Proposal: ReadOnlyDirectories /etc and /usr for network-services

Daniel P. Berrange berrange at redhat.com
Mon Jul 22 16:43:54 UTC 2013 

On Mon, Jul 22, 2013 at 06:37:01PM +0200, Miloslav Trmač wrote:
> On Mon, Jul 22, 2013 at 6:22 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> > On Mon, Jul 22, 2013 at 04:53:36PM +0200, Miloslav Trmač wrote:
> >> On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> >> > has anybody considered to put the following as default in systemd-units of
> >> > network services? cross-posting to  users-list intented because i think it
> >> > is a good idea to bring it to a broader userbase!
> >> >
> >> > ReadOnlyDirectories=/etc
> >> > ReadOnlyDirectories=/usr
> >>
> >> I think it's generally known by now that I don't like namespaces as a
> >> security mechanism.  At best, this is duplicating SELinux policy with
> >> less transparency and worse tools.
> >
> > Namespaces really aren't duplicating SELinux policy, they are working
> > in a complementary fashion. There is clear value in having multiple
> > layers of security defence because things do fail for any number of
> > reasons.
> 
> The returns to additional layers enforcing the same policy are rapidly
> diminishing, though.  We already have DAC permissions, and MAC policy,
> and a third layer is being proposed.  Why not have four or ten?  We
> have to stop somewhere.

Counting layers of protection is not a helpful way to make decisions
on usage of security. As I said in my previous mail you should evaluate
the benefits of any proposed technology, and not rule it out simply
because we already have other options.

> >> (The network services shouldn't be running as root in the first place.)
> >
> > No argument there, but even if something is running as non-root there is
> > the potential for privilege escalation through security flaws in some
> > thing that they use. In such a scenario having a separate filesystem
> > namespace which has made certain areas read-only may well stop the
> > exploit.
> 
> If I am able to escalate to root privileges, I can just switch back to
> the system namespace using setns(2), so the protection doesn't
> actually exist.  So we're talking about limited circumstances where
> the attacker can modify files and not execute code, or where the
> attacker is root but not CAP_SYS_ADMIN (or whatever it is).

Using setns() requires opening a FD to /proc/$PID/ns/mount for a $PID in
the target namespace. If putting the service in a separate mount namespace,
it is easy to also set CLONE_PID, at which point the /proc/$PID/ns files
for any other process are no longer accessible.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the devel mailing list