oss-sec mailing list archives

Re: Re: Firejail local root exploit


From: Simon McVittie <smcv () debian org>
Date: Sun, 8 Jan 2017 15:19:33 +0000

On Sun, 08 Jan 2017 at 12:51:58 +0100, Martin Carpenter wrote:
> Here's disable_coredumps() from sudo 1.8.9p5 (as shipped with Ubuntu 14.04,
> which does not disable suid coredumps on desktop by default):
> [... the active ingredient is ...]
>     (void) getrlimit(RLIMIT_CORE, &corelimit);
>     memcpy(&rl, &corelimit, sizeof(struct rlimit));
>     rl.rlim_cur = 0;
>     (void) setrlimit(RLIMIT_CORE, &rl);

This is not actually enough. dbus has one regression test involving a
binary that deliberately segfaults (so we can assert that the resulting
error is reported correctly) and we found that with tools like corekeeper
that set core_pattern="|some-helper", code similar to sudo's still resulted
in a core dump being written into the pipe to some-helper. In dbus this
was only a performance issue and not a security issue (dumping core
repeatedly made our unit tests really slow).

To address that, we added this:

#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  /* Really, no core dumps please. On Linux, if core_pattern is
   * set to a pipe (for abrt/apport/corekeeper/etc.), RLIMIT_CORE of 0
   * is ignored (deliberately, so people can debug init(8) and other
   * early stuff); but Linux has PR_SET_DUMPABLE, so we can avoid core
   * dumps anyway. */
  prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
#endif

Reference: https://bugs.freedesktop.org/show_bug.cgi?id=83772
Rationale for RLIMIT_CORE=0 being ignored in this case:
https://lkml.org/lkml/2011/8/24/136

> there just has to be more stuff out there like this. sudo was literally
> the first thing I looked at... Disabling filter inheritance across the
> privilege boundary doesn't seem like an obviously good solution(?).

bubblewrap opts-out of setuid and similar mechanisms by unconditionally
setting PR_SET_NO_NEW_PRIVS (and bailing out if that fails), which seems
a good idea for anything that claims to be a sandbox. If feasible, I would
recommend that firejail should do the same.

    S
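The three mechanisms discussed in this thread (sudo's RLIMIT_CORE=0, the dbus PR_SET_DUMPABLE fix, and bubblewrap's PR_SET_NO_NEW_PRIVS rule) combined into one Linux helper. This is an added illustration, not code from sudo, dbus, bubblewrap or firejail; the function names and the step numbering are mine.

```c
#include <sys/prctl.h>
#include <sys/resource.h>

/* Older headers may lack these; the values are the Linux ones. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Step 1, sudo's approach: soft-limit core size to 0. The kernel ignores this
 * when core_pattern is a pipe, so on its own it does not prevent the dump. */
int core_limit_zero(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    rl.rlim_cur = 0; /* lowering only the soft limit never needs privilege */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Step 2, dbus's addition: clear the dumpable flag. A non-dumpable process is
 * never core-dumped, pipe or not, and unprivileged ptrace of it is refused.
 * The flag is recomputed on every execve(), so each program sets it itself. */
int make_non_dumpable(void) {
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Step 3, bubblewrap's rule: afterwards execve() of setuid/setgid or
 * file-capability binaries grants no extra privilege, so sandbox state such
 * as a seccomp filter cannot cross a privilege boundary. One-way, inherited. */
int set_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Apply all three in order; 0 on success, else the number of the failed step. */
int harden_process(void) {
    if (core_limit_zero() != 0)   return 1;
    if (make_non_dumpable() != 0) return 2;
    if (set_no_new_privs() != 0)  return 3;
    return 0;
}

/* Read back what the kernel reports: 1 only if all three settings took effect. */
int hardened_state_ok(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0 || rl.rlim_cur != 0)
        return 0;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0
        && prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}
```

A sandbox would call harden_process() before installing its seccomp filter and before exec'ing the child; because no_new_privs survives exec, the sudo-style program on the other side of the boundary is then never granted its setuid privileges.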
