On 08/26/2016 10:55 AM, Florian Weimer wrote:

On 08/25/2016 06:15 PM, James Bottomley wrote:

quoted

On Sun, 2016-08-21 at 21:01 -0700, Josh Max wrote:

quoted

This patch allows binfmt_misc to select the interpeter for
arbitrary binaries by comparing a specified registered keyword
with the value of a specified binary's extended attribute
(user.binfmt.interp), and then launching the program with the
registered interpreter.

This is useful when wanting to launch a collection of binaries
under the same interpreter, even when they do not necessarily
share a common extension or magic bits, or when their magic
conflics with the operation of binfmt_elf. Some examples of its
use would be to launch some executables of various different
architectures in a directory, or for running some native binaries
under a sandbox (like firejail) automatically during their
launch.

Could you expand on the use cases?

Likewise, I would also like to hear about the intended use cases.

A non-security use case would be to run the binary (without
modification) with a different ELF interpreter (assuming this allows
to override binfmt_elf, but self-sandboxing would need that as well).
This would make it easier to use older or newer libcs for select
binaries on the system.  Right now, one has to write wrappers for
that, and the explicit dynamic linker invocation is not completely
transparent to the application.

I think this is a slightly contrived use case. Normally you would just
use patchelf, or build the binary with a specific dynamic loader e.g.
-Wl,--dynamic-linker=file. What is restricting the use case from modifying
the binary or running under the new loader? Or to put it another way,
what requires the interpreter selection to be fully dynamic?

Why isn't the answer: Use ELF everywhere and specify the interpreter
you actually want? Likewise if you know you want to one-off run a native
binary in a sandbox or alternate loader then use a userspace tool to do
that?

Does the convenience gained justify the complexity we now have to explain
to our users "Oh, and watch out for the xattr keywords that change how
your application is started?" I'm doubtful. I haven't seen enough use
cases here to justify a fully dynamic interpreter selection.

It feels like a better use of our energy would be to make exec by the
kernel and exec by the dynamic loader look as similar as possible so you
can use one or the other without the application knowing the difference.

My worry is that this is a new knob for something we have previously
all expected to be a part of the binaries static definition.
What impact will have on security validation? Is the binary running
with the intended runtime? I assume that setting the xattr keyword 
requires write for the file in question, and that no capabilities
mismatch means we could set the keyword but have less than write
permissions on the file.

There would also be a non-zero performance cost to this and it would
be borne by all ELF/misc binaries at startup for what is a debugging
feature. This assumes we extend binfmt_elf to look for the same xattr
keyword to override the loader.

This ignores the fact that the alternate loader also needs to have
it's own ldconfig cache, implementation-dependent lookup paths etc,
all of which have to be keyed off the xattr keyword specified dynamic
loader. All of that is tractable though and can be done in userspace
keyed from the selected dynamic loader. Buy why? Why not use a mount
namespace and different loader e.g. lxc, docker, etc, or specify a
loader that is a wrapper and does this for you?

I'm not convinced this is a good idea, but I'm open to learning about
more use cases.

-- 
Cheers,
Carlos.