From: Siddhesh Poyarekar
Subject: Re: [PATCH] Fix SXID_ERASE behavior in setuid programs (BZ #27471)
To: Adhemerval Zanella, libc-alpha@sourceware.org
References: <20210301141732.3433685-1-siddhesh@sourceware.org>
Date: Tue, 16 Mar 2021 12:28:07 +0530

On 3/9/21 2:15 AM, Adhemerval Zanella via Libc-alpha wrote:
> Which I think would require more fixes since I see at least two issues:
>
> 1. Invalid values for valid tunables are not being stripped off as shown
>    by 1., 2., and 3. Although this will be invalidated by the code that
>    actually consumes it, I think we should be really careful and strip
>    off such cases for secured binaries.

Can I do this as a separate hardening enhancement? As of now it behaves
as designed and I also intend to merge SXID_IGNORE into SXID_ERASE so
that tunables never cross setxid boundaries.

> 2. Invalid namespaces stripping are inconsistent: if there on second
>    and fourth they are corrected and further tunables are copied (3).
>    However if they are the first one, further valid tunables are
>    ignored (6).

I was worried this might be a deeper problem, but turns out it's just a
typo in your test; it should be glibc.malloc.mmap_threshold, not
glibc_malloc.mmap_threshold :)

I'm about to post a v2 with the rest of the changes you requested.

Siddhesh