minijail0 does not consider fcaps of binary
Reported by graziano...@gmail.com, Oct 25 2017
Issue description

While playing with minijail I noticed that I could launch a service with _higher_ permissions if I launched minijail as a normal user.

```
[gmisuraca@grazberrypi:~/code/test]$ ../minijail/minijail0 -u gmisuraca ./testsched x
CapInh: 0000000000000000
CapPrm: 0000000000800000
CapEff: 0000000000800000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Sched before 0
Sched after 1
[gmisuraca@grazberrypi:~/code/test]$ sudo ../minijail/minijail0 -u gmisuraca ./testsched x
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Sched before 0
Failed to set scheduler!
```

I could also circumvent minijail shedding capabilities by pretending the binary is static:

```
[gmisuraca@grazberrypi:~/code/test]$ sudo ../minijail/minijail0 -u gmisuraca -T static ./testsched x
CapInh: 0000000000000000
CapPrm: 0000000000800000
CapEff: 0000000000800000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Sched before 0
Sched after 1
```

Turns out it's dependent on whether minijail has the permissions to mess with caps (only in sudo cases) and whether execve happens before or after these are shed (after in the `-T static` case).

What the bug is here is up for debate, but I think the fact that the behaviour is different depending on whether the binary is static or not suggests that at least the inconsistency should be fixed. That said, if fcaps were taken into consideration (e.g. mask against that set) we would avoid this issue while preserving the ability (with -c) to explicitly set caps.
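The report turns on how execve(2) recomputes a process's capability sets from the file capabilities of the binary it runs. The following C program is an added example, not code from the report, from the reporter's testsched binary, or from Minijail: it parses the CapXxx lines of /proc/<pid>/status (the sample text is constructed from the first run above), applies the execve transformation from capabilities(7) to the two situations in the report, and shows the check a practitioner would want: clearing the bit from the bounding set before execve stops the file capability from being granted no matter whether the drop happens before or after the exec. It assumes testsched carries cap_sys_nice=ep; the report does not say so, but CapPrm/CapEff 0x800000 is bit 23, CAP_SYS_NICE, which is the only way that value arises from an empty set. The root and set-UID-root special cases of the transformation are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE 23                   /* bit 23 == the 0x800000 in the report */
#define CAP_TO_MASK(c) ((uint64_t)1 << (c))
#define CAP_BND_ALL 0x3fffffffffULL       /* CapBnd in the report: caps 0..37 */

/* The five sets a process carries, in the order /proc/<pid>/status prints them. */
struct capsets { uint64_t inh, prm, eff, bnd, amb; };

/* File capabilities from the security.capability xattr: two sets and one flag. */
struct filecaps { uint64_t permitted, inheritable; int effective; };

/* Constructed sample: the status lines of the first (unprivileged) run. */
static const char sample_status[] =
    "Name:\ttestsched\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000800000\n"
    "CapEff:\t0000000000800000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n";

/* Assumed (not stated in the report): testsched was given cap_sys_nice=ep. */
static const struct filecaps testsched_fcaps = { CAP_TO_MASK(CAP_SYS_NICE), 0, 1 };

int cap_in(uint64_t set, int cap) { return (set >> cap) & 1; }

/* Parse the "CapXxx:\t<hex>" lines of a status buffer. Sets whose line is
 * missing (kernels before 4.3 print no CapAmb) stay zero. Returns the count found. */
int parse_caps(const char *status, struct capsets *out)
{
    static const struct { const char *key; size_t off; } keys[] = {
        { "CapInh:", offsetof(struct capsets, inh) },
        { "CapPrm:", offsetof(struct capsets, prm) },
        { "CapEff:", offsetof(struct capsets, eff) },
        { "CapBnd:", offsetof(struct capsets, bnd) },
        { "CapAmb:", offsetof(struct capsets, amb) },
    };
    int found = 0;

    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        const char *p = strstr(status, keys[i].key);
        uint64_t v;

        if (!p)
            continue;
        p += strlen(keys[i].key);
        while (*p == ' ' || *p == '\t')
            p++;
        v = strtoull(p, NULL, 16);           /* stops at the newline */
        memcpy((char *)out + keys[i].off, &v, sizeof v);
        found++;
    }
    return found;
}

/* execve(2) transformation for a non-root caller, per capabilities(7):
 *   P'(amb) = file has caps ? 0 : P(amb)
 *   P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb)
 *   P'(eff) = F(eff) ? P'(prm) : P'(amb)
 *   P'(inh) = P(inh), P'(bnd) = P(bnd) */
struct capsets execve_caps(struct capsets p, struct filecaps f)
{
    struct capsets n = p;
    int privileged = (f.permitted | f.inheritable) != 0;

    n.amb = privileged ? 0 : p.amb;
    n.prm = (p.inh & f.inheritable) | (f.permitted & p.bnd) | n.amb;
    n.eff = f.effective ? n.prm : n.amb;
    return n;
}

/* The -T static (and plain unprivileged) case: every set is empty before the
 * exec but the bounding set is full, so F(prm) & P(bnd) hands the bit back. */
uint64_t eff_after_static_exec(void)
{
    struct capsets pre = { 0, 0, 0, CAP_BND_ALL, 0 };
    return execve_caps(pre, testsched_fcaps).eff;
}

/* Same, after removing CAP_SYS_NICE from the bounding set first (what
 * prctl(PR_CAPBSET_DROP) does): the file capability can no longer be granted. */
uint64_t eff_after_exec_with_bnd_dropped(void)
{
    struct capsets pre = { 0, 0, 0, CAP_BND_ALL & ~CAP_TO_MASK(CAP_SYS_NICE), 0 };
    return execve_caps(pre, testsched_fcaps).eff;
}

int main(void)
{
    struct capsets s;
    char buf[8192];
    FILE *fp = fopen("/proc/self/status", "r");   /* live view, on Linux */

    parse_caps(sample_status, &s);
    printf("sample: CapEff=%016llx has CAP_SYS_NICE=%d\n",
           (unsigned long long)s.eff, cap_in(s.eff, CAP_SYS_NICE));
    printf("static exec, full bounding set:    eff=%016llx\n",
           (unsigned long long)eff_after_static_exec());
    printf("static exec, CAP_SYS_NICE dropped: eff=%016llx\n",
           (unsigned long long)eff_after_exec_with_bnd_dropped());
    if (fp) {
        size_t n = fread(buf, 1, sizeof buf - 1, fp);
        buf[n] = '\0';
        fclose(fp);
        if (parse_caps(buf, &s))
            printf("self: CapPrm=%016llx CapBnd=%016llx\n",
                   (unsigned long long)s.prm, (unsigned long long)s.bnd);
    }
    return 0;
}
```

The model shows why the two orderings in the report differ: with the preload hook, the file capabilities are applied at execve and then shed by the hook inside the child, whereas with -T static the sets are emptied first and execve refills the permitted set from F(prm) & P(bnd) because the bounding set was left intact. Reading the file's own caps and masking against them, as the report suggests, closes the gap for that binary; dropping the bit from the bounding set closes it for any binary the child might go on to exec.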
Oct 27 2017
Maybe we can get this done by 64.
Oct 27 2017
I don't think this applies to any CrOS system, so we can consider it a feature request without any schedule requirements. Just to be clear though, passing diff flags to minijail (like -T static) to bypass security behavior isn't something the minijail program itself needs to "protect" against ... that isn't part of the attack surface. Although we could be clearer in the man page as to the implications of disabling the preload hook, and add some text discussing expected usage scenarios.
Oct 27 2017
That's fair, adjusting flags. It's also true that we don't consider the Minijail invocation to be inside the threat model. However, as Mike mentions, this can be confusing behaviour, especially when Minijail is not executed as root, so we should make things clearer.
Jun 21 2018
Comment 1 by ajha@chromium.org, Oct 26 2017