oss-sec mailing list archives
Re: Re: Firejail local root exploit
From: Simon McVittie <smcv () debian org>
Date: Sun, 8 Jan 2017 15:19:33 +0000
On Sun, 08 Jan 2017 at 12:51:58 +0100, Martin Carpenter wrote:
> Here's disable_coredumps() from sudo 1.8.9p5 (as shipped with Ubuntu 14.04, which does not disable suid coredumps on desktop by default):
>
> [... the active ingredient is ...]
>
>     (void) getrlimit(RLIMIT_CORE, &corelimit);
>     memcpy(&rl, &corelimit, sizeof(struct rlimit));
>     rl.rlim_cur = 0;
>     (void) setrlimit(RLIMIT_CORE, &rl);
This is not actually enough. dbus has one regression test involving a binary that deliberately segfaults (so we can assert that the resulting error is reported correctly) and we found that with tools like corekeeper that set core_pattern="|some-helper", code similar to sudo's still resulted in a core dump being written into the pipe to some-helper. In dbus this was only a performance issue and not a security issue (dumping core repeatedly made our unit tests really slow).

To address that, we added this:

    #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
      /* Really, no core dumps please. On Linux, if core_pattern is
       * set to a pipe (for abrt/apport/corekeeper/etc.), RLIMIT_CORE of 0
       * is ignored (deliberately, so people can debug init(8) and other
       * early stuff); but Linux has PR_SET_DUMPABLE, so we can avoid core
       * dumps anyway. */
      prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
    #endif

Reference: https://bugs.freedesktop.org/show_bug.cgi?id=83772

Rationale for RLIMIT_CORE=0 being ignored in this case: https://lkml.org/lkml/2011/8/24/136
> there just has to be more stuff out there like this. sudo was literally the first thing I looked at... Disabling filter inheritance across the privilege boundary doesn't seem like an obviously good solution(?).
bubblewrap opts out of setuid and similar mechanisms by unconditionally setting PR_SET_NO_NEW_PRIVS (and bailing out if that fails), which seems a good idea for anything that claims to be a sandbox. If feasible, I would recommend that firejail should do the same.

    S
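The three mechanisms this reply compares, as an added C example written for this archive page; it is not code from sudo, dbus, bubblewrap or firejail, and the function names (limit_core_to_zero, make_non_dumpable, core_dumps_suppressed, enforce_no_new_privs) are this example's own. It applies the RLIMIT_CORE=0 step that sudo relies on, the PR_SET_DUMPABLE=0 step that dbus added on top of it, and the PR_SET_NO_NEW_PRIVS opt-out with bail-out that bubblewrap does, then reads each flag back through prctl(2) so the caller can verify the kernel actually recorded it rather than trusting the return code:

```c
/* Added example for this thread, not code from sudo, dbus, bubblewrap or
 * firejail. Linux only: prctl(2) and the PR_* constants are Linux-specific. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Older headers may lack these; the values are the Linux ABI constants. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Step 1 (sudo's approach): a zero soft RLIMIT_CORE stops the kernel from
 * writing a core *file*. When core_pattern starts with '|' the dump is piped
 * to a helper instead and a zero limit is deliberately ignored, so this alone
 * is not enough. Returns 0 on success, -1 on failure (errno set). */
int limit_core_to_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    rl.rlim_cur = 0;            /* soft limit only; leave the hard limit alone */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Step 2 (what dbus added): a non-dumpable process is never dumped, to a file
 * or to a pipe, and cannot be ptraced by an unprivileged user either.
 * Returns 0 on success, -1 on failure (errno set). */
int make_non_dumpable(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Apply both steps and confirm by reading the flag back.
 * Returns 1 if the kernel now reports the process as non-dumpable, else 0. */
int core_dumps_suppressed(void)
{
    if (limit_core_to_zero() != 0 || make_non_dumpable() != 0)
        return 0;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

/* Step 3 (what bubblewrap does): once set, execve() can no longer grant
 * privileges, so setuid/setgid bits and file capabilities are ignored for
 * this process and every descendant. The flag cannot be cleared again, which
 * is the point: a sandbox that cannot set it should refuse to run.
 * Returns 1 if the flag is confirmed set, 0 otherwise. */
int enforce_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        fprintf(stderr, "PR_SET_NO_NEW_PRIVS failed: %s\n", strerror(errno));
        return 0;
    }
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

int main(void)
{
    if (!core_dumps_suppressed()) {
        fprintf(stderr, "could not suppress core dumps: %s\n", strerror(errno));
        return 1;
    }
    if (!enforce_no_new_privs())
        return 1;               /* bail out rather than run without it */
    printf("dumpable=%d no_new_privs=%d\n",
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0),
           prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
    return 0;
}
```

Two caveats when using this in a real setuid program or sandbox: the dumpable flag is per process and is reset by execve(), so sudo-style programs must set it themselves after they start rather than rely on a caller having done so; and PR_SET_NO_NEW_PRIVS is inherited and irreversible, so it belongs in the sandbox launcher before it executes the confined program, not in the confined program itself.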
Current thread:
- Firejail local root exploit Sebastian Krahmer (Jan 04)
- Re: Firejail local root exploit cve-assign (Jan 04)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 05)
- Re: Firejail local root exploit cve-assign (Jan 06)
- Re: Re: Firejail local root exploit sivmu (Jan 06)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 07)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 08)
- Re: Re: Firejail local root exploit Simon McVittie (Jan 08)
- Re: Re: Firejail local root exploit Brad Spengler (Jan 08)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 08)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 05)
- Re: Firejail local root exploit cve-assign (Jan 04)
- Re: Re: Firejail local root exploit Lizzie Dixon (Jan 06)
- Re: Firejail local root exploit cve-assign (Jan 07)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 07)
- Re: Firejail local root exploit cve-assign (Jan 07)
- Re: Firejail local root exploit cve-assign (Jan 06)