Comment by charcircuit

Comment by charcircuit a month ago

>For example, the core-dump handler is launched by the kernel as a user-mode helper, meaning that it runs fully privileged in the root namespace.

Why is it not run as a dedicated core dump user?

>the core-dump socket to a helper can be intercepted

There have been several vulnerabilities related to this feature of passing core files to a container. I question if this feature is actually worth it considering one probably wants to have shared infrastructure for crash reporting anyways.

rwmj a month ago

> Why is it not run as a dedicated core dump user?

You could imagine an API that sets the UID of this user, and the kernel could easily run the coredump handler as that user, but the kernel can't so easily automate the creation of a complicated namespace to contain that process (and the process can't do it itself because it could be exploited before it gets around to it). Look at the code in runc some time to see how complicated setting up a namespace has got.

> one probably wants to have shared infrastructure for crash reporting anyways

Not really on a single machine. coredumpctl actually works very well for solo development, I use it all the time.

Reply View 4 replies

nolist_policy a month ago

You're thinking to complicated. You can configure the coredump helper in a way that the kernel presents it with the coredump on stdin. So you drop privileges and self-sandbox at startup and only then start reading the coredump from stdin.
IIUC Ubuntu and systemd however choose to dump the process manually for some reason and for that you need to have same permission as the target process.

Reply View | 2 replies
- pkhuong a month ago
  
  > start reading the coredump from stdin
  How does that work with multi-TB mappings, as used by niche functionality like asan?
  
  Reply View | 1 reply
  
  nolist_policy a month ago
  
  The coredump is sparse in elf format.
  
  Reply View | 0 replies
charcircuit a month ago

>You could imagine an API that sets the UID of this user
No, I think there should be a dedicated user. People will configure it in insecure ways if you let them.
>easily automate the creation of a complicated namespace to contain that process
Why is this being done. The core dump has already been created.
>coredumpctl actually works
Coredumpctl would still be possible without forwarding.

Reply View | 0 replies

bandrami a month ago

Wouldn't that user have to be able to access arbitrary kernel memory, meaning there's little point in it not being root?

Reply View 1 reply

charcircuit a month ago

Sharing a buffer or fd for the core file to a process running as a "core" user dies not require accessing arbitrary kernel memory.

Reply View | 0 replies