Re: [PATCH] fexecve

[David Holland <dholland-tech%netbsd.org@localhost>]

On Thu, Nov 15, 2012 at 11:03:15AM -0500, Thor Lancelot Simon wrote:
 > > Here is a patch that implements fexecve(2) for review:
 > > http://ftp.espci.fr/shadow/manu/fexecve.patch
 > 
 > This strikes me as profoundly dangerous.  Among other things, it
 > means you can't allow any program running in a chroot to receive
 > unix-domain messages any more since they might get passed a file
 > descriptor to code they should not be able to execute.

I have two immediate reactions to this: (1) being able to pass
executables to something untrusted in a controlled manner sounds
useful, not dangerous; and (2) please define your threat model,
because you appear to be assuming the chrooted process is colluding
with something outside the chroot, and if that's really true it
already effectively has access to everything outside the chroot.

Granted we may want to put some controls on fd passing that don't
currently exist.

 > If there is not some explanation I am missing for why this doesn't
 > basically blow up chroot's security in the very common case where
 > chroot is used to build a W^X environment, I am strongly opposed to
 > ever including this system call in NetBSD.

What mechanism prevents processes from calling mprotect with PROT_EXEC
on their own memory?

-- 
David A. Holland
dholland%netbsd.org@localhost