References: <1d301638-abaa-4f0b-89a5-7fa75250bf5d@app.fastmail.com>
Date: Tue, 31 Oct 2023 15:58:35 -0400
From: "Zack Weinberg"
To: "Michael Hudson-Doyle"
Cc: "Szabolcs Nagy", "Siddhesh Poyarekar", "Adhemerval Zanella", "GNU libc development", "Florian Weimer", "Carlos O'Donell"
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE

On Sun, Oct 8, 2023, at 3:51 PM, Michael Hudson-Doyle wrote:
> On Fri, 6 Oct 2023 at 07:32, Zack Weinberg wrote:
>> I also think we ought to be talking about a very short *whitelist* of
>> environment variables that are allowed to survive execve() of a
>> setxid binary -- off the top of my head, TERM, LANG, LANGUAGE, LC_*,
>> and maybe *nothing else* -- and putting that list into the kernel
>> itself.
>
> That would break at least one application I know about (snapd):
> https://bugs.launchpad.net/snapd/+bug/1682308

Flip answer: I don't think snapd ought to exist in the first place
(because it violates the Highlander Principle of Package Management),
so I don't care if it gets broken.

More serious answer: The specific thing snapd is doing here could be
handled via some sort of client-server protocol, with a *non*-setxid
client. This would allow the code running at elevated privilege to
treat the environment variables as an opaque blob of data to be copied
into the nascent sandboxed process, which would be safer.

Complementary serious answer: Are you sure there's no way to leverage
the ability to set arbitrary environment variables inside the sandbox
to carry out a sandbox escape? Are you *certain*?

zw
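The allowlist proposed in the quoted text (only TERM, LANG, LANGUAGE and LC_* survive execve() of a setxid binary) is easy to state but has a few edge cases worth seeing in code. The following is an added example written for this discussion; it is not glibc code, not kernel code, and not what any patch in the thread implements. The set of allowed names is taken from the mail and assumed for the example, the function names (`env_entry_allowed`, `filter_env`, `demo_filter`, `demo_entry`) are hypothetical, and the sample environment is constructed. It shows the filter in the direction the mail proposes, a default-deny allowlist rather than the erase-list of known-dangerous names that glibc applies today, and it also rejects malformed entries (no `=`, empty name, non-identifier bytes in the name) and the bare `LC_` prefix so that nothing slips through on a lexical technicality.

```c
/* Added example, not glibc or kernel code: a default-deny environment
   allowlist of the kind proposed in the thread. Only TERM, LANG,
   LANGUAGE and LC_* survive; everything else is dropped. The allowed
   names are an assumption taken from the mail. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const allow_exact[]  = { "TERM", "LANG", "LANGUAGE", NULL };
static const char *const allow_prefix[] = { "LC_", NULL };

/* Variable names are restricted to [A-Za-z0-9_]; odd bytes in a name
   are treated as malformed rather than compared. */
static bool name_char_ok(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* True if the "NAME=value" entry has a well-formed, allowlisted NAME. */
bool env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return false;                       /* no '=' or empty name */
    size_t namelen = (size_t)(eq - entry);
    for (size_t i = 0; i < namelen; i++)
        if (!name_char_ok((unsigned char)entry[i]))
            return false;
    for (size_t i = 0; allow_exact[i] != NULL; i++)
        if (strlen(allow_exact[i]) == namelen &&
            memcmp(entry, allow_exact[i], namelen) == 0)
            return true;
    for (size_t i = 0; allow_prefix[i] != NULL; i++) {
        size_t plen = strlen(allow_prefix[i]);
        /* LC_ALL, LC_CTYPE, ... but not a bare "LC_" name */
        if (namelen > plen && memcmp(entry, allow_prefix[i], plen) == 0)
            return true;
    }
    return false;
}

/* Compact envp in place, keeping only allowlisted entries in their
   original order, and return how many survived. */
size_t filter_env(char **envp)
{
    size_t out = 0;
    for (size_t in = 0; envp[in] != NULL; in++)
        if (env_entry_allowed(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return out;
}

/* Constructed sample environment, as a caller might hand it to a
   setxid binary. Filtering it is what the proposed kernel-side
   allowlist would do at execve() time. */
static char sample0[] = "TERM=xterm-256color";
static char sample1[] = "LD_PRELOAD=/tmp/untrusted.so";  /* constructed; must be dropped */
static char sample2[] = "LC_ALL=C.UTF-8";
static char sample3[] = "PATH=/usr/bin";                  /* not on the allowlist */
static char sample4[] = "LC_=x";                          /* bare prefix, dropped */
static char sample5[] = "=nameless";                      /* malformed, dropped */
static char *sample_env[] = { sample0, sample1, sample2, sample3,
                              sample4, sample5, NULL };

/* Run the filter over the sample and return the survivor count.
   Filtering is idempotent, so this may be called repeatedly. */
size_t demo_filter(void)
{
    return filter_env(sample_env);
}

/* i-th surviving entry after filtering, or NULL past the end. */
const char *demo_entry(size_t i)
{
    size_t n = demo_filter();
    return i < n ? sample_env[i] : NULL;
}

int main(void)
{
    size_t n = demo_filter();
    printf("%zu entries survive:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", sample_env[i]);
    return 0;
}
```

On the constructed sample, two of six entries survive (TERM and LC_ALL); LD_PRELOAD and PATH are dropped simply because they are not on the list, not because anyone had to think of them in advance, which is the point of an allowlist over an erase-list. The design choice to reject names with non-identifier bytes means the filter never has to reason about how a later parser might normalise such a name.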