write/use a safe usermodehelper

[justincormack]

Linux 4.11 has a much safer mechanism for the user mode helpers. We should use this.

read-only usermodehelper

A common way attackers use to escape confinement is by rewriting the user-mode helper sysctls
 (e.g. /proc/sys/kernel/modprobe) to run something of their choosing in the init namespace. To 
reduce attack surface within the kernel, Greg KH introduced CONFIG_STATIC_USERMODEHELPER,
 which switches all user-mode helper binaries to a single read-only path (which defaults to 
/sbin/usermode-helper). Userspace will need to support this with a new helper tool that can 
demultiplex the kernel request to a set of known binaries.

cc @riyazdf @tych0

[tych0]

I booted a 4.11 kernel in linuxkit and played around with this, here's what I came up with: tych0@7629d01

Seems as though we don't use much in the way of usermodehelpers today (just two), so it's a relatively simple thing to enforce for now. Perhaps we want a policy?

Anyway, I'll make a PR when we land a 4.11 kernel so we can discuss.

[justincormack]

Yes, it seems sane to make a custom one for our needs.

What are the other helpers now?

[justincormack]

I guess we can add this to base, and conditionally use it if the kernel interface is there, so you get the benefits if on 1.11+

[rn]

4.11 probably early next week. I should get a new version of the Hyper-V socket patch maybe tomorrow and then need to integrate etc

[tych0]

Yep, no rush. Right now we're just using the uevent helper (briefly), and modprobe. From a kernel grep,

+		/* This means either we got an unexpected call from the kernel
 +		 * or someone is doing something nefarious. Some other possible
 +		 * expected callers are:
 +		 *  - for core dumps. we don't have a "core" binary, and don't
 +		 *    set this by default to anything. when we do, we need to
 +		 *    whitelist it here
 +		 *  - /linuxrc: we're not doing legacy root setup, so we don't
 +		 *     need this
 +		 *  - a few drivers and filesystems (drbd, nfs, nfsd, ocfs2)
 +		 *  - cgroup notify_on_release handlers, which we do not set
 +		 *    (but e.g. systemd needs, if anyone ever tries to boot
 +		 *    that on linuxkit)
 +		 *  - /sbin/request-key, which we don't provide
 +		 *  - on x86, machine check

[justincormack]

We should also generally review kernel config for 4.11 in case there are other things that need to be enabled/disabled it is being added in #1785

[rn]

I just ran it through defconfig/oldconfig so haven't done a thorough review