Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759007AbcDHVkt (ORCPT ); Fri, 8 Apr 2016 17:40:49 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:41286 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753056AbcDHVkr (ORCPT ); Fri, 8 Apr 2016 17:40:47 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski Cc: Linus Torvalds , security@debian.org, "security\@kernel.org" , Al Viro , "security\@ubuntu.com \>\> security" , Peter Hurley , Serge Hallyn , Willy Tarreau , Aurelien Jarno , Jann Horn , Greg KH , Linux Kernel Mailing List , Jiri Slaby , Florian Weimer , "H. Peter Anvin" References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org> <1459819769-30387-1-git-send-email-ebiederm@xmission.com> <87twjcorwg.fsf@x220.int.ebiederm.org> Date: Fri, 08 Apr 2016 16:29:52 -0500 In-Reply-To: (Andy Lutomirski's message of "Fri, 8 Apr 2016 13:43:16 -0700") Message-ID: <87d1pzn60f.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX19tZpDIDt2S8kv+frKSfT47/uz18ubhOM4= X-SA-Exim-Connect-IP: 67.3.249.252 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Andy Lutomirski X-Spam-Relay-Country: X-Spam-Timing: total 384 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 4.6 (1.2%), b_tie_ro: 3.3 (0.9%), parse: 1.22 (0.3%), extract_message_metadata: 17 (4.5%), get_uri_detail_list: 1.90 (0.5%), tests_pri_-1000: 7 (1.8%), tests_pri_-950: 0.92 (0.2%), tests_pri_-900: 0.79 (0.2%), tests_pri_-400: 22 (5.8%), check_bayes: 21 (5.5%), b_tokenize: 6 (1.5%), b_tok_get_all: 7 (2.0%), b_comp_prob: 1.97 (0.5%), b_tok_touch_all: 3.5 (0.9%), b_finish: 0.84 (0.2%), tests_pri_0: 191 (49.8%), check_dkim_signature: 0.39 (0.1%), check_dkim_adsp: 3.7 (1.0%), tests_pri_500: 136 (35.4%), poll_dns_idle: 125 (32.5%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1868 Lines: 46 Andy Lutomirski writes: > On Apr 8, 2016 12:05 PM, "Linus Torvalds" wrote: >> >> On Fri, Apr 8, 2016 at 11:51 AM, Eric W. Biederman >> wrote: >> > >> > Given that concern under the rule we don't break userspace we have to >> > check the permissions of /dev/pts/ptmx when we are creating a new pty, >> > on a instance of devpts that was created with newinstance. >> >> The rule is that we don't break existing installations. >> >> If somebody has root and installs a "ptmx" node in an existing mount >> space next to a pts subdirectory, that's not a security issue, nor is >> it going to break any existing installation. > > What Eric's saying is that you don't have to be root for this. > > But Eric, I think there might be a better mitigation. For a ptmx > chardev, just fail the open if the chardev's vfsmount or the devpts's > vfsmount doesn't belong to the same userns as the devpts's superblock. > After all, setting this attack up requires the caps on one of the > vfsmounts, and if you have those caps you could attack your own devpts > instance quite easily. Would that work? I don't think so. For one it depends on getting s_user_ns which should happen but is not there yet. For another the way you describe it you would break the case of unshare(CLONE_NEWUSER); unshare(CLONE_NEWNS); open("/dev/ptmx"); Which is actually more likely to break userspace than anything else we have considered. I know people actually do that. Also using any property from a mount namespace or a vfs mount is usually an error, as it is an inconsistent model. Plus I don't think what you are suggesting would make anything simpler or easier to reason about. It only costs me about 3 lines of code to perform the permission checks. The complaint is that they exist at all. Eric