Received: by 10.223.185.116 with SMTP id b49csp6039515wrg;
        Thu, 8 Mar 2018 00:23:47 -0800 (PST)
X-Google-Smtp-Source: AG47ELvpZoh3gKx0HNGo4pCj3Lf2fBlinVKB/a++Quozuikex6qw3xOal9c4XspCCaNQmF6VQFRR
X-Received: by 10.99.109.67 with SMTP id i64mr16545702pgc.238.1520497427007;
        Thu, 08 Mar 2018 00:23:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520497426; cv=none;
        d=google.com; s=arc-20160816;
        b=0arXl9/u1uV3D03omoqm8B8Qg9/OkDn6nw2KkzLQvT5jpT7Y8o+vKkfhxWLvLE0D97
         Za+jWVwSD33dLvincIwKJRKCGHlvQmk1BKY1O+6VTGn2f+PJ96kxKcoSJ5hQyWW8efmE
         O7GK5FVw/kW4iOvlO3Vq4RO9+hri+357+EMK4PD219j1+cxZAHc1E1Y+xy0o7eTWY1ec
         mv84mE+Tw5j7y2NbP9ieUhZ3rgV3c3R3qelaxEy4Q/8tsfosFIRqgqNKe+2Ln3tlCou/
         w1XSHObZUPX1h9KU0xcF0vfHyMCLUiiicmYUqYT7fz2vi9/TYAetNbCkh1x2e0ZTbLEh
         RvUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:date:from
         :arc-authentication-results;
        bh=T6ji0v1WhXddhVmtAO7m3qF4L903NJYGQtgFfZSuGws=;
        b=L+VtmQRIVhN5DGJBt8nKFB/mFJDc0yuZgoyRNvfw4yv0vLFurqCnC1wmdj4VOrJ+gL
         nIjzyZ/ytWsEkMv9UBqQ3hH5l/sqkqdZpbaJXhLaC2HbE3PTsdfBv3W2FW21a/9d/27k
         hOJk1Amo85fqsDPmgKGo+/XWbHw+bR3Axf6FJKfEBnwk631HBSg+nXMn/SJJFKxGfT5Z
         R/HmK+wXjoE3SXfr48qAmwzfoR46s2A2Ypp8V2GJKBPex3bfCWfg0I61vBexsYOb2mLg
         l7DP2OGBGpZgVkex6mL5Q3VQYhicuflfd9gPGwQkIx0QW/CVnkNsDKARguSZwofGR0DW
         spGQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w61-v6si14431491plb.733.2018.03.08.00.23.32;
        Thu, 08 Mar 2018 00:23:46 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755259AbeCHIWe (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 99 others); Thu, 8 Mar 2018 03:22:34 -0500
Received: from youngberry.canonical.com ([91.189.89.112]:45207 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751315AbeCHIWc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Mar 2018 03:22:32 -0500
Received: from mail-wm0-f69.google.com ([74.125.82.69])
        by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
        (Exim 4.76)
        (envelope-from <christian.brauner@canonical.com>)
        id 1etqop-00014t-Jr
        for linux-kernel@vger.kernel.org; Thu, 08 Mar 2018 08:22:31 +0000
Received: by mail-wm0-f69.google.com with SMTP id p13so2293628wmc.6
        for <linux-kernel@vger.kernel.org>; Thu, 08 Mar 2018 00:22:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:date:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to:user-agent;
        bh=T6ji0v1WhXddhVmtAO7m3qF4L903NJYGQtgFfZSuGws=;
        b=REj3dRb2haHMFP6pvRqk3ZAnL8KoRKww9DQQEjuf8OFGhWpli2OfhRCtZsvEMUxR9z
         8oj3IjYzAXUU5b9ZIzz8/uepm/GvAbIHqrpu4kTX73B6TDk7yE89FzPNXXggd/VHNGZ6
         K5QtpuxfnFtBRrYMDIOnEhpCNEnu1p1X0BcvYmnv+ay3DUhOatPS9DSeKGg3TfDnsCPM
         ZdES8zCrOIuIjzL6FadmPFKKoRTFo/3z70tHi82+G7ZarTYvGYjPvjmY9mhR8izuw3tX
         u5klTBIR5GOylPL7dtNRapxPZZf5+Hx9/alipRw7IrixlDCVRoFdAHqMD8dWzMqdZ2WA
         pE9A==
X-Gm-Message-State: APf1xPDHWKCN+eldVFetpFpQsu32x25twJjNp+MtZTGGLAAJoW4Hh3Lw
        Cn9j6ntuOtfxB6D/2ff2F+2d4vZ86+wQlWbW95pwIW+15vlhIQeraKU2D2uEve6Q7LrBQvb0O+/
        wgP/ngejeooZmB1SxgKVEAuBU0MnMBnGv9pqsv1mwbA==
X-Received: by 10.223.175.235 with SMTP id y43mr20902973wrd.41.1520497351199;
        Thu, 08 Mar 2018 00:22:31 -0800 (PST)
X-Received: by 10.223.175.235 with SMTP id y43mr20902953wrd.41.1520497350870;
        Thu, 08 Mar 2018 00:22:30 -0800 (PST)
Received: from gmail.com ([37.220.133.201])
        by smtp.gmail.com with ESMTPSA id m62sm20912374wmi.19.2018.03.08.00.22.29
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 08 Mar 2018 00:22:30 -0800 (PST)
From:   Christian Brauner <christian.brauner@canonical.com>
X-Google-Original-From: Christian Brauner <christian.brauner@ubuntu.com>
