Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 15 Jun 2011 18:38:44 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: HARDEN_VM86

Vasiliy,

On Tue, Jun 14, 2011 at 12:35:59PM +0400, Vasiliy Kulikov wrote:
> While actual implementation of CONFIG_HARDEN_VM86 is trivial, the most
> important part of pushing the feature into upstream is clarifying to
> what security domain vm86(2)/vm86old(2) should be restricted.  In -ow
> and -grsecurity it is restricted to CAP_SYS_RAWIO.
> 
> I see 3 possibilities:
> 
> 1) Restrict it to CAP_SYS_RAWIO and make it configurable via sysctl
> kernel.vm86_restricted.  0 means current behaviour, 1 means
> CAP_SYS_RAWIO-only.
> 
> 2) The same as (1), but CAP_SYS_ADMIN.

CAP_SYS_RAWIO makes more sense to me.  This is relatively low level
access to hardware, similar in spirit to what e.g. X servers do/did.
There's little sysadmin'ish in running dosemu.

> 3) Restrict it to some group or CAP_SYS_ADMIN, configurable via
> kernel.vm86_group_allowed.  As vm86 is a rarely used thing, group range
> makes little sense for me.  0 means root only, -1 means current
> behaviour, X>0 means group X.

This would definitely be more usable than a capability, because both
CAP_SYS_RAWIO and CAP_SYS_ADMIN grant way too much (actually "root").

If upstream is fine with sysctl's setting gids, and this appears to be
the case, then let's go for this.

A group range would make some sense to me, but a single group is also
fine.  With just a single number to specify, you reserve two values for
special meaning, but that's OK.  Just make sure you don't grant anything
to group root by default, because gid 0 is sometimes leaked to a user
inadvertently.

BTW, a related syscall is modify_ldt(2).  You could want to research
what programs use it, and consider restricting it as well.  Perhaps with
a separate sysctl?

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.