Re: [systemd-devel] Creating executable device nodes in /dev?
On Wed, Dec 9, 2020 at 11:22 AM Topi Miettinen wrote: > > On 9.12.2020 17.14, Andy Lutomirski wrote: > > > Maybe also malware which can escape all means of detection, enforced by > the CPU? Though I don't know if any malware scanners for Linux work can > check for fileless, memory only malware. I don't think this is really relevant to malware detection. You can't do syscalls from SGX code, for example, and, even if you could, malware behavior analysis would be unaffected. The concern seems to be more that, once someone has discovered some malware, if it's protected by SGX then it's plausible that you can't disassemble it. > > > > > In Intel’s original vision, only specially licensed vendors could create > > SGX software, but Linux pushed back against this quite hard, and new CPUs > > allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on > > Linux. > > Kudos to Linux for the push. :) I don't know if Linux gets full credit for this, but I think we at least had some impact. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 17.14, Andy Lutomirski wrote: On Dec 9, 2020, at 12:58 AM, Topi Miettinen wrote: On 9.12.2020 2.42, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? Typo: "of" = "of /dev" For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? The debate is circled around something not well defined. Of course you get theoretically more safe system when you decrease priviliges anywhere in the system. Like you could start do grazy things with stuff that unprivilged user has access, in order to prevent malware to elevate to UID 0 in the first place. I think where this go intellectually wrong is that we are talking about *default installation* of a distribution. That should have somewhat sane common sense access control settings. For like a normal desktop user noexec /dev will not do any possible favor. Then there is the case when you want to harden installation for an application, let's' say some server. In that case you will anyway fine-tune the security settings and go grazy enough with hardening. When you tailor a server, it's a standard practice to enumerate and adjust the mount points if needed. I think we agree that there's a need for either way to allow SGX (if default is hardened) or a hardening option (in the opposite case). For systemd I see two approaches: 1. Default noexec /dev, override with something like - ExecPaths=/dev - MountOptions=/dev:rw,exec,dev,nosuid - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid - ProtectDev=no - AllowSGX=yes 2. Default exec /dev, override with - NoExecPaths=/dev - MountOptions=/dev:rw,noexec,dev,nosuid - ProtectDev=yes - DenySGX=yes I'd prefer 1. but of course 2. would be reasonable. I would argue for 2, for the following reason. I absolutely agree that hardening a system by making it impossible to create executable code dynamically is valuable, but I don’t think it’s a good default. By default, programs like gcc and clang should work, but so should JITs, and JITs are getting more popular and powerful all the time. In a default setting that allows JITs, etc, I see no benefit at all to making /dev noexec. To the contrary, making /dev noexec seems like plugging a little restricted corner of code creation (because it requires UID=0) while allowing the easy ways (/tmp, /home, /dev/shm, unshare(2), mmap(), etc). By all means let admins harden this, but I see no reason to apply some of the hardening when the rest is disabled. Makes sense, especially if anything in theory could be expected to use SGX. In practice, probably no system services will at least initially, so hardening knobs make also sense. To summarize, I neither understand the intended target audience. We have something in common: me neither. What's the target audience for SGX? What's the use case? What are the users: browsers, system services? How would applications use SGX? Should udev rules for /dev/sgx make it available to any logged in users with uaccess tags? I would certainly like it to be available to all software, with the possible exception of extra-hardened systems. Using SGX is not really an interesting attack surface. The main threat is that malware might use SGX to make itself hard to reverse engineer. Maybe also malware which can escape all means of detection, enforced by the CPU? Though I don't know if any malware scanners for Linux work can check for fileless, memory only malware. In Intel’s original vision, only specially licensed vendors could create SGX software, but Linux pushed back against this quite hard, and new CPUs allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on Linux. Kudos to Linux for the push. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org
Re: [systemd-devel] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?
