MIME-Version: 1.0
In-Reply-To: <CALCETrUJ_KuGJoVxuUjWGCNHBNs5Vk8E68MtsWoTdURJ+=iJnQ@mail.gmail.com>
References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org>
	<1459819769-30387-1-git-send-email-ebiederm@xmission.com>
	<CA+55aFwv7d8XfeN8KvYaVcSs7V9XoHtS-1cqtkG4gF4yJwB5nA@mail.gmail.com>
	<87twjcorwg.fsf@x220.int.ebiederm.org>
	<20160409140909.42315e6d@lxorguk.ukuu.org.uk>
	<83FE8CD2-C0A2-4ADB-AEBD-8DD89AD4F88A@zytor.com>
	<87bn5ij0x1.fsf@x220.int.ebiederm.org>
	<78205895-E11D-417F-91DC-4BCA0B61A122@zytor.com>
	<CA+55aFyB7y8TfQ=_EvMAFONS6oSPs=uY88f+S6n_QWh4MkKTHg@mail.gmail.com>
	<FC521A3F-4BEB-427E-AE8E-CA54C0128AA3@zytor.com>
	<CA+55aFw62q5bjNiK7Q9dEQQEDZs5fbUxNPxDq376OZJ6JKT=Rg@mail.gmail.com>
	<CALCETrUZ=QVZbTCr3gvhSd2-j_U4R02y5fCxbddG_HsQdnuBkw@mail.gmail.com>
	<CA+55aFzs00iDkYhvFCq=AZMVcNL0+oZT4SeimTeVurJq=5ZS3A@mail.gmail.com>
	<CALCETrUQ_Oad61dYvPpYFxDBT++jhZoAT3e4n4yiu22iTNcxNQ@mail.gmail.com>
	<CALCETrUJ_KuGJoVxuUjWGCNHBNs5Vk8E68MtsWoTdURJ+=iJnQ@mail.gmail.com>
Date: Tue, 12 Apr 2016 11:12:37 -0700
Message-ID: <CA+55aFzchGpOp0R0RjM6Bsk23GWp1t76fgFi8q6FZQndHq5EtA@mail.gmail.com>
Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated
 devpts via path lookup
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: security@debian.org, "security@kernel.org" <security@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        "security@ubuntu.com >> security" <security@ubuntu.com>,
        Peter Hurley <peter@hurleysoftware.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
        Aurelien Jarno <aurelien@aurel32.net>,
        One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
        Jann Horn <jann@thejh.net>, Greg KH <greg@kroah.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Jiri Slaby <jslaby@suse.com>, Florian Weimer <fw@deneb.enyo.de>,
        "H. Peter Anvin" <hpa@zytor.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1957
Lines: 49

On Tue, Apr 12, 2016 at 10:44 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> Linus, you said that people who want to protect their pts should deny
> execute.  So I set it up:
>
> # ls -l
> total 0
> crw-------. 1 root root 5, 2 Apr 12 10:38 ptmx
> drwx------. 2 root root    0 Apr  2 11:35 pts

No you didn't. You're root, and you still have access to /dev/ptmx.

> And there goes your protection.  So the whole /dev directory would
> have to deny execute to protect against this.

Exactly. That's what I'm saying. If you want your ptmx to be private,
you need to make your /dev private.

Now, you can avoid the other attack that was talked about (which
involved bind-mounting the pts/ directory somewhere else) by making
just the pts/ directory non-execute, because afaik bind mount requires
the ability to do the lookup.

> But I think that gating this on mount options might be fine.  If
> devpts is mounted with newinstance, then /dev/ptmx *already doesn't
> work for it*, right?  So can we just say that the magic ptmx ->
> pts/ptmx redirect doesn't work if the pts filesystem in question is
> mounted with newinstance?

No, the problem that started this whole discussion is that

 (a) newinstance should go the f*ck away, because this whole duality is broken.

 (b) people wanted single instances and we couldn't even enable
default kernel support for DEVPTS_MULTIPLE_INSTANCES, because multiple
instances just don't work with /dev/ptmx.

So what I want to happen is to "just make /dev/ptmx work".  Get rid of
the broken "single instance" crap. The only reason it exists is
exactly because /dev/ptmx does not work.

I think the current situation is completely and utterly broken. We
should never have done what we did. I want to *fix* the kernel, not
add random new magic crap.

And I think we _can_ fix the kernel. Not add new mount options that
people already don't use (because they are broken for the normal
situation).

                Linus