lock down rsyslog a bit
Issue description

currently syslog runs in the root namespaces. let's see if we can restrict it a bit more.
Oct 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/c6206d52712673e25adde3e00a3c7517aade5cd0

commit c6206d52712673e25adde3e00a3c7517aade5cd0
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Oct 18 06:14:19 2017

init: run syslog in a net namespace

Since syslog shouldn't need access to the network, put it into a namespace without any access.

BUG=chromium:764455
TEST=precq passes still

Change-Id: Ib5b838833e73499547e2fde1610d145097f100ea
Reviewed-on: https://chromium-review.googlesource.com/664002
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/c6206d52712673e25adde3e00a3c7517aade5cd0/init/upstart/syslog.conf
Nov 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/2569fd842fc4721c124939f7e0df5652efcdaf71

commit 2569fd842fc4721c124939f7e0df5652efcdaf71
Author: Mike Frysinger <vapier@chromium.org>
Date: Tue Nov 14 11:22:33 2017

init: run syslog in a mount namespace

BUG=chromium:764455
TEST=precq passes still

Change-Id: Ic0a403d8b50388e2b1d04f3e0d55d9d4f67f0694
Reviewed-on: https://chromium-review.googlesource.com/717898
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/2569fd842fc4721c124939f7e0df5652efcdaf71/init/upstart/syslog.conf
Nov 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/985760565066e569ef700606e19d213eadbc3a48

commit 985760565066e569ef700606e19d213eadbc3a48
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Nov 16 00:07:34 2017

init: run syslog with a unique /tmp mount

BUG=chromium:764455
TEST=precq passes

Change-Id: I4d98fe4294767ffa5369e9e4ec0b2f37bf0e24f5
Reviewed-on: https://chromium-review.googlesource.com/769412
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/985760565066e569ef700606e19d213eadbc3a48/init/upstart/syslog.conf
May 16 2018
Luis has further restricted this w/a clean mount namespace: https://chromium-review.googlesource.com/1053418
May 16 2018
i posted a CL a while back to reduce the access to /dev, but it's not as straightforward :(. when binding to a unix socket, the socket can't exist on the system beforehand, otherwise the bind() call fails. you can see this in the kernel sources: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/v4.14/net/unix/af_unix.c#1016

this means we can't create /dev/log before rsyslog itself, which means we can't have the path pre-created in the root namespace in /dev/, then bind mount that into a reduced /dev/ path for rsyslog, and have rsyslog bind to that socket. this is what i tried (https://chromium-review.googlesource.com/769413):

    # Create a pseudo /dev, then bind mount /dev/log, /dev/console, and /dev/kmsg.
    exec /sbin/minijail0 -l --uts -i -v -e -t -P /var/empty \
      --mount-dev -b /dev/log,,1 -b /dev/console,,1 -b /dev/kmsg \
      -b / -b /proc -k tmpfs,/var,tmpfs,0xe -b /var/log,,1 \
      /usr/sbin/rsyslogd -n -f /etc/rsyslog.chromeos -i /tmp/rsyslogd.pid

note that this fails by itself (as the betty VM tests show) because /dev/log doesn't exist at all, so minijail aborted. creating the file as a proper socket (via some C code) ran into the bind problem i described above.

trying to do it the other way around doesn't seem to work. i tried:

    # Create a pseudo /dev, then bind mount /dev/console and /dev/kmsg. /dev/log will be
    # created automatically by rsyslog.
    exec /sbin/minijail0 -l --uts -i -v -e -t -P /var/empty \
      --mount-dev -b /dev/console,,1 -b /dev/kmsg \
      -b / -b /proc -k tmpfs,/var,tmpfs,0xe -b /var/log,,1 \
      /usr/sbin/rsyslogd -n -f /etc/rsyslog.chromeos -i /tmp/rsyslogd.pid

    post-start script
      pid=$(status syslog)
      pid=${pid##* }
      log="/proc/${pid}/root/dev/log"
      if net_poll_tool --timeout=60 --unix_socket="${log}"; then
        touch /dev/log
        mount -n --bind "${log}" /dev/log
      fi
    end script

the code runs, but i can't get the mount to behave. this works:

    # logger -u /proc/4426/root/dev/log foo
    # tail -n1 /var/log/messages
    ...foo...

but this fails:

    # strace -enetwork logger asdf
    socket(AF_UNIX, SOCK_DGRAM, 0) = 3
    connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ECONNREFUSED (Connection refused)
    socket(AF_UNIX, SOCK_STREAM, 0) = 3
    connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ECONNREFUSED (Connection refused)

mount shows it was bind mounted:

    devtmpfs on /dev/log type devtmpfs (rw,nosuid,noexec,relatime,seclabel,size=4079660k,nr_inodes=1019915,mode=755)

but `ls` looks wrong:

    # ls -l /dev/log
    -rw-r--r--. 1 root root 0 May 16 02:28 /dev/log

using `cp -aZ /proc/4426/root/dev/log /dev/log` to at least pre-create it correctly doesn't help ... `ls` now looks good, but trying to use `logger` still runs into ECONNREFUSED.

at this point, i'm going to give up on trying to reduce /dev.
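As an added illustration (not code from this bug or from Chromium OS), a small C program that reproduces the kernel constraint the comment above runs into: bind() on an AF_UNIX address whose path already exists fails with EADDRINUSE, which is why /dev/log cannot be pre-created in the root namespace and handed to rsyslogd. The socket path under /tmp is a constructed placeholder.

```c
/* Added example: why a pre-created /dev/log cannot be handed to rsyslogd.
 * bind() on an AF_UNIX path refuses to reuse an existing filesystem entry,
 * so the path must be absent when the daemon binds. Constructed /tmp path. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a fresh datagram socket to `path`. Returns 0 on success or the
 * errno from bind(). The socket is closed either way; the node is left
 * on disk, just as a daemon leaves /dev/log behind. */
static int bind_unix_path(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    int ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr)) ? errno : 0;
    close(fd);
    return ret;
}

/* Reproduce the constraint: the first bind creates the node and succeeds,
 * a second bind to the same (now existing) path fails with EADDRINUSE, and
 * after unlink() the path is free again. Returns the errno of the second
 * attempt, or -1 if the first or third bind unexpectedly failed. */
int demo_precreated_socket_path(const char *path)
{
    unlink(path);                       /* start from a clean slate */
    int first = bind_unix_path(path);   /* expected: 0 */
    int second = bind_unix_path(path);  /* expected: EADDRINUSE */
    unlink(path);
    int third = bind_unix_path(path);   /* expected: 0 again */
    unlink(path);
    if (first != 0 || third != 0)
        return -1;
    return second;
}

int main(void)
{
    int err = demo_precreated_socket_path("/tmp/example-dev-log");
    printf("second bind() -> %s\n", strerror(err));
    return err == EADDRINUSE ? 0 : 1;
}
```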
May 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/a92c6720b02b83cd86f1f5e7c1ae50e12595fdee

commit a92c6720b02b83cd86f1f5e7c1ae50e12595fdee
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed May 16 23:43:06 2018

init: syslog: document /dev & /proc requirements

BUG=chromium:764455
TEST=precq passes

Change-Id: Ie7d6bf8efe59641ab6c59090f6ba8dc548690ebe
Reviewed-on: https://chromium-review.googlesource.com/1061094
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/a92c6720b02b83cd86f1f5e7c1ae50e12595fdee/init/upstart/syslog.conf
May 17 2018
with Luis's help, i think we've made as much progress as we're going to here w/out getting our hands a lot dirtier. i'm pretty happy with rsyslog only having write access to /var/log/ files even if we can't (somehow) mask out the rest of /dev/.
Jun 21 2018
issue 854832 should improve the /dev situation by blocking access to most nodes via cgroups device controller
Comment 1 by bugdroid1@chromium.org, Oct 15 2017