Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Laura Abbott
On 12/12/2017 11:56 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 11:52 AM, Laura Abbott wrote: On 12/12/2017 11:23 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec:

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Laura Abbott
On 12/12/2017 11:56 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 11:52 AM, Laura Abbott wrote: On 12/12/2017 11:23 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Kees Cook
On Tue, Dec 12, 2017 at 11:52 AM, Laura Abbott wrote: > On 12/12/2017 11:23 AM, Kees Cook wrote: >> >> On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: >>> >>> Hello, >>> >>> Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK >>> races

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Kees Cook
On Tue, Dec 12, 2017 at 11:52 AM, Laura Abbott wrote: > On 12/12/2017 11:23 AM, Kees Cook wrote: >> >> On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: >>> >>> Hello, >>> >>> Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK >>> races with prlimit()" that made it into

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Laura Abbott
On 12/12/2017 11:23 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with prlimit()" that made it into 4.14.4 effectively changes the default hard RLIMIT_STACK on

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Laura Abbott
On 12/12/2017 11:23 AM, Kees Cook wrote: On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with prlimit()" that made it into 4.14.4 effectively changes the default hard RLIMIT_STACK on machines with

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
On Tuesday, 12 December 2017 20:23:47 CET Kees Cook wrote: > This is an interesting state for the system to be in, though, it means > AT_SECURE is being set for virtually all processes too? I would expect > that might break a lot too (but clearly it hasn't). Not really. AT_SECURE is set only for

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
On Tuesday, 12 December 2017 20:23:47 CET Kees Cook wrote: > This is an interesting state for the system to be in, though, it means > AT_SECURE is being set for virtually all processes too? I would expect > that might break a lot too (but clearly it hasn't). Not really. AT_SECURE is set only for

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Kees Cook
On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: > Hello, > > Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK > races with prlimit()" that made it into 4.14.4 effectively changes the default > hard RLIMIT_STACK on machines with SELinux (seen on Fedora

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Kees Cook
On Tue, Dec 12, 2017 at 2:58 AM, Tomáš Trnka wrote: > Hello, > > Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK > races with prlimit()" that made it into 4.14.4 effectively changes the default > hard RLIMIT_STACK on machines with SELinux (seen on Fedora 27). > >

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
> Of course this can be somewhat worked around by adjusting the SELinux policy > (allowing blanket noatsecure permission for init_t and possibly others) or > by pam_limits (for components using PAM). Correction: pam_limits also usually doesn't help here, as it's often followed by another

Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
> Of course this can be somewhat worked around by adjusting the SELinux policy > (allowing blanket noatsecure permission for init_t and possibly others) or > by pam_limits (for components using PAM). Correction: pam_limits also usually doesn't help here, as it's often followed by another

System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with prlimit()" that made it into 4.14.4 effectively changes the default hard RLIMIT_STACK on machines with SELinux (seen on Fedora 27). selinux_bprm_set_creds() sets bprm->secureexec for any SELinux domain

System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

2017-12-12 Thread Tomáš Trnka
Hello, Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with prlimit()" that made it into 4.14.4 effectively changes the default hard RLIMIT_STACK on machines with SELinux (seen on Fedora 27). selinux_bprm_set_creds() sets bprm->secureexec for any SELinux domain