Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1791568imm; Thu, 12 Jul 2018 07:56:05 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcu2f/z8TD70waNZEFs0CPADJ5wmGwTvogZ5yPWUfPgohnd+4yAIQKaHsjB73wPRhDYSnmv X-Received: by 2002:a62:ec41:: with SMTP id k62-v6mr2776230pfh.206.1531407365099; Thu, 12 Jul 2018 07:56:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531407365; cv=none; d=google.com; s=arc-20160816; b=tDJPkGyNRw/MN8NZ9VbjXsXy3v2Chb5ThGr8jq67u7/SkzfpmlctREFb5FpPz9UsgV ZT8pWSwMO+joJijRIWtKVOLAZHVAbSlK/UZiL2pGhtCu6bKkWPacEcuh5WoJGJgNk01I Q+dRteptP7z07KaG5wK/9hOphjfGuxs0C4MEVnHJBJ3DRjtJNwQeTfKmc0dseAJLR2bL /u580Wq1wF6l5Q0WMqrlpcBBrb70FPhrDvW5AGZiJRx1NWx3gtFaSDStnFZ+pjZxX7Xk zfhn5VjjzVUFP1JfE0cfYGYy4J95CihA/Vj0UtIbloY//QQwVgHR52DHGGJTLOp3eKrY twIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :mime-version:subject:cc:to:references:in-reply-to:from:organization :arc-authentication-results; bh=GRoHtDEnKwr7L8UpSeYAkQu3zzDOtyQkyNyeDfaeehU=; b=Ti0zbNfUoM42Hrerg9hrQGZJKOjB9niBoHpL77VNLYmHrKbPkLYAq5PbTb3rkIi2cp mbklq0x8o6u//VmyeoASEFM3X8j9kaYQBv6B99BIhnP/rs8NwAYmD9aKKG0+Hzyv3wsq S/3nCoT5oT4Nej62e6bZp/6NPzdKy5xWlQJ13SpScDB5tW9NpAj1I5feDtvMg3wxjWzO MEE6SnYwrgp7b6IkWLhfTwcy2E2p6Gmuc6Jf3aPMgA2txgmMXeEfhajU71yPXITE38DT LIF9fVrVGUU5odm6xqh4p1meMJF1EPoSt+QxRiq6dTZGgYYPuxNi1ifilcgk2aBEtCzw h3tw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f18-v6si20478357pgd.16.2018.07.12.07.55.49; Thu, 12 Jul 2018 07:56:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732616AbeGLPEB convert rfc822-to-8bit (ORCPT + 99 others); Thu, 12 Jul 2018 11:04:01 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:36218 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1732305AbeGLPEB (ORCPT ); Thu, 12 Jul 2018 11:04:01 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6E1F67A7EB; Thu, 12 Jul 2018 14:54:06 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-149.rdu2.redhat.com [10.10.120.149]) by smtp.corp.redhat.com (Postfix) with ESMTP id 498FD2026D6B; Thu, 12 Jul 2018 14:54:05 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <153126248868.14533.9751473662727327569.stgit@warthog.procyon.org.uk> <153126264966.14533.3388004240803696769.stgit@warthog.procyon.org.uk> <686E805C-81F3-43D0-A096-50C644C57EE3@amacapital.net> <22370.1531293761@warthog.procyon.org.uk> To: Andy Lutomirski Cc: dhowells@redhat.com, Al Viro , Linux API , Linux FS Devel , Linus Torvalds , LKML , Jann Horn Subject: Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9] MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Date: Thu, 12 Jul 2018 15:54:04 +0100 Message-ID: <7002.1531407244@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 12 Jul 2018 14:54:06 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 12 Jul 2018 14:54:06 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andy Lutomirski wrote: > > On Jul 11, 2018, at 12:22 AM, David Howells wrote: > > > > Andy Lutomirski wrote: > > > >>> sfd = fsopen("ext4", FSOPEN_CLOEXEC); > >>> write(sfd, "s /dev/sdb1"); // note I'm ignoring write's length arg > >> > >> Imagine some malicious program passes sfd as stdout to a setuid > >> program. That program gets persuaded to write "s /etc/shadow". What > >> happens? You’re okay as long as *every single fs* gets it right, