From: "Zack Weinberg" <zack@owlfolio.org>
To: "Michael Hudson-Doyle" <michael.hudson@canonical.com>
Cc: "Szabolcs Nagy" <szabolcs.nagy@arm.com>,
"Siddhesh Poyarekar" <siddhesh@sourceware.org>,
"Adhemerval Zanella" <adhemerval.zanella@linaro.org>,
"GNU libc development" <libc-alpha@sourceware.org>,
"Florian Weimer" <fweimer@redhat.com>,
"Carlos O'Donell" <carlos@redhat.com>
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
Date: Tue, 31 Oct 2023 15:58:35 -0400 [thread overview]
Message-ID: <f91effd0-c996-4a79-835f-b1c12d310a3d@app.fastmail.com> (raw)
In-Reply-To: <CAJ8wqtcL=mLsxqtZA0bB1xG_7pgdYT2PLe53uLrrs6uJP_JTKg@mail.gmail.com>
On Sun, Oct 8, 2023, at 3:51 PM, Michael Hudson-Doyle wrote:
> On Fri, 6 Oct 2023 at 07:32, Zack Weinberg <zack@owlfolio.org> wrote:
>> I also think we ought to be talking about a very short *whitelist* of
>> environment variables that are allowed to survive execve() of a
>> setxid binary -- off the top of my head, TERM, LANG, LANGUAGE, LC_*,
>> and maybe *nothing else* -- and putting that list into the kernel
>> itself.
>
> That would break at least one application I know about (snapd):
> https://bugs.launchpad.net/snapd/+bug/1682308
Flip answer: I don't think snapd ought to exist in the first place
(because it violates the Highlander Principle of Package Management),
so I don't care if it gets broken.
More serious answer: The specific thing snapd is doing here could be
handled via some sort of client-server protocol, with a *non*-setxid
client. This would allow the code running at elevated privilege to
treat the environment variables as an opaque blob of data to be copied
into the nascent sandboxed process, which would be safer.
Complementary serious answer: Are you sure there's no way to leverage
the ability to set arbitrary environment variables inside the sandbox
to carry out a sandbox escape? Are you *certain*?
zw
prev parent reply other threads:[~2023-10-31 19:59 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 20:11 [PATCH 0/2] make all tunables SXID_ERASE Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 1/2] Make all malloc " Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE Siddhesh Poyarekar
2023-10-04 7:29 ` Szabolcs Nagy
2023-10-04 11:59 ` Siddhesh Poyarekar
2023-10-04 14:04 ` Szabolcs Nagy
2023-10-04 14:23 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Szabolcs Nagy
2023-10-04 14:53 ` Siddhesh Poyarekar
2023-10-04 15:05 ` Siddhesh Poyarekar
2023-10-04 17:01 ` Adhemerval Zanella Netto
2023-10-05 8:19 ` Szabolcs Nagy
2023-10-05 12:55 ` Siddhesh Poyarekar
2023-10-05 13:59 ` Szabolcs Nagy
2023-10-05 14:05 ` Siddhesh Poyarekar
2023-10-05 18:31 ` Zack Weinberg
2023-10-05 19:11 ` Siddhesh Poyarekar
2023-10-06 12:25 ` Zack Weinberg
2023-10-06 12:41 ` Siddhesh Poyarekar
2023-10-06 17:10 ` Adhemerval Zanella Netto
2023-10-06 18:04 ` Siddhesh Poyarekar
2023-10-08 19:51 ` Michael Hudson-Doyle
2023-10-31 19:58 ` Zack Weinberg [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f91effd0-c996-4a79-835f-b1c12d310a3d@app.fastmail.com \
--to=zack@owlfolio.org \
--cc=adhemerval.zanella@linaro.org \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=michael.hudson@canonical.com \
--cc=siddhesh@sourceware.org \
--cc=szabolcs.nagy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).