diff mbox

Expose x_tables /proc entries as 0444 not 0440

Message ID 20151107074939.GA4003@compaq.slightly-cracked.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Philip Whineray Nov. 7, 2015, 7:49 a.m. UTC 
Reading these files is impossible in an unprivileged user namespace,
interfering with various firewall tools. For instance, iptables-save
relies on reading /proc/net/ip_tables_names to dump only loaded tables.

Hiding the contents from non-root users does not achieve anything
practical. Possible values are well-known and the specifics can
be inferred from a list of loaded modules on most systems.

Signed-off-by: Philip Whineray <phil@firehol.org>
---
An alternate might be to change the ownership of the files within the
namespace when it is created:

https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html

I do not see that there is much advantage to this, it just ties the
ability to read the files to the ability to create an unprivileged
namespace.

 net/netfilter/x_tables.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Pablo Neira Ayuso Nov. 11, 2015, 4:50 p.m. UTC | #1 
On Sat, Nov 07, 2015 at 07:49:39AM +0000, Philip Whineray wrote:
> Reading these files is impossible in an unprivileged user namespace,
> interfering with various firewall tools. For instance, iptables-save
> relies on reading /proc/net/ip_tables_names to dump only loaded tables.
> 
> Hiding the contents from non-root users does not achieve anything
> practical. Possible values are well-known and the specifics can
> be inferred from a list of loaded modules on most systems.
> 
> Signed-off-by: Philip Whineray <phil@firehol.org>
> ---
> An alternate might be to change the ownership of the files within the
> namespace when it is created:
> 
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html
> 
> I do not see that there is much advantage to this, it just ties the
> ability to read the files to the ability to create an unprivileged
> namespace.

So I understood this correctly, this approach would set the ownership
of the /proc entry to the corresponding root uid mapping from the
unpriviledged namespace, right? If so, I would prefer that approach.

This is partially leaking the filtering policy to non-root users as it
contains what modules are being used, so you can at least infer how
complex your ruleset is.

And I guess it will not be long time until someone else will follow up
with a similar patch later on to expose the content of
/proc/net/nf_conntrack to get this working on unpriviledged namespaces
too.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jozsef Kadlecsik Nov. 11, 2015, 6:25 p.m. UTC | #2 
On Wed, 11 Nov 2015, Pablo Neira Ayuso wrote:

> On Sat, Nov 07, 2015 at 07:49:39AM +0000, Philip Whineray wrote:
> > Reading these files is impossible in an unprivileged user namespace,
> > interfering with various firewall tools. For instance, iptables-save
> > relies on reading /proc/net/ip_tables_names to dump only loaded tables.
> > 
> > Hiding the contents from non-root users does not achieve anything
> > practical. Possible values are well-known and the specifics can
> > be inferred from a list of loaded modules on most systems.
> > 
> > Signed-off-by: Philip Whineray <phil@firehol.org>
> > ---
> > An alternate might be to change the ownership of the files within the
> > namespace when it is created:
> > 
> > https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html
> > 
> > I do not see that there is much advantage to this, it just ties the
> > ability to read the files to the ability to create an unprivileged
> > namespace.
> 
> So I understood this correctly, this approach would set the ownership
> of the /proc entry to the corresponding root uid mapping from the
> unpriviledged namespace, right? If so, I would prefer that approach.
> 
> This is partially leaking the filtering policy to non-root users as it
> contains what modules are being used, so you can at least infer how
> complex your ruleset is.
> 
> And I guess it will not be long time until someone else will follow up
> with a similar patch later on to expose the content of
> /proc/net/nf_conntrack to get this working on unpriviledged namespaces
> too.

Can't it be worked out by using CAP_NET_ADMIN? I don't really like the 
idea to expose the files to non root users or users with not sufficient 
capabilities.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Florian Westphal Nov. 11, 2015, 6:40 p.m. UTC | #3 
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Hiding the contents from non-root users does not achieve anything
> > practical. Possible values are well-known and the specifics can
> > be inferred from a list of loaded modules on most systems.