On Wed, 2020-12-09 at 10:50 +0100, Lennart Poettering wrote: > Heya! > > Currently, some parts of the systemd tree link against OpenSSL, others > link against gnutls and libgcrypt, and even others support either, > controlled by a compile time switch. > > This is of course less than ideal, since it means we need to maintain > needlessly complex, redundant code to support this, it's not complete > (as not all combinations are supported), and footprint for general > purpose distros is effectively doubled. > > I think we should go OpenSSL all the way, and replace/drop support for > gnutls and libgcrypt, unifying on a single crypto library. This was > previously problematic since on Debian linking LGPL code against > OpenSSL was considered legally "unclean". This has recently changed > though: > > https://github.com/systemd/systemd/pull/14743#issuecomment-739001595 > > Hence, given that the legal issues around going OpenSSL exclusively > all the way are gone, I think it's time to do the full switch. Hence > I'd like to propose that we start transitioning with depending only on > OpenSSL sooner or later. This means: > > 1. Porting the currently remaining GnuTLS/gcrypt-only code over to openssl > > 2. Dropping redundant implementations for gnutls/gcrypt where we >already have openssl support > > 3. Require for new code to be openssl-only. > > Ultimately this should provide us with a smaller codebase, smaller OS > footprint and easier maintainance. > > Before we make this decision and switch over I'd like to hear opinions > on this, though. Maybe I am missing something, and there are other > reasons why people want to keep gnutls/gcrypt support around? > > Why unify on OpenSSL instead of doing it the other way and unify on > gnutls + gcrypt, btw? We don't really have any horse in that race. All > crypto libraries have well documented issues, like any code. It > appears to me though that OpenSSL has the more active and larger > community and wider industry support. It appears to me that dropping > gntuls/gcrypt frrom the basic OS package set is easier to reach then > dropping OpenSSL. In the interest of making the minimal set of OS > packages required to boot a system smaller I think OpenSSL is the > better choice. > > The fabled future OpenSSL 3 release is supposed to come with a changed > license, which will attack the Debian license incompatibility from > another angle btw. It was supposed to be released many months ago > already, afaiu, but that unfortunately never happened. So far we were > counting on this to resolve the licensing situation around crypto > libraries. Due to the Debian change I figure we can speed up things > now, though. > > Lennart Hi, I cannot think of any reason to maintain compatibility with multiple ssl libraries, nor for preferring GnuTLS/gcrypt. Choosing OpenSSL sounds just fine. With my downstream-maintainer-of-minimal-distro at $work hat on, I am super in favour for this change, and it will help us greatly. With my Debian Dev hat on, I can add that another nice thing about the recent decision by the FTP Team is that it instantly applies to all Debian releases - there is nothing to wait for, nothing to update, nothing to change. We can just start linking things, in downstreams too. And I can add a couple more references for those interested: http://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html https://bugs.debian.org/972181 The only question I have is, was it checked whether the required features currently provided by GnuTLS/gcrypt are all available in OpenSSL? I know there is more or less feature parity, but devil's in the details. As far as I can see, the only pieces using GnuTLS unconditionally right now are systemd-journal-gatewayd and systemd-journal-remote. Regarding gcrypt, journald uses it for sealing and resolved for dnssec. dnssec looks like the most complex feature to port over, in terms of klocs. Everything else supports OpenSSL already. -- Kind regards, Luca Boccassi signature.asc Description: This is a digitally signed message part ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
> On Dec 9, 2020, at 12:58 AM, Topi Miettinen wrote: > > On 9.12.2020 2.42, Jarkko Sakkinen wrote: >>> On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: >>> On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: >>> As a further argument, I just did this on a Fedora system: >>> $ find /dev -perm /ugo+x -a \! -type d -a \! -type l >>> No results. So making /dev noexec doesn't seem to have any benefit. >> >> It's no surprise that there aren't any executables in /dev since >> removing MAKEDEV ages ago. That's not the issue, which is that >> /dev is a writable directory (for UID=0 but no capabilities are >> needed) and thus a potential location for constructing unapproved >> executables if it is also mounted exec (W^X). > > UID 0 can just change mount options, though, unless SELinux or similar is > used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi >>> >>> What's the data that supports having noexec /dev anyway? With root >>> access I can then just use something else like /dev/shm mount. >>> >>> Has there been out in the wild real world cases that noexec mount >>> of would have prevented? >> Typo: "of" = "of /dev" >>> For me this sounds a lot just something that "feels more secure" >>> without any measurable benefit. Can you prove me wrong? >> The debate is circled around something not well defined. Of course you >> get theoretically more safe system when you decrease priviliges anywhere >> in the system. Like you could start do grazy things with stuff that >> unprivilged user has access, in order to prevent malware to elevate to >> UID 0 in the first place. >> I think where this go intellectually wrong is that we are talking about >> *default installation* of a distribution. That should have somewhat sane >> common sense access control settings. For like a normal desktop user >> noexec /dev will not do any possible favor. >> Then there is the case when you want to harden installation for an >> application, let's' say some server. In that case you will anyway >> fine-tune the security settings and go grazy enough with hardening. >> When you tailor a server, it's a standard practice to enumerate and >> adjust the mount points if needed. > > I think we agree that there's a need for either way to allow SGX (if default > is hardened) or a hardening option (in the opposite case). For systemd I see > two approaches: > > 1. Default noexec /dev, override with something like > - ExecPaths=/dev > - MountOptions=/dev:rw,exec,dev,nosuid > - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid > - ProtectDev=no > - AllowSGX=yes > > 2. Default exec /dev, override with > - NoExecPaths=/dev > - MountOptions=/dev:rw,noexec,dev,nosuid > - ProtectDev=yes > - DenySGX=yes > > I'd prefer 1. but of course 2. would be reasonable. I would argue for 2, for the following reason. I absolutely agree that hardening a system by making it impossible to create executable code dynamically is valuable, but I don’t think it’s a good default. By default, programs like gcc and clang should work, but so should JITs, and JITs are getting more popular and powerful all the time. In a default setting that allows JITs, etc, I see no benefit at all to making /dev noexec. To the contrary, making /dev noexec seems like plugging a little restricted corner of code creation (because it requires UID=0) while allowing the easy ways (/tmp, /home, /dev/shm, unshare(2), mmap(), etc). By all means let admins harden this, but I see no reason to apply some of the hardening when the rest is disabled. > >> To summarize, I neither understand the intended target audience. > > We have something in common: me neither. What's the target audience for SGX? > What's the use case? What are the users: browsers, system services? How would > applications use SGX? Should udev rules for /dev/sgx make it available to any > logged in users with uaccess tags? > > I would certainly like it to be available to all software, with the possible exception of extra-hardened systems. Using SGX is not really an interesting attack surface. The main threat is that malware might use SGX to make itself hard to reverse engineer. In Intel’s original vision, only specially licensed vendors could create SGX software, but Linux pushed back against this quite hard, and new CPUs allow unlicensed enclaves. So your Skylake CPUs support SGX, but not on Linux. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Antw: [EXT] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?
On Mi, 09.12.20 10:55, Ulrich Windl (ulrich.wi...@rz.uni-regensburg.de) wrote: > > This is of course less than ideal, since it means we need to maintain > > needlessly complex, redundant code to support this, it's not complete > > (as not all combinations are supported), and footprint for general > > purpose distros is effectively doubled. > > > > I think we should go OpenSSL all the way, and replace/drop support for > > gnutls and libgcrypt, unifying on a single crypto library. This was > > previously problematic since on Debian linking LGPL code against > > OpenSSL was considered legally "unclean". This has recently changed > > though: > > What about this: > Have a mechanism to select either gnutls or openssl for everything. Hu, no. I am not gonna write *more* code to get rid of code. The goal is to make the footprint smaller, not to make it larger. > Then see how many people will use gnutls and how many will use openssl. > Then decide what to do. We won't see that. The distro people make decisions what to enable and what not. They might as well tell us right-away then. Which is what I am asking for here: if anyone actually cares about gnutls/gcrypt support and what the reasons for them are. I want something stronger than "I like" and "I dislike". I want to hear technical, or legal reasons. Not "taste". Lennart -- Lennart Poettering, Berlin ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] Antw: [EXT] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?
