From: Siddhesh Poyarekar
Date: Thu, 5 Oct 2023 15:11:16 -0400
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
To: Zack Weinberg, Szabolcs Nagy, Adhemerval Zanella, GNU libc development
Cc: Florian Weimer, Carlos O'Donell
In-Reply-To: <1d301638-abaa-4f0b-89a5-7fa75250bf5d@app.fastmail.com>

On 2023-10-05 14:31, Zack Weinberg wrote:
> On Thu, Oct 5, 2023, at 9:59 AM, Szabolcs Nagy wrote:
>> The 10/05/2023 08:55, Siddhesh Poyarekar wrote:
>>> The current unsetenv logic is well reasoned IMO; the tunables layer made it
>>> complicated and it ought to be sufficient to just remove that. But that
>>> would require dropping the memory tagging tunable from SXID_IGNORE and
>>> erasing GLIBC_TUNABLES by putting it in unsecvars.h.
>>
>> i think it is broken to rewrite env[] that is passed by
>> the kernel. but since glibc always did this i guess it's
>> fine.
>
> I think the CVE that prompted this discussion demonstrates that it's *insecure*
> to allow children of setxid processes to inherit any environment variable that is
> considered insecure to consult in the setxid process itself.

I don't completely disagree with the conclusion below, but the CVE that prompted this discussion doesn't say anything about environment inheritance, because the vulnerability had nothing to do with environment processing and inheritance. The issue there is limited to complex parsing of a particular environment variable in a setxid context, and the main lesson there IMO is to keep any kind of processing to a bare minimum in a setxid context.

Processing for environment inheritance (specifically, cleaning out unsecvars) is fairly stable code that has stood the test of time. It makes sense, like you suggest below, to make it an inclusion list rather than an exclusion list, but IMO that's a separate hardening exercise from ripping tunables out of the setxid context.

> I also think we ought to be talking about a very short *whitelist* of environment
> variables that are allowed to survive execve() of a setxid binary -- off the top
> of my head, TERM, LANG, LANGUAGE, LC_*, and maybe *nothing else* -- and putting
> that list into the kernel itself.
>
> zw
>

Thanks,
Sid
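The two policies compared in the thread, as an added example that is not part of the message and not glibc's own code: an exclusion list in the style of unsecvars.h that erases known-insecure names from the envp array a setxid process received, beside the inclusion list Zack proposes (TERM, LANG, LANGUAGE, LC_*). The exclusion-list contents are an illustrative subset (GLIBC_TUNABLES from the thread plus two loader variables), the sample environment is constructed, and the in-place compaction is my own choice so that the filter needs no allocation; none of this mirrors the actual glibc implementation.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exclusion list in the unsecvars.h style discussed in the thread.
   Illustrative subset only, not glibc's actual list. */
static const char *const unsecure_vars[] = {
    "GLIBC_TUNABLES",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    NULL,
};

/* Inclusion list taken from Zack's suggestion: TERM, LANG, LANGUAGE and
   (handled separately below) any LC_* variable. */
static const char *const allowed_vars[] = { "TERM", "LANG", "LANGUAGE", NULL };

/* Length of the NAME part of a "NAME=value" entry (whole string if no '='). */
static size_t name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t) (eq - entry) : strlen(entry);
}

/* True if ENTRY's name is exactly NAME, so "LANGUAGE=x" never matches "LANG". */
static bool name_matches(const char *entry, const char *name)
{
    size_t n = name_len(entry);
    return strlen(name) == n && memcmp(entry, name, n) == 0;
}

/* Exclusion-list policy: keep everything except names known to be unsafe. */
bool keep_by_exclusion(const char *entry)
{
    for (const char *const *p = unsecure_vars; *p != NULL; p++)
        if (name_matches(entry, *p))
            return false;
    return true;
}

/* Inclusion-list policy: keep only TERM, LANG, LANGUAGE and LC_<something>. */
bool keep_by_inclusion(const char *entry)
{
    for (const char *const *p = allowed_vars; *p != NULL; p++)
        if (name_matches(entry, *p))
            return true;
    size_t n = name_len(entry);
    return n > 3 && memcmp(entry, "LC_", 3) == 0;
}

/* Rewrite ENVP in place: surviving entries are compacted to the front and the
   array is NULL-terminated again.  Returns the number kept.  No allocation,
   so this is usable very early in process startup. */
size_t filter_env(char **envp, bool (*keep)(const char *))
{
    size_t out = 0;
    for (size_t in = 0; envp[in] != NULL; in++)
        if (keep(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return out;
}

/* True if a variable called NAME is still present in ENVP. */
bool env_has(char *const *envp, const char *name)
{
    for (size_t i = 0; envp[i] != NULL; i++)
        if (name_matches(envp[i], name))
            return true;
    return false;
}

/* Constructed sample environment: applies KEEP, stores whether NAME survived
   in *PRESENT (if non-NULL) and returns the surviving count. */
size_t demo(bool (*keep)(const char *), const char *name, bool *present)
{
    char *env[] = {
        "PATH=/usr/bin",
        "GLIBC_TUNABLES=glibc.malloc.check=3",
        "TERM=xterm",
        "LC_ALL=C",
        "HOME=/root",
        "LANG=en_US.UTF-8",
        NULL,
    };
    size_t n = filter_env(env, keep);
    if (present != NULL)
        *present = env_has(env, name);
    return n;
}

/* Convenience wrapper: did NAME survive the KEEP policy on the sample env? */
bool demo_keeps(bool (*keep)(const char *), const char *name)
{
    bool present = false;
    demo(keep, name, &present);
    return present;
}

int main(void)
{
    size_t n = demo(keep_by_exclusion, "GLIBC_TUNABLES", NULL);
    printf("exclusion list: %zu of 6 kept, GLIBC_TUNABLES %s\n", n,
           demo_keeps(keep_by_exclusion, "GLIBC_TUNABLES") ? "kept" : "erased");
    n = demo(keep_by_inclusion, "PATH", NULL);
    printf("inclusion list: %zu of 6 kept, PATH %s\n", n,
           demo_keeps(keep_by_inclusion, "PATH") ? "kept" : "erased");
    return 0;
}
```

The difference the thread is debating shows up directly: the exclusion list only removes what someone remembered to add to it (a new tunable or loader knob is inherited by default), while the inclusion list drops anything not explicitly named, so a newly introduced variable is erased unless someone argues it in. The exact-name match also matters for either list: a prefix comparison would let "LANGUAGE" be treated as "LANG" or, worse, let a deny entry be bypassed by a longer name.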