
Does allowing binfmt_misc significantly increase the attack surface for unprivileged users that already can launch – native – binaries?

Çağlar Arlı

The Linux kernel lets me register and execute additional binary formats as if they were regular executables.

I am thinking of this mostly as a convenience method, completing what specifying the interpreter via a shebang already partially accomplishes. Executed programs are as privileged and thus as dangerous as native binaries, but not any bit beyond that. Programs with a slightly special format on disk; otherwise no special treatment. Is this assessment still correct on, say, an Ubuntu Linux desktop running all sorts of designed-for-single-user-systems setuid programs and permitting unprivileged user namespaces?

I am especially concerned about other privileged (setuid or talking to uid=0 daemons) programs such as pkexec, systemctl, snap, rtkit, fusermount3 making assumptions about binaries to which they would, under very limited circumstances, grant some privileges; assumptions that are not true for non-native binaries launched via the binfmt_misc mechanism. Ideally, I am looking for an answer pointing to previous flaws proving that this can indeed interact dangerously, or design choices that entirely rule out this kernel capability having security-sensitive side-effects other than the convenience of launching alien formats.

For what the features on their own mean for security, see these existing questions:
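A defender-side audit of the binfmt_misc handlers a host has registered, added here as an example; it is not part of the question and not code from any answer. It parses the entry format the kernel exposes under /proc/sys/fs/binfmt_misc (the enabled/disabled line, interpreter, flags, offset, magic or extension, mask) and the ":name:type:offset:magic:mask:interpreter:flags" registration string, then lists the properties relevant to the concern above: which interpreter each foreign format is handed to, whether matching is by magic or merely by file extension, and whether the C flag makes the kernel derive the new process's credentials from the matched binary rather than from the interpreter. The sample entries, the sample registration string and the helper names (parse_handler, parse_register_string, review, audit_entries, audit_live) are constructed for this example, not taken from a real system.

```python
"""Audit binfmt_misc handlers from a defender's point of view (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

BINFMT_DIR = Path("/proc/sys/fs/binfmt_misc")


@dataclass
class Handler:
    name: str
    enabled: bool
    interpreter: str
    flags: str = ""
    match_type: str = "magic"   # "magic" (type M) or "extension" (type E)
    pattern: str = ""           # hex magic bytes, or the file extension
    mask: str = ""
    offset: int = 0


def parse_handler(name: str, text: str) -> Handler:
    """Parse the text of one /proc/sys/fs/binfmt_misc/<name> entry."""
    h = Handler(name=name, enabled=False, interpreter="")
    for line in text.splitlines():
        line = line.strip()
        if line in ("enabled", "disabled"):
            h.enabled = line == "enabled"
        elif line.startswith("interpreter "):
            h.interpreter = line.split(" ", 1)[1]
        elif line.startswith("flags:"):
            h.flags = line[len("flags:"):].strip()
        elif line.startswith("offset "):
            h.offset = int(line.split()[1])
        elif line.startswith("magic "):
            h.match_type, h.pattern = "magic", line.split()[1]
        elif line.startswith("extension "):
            h.match_type, h.pattern = "extension", line.split()[1]
        elif line.startswith("mask "):
            h.mask = line.split()[1]
    return h


def parse_register_string(s: str) -> Handler:
    """Parse a ':name:type:offset:magic:mask:interpreter:flags' registration
    string as written to /proc/sys/fs/binfmt_misc/register. The first
    character is the field delimiter; trailing empty fields may be omitted."""
    delim = s[0]
    parts = s[1:].rstrip("\n").split(delim)
    while len(parts) < 7:
        parts.append("")
    name, typ, offset, magic, mask, interp, flags = parts[:7]
    return Handler(name=name, enabled=True, interpreter=interp, flags=flags,
                   match_type="magic" if typ == "M" else "extension",
                   pattern=magic, mask=mask, offset=int(offset or 0))


def review(h: Handler) -> list[str]:
    """Security-relevant observations about one enabled handler."""
    findings: list[str] = []
    if not h.enabled:
        return findings
    if "C" in h.flags:
        findings.append("C flag: credentials (setuid/setgid bits, file capabilities) "
                        "are computed from the matched binary, not from the interpreter")
    if "F" in h.flags:
        findings.append("F flag: the interpreter file was opened at registration time; "
                        "later changes at that path do not affect what runs")
    if not h.interpreter.startswith("/"):
        findings.append("interpreter path is not absolute")
    if h.match_type == "extension":
        findings.append(f"matches on the .{h.pattern} extension alone, not on content")
    return findings


def audit_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map handler name -> findings for a dict of entry name -> entry text."""
    return {name: review(parse_handler(name, text)) for name, text in entries.items()}


def audit_live(base: Path = BINFMT_DIR) -> dict[str, list[str]]:
    """Read the real /proc entries (skipping the 'register' and 'status' files)."""
    if not base.is_dir():
        return {}
    entries = {p.name: p.read_text() for p in base.iterdir()
               if p.is_file() and p.name not in ("register", "status")}
    return audit_entries(entries)


# Constructed sample entries in the kernel's display format (not captured).
SAMPLE_ENTRIES = {
    "qemu-aarch64": "enabled\ninterpreter /usr/libexec/qemu-binfmt/aarch64-binfmt-P\n"
                    "flags: POCF\noffset 0\nmagic 7f454c4602010100000000000000000002\n"
                    "mask ffffffffffffff00fffffffffffffffffeff\n",
    "foo-by-ext": "enabled\ninterpreter /usr/local/bin/foo-runner\nflags:\nextension foo\n",
    "disabled-one": "disabled\ninterpreter /usr/bin/unused\nflags: \nextension bar\n",
}

if __name__ == "__main__":
    for name, findings in audit_entries(SAMPLE_ENTRIES).items():
        print(name, findings or "no findings")
    for name, findings in audit_live().items():   # empty when binfmt_misc is not mounted
        print("live:", name, findings or "no findings")
```

Run it as-is to see the constructed samples reviewed; on a Linux host with binfmt_misc mounted, audit_live() additionally lists every registered handler and the same findings, which is the list to compare against the setuid programs named in the question.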