>>> Lennart Poettering schrieb am 09.12.2020 um 10:50 in Nachricht <20201209095057.GA30977@gardel-login>: > Heya! > > Currently, some parts of the systemd tree link against OpenSSL, others > link against gnutls and libgcrypt, and even others support either, > controlled by a compile time switch. > > This is of course less than ideal, since it means we need to maintain > needlessly complex, redundant code to support this, it's not complete > (as not all combinations are supported), and footprint for general > purpose distros is effectively doubled. > > I think we should go OpenSSL all the way, and replace/drop support for > gnutls and libgcrypt, unifying on a single crypto library. This was > previously problematic since on Debian linking LGPL code against > OpenSSL was considered legally "unclean". This has recently changed > though: What about this: Have a mechanism to select either gnutls or openssl for everything. Then see how many people will use gnutls and how many will use openssl. Then decide what to do. > > https://github.com/systemd/systemd/pull/14743#issuecomment‑739001595 > > Hence, given that the legal issues around going OpenSSL exclusively > all the way are gone, I think it's time to do the full switch. Hence > I'd like to propose that we start transitioning with depending only on > OpenSSL sooner or later. This means: > > 1. Porting the currently remaining GnuTLS/gcrypt‑only code over to openssl > > 2. Dropping redundant implementations for gnutls/gcrypt where we >already have openssl support > > 3. Require for new code to be openssl‑only. > > Ultimately this should provide us with a smaller codebase, smaller OS > footprint and easier maintainance. > > Before we make this decision and switch over I'd like to hear opinions > on this, though. Maybe I am missing something, and there are other > reasons why people want to keep gnutls/gcrypt support around? > > Why unify on OpenSSL instead of doing it the other way and unify on > gnutls + gcrypt, btw? We don't really have any horse in that race. All > crypto libraries have well documented issues, like any code. It > appears to me though that OpenSSL has the more active and larger > community and wider industry support. It appears to me that dropping > gntuls/gcrypt frrom the basic OS package set is easier to reach then > dropping OpenSSL. In the interest of making the minimal set of OS > packages required to boot a system smaller I think OpenSSL is the > better choice. > > The fabled future OpenSSL 3 release is supposed to come with a changed > license, which will attack the Debian license incompatibility from > another angle btw. It was supposed to be released many months ago > already, afaiu, but that unfortunately never happened. So far we were > counting on this to resolve the licensing situation around crypto > libraries. Due to the Debian change I figure we can speed up things > now, though. > > Lennart > > ‑‑ > Lennart Poettering, Berlin > ___ > systemd‑devel mailing list > systemd‑de...@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/systemd‑devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?
