Re: systmd-analyze security as a release goal

To: debian-devel@lists.debian.org
Subject: Re: systmd-analyze security as a release goal
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 14 Jul 2023 11:50:04 +0100
Message-id: <[🔎] ZLEoXIxMRh4PoXhM@riva.ucam.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20230714070839.GA20173@srcf.ucam.org>
References: <[🔎] 5155934.GXAFRqVoOG@cupcakke> <[🔎] 19be22faf393fdcfe8f2b630f60d9807@debian.org> <[🔎] 87sfa21hno.fsf@hope.eyrie.org> <[🔎] 87h6qh2336.fsf@gmail.com> <[🔎] 87o7kp7odj.fsf@hope.eyrie.org> <[🔎] 87fs618vd9.fsf@gmail.com> <[🔎] 871qhl8m9p.fsf@gmail.com> <[🔎] ZLA2C+mOgpBO5Oz9@thunder.hadrons.org> <[🔎] 20230713180339.yg5znmhkydembrti@mail.gaussglocke.de> <[🔎] 20230714070839.GA20173@srcf.ucam.org>

On Fri, Jul 14, 2023 at 08:08:39AM +0100, Matthew Garrett wrote:
> On Thu, Jul 13, 2023 at 08:03:39PM +0200, Timo Röhling wrote:
> > qemu is basically an interpreter for foreign machine code. If your
> > threat model allows access to qemu-user-static for an attacker, they
> > can run pretty much any binary is if it were native, and the whole
> > SystemCallArchitectures hardening becomes meaningless.
> 
> My understanding of the threat is that compatibility syscalls (eg, x32 
> on amd64) are less well-tested than the local architecture syscalls, and 
> so allowing apps to call them increases the risk - a compromised app 
> that can make compatibility syscalls stands a higher probability of 
> being able to elevate privileges, either in userland or to the kernel 
> itself. Allowing qemu to translate syscalls from other architectures to 
> the local syscall ABI doesn't increase that risk, so isn't a concern. 
> The goal isn't to prevent code form other architectures from running, 
> it's to reduce the attack surface by preventing calls to the 
> compatbility syscalls.

Not just that, but also using compatibility syscalls allows
circumventing other systemd hardening that filters syscalls
(RestrictAddressFamilies=, MemoryDenyWriteExecute=, SystemCallFilter=).
Allowing qemu also doesn't make much difference either way to that
though - if your process can't make a syscall directly, it can't make it
via qemu either.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: systmd-analyze security as a release goal
  - From: Timo Röhling <roehling@debian.org>

References:
- Re: systmd-analyze security as a release goal
  - From: Russell Coker <russell@coker.com.au>
- Re: systmd-analyze security as a release goal
  - From: Philipp Kern <pkern@debian.org>
- Re: systmd-analyze security as a release goal
  - From: Russ Allbery <rra@debian.org>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: Russ Allbery <rra@debian.org>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: "Trent W. Buck" <trentbuck@gmail.com>
- Re: systmd-analyze security as a release goal
  - From: Guillem Jover <guillem@debian.org>
- Re: systmd-analyze security as a release goal
  - From: Timo Röhling <roehling@debian.org>
- Re: systmd-analyze security as a release goal
  - From: Matthew Garrett <mjg59@srcf.ucam.org>

Prev by Date: Re: systmd-analyze security as a release goal
Next by Date: Re: /usr-merge: continuous archive analysis
Previous by thread: Re: systmd-analyze security as a release goal
Next by thread: Re: systmd-analyze security as a release goal
Index(es):
- Date
- Thread