I agree, thus
Acked-by: Florian Westphal <fw@strlen.de>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jan Engelhardt Nov. 11, 2015, 6:48 p.m. UTC | #4 
On Wednesday 2015-11-11 19:40, Florian Westphal wrote:
>Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > Hiding the contents from non-root users does not achieve anything
>> > practical. Possible values are well-known and the specifics can
>> > be inferred from a list of loaded modules on most systems.

Conversely, an administrator could just load all modules to give a false 
impression. Since the adversary can in turn expect it, he knows as 
little as before. In particular, containerized environments will have it 
such that many modules are loaded, but each container still has their 
own ruleset.
So yeah, hiding the contents is not going to achieve anything - nor is 
showing. (I am concurring here with the other respondents.)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Philip Whineray Nov. 11, 2015, 7:35 p.m. UTC | #5 
On Wed, Nov 11, 2015 at 07:48:11PM +0100, Jan Engelhardt wrote:
> On Wednesday 2015-11-11 19:40, Florian Westphal wrote:
> >Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> > Hiding the contents from non-root users does not achieve anything
> >> > practical. Possible values are well-known and the specifics can
> >> > be inferred from a list of loaded modules on most systems.
> 
> Conversely, an administrator could just load all modules to give a false 
> impression. Since the adversary can in turn expect it, he knows as 
> little as before. In particular, containerized environments will have it 
> such that many modules are loaded, but each container still has their 
> own ruleset.
> So yeah, hiding the contents is not going to achieve anything - nor is 
> showing. (I am concurring here with the other respondents.)

Sorry - I've gotten confused about who thinks what exactly. I hope
the below isn't wasting everyone's time.

Unhiding /proc/ip_tables_names content achieves something specific: it
is used by iptables-save to determine what it should write out (in
the absence of a specific table being asked for, which I believe is
the norm).

I currently have a workaround using a horrific series of bind mounts
which substitutes in a normal file with the values iptables-save expects.

Two alternates on the table are:

- change ownership of the file in the namespace (wherein a user runs
  "unshare -U -r -n cat /proc/net/ip_tables_names" to do the same as
  "cat /proc/net/ip_tables_names" with 0444 perms, so not adding much
  unless unprivileged namespaces are disabled.
  
- try to do something with capabilities (I'd need to research this)

Given /proc/modules is 0444 and the observation that loaded != used
I don't think any significant information is leaked by the patch. I
don't mind having a stab at an alternate implementation but is it worth
it?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jozsef Kadlecsik Nov. 11, 2015, 8:10 p.m. UTC | #6 
On Wed, 11 Nov 2015, Phil Whineray wrote:

> On Wed, Nov 11, 2015 at 07:48:11PM +0100, Jan Engelhardt wrote:
> > On Wednesday 2015-11-11 19:40, Florian Westphal wrote:
> > >Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > >> > Hiding the contents from non-root users does not achieve anything
> > >> > practical. Possible values are well-known and the specifics can
> > >> > be inferred from a list of loaded modules on most systems.
> > 
> > Conversely, an administrator could just load all modules to give a false 
> > impression. Since the adversary can in turn expect it, he knows as 
> > little as before. In particular, containerized environments will have it 
> > such that many modules are loaded, but each container still has their 
> > own ruleset.
> > So yeah, hiding the contents is not going to achieve anything - nor is 
> > showing. (I am concurring here with the other respondents.)
> 
> Sorry - I've gotten confused about who thinks what exactly. I hope
> the below isn't wasting everyone's time.

My opinion is that the files should not be exposed. Whenever it does not 
clash something vital and cannot be resolved I run kernels with grsec, 
where normal user cannot list the loaded in kernel modules. By exposing 
these files, some part of that data would then be leaked out.

