Date: Fri, 9 Feb 2024 10:55:54 -0500
Subject: Re: [RFC] GCC Security policy
From: Siddhesh Poyarekar
To: Martin Jambor, Richard Biener
Cc: David Edelsohn, GCC Patches, Carlos O'Donell
References: <5dab0019-a28e-f6b1-c822-9217d4d2f59f@gotplt.org>

On 2024-02-09 10:38, Martin Jambor wrote:
> If anyone is interested in scoping this and then mentoring this as a
> Google Summer of Code project this year then now is the right time to
> speak up!

I can help with mentoring and reviews, although I'll need someone to assist with actual approvals.

There are two distinct sets of ideas to explore, one is privilege management and the other sandboxing.

For privilege management we could add a --allow-root driver flag that allows gcc to run as root. Without the flag one could either outright refuse to run or drop privileges and run.

Dropping privileges will be a bit tricky to implement because it would need a user to drop privileges to and then there would be the question of how to manage file access to read the compiler input and write out the compiler output. If there's no such user, gcc could refuse to run as root by default. I wonder though if from a security posture perspective it makes sense to simply discourage running as root all the time and not bother trying to make it work with dropped privileges and all that. Of course it would mean that this would be less of a "project"; it'll be a simple enough patch to refuse to run until --allow-root is specified.

This probably ties in somewhat with an idea David Malcolm had riffed on with me earlier, of caching files for diagnostics. If we could unify file accesses somehow, we could make this happen, i.e. open/read files as root and then do all execution as non-root.

Sandboxing will have similar requirements, i.e. map in input files and an output file handle upfront and then unshare() into a sandbox to do the actual compilation. This will make sure that at least the processing of inputs does not affect the system on which the compilation is being run.

Sid
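An added sketch in C of the two ideas discussed in the message above (example code, not from this thread or from GCC): a root check gated on the proposed --allow-root flag, then opening the input and output up front so that the stage run after unshare() only ever handles descriptors it was handed. The function names (root_policy, open_io, enter_sandbox, sandboxed_stage, demo_roundtrip), the /tmp paths and the byte-copy stand-in for compilation are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef CLONE_NEWNS   /* glibc exposes these only under _GNU_SOURCE; Linux ABI values as fallback */
#define CLONE_NEWNS 0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWNET 0x40000000
int unshare(int flags);
#endif

/* Policy from the mail: refuse to run as root unless the (hypothetical) --allow-root flag was given. 1 = refuse. */
int root_policy(uid_t euid, int allow_root) { return euid == 0 && !allow_root; }

/* Open input and output before sandboxing; the sandboxed stage only ever gets descriptors. 0 or -errno. */
int open_io(const char *in, const char *out, int *in_fd, int *out_fd)
{
    *in_fd = open(in, O_RDONLY | O_CLOEXEC);
    *out_fd = open(out, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (*in_fd >= 0 && *out_fd >= 0) return 0;
    int e = errno; close(*in_fd); close(*out_fd); return -e;
}

/* New user, mount and net namespaces: nothing the input provokes can reach host files or the
 * network. Returns 0 or -errno (-EPERM where unprivileged user namespaces are disabled). */
int enter_sandbox(void) { return unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) == 0 ? 0 : -errno; }

/* Stand-in for the compilation step: reads only in_fd, writes only out_fd. Bytes written or -errno. */
long sandboxed_stage(int in_fd, int out_fd)
{
    char buf[4096];
    ssize_t n = read(in_fd, buf, sizeof buf);   /* one chunk is enough for the demo */
    if (n < 0 || write(out_fd, buf, (size_t)n) != n) return -errno;
    return n;
}

/* Constructed self-check: 13 bytes of "source" through the pipeline; a sandbox -EPERM is tolerated. */
long demo_roundtrip(void)
{
    char in[] = "/tmp/sbx-in-XXXXXX", out[] = "/tmp/sbx-out-XXXXXX";
    int fd = mkstemp(in), ofd = mkstemp(out), in_fd, out_fd;
    if (fd < 0 || ofd < 0 || write(fd, "int main(){}\n", 13) != 13) return -1;
    close(fd); close(ofd);
    if (open_io(in, out, &in_fd, &out_fd) < 0) return -1;
    (void)enter_sandbox();                      /* from here on: descriptors only */
    long n = sandboxed_stage(in_fd, out_fd);
    close(in_fd); close(out_fd); unlink(in); unlink(out);
    return n;
}
```

A real driver would check enter_sandbox()'s return and refuse to proceed on failure; the self-check ignores it only so that it also runs where user namespaces are disabled.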