of recent vulnerabilities and by Intel’s silly licensing scheme. The latter won’t be supported upstream. > >> As a further argument, I just did this on a Fedora system: >> $ find /dev -perm /ugo+x -a \! -type d -a \! -type l >> No results. So making /dev noexec doesn't seem to have any benefit. > > It's no surprise that there aren't any executables in /dev since removing > MAKEDEV ages ago. That's not the issue, which is that /dev is a writable > directory (for UID=0 but no capabilities are needed) and thus a potential > location for constructing unapproved executables if it is also mounted exec > (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. > > -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 8.12.2020 20.07, Andy Lutomirski wrote: On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote: On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: Hi udev people- The upcoming Linux SGX driver has a device node /dev/sgx. User code opens it, does various setup things, mmaps it, and needs to be able to create PROT_EXEC mappings. This gets quite awkward if /dev is mounted noexec. Can udev arrange to make a device node executable on distros that make /dev noexec? This could be done by bind-mounting from an exec tmpfs. Alternatively, the kernel could probably learn to ignore noexec on /dev/sgx, but that seems a little bit evil. I'd be inclined to simply drop noexec from /dev by default. We don't do noexec on either /tmp or /dev/shm (because that causes immediate problems with stuff like Java and cffi). And if you have those two at your disposal anyway, having noexec on /dev doesn't seem important. I'd propose to not enable exec globally, but if a service needs SGX, it could use something like MountOptions=/dev:exec only in those cases where it's needed. That way it's possible to disallow writable and executable file systems for most services (which typically don't need /tmp or /dev/shm either). Of course the opposite (MountOptions=/dev:noexec) would be also possible, but I'd expect that this would be needed to be used more often. I imagine the opposite would be more sensible. It seems odd to me that we would want any SGX-using service to require both special mount options and regular ACL permissions. How common are thes SGX-using services? Will every service start using it without any special measures taken on it's behalf, or perhaps only a special SGX control tool needs access? What about unprivileged user applications, do they ever want to access SGX? Could something like Widevine deep in a browser need to talk to SGX in a DRM scheme? As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote: > > On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: > > On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: > >> Hi udev people- > >> > >> The upcoming Linux SGX driver has a device node /dev/sgx. User code > >> opens it, does various setup things, mmaps it, and needs to be able to > >> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted > >> noexec. > >> > >> Can udev arrange to make a device node executable on distros that make > >> /dev noexec? This could be done by bind-mounting from an exec tmpfs. > >> Alternatively, the kernel could probably learn to ignore noexec on > >> /dev/sgx, but that seems a little bit evil. > > > > I'd be inclined to simply drop noexec from /dev by default. > > We don't do noexec on either /tmp or /dev/shm (because that causes immediate > > problems with stuff like Java and cffi). And if you have those two at your > > disposal anyway, having noexec on /dev doesn't seem important. > > I'd propose to not enable exec globally, but if a service needs SGX, it > could use something like MountOptions=/dev:exec only in those cases > where it's needed. That way it's possible to disallow writable and > executable file systems for most services (which typically don't need > /tmp or /dev/shm either). Of course the opposite > (MountOptions=/dev:noexec) would be also possible, but I'd expect that > this would be needed to be used more often. > I imagine the opposite would be more sensible. It seems odd to me that we would want any SGX-using service to require both special mount options and regular ACL permissions. As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: Hi udev people- The upcoming Linux SGX driver has a device node /dev/sgx. User code opens it, does various setup things, mmaps it, and needs to be able to create PROT_EXEC mappings. This gets quite awkward if /dev is mounted noexec. Can udev arrange to make a device node executable on distros that make /dev noexec? This could be done by bind-mounting from an exec tmpfs. Alternatively, the kernel could probably learn to ignore noexec on /dev/sgx, but that seems a little bit evil. I'd be inclined to simply drop noexec from /dev by default. We don't do noexec on either /tmp or /dev/shm (because that causes immediate problems with stuff like Java and cffi). And if you have those two at your disposal anyway, having noexec on /dev doesn't seem important. I'd propose to not enable exec globally, but if a service needs SGX, it could use something like MountOptions=/dev:exec only in those cases where it's needed. That way it's possible to disallow writable and executable file systems for most services (which typically don't need /tmp or /dev/shm either). Of course the opposite (MountOptions=/dev:noexec) would be also possible, but I'd expect that this would be needed to be used more often. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: > Hi udev people- > > The upcoming Linux SGX driver has a device node /dev/sgx. User code > opens it, does various setup things, mmaps it, and needs to be able to > create PROT_EXEC mappings. This gets quite awkward if /dev is mounted > noexec. > > Can udev arrange to make a device node executable on distros that make > /dev noexec? This could be done by bind-mounting from an exec tmpfs. > Alternatively, the kernel could probably learn to ignore noexec on > /dev/sgx, but that seems a little bit evil. I'd be inclined to simply drop noexec from /dev by default. We don't do noexec on either /tmp or /dev/shm (because that causes immediate problems with stuff like Java and cffi). And if you have those two at your disposal anyway, having noexec on /dev doesn't seem important. Afaik, the kernel would refuse execve() on a character or block device anyway. Thus noexec on /dev matters only for actual binaries copied to /dev, which requires root privileges in the first place. Zbyszek ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] Creating executable device nodes in /dev?
Hi udev people- The upcoming Linux SGX driver has a device node /dev/sgx. User code opens it, does various setup things, mmaps it, and needs to be able to create PROT_EXEC mappings. This gets quite awkward if /dev is mounted noexec. Can udev arrange to make a device node executable on distros that make /dev noexec? This could be done by bind-mounting from an exec tmpfs. Alternatively, the kernel could probably learn to ignore noexec on /dev/sgx, but that seems a little bit evil. Thanks, Andy ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
