From: Andy Lutomirski
Date: Wed, 11 Jul 2018 10:06:39 -0700
Subject: Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9]
To: David Howells
Cc: Al Viro, Linux API, Linux FS Devel, Linus Torvalds, LKML, Jann Horn

> On Jul 11, 2018, at 12:22 AM, David Howells wrote:
>
> Andy Lutomirski wrote:
>
>>> sfd = fsopen("ext4", FSOPEN_CLOEXEC);
>>> write(sfd, "s /dev/sdb1"); // note I'm ignoring write's length arg
>>
>> Imagine some malicious program passes sfd as stdout to a setuid
>> program. That program gets persuaded to write "s /etc/shadow". What
>> happens? You’re okay as long as *every single fs* gets it right, but that’s
>> asking a lot.
>
> Do note that you must already have CAP_SYS_ADMIN to be able to call fsopen().

If you’re not allowing it already, someone will want user namespace root to be able to use this very, very soon.