Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752713AbdF2QeM (ORCPT ); Thu, 29 Jun 2017 12:34:12 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:35328 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751783AbdF2QeF (ORCPT ); Thu, 29 Jun 2017 12:34:05 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski Cc: Kees Cook , Shuah Khan , Greg KH , Naresh Kamboju , "open list\:KERNEL SELFTEST FRAMEWORK" , "linux-kernel\@vger.kernel.org" , Shuah Khan References: <20170627151359.GA11756@kroah.com> <20170627151600.GB11756@kroah.com> <87fuei6gdu.fsf@xmission.com> <878tka6ffw.fsf@xmission.com> Date: Thu, 29 Jun 2017 11:26:47 -0500 In-Reply-To: (Andy Lutomirski's message of "Thu, 29 Jun 2017 08:39:59 -0700") Message-ID: <87tw2y4v5k.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1dQcOC-0005VO-KT;;;mid=<87tw2y4v5k.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18r7dWas///oE/Me4aCS0ywC8a2bNyX0G4= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4736] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa02 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Andy Lutomirski X-Spam-Relay-Country: X-Spam-Timing: total 5561 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 3.0 (0.1%), b_tie_ro: 2.0 (0.0%), parse: 1.35 (0.0%), extract_message_metadata: 27 (0.5%), get_uri_detail_list: 4.6 (0.1%), tests_pri_-1000: 10 (0.2%), tests_pri_-950: 2.1 (0.0%), tests_pri_-900: 1.66 (0.0%), tests_pri_-400: 37 (0.7%), check_bayes: 35 (0.6%), b_tokenize: 14 (0.2%), b_tok_get_all: 9 (0.2%), b_comp_prob: 5 (0.1%), b_tok_touch_all: 2.6 (0.0%), b_finish: 0.84 (0.0%), tests_pri_0: 616 (11.1%), check_dkim_signature: 0.90 (0.0%), check_dkim_adsp: 4.7 (0.1%), tests_pri_500: 4858 (87.4%), poll_dns_idle: 4847 (87.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+ X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3079 Lines: 75 Andy Lutomirski writes: > On Thu, Jun 29, 2017 at 7:23 AM, Eric W. Biederman > wrote: >> ebiederm@xmission.com (Eric W. Biederman) writes: >> >>> Andy Lutomirski writes: >>>> >>>> Hi Eric- >>>> >>>> This is rather odd. The selftest >>>> (tools/testing/selftests/capabilities/test_execve), run as root, fails >>>> on current kernels. The failure is worked around by this: >>>> >>>> diff --git a/tools/testing/selftests/capabilities/test_execve.c >>>> b/tools/testing/selftests/capabilities/test_execve.c >>>> index 10a21a958aaf..6db60889b211 100644 >>>> --- a/tools/testing/selftests/capabilities/test_execve.c >>>> +++ b/tools/testing/selftests/capabilities/test_execve.c >>>> @@ -139,8 +139,8 @@ static void chdir_to_tmpfs(void) >>>> if (chdir(cwd) != 0) >>>> err(1, "chdir to private tmpfs"); >>>> >>>> - if (umount2(".", MNT_DETACH) != 0) >>>> - err(1, "detach private tmpfs"); >>>> +// if (umount2(".", MNT_DETACH) != 0) >>>> +// err(1, "detach private tmpfs"); >>>> } >>>> >>>> static void copy_fromat_to(int fromfd, const char *fromname, const >>>> char *toname) >>>> >>>> I think this is due to the line: >>>> >>>> p->mnt_ns = NULL; >>>> >>>> in umount_tree(). The test is putting us into a situation in which >>>> our cwd has ->mnt_ns = NULL, which is making it act as if it's nosuid. >>>> I can imagine this breaking some weird user code (like my test!). Is >>>> it a real problem, though? >> >> I just wanted to follow up and say this the mnt_may_suid test appears >> to be doing exactly what it was designed to do. >> >> It's goal is not to allow a suid exec from another mount namespace and >> in this test the umount2(".", MNT_DETACH) creates a poor man's mount >> namespace. >> >> So assuming that we want to not allow execing executables from other >> mount namespaces the behavior appears to be exactly correct in this >> case. > > Fair enough. Given that the only known failure is my really wonky > test case, I'll just fix my test. > > That being said, I do know of production code that uses MNT_DETACH: > Sandstorm. It mounts a tmpfs, opens an fd to it, and MNT_DETACHes it. > That gives it a directory that can't be seen by its children. Using > mount namespaces for this would be awkward. Admittedly, MNT_DETACH is > a bit of an awful way to do this -- what it really wants is the > ability to set up a mount tree that logically belongs to its mount > namespace but isn't bound anywhere. A couple years ago, we talked > about adding an API for more or less that: first create a filesystem > (i.e. superblock) and then bind it in if you want it bound. > > But Sandstorm still works, so this isn't a big deal. If it proved desirable I think we could remove the check_mnt test in mnt_may_suid. I believe the current_in_userns check actually handles the namespace confusion case. At the same time using check_mnt does make it easier to think about these things. Which if it doesn't limit us in the real world is a plus. Eric