Date:   Thu, 8 Mar 2018 09:22:29 +0100
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     linux-kernel@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: Invalid /proc/<pid>/fd/{0,1,2} symlinks with TIOCGPTPEER
Message-ID: <20180308082228.GD22728@gmail.com>
References: <20180307161744.GA17562@gmail.com>
 <878tb3u1hv.fsf@xmission.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <878tb3u1hv.fsf@xmission.com>
User-Agent: Mutt/1.9.3 (2018-01-21)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 07, 2018 at 01:30:52PM -0600, Eric W. Biederman wrote:
> Christian Brauner <christian.brauner@canonical.com> writes:
> 
> > Hey,
> >
> > We discovered a potential bug in the devpts implementation via
> > TIOCGPTPEER ioctl()s today. We've tackled a similar problem already in:
> >
> > commit 311fc65c9fb9c966bca8e6f3ff8132ce57344ab9
> > Author: Eric W. Biederman <ebiederm@xmission.com>
> > Date:   Thu Aug 24 15:13:29 2017 -0500
> >
> >     pty: Repair TIOCGPTPEER
> >
> > Most libcs will *still* look at /dev/ptmx when opening the master fd of
> > pty device. Usually, /dev/ptmx will nowadays be either a symlink to
> > /dev/pts/ptmx or it will be a second device node with permissions 666
> > whereas /dev/pts/ptmx will usually have permissions 000. Afaik, we've
> > also always supported making /dev/ptmx a bind-mount to /dev/pts/ptmx or
> > at least I haven't observed any issues with this so far and it's
> > something fairly common in containers. So in short, it should be legal
> > to do:
> >
> > mount --bind /dev/pts/ptmx /dev/ptmx
> > chmod 666 /dev/ptmx
> >
> > However, for any libc implementation or program that uses TIOCGPTPEER
> > the /proc/<pid>/fd/{0,1,2} symlinks are broken (currently affects at
> > least glibc 2.27) with bind-mounts of /dev/pts/ptmx to /dev/ptmx. A
> > quick reproducer is:
> >
> > unshare --mount
> > mount --bind /dev/pts/ptmx /dev/ptmx
> > chmod 666 /dev/ptmx
> > script
> > ls -al /proc/self/fd/0
> >
> > Let's assume the slave device index I received was 5 then I would expect to
> > see:
> >
> > ls -al /proc/self/fd/0
> > lrwx------ 1 chb chb 64 Mar  7 16:41 /proc/self/fd/0 -> /dev/pts/5
> >
> > But what I actually see is:
> >
> > ls -al /proc/self/fd/0
> > lrwx------ 1 chb chb 64 Mar  7 16:41 /proc/self/fd/0 -> /
> >
> > I think the explanation for this is fairly straightforward. When
> > userspace does:
> >
> > master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
> > slave = ioctl(master, TIOCGPTPEER, O_RDWR | O_NOCTTY);
> >
> > and /dev/ptmx is a bind-mount of /dev/pts/ptmx looking up the root mount
> > of the dentry for the slave it appears to the kernel as if the dentry is
> > escaping it's bind-mount:
> >
> > ├─/dev        udev          devtmpfs   rw,nosuid,relatime,size=4001260k,nr_inodes=1000315,mode=755
> > │ ├─/dev/pts  devpts        devpts     rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
> > │ └─/dev/ptmx devpts[/ptmx] devpts     rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
> >
> > since the root mount of the dentry is /dev/pts but the root mount of
> > /dev/ptmx is /dev if I'm correct so similar to what Linus pointed out in
> > a previous discussion (see [1]) before. So we still record the "wrong"
> > vfsmount when /dev/ptmx is a bind-mount and then hit the problem when we
> > call devpts_mntget() in drivers/tty/pty.c.
> 
> I think your analysis of why we return / is correct. If the root of the
> mount is a file (aka /dev/pts/ptmx).  Then any other file will on that
> mount will not be under the root of the mount, and will be displayed
> as '/'.  Because we have in fact escaped the root of the mount.
> 
> I think this is more of a quality of implementation issue more than a
> bug per se.

It's at least a regression since this used to work before. :)

> 
> > So I thought about this and - in case my analysis is correct - the
> > solution didn't seem obvious to me as a bind-mount has no concept of
> > what it's "parent" is (Which in this case should be the devpts mount at
> > /dev/pts.).
> 
> We might be able to improve the quality of the implementation, by
> noticing this case early (sb->s_root != mnt->mnt_root) and using the
> same tricks on /dev/pts/ptmx as we do on /dev/ptmx.  That is looking
> in ../pts and see if the filesystem we want is there.
> 
> It would be a wee bit tricky but doable.  The practical question becomes
> what breaks and what makes it worth maintaining such a mechanism.
> 
> I don't remember how important it is to have a valid path in proc.  So
> I won't comment on how important it is to improve the quality of
> the implementation.

It's quite important for containers. The problem is that we can't (yet)
mknod() in a user namespace and making /dev/ptmx a symlink to
/dev/pts/ptmx will cause issues when used together with path-based LSMs
like AppArmor so a bind-mount is the only reliable option.

> 
> The code can be improved by doing something like:

Right, what do you think about Linus suggestion? I'm happy to look into
it.

Christian

> 
> static int devpts_ptmx_pts_path(struct path *path)
> {
> 	struct super_block *sb;
> 	int err;
> 
> 	/* Is a devpts filesystem at "pts" in the same directory? */
> 	err = path_pts(path);
> 	if (err)
> 		return err;
> 
> 	/* Is the path the root of a devpts filesystem? */
> 	sb = path->mnt->mnt_sb;
> 	if ((sb->s_magic != DEVPTS_SUPER_MAGIC) ||
> 	    (path->mnt->mnt_root != sb->s_root))
> 		return -ENODEV;
> 
> 	return 0;
> }
> 
> ....
> 	if ((DEVPTS_SB(path.mnt->mnt_sb) == fsi) &&
> 	    (path.mnt->mnt_root == fsi->ptmx_dentry)) {
> 		/* While the start point is a bind mount of single file
>                  * walk upwards.
>                  */
>             	while ((path.mnt->mnt_root == path.dentry) && follow_up(&path))
> 			;
> 		if (devpts_ptmx_pts_path(&path) == 0) {
>                 	dput(path.dentry);
>                    	return path.mnt;     
>                 }
>                 /* No luck fall through to the old code */
>                 path_put(path);
>                 path = filp->f_path;
>                 path_get(&path);
>         }
> 
> The fall through vs fail would be a judgement on how important it is to
> have a useable path in proc for TIOCPTPEER.
> 
> Eric