Re: systmd-analyze security as a release goal

To: debian-devel@lists.debian.org
Subject: Re: systmd-analyze security as a release goal
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Fri, 14 Jul 2023 08:08:39 +0100
Message-id: <[🔎] 20230714070839.GA20173@srcf.ucam.org>
In-reply-to: <[🔎] 20230713180339.yg5znmhkydembrti@mail.gaussglocke.de>
References: <[🔎] 13735258.RDIVbhacDa@cupcakke> <[🔎] 5155934.GXAFRqVoOG@cupcakke> <[🔎] 19be22faf393fdcfe8f2b630f60d9807@debian.org> <[🔎] 87sfa21hno.fsf@hope.eyrie.org> <[🔎] 87h6qh2336.fsf@gmail.com> <[🔎] 87o7kp7odj.fsf@hope.eyrie.org> <[🔎] 87fs618vd9.fsf@gmail.com> <[🔎] 871qhl8m9p.fsf@gmail.com> <[🔎] ZLA2C+mOgpBO5Oz9@thunder.hadrons.org> <[🔎] 20230713180339.yg5znmhkydembrti@mail.gaussglocke.de>

On Thu, Jul 13, 2023 at 08:03:39PM +0200, Timo Röhling wrote:

> qemu is basically an interpreter for foreign machine code. If your
> threat model allows access to qemu-user-static for an attacker, they
> can run pretty much any binary is if it were native, and the whole
> SystemCallArchitectures hardening becomes meaningless.

My understanding of the threat is that compatibility syscalls (eg, x32 
on amd64) are less well-tested than the local architecture syscalls, and 
so allowing apps to call them increases the risk - a compromised app 
that can make compatibility syscalls stands a higher probability of 
being able to elevate privileges, either in userland or to the kernel 
itself. Allowing qemu to translate syscalls from other architectures to 
the local syscall ABI doesn't increase that risk, so isn't a concern. 
The goal isn't to prevent code form other architectures from running, 
it's to reduce the attack surface by preventing calls to the 
compatbility syscalls.

Reply to:

Follow-Ups:
- Re: systmd-analyze security as a release goal
  - From: Colin Watson <cjwatson@debian.org>
- Re: systemd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>

References:
- systmd-analyze security as a release goal
  - From: Russell Coker <russell@coker.com.au>
- Re: systmd-analyze security as a release goal
  - From: Russell Coker <russell@coker.com.au>
- Re: systmd-analyze security as a release goal
  - From: Philipp Kern <pkern@debian.org>
- Re: systmd-analyze security as a release goal
  - From: Russ Allbery <rra@debian.org>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: Russ Allbery <rra@debian.org>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: Guillem Jover <guillem@debian.org>
- Re: systmd-analyze security as a release goal
  - From: Timo Röhling <roehling@debian.org>

Prev by Date: Fwd: Wayland and NVidia driver conflict
Next by Date: Re: systmd-analyze security as a release goal
Previous by thread: Re: systmd-analyze security as a release goal
Next by thread: Re: systmd-analyze security as a release goal
Index(es):
- Date
- Thread