[CRIU] Hardening the criu service daemon

Pavel Emelyanov xemul at parallels.com
Fri Sep 11 06:06:06 PDT 2015


On 09/11/2015 03:59 PM, Adrian Reber wrote:
> On Tue, Aug 25, 2015 at 01:55:38PM +0200, Florian Weimer wrote:
> [...]
>> The service daemon currently has at least two sets of security issues:
>>
>> * CVE-2015-5228
>> https://bugzilla.redhat.com/show_bug.cgi?id=1255782
>>
>> The service daemon writes to arbitrary places in the file system.  One
>> file (criu.log) is even created with ownership matching that of the
>> requesting process, which gives a fairly direct privilege escalation
>> path to full root for any local user.  The dump files themselves have
>> user-controlled contents, which can likely be exploited as well.
>>
>> * CVE-2015-5231
>> https://bugzilla.redhat.com/show_bug.cgi?id=1256728
>>
>> The service daemon disregards security policies regarding non-dumpable
>> processes.  This includes the kernel.yama.ptrace_scope=1 setting, but
>> also prctl changes (or changes implied).  Currently, the enforced
>> security restriction is based on UID/GID matching, which is insufficient.
> 
> Pavel, as the service daemon is rather an unusual use case right now I
> would like to remove the systemd files from Fedora's criu package.
> 
> Are there any objections because the service daemon is seen as an
> important feature or is it okay to be removed?

I'm OK with it.

I would even suggest deprecating the service as a whole, but before doing
this we should implement the "self dump" facility via swrk and then audit
the swrk mode for not being subject to the same CVEs.

-- Pavel
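An added example, not CRIU's own code: the check a checkpoint service would have to apply on the requester's behalf before dumping a target, contrasting the UID-only rule the CVE-2015-5231 report calls insufficient with a simplified model of the kernel's PTRACE_ATTACH permission check combined with kernel.yama.ptrace_scope. The struct and function names are assumptions; the target's real, effective and saved uids are assumed equal, and PR_SET_PTRACER exceptions are not modelled.

```c
/* Policy a dump service should evaluate as the *requester*, not as root.
 * Added example: simplified ptrace_may_access() + Yama ptrace_scope model. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct ptrace_query {
    uid_t requester_uid;        /* uid of the process asking for the dump */
    bool requester_cap_ptrace;  /* requester itself holds CAP_SYS_PTRACE */
    bool requester_is_ancestor; /* requester is an ancestor of the target */
    uid_t target_uid;           /* target's uid (real/effective/saved assumed equal) */
    bool target_dumpable;       /* target's PR_GET_DUMPABLE == 1 */
    int ptrace_scope;           /* kernel.yama.ptrace_scope, 0..3 */
};

/* The insufficient rule described in the report: UID matching only. */
bool uid_only_allows(const struct ptrace_query *q)
{
    return q->requester_uid == q->target_uid;
}

/* What the kernel would enforce if the requester attached by itself. */
bool ptrace_policy_allows(const struct ptrace_query *q)
{
    if (q->ptrace_scope >= 3)           /* scope 3: nobody may attach */
        return false;
    if (q->ptrace_scope == 2)           /* scope 2: CAP_SYS_PTRACE only */
        return q->requester_cap_ptrace;
    if (q->requester_cap_ptrace)        /* capability bypasses scope 0/1 checks */
        return true;
    /* Classic check: same uid, and the target must still be dumpable. */
    if (q->requester_uid != q->target_uid || !q->target_dumpable)
        return false;
    /* Scope 1: additionally only descendants may be attached to. */
    if (q->ptrace_scope == 1 && !q->requester_is_ancestor)
        return false;
    return true;
}

int main(void)
{
    /* Constructed case: same uid, but the target cleared its dumpable flag
       (e.g. a daemon holding secrets); ptrace_scope=1, requester unrelated. */
    struct ptrace_query q = { 1000, false, false, 1000, false, 1 };
    printf("uid-only: %s, kernel ptrace policy: %s\n",
           uid_only_allows(&q) ? "allow" : "deny",
           ptrace_policy_allows(&q) ? "allow" : "deny");
    return 0;
}
```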