> Unhiding /proc/ip_tables_names content achieves something specific: it
> is used by iptables-save to determine what it should write out (in
> the absence of a specific table being asked for, which I believe is
> the norm).
> 
> I currently have a workaround using a horrific series of bind mounts
> which substitutes in a normal file with the values iptables-save expects.
> 
> Two alternates on the table are:
> 
> - change ownership of the file in the namespace (wherein a user runs
>   "unshare -U -r -n cat /proc/net/ip_tables_names" to do the same as
>   "cat /proc/net/ip_tables_names" with 0444 perms, so not adding much
>   unless unprivileged namespaces are disabled.

I don't quite understand this: if the ownership of the files are changed, 
then why do you need to change the access right to 0444?
   
> - try to do something with capabilities (I'd need to research this)
> 
> Given /proc/modules is 0444 and the observation that loaded != used
> I don't think any significant information is leaked by the patch. I
> don't mind having a stab at an alternate implementation but is it worth
> it?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Philip Whineray Nov. 11, 2015, 9:20 p.m. UTC | #7 
On Wed, Nov 11, 2015 at 09:10:13PM +0100, Jozsef Kadlecsik wrote:
> On Wed, 11 Nov 2015, Phil Whineray wrote:
> 
> > On Wed, Nov 11, 2015 at 07:48:11PM +0100, Jan Engelhardt wrote:
> > > On Wednesday 2015-11-11 19:40, Florian Westphal wrote:
> > > >Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > >> > Hiding the contents from non-root users does not achieve anything
> > > >> > practical. Possible values are well-known and the specifics can
> > > >> > be inferred from a list of loaded modules on most systems.
> > > 
> > > Conversely, an administrator could just load all modules to give a false 
> > > impression. Since the adversary can in turn expect it, he knows as 
> > > little as before. In particular, containerized environments will have it 
> > > such that many modules are loaded, but each container still has their 
> > > own ruleset.
> > > So yeah, hiding the contents is not going to achieve anything - nor is 
> > > showing. (I am concurring here with the other respondents.)
> > 
> > Sorry - I've gotten confused about who thinks what exactly. I hope
> > the below isn't wasting everyone's time.
> 
> My opinion is that the files should not be exposed. Whenever it does not 
> clash something vital and cannot be resolved I run kernels with grsec, 
> where normal user cannot list the loaded in kernel modules. By exposing 
> these files, some part of that data would then be leaked out.
> 
> > Unhiding /proc/ip_tables_names content achieves something specific: it
> > is used by iptables-save to determine what it should write out (in
> > the absence of a specific table being asked for, which I believe is
> > the norm).
> > 
> > I currently have a workaround using a horrific series of bind mounts
> > which substitutes in a normal file with the values iptables-save expects.
> > 
> > Two alternates on the table are:
> > 
> > - change ownership of the file in the namespace (wherein a user runs
> >   "unshare -U -r -n cat /proc/net/ip_tables_names" to do the same as
> >   "cat /proc/net/ip_tables_names" with 0444 perms, so not adding much
> >   unless unprivileged namespaces are disabled.
> 
> I don't quite understand this: if the ownership of the files are changed, 
> then why do you need to change the access right to 0444?

You're right, I don't. I was just noting point that if unprivileged
namespaces are available, either suffices for a regular user to see the
contents.

Cheers
Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 9b42b5e..c05adde 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1236,21 +1236,21 @@  int xt_proto_init(struct net *net, u_int8_t af)
 #ifdef CONFIG_PROC_FS
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_TABLES, sizeof(buf));
-	proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops,
+	proc = proc_create_data(buf, 0444, net->proc_net, &xt_table_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out;
 
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
-	proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops,
+	proc = proc_create_data(buf, 0444, net->proc_net, &xt_match_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out_remove_tables;
 
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
-	proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops,
+	proc = proc_create_data(buf, 0444, net->proc_net, &xt_target_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out_remove_matches;