From: Martin Jambor
To: Siddhesh Poyarekar
Cc: David Edelsohn, GCC Patches, Carlos O'Donell, Richard Biener
Subject: Re: [RFC] GCC Security policy
Date: Mon, 12 Feb 2024 14:16:27 +0100
References: <5dab0019-a28e-f6b1-c822-9217d4d2f59f@gotplt.org>

Hi,

On Fri, Feb 09 2024, Siddhesh Poyarekar wrote:
> On 2024-02-09 10:38, Martin Jambor wrote:
>> If anyone is interested in scoping this and then mentoring this as a
>> Google Summer of Code project this year then now is the right time to
>> speak up!
>
> I can help with mentoring and reviews, although I'll need someone to
> assist with actual approvals.

I'm sure that we could manage that. The project does not look like it
would be a huge one.

> There are two distinct sets of ideas to explore, one is privilege
> management and the other sandboxing.
>
> For privilege management we could add a --allow-root driver flag that
> allows gcc to run as root. Without the flag one could either outright
> refuse to run or drop privileges and run. Dropping privileges will be a
> bit tricky to implement because it would need a user to drop privileges
> to and then there would be the question of how to manage file access to
> read the compiler input and write out the compiler output. If there's
> no such user, gcc could refuse to run as root by default. I wonder
> though if from a security posture perspective it makes sense to simply
> discourage running as root all the time and not bother trying to make it
> work with dropped privileges and all that. Of course it would mean that
> this would be less of a "project"; it'll be a simple enough patch to
> refuse to run until --allow-root is specified.

Yeah, this would not be enough for a GSoC project, not even for their
new small project category.

Additionally, I think that many, if not all, Linux distributions that
build binary packages do it in a VM/container/chroot where they do it
simply under root because the whole environment is there just for the
build. So this would complicate lives for an important set of our
users.

> This probably ties in somewhat with an idea David Malcolm had riffed on
> with me earlier, of caching files for diagnostics. If we could unify
> file accesses somehow, we could make this happen, i.e. open/read files
> as root and then do all execution as non-root.
>
> Sandboxing will have similar requirements, i.e. map in input files and
> an output file handle upfront and then unshare() into a sandbox to do
> the actual compilation. This will make sure that at least the
> processing of inputs does not affect the system on which the compilation
> is being run.

Right.

As we often just download some (sometimes large) pre-processed source
from Bugzilla and then happily run GCC on it on our computers, this
feature might be actually useful for us (still, we'd probably need a
more concrete description of what we want, would e.g. using "-wrapper
gdb,--args" work in such a sandbox?).

I agree that for some even semi-complex builds, a more general
sandboxing solution is probably better.

Martin
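The sandboxing sketch quoted in the message above (open the input and the output up front, then unshare() into a sandbox for the actual compilation), as an added C example that is not code from this thread or from GCC: `run_sandboxed` opens both files on the host, forks, and in the child enters new user, mount and network namespaces and chroots into an empty tmpfs before calling the hypothetical `compile_step`, so the step can reach only the two descriptors it was handed, and it refuses to compile at all when the kernel denies the namespace setup. All function and constant names are mine; `sandbox_demo` exercises it on a constructed input file.

```c
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEW* flags from the kernel uapi header */
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
int unshare(int flags);    /* glibc exports it; <sched.h> declares it only under _GNU_SOURCE */
enum { SANDBOX_OK = 0, SANDBOX_FAILED = 1, SANDBOX_UNAVAILABLE = 2 };

static int compile_step(int in_fd, int out_fd)   /* hypothetical stand-in for the compiler proper */
{
    char buf[256]; ssize_t n;
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) if (buf[i] >= 'a' && buf[i] <= 'z') buf[i] -= 32;
        if (write(out_fd, buf, (size_t)n) != n) return 1;
    }
    return n < 0;
}

/* Open both files on the host first; a forked child then unshares into new user, mount
 * and net namespaces and chroots into an empty tmpfs, so step() reaches only its two fds. */
int run_sandboxed(const char *in_path, const char *out_path, int (*step)(int, int))
{
    int status = 0, in_fd = open(in_path, O_RDONLY),
        out_fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (in_fd < 0 || out_fd < 0) return SANDBOX_FAILED;
    pid_t pid = fork();
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) != 0
            || mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "size=64k") != 0
            || chroot("/tmp") != 0 || chdir("/") != 0)
            _exit(SANDBOX_UNAVAILABLE);   /* fail closed: never compile unsandboxed */
        _exit(step(in_fd, out_fd) ? SANDBOX_FAILED : SANDBOX_OK);
    }
    close(in_fd); close(out_fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SANDBOX_FAILED;
    return WEXITSTATUS(status);
}

/* Self-check on a constructed input; SANDBOX_UNAVAILABLE where namespaces are refused. */
int sandbox_demo(void)
{
    char in[] = "/tmp/sbx_in_XXXXXX", out[] = "/tmp/sbx_out_XXXXXX", got[64] = {0};
    int fi = mkstemp(in), fo = mkstemp(out);
    if (fi < 0 || fo < 0 || write(fi, "int x;\n", 7) != 7) return SANDBOX_FAILED;
    close(fi); close(fo);
    int rc = run_sandboxed(in, out, compile_step);
    if ((fo = open(out, O_RDONLY)) >= 0) { if (read(fo, got, 63) < 0) got[0] = 0; close(fo); }
    unlink(in); unlink(out);
    return rc != SANDBOX_OK ? rc : (strcmp(got, "INT X;\n") == 0 ? SANDBOX_OK : SANDBOX_FAILED);
}
```

Where unprivileged user namespaces are disabled (or blocked by a container's seccomp profile), `run_sandboxed` returns `SANDBOX_UNAVAILABLE` without running the step, which is the behaviour a compiler driver would want before it decides whether to fall back to an external sandbox.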