Heya! Currently, some parts of the systemd tree link against OpenSSL, others link against gnutls and libgcrypt, and even others support either, controlled by a compile time switch. This is of course less than ideal, since it means we need to maintain needlessly complex, redundant code to support this, it's not complete (as not all combinations are supported), and footprint for general purpose distros is effectively doubled. I think we should go OpenSSL all the way, and replace/drop support for gnutls and libgcrypt, unifying on a single crypto library. This was previously problematic since on Debian linking LGPL code against OpenSSL was considered legally "unclean". This has recently changed though: https://github.com/systemd/systemd/pull/14743#issuecomment-739001595 Hence, given that the legal issues around going OpenSSL exclusively all the way are gone, I think it's time to do the full switch. Hence I'd like to propose that we start transitioning with depending only on OpenSSL sooner or later. This means: 1. Porting the currently remaining GnuTLS/gcrypt-only code over to openssl 2. Dropping redundant implementations for gnutls/gcrypt where we already have openssl support 3. Require for new code to be openssl-only. Ultimately this should provide us with a smaller codebase, smaller OS footprint and easier maintainance. Before we make this decision and switch over I'd like to hear opinions on this, though. Maybe I am missing something, and there are other reasons why people want to keep gnutls/gcrypt support around? Why unify on OpenSSL instead of doing it the other way and unify on gnutls + gcrypt, btw? We don't really have any horse in that race. All crypto libraries have well documented issues, like any code. It appears to me though that OpenSSL has the more active and larger community and wider industry support. It appears to me that dropping gntuls/gcrypt frrom the basic OS package set is easier to reach then dropping OpenSSL. In the interest of making the minimal set of OS packages required to boot a system smaller I think OpenSSL is the better choice. The fabled future OpenSSL 3 release is supposed to come with a changed license, which will attack the Debian license incompatibility from another angle btw. It was supposed to be released many months ago already, afaiu, but that unfortunately never happened. So far we were counting on this to resolve the licensing situation around crypto libraries. Due to the Debian change I figure we can speed up things now, though. Lennart -- Lennart Poettering, Berlin ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 2.42, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? Typo: "of" = "of /dev" For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? The debate is circled around something not well defined. Of course you get theoretically more safe system when you decrease priviliges anywhere in the system. Like you could start do grazy things with stuff that unprivilged user has access, in order to prevent malware to elevate to UID 0 in the first place. I think where this go intellectually wrong is that we are talking about *default installation* of a distribution. That should have somewhat sane common sense access control settings. For like a normal desktop user noexec /dev will not do any possible favor. Then there is the case when you want to harden installation for an application, let's' say some server. In that case you will anyway fine-tune the security settings and go grazy enough with hardening. When you tailor a server, it's a standard practice to enumerate and adjust the mount points if needed. I think we agree that there's a need for either way to allow SGX (if default is hardened) or a hardening option (in the opposite case). For systemd I see two approaches: 1. Default noexec /dev, override with something like - ExecPaths=/dev - MountOptions=/dev:rw,exec,dev,nosuid - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid - ProtectDev=no - AllowSGX=yes 2. Default exec /dev, override with - NoExecPaths=/dev - MountOptions=/dev:rw,noexec,dev,nosuid - ProtectDev=yes - DenySGX=yes I'd prefer 1. but of course 2. would be reasonable. To summarize, I neither understand the intended target audience. We have something in common: me neither. What's the target audience for SGX? What's the use case? What are the users: browsers, system services? How would applications use SGX? Should udev rules for /dev/sgx make it available to any logged in users with uaccess tags? -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating executable device nodes in /dev?
On 9.12.2020 2.15, Jarkko Sakkinen wrote: On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote: As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. It's no surprise that there aren't any executables in /dev since removing MAKEDEV ages ago. That's not the issue, which is that /dev is a writable directory (for UID=0 but no capabilities are needed) and thus a potential location for constructing unapproved executables if it is also mounted exec (W^X). UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec. Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux is not universal and the policies might not contain all users or services. -Topi What's the data that supports having noexec /dev anyway? With root access I can then just use something else like /dev/shm mount. Has there been out in the wild real world cases that noexec mount of would have prevented? For me this sounds a lot just something that "feels more secure" without any measurable benefit. Can you prove me wrong? I don't think security works that way. An attacker has various methods to choose from, some are more interesting than others. The case where rw,exec /dev would be interesting would imply that easier or more common avenues would be blocked, for example rw,exec /dev/shm, /tmp, /var/tmp, or /run/user/$UID/ for user. Also fileless malware with pure ROP/JOP approach with no need for any file system access is getting more common. It does not mean that it would not be prudent to block the relatively easy approaches too, including /dev. -Topi ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel