From: ebiederm@xmission.com (Eric W. Biederman)
To: Ilya Matveychikov
Cc: linux-kernel@vger.kernel.org, Alexander Viro, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] ksys_mount: check for permissions before resource allocation
Date: Wed, 06 Jun 2018 09:22:32 -0500
Message-ID: <87muw8805z.fsf@xmission.com>
In-Reply-To: <64021AF2-81EE-439C-91D4-9A33AB0D08F7@gmail.com> (Ilya Matveychikov's message of "Wed, 6 Jun 2018 13:32:12 +0400")

Ilya Matveychikov writes:

>> On Jun 5, 2018, at 11:56 PM, Eric W. Biederman wrote:
>>
>> Ilya Matveychikov writes:
>>
>>> Just CC'ed to some of the maintainers.
>>>
>>> $ perl scripts/get_maintainer.pl fs/0001-ksys_mount-check-for-permissions-before-resource-all.patch
>>> Alexander Viro (maintainer:FILESYSTEMS (VFS and infrastructure))
>>> linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure))
>>> linux-kernel@vger.kernel.org (open list)
>>>
>>>> On Jun 5, 2018, at 6:00 AM, Ilya Matveychikov wrote:
>>>>
>>>> Early check for mount permissions prevents possible allocation of 3
>>>> pages from kmalloc() pool by unprivileged user which can be used for
>>>> spraying the kernel heap.
>>
>> *Snort*
>>
>> You clearly have not read may_mount. Your modified code still
>> lets unprivileged users in. So even if all of Al's good objections
>> were not applicable this change would still be buggy and wrong.
>>
>> Nacked-by: "Eric W. Biederman"
>
>
> Don't get me wrong but may_mount() is:
>
> static inline bool may_mount(void)
> {
>         return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
> }
>
> What do you mean by "You clearly have not read may_mount"? The only thing that
> can affect may_mount result (as mentioned earlier) is that task's NS capability
> might be changed by security_sb_mount() hook.
>
> So, do you think that it's possible to NOT have CAP_SYS_ADMIN while entering
> ksys_mount() but getting it with the security_sb_mount() hook?

I mean it works for unprivileged users. You can try "unshare -Urm" on a
reasonably recent kernel and it will work and you can then mount and
unmount things.

Strictly speaking it only works if you have the appropriate set of
capabilities in your user namespace. But that does not imply you are a
privileged user in the broader sense.

Any user can create a user namespace, and become the root user in a
user namespace. The root user in a user namespace can create a mount
namespace. The root user in a user namespace can mount and unmount
filesystems in their namespace.

Or, in net, anyone can call mount and get past the may_mount test.

Without reducing who can cause the kernel allocation, moving the test is
pointless.

Eric
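Eric's point is that may_mount() is not a privilege boundary on a kernel where any user may create a user namespace, so the control that actually limits who can reach the allocation is whether unprivileged user namespace creation is permitted at all. The POSIX sh script below is an added example, not code from this thread or from the kernel tree: it classifies a host from the sysctls user.max_user_namespaces (mainline) and kernel.unprivileged_userns_clone (a Debian/Ubuntu-only knob, absent elsewhere), then confirms with a live "unshare -Ur" attempt as mentioned in the reply.

```shell
#!/bin/sh
# Added example (not part of the thread): report whether an unprivileged user
# on this host can reach may_mount() by becoming root in a user namespace.

# classify_userns MAX_USER_NS UNPRIV_CLONE
# Pure function over sysctl values (pass "" when a knob does not exist) so the
# verdict can be checked without root. Prints the verdict; returns 0 when
# unprivileged user namespaces are allowed, 1 when they are blocked.
classify_userns() {
    max_ns=$1
    unpriv_clone=$2
    if [ -n "$max_ns" ] && [ "$max_ns" -eq 0 ] 2>/dev/null; then
        echo "blocked: user.max_user_namespaces=0"
        return 1
    fi
    if [ -n "$unpriv_clone" ] && [ "$unpriv_clone" -eq 0 ] 2>/dev/null; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
        return 1
    fi
    echo "allowed: any user can become root in a user namespace and pass may_mount()"
    return 0
}

# read_sysctl NAME -> value, or nothing when this kernel lacks the knob
read_sysctl() {
    path="/proc/sys/$(echo "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Live probe: the sysctl view plus an actual user-namespace creation, which is
# the check that matters (an LSM or seccomp policy may deny it regardless).
probe_host() {
    verdict=$(classify_userns "$(read_sysctl user.max_user_namespaces)" \
                              "$(read_sysctl kernel.unprivileged_userns_clone)")
    echo "sysctl view: $verdict"
    if command -v unshare >/dev/null 2>&1 && unshare -Ur true 2>/dev/null; then
        echo "live probe:  unshare -Ur succeeded; may_mount() is reachable by this user"
        return 0
    fi
    echo "live probe:  unshare -Ur failed; may_mount() is not reachable by this user"
    return 1
}

rc=0
probe_host || rc=$?
echo "exit status: $rc"
```

Exit status 0 from probe_host means the allocation Ilya's patch worries about is reachable by every local user on this host; 1 means user namespace creation is denied to the current user.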