public inbox for gcc-patches@gcc.gnu.org
From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Martin Jambor <mjambor@suse.cz>,
	Richard Biener <richard.guenther@gmail.com>
Cc: David Edelsohn <dje.gcc@gmail.com>,
	GCC Patches <gcc-patches@gcc.gnu.org>,
	Carlos O'Donell <carlos@redhat.com>
Subject: Re: [RFC] GCC Security policy
Date: Fri, 9 Feb 2024 10:55:54 -0500
Message-ID: <aea34e30-1a90-4d70-90a0-6684a25d33a9@gotplt.org>
In-Reply-To: <ri6ttmhzlzm.fsf@virgil.suse.cz>

On 2024-02-09 10:38, Martin Jambor wrote:
> If anyone is interested in scoping this and then mentoring this as a
> Google Summer of Code project this year then now is the right time to
> speak up!

I can help with mentoring and reviews, although I'll need someone to 
assist with actual approvals.

There are two distinct sets of ideas to explore, one is privilege 
management and the other sandboxing.

For privilege management we could add a --allow-root driver flag that 
allows gcc to run as root.  Without the flag one could either outright 
refuse to run or drop privileges and run.  Dropping privileges will be a 
bit tricky to implement because it would need a user to drop privileges 
to and then there would be the question of how to manage file access to 
read the compiler input and write out the compiler output.  If there's 
no such user, gcc could refuse to run as root by default.  I wonder 
though if from a security posture perspective it makes sense to simply 
discourage running as root all the time and not bother trying to make it 
work with dropped privileges and all that.  Of course it would mean that 
this would be less of a "project"; it'll be a simple enough patch to 
refuse to run until --allow-root is specified.

This probably ties in somewhat with an idea David Malcolm had riffed on 
with me earlier, of caching files for diagnostics.  If we could unify 
file accesses somehow, we could make this happen, i.e. open/read files 
as root and then do all execution as non-root.

Sandboxing will have similar requirements, i.e. map in input files and 
an output file handle upfront and then unshare() into a sandbox to do 
the actual compilation.  This will make sure that at least the 
processing of inputs does not affect the system on which the compilation 
is being run.

Sid

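An added illustration of the privilege-management idea above (example code written for this page, not code from GCC or from anyone in this thread): a driver-style check that refuses to run as root unless --allow-root is given, plus a permanent privilege drop that verifies root cannot be regained. The flag spelling follows the mail; the fallback uid/gid 65534 and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome of the (hypothetical) --allow-root policy check. */
enum root_policy { RP_PROCEED = 0, RP_REFUSE_ROOT = 1, RP_PROCEED_AS_ROOT = 2 };

/* Decide whether a driver invoked with effective uid 'euid' and the given
   argument vector may proceed.  Root is refused unless --allow-root is
   present; this mirrors the proposal in the mail and is not GCC code. */
enum root_policy check_root_policy(uid_t euid, int argc, char **argv)
{
    int allow_root = 0;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--allow-root") == 0)
            allow_root = 1;
    if (euid != 0)
        return RP_PROCEED;
    return allow_root ? RP_PROCEED_AS_ROOT : RP_REFUSE_ROOT;
}

/* Permanently drop from root to uid/gid.  Returns 0 on success, -1 on
   failure.  Order matters: supplementary groups first, then gid, then uid,
   because once the uid is non-root the earlier calls would be refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                              /* nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A correct drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    switch (check_root_policy(geteuid(), argc, argv)) {
    case RP_REFUSE_ROOT:
        fprintf(stderr, "refusing to run as root; pass --allow-root\n");
        return 1;
    case RP_PROCEED_AS_ROOT:
        /* Assumed unprivileged target: uid/gid 65534 ("nobody" on many systems). */
        if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
        break;
    default:
        break;
    }
    puts("proceeding unprivileged");
    return 0;
}
```

Any input and output files the compiler needs would have to be opened before drop_privileges() is called, which is the file-access question the mail raises.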