[CRIU] Hardening the criu service daemon
Pavel Emelyanov
xemul at parallels.com
Fri Sep 11 09:43:37 PDT 2015
On 08/25/2015 02:55 PM, Florian Weimer wrote:
> This was previously discussed privately, but we agreed to make this
> public even before fixes are available, to ensure broadest possible
> review of the solution we come up with.
>
> The service daemon currently has at least two sets of security issues:
>
> * CVE-2015-5228
> https://bugzilla.redhat.com/show_bug.cgi?id=1255782
>
> The service daemon writes to arbitrary places in the file system. One
> file (criu.log) is even created with ownership matching that of the
> requesting process, which gives a fairly direct privilege escalation
> path to full root for any local user. The dump files themselves have
> user-controlled contents, which can likely be exploited as well.
>
> * CVE-2015-5231
> https://bugzilla.redhat.com/show_bug.cgi?id=1256728
>
> The service daemon disregards security policies regarding non-dumpable
> processes. This includes the kernel.yama.ptrace_scope=1 setting, but
> also prctl changes (or changes implied). Currently, the enforced
> security restriction is based on UID/GID matching, which is insufficient.
Florian, since these two CVEs exist in suid-ed CRIU also, what's the
way these two should be handled? If we deprecate the service daemon and
replace it with the mentioned swrk-mode of CRIU, will these two CVEs
get closed or will they be renamed to say "suid-ed CRIU is not secure"?
-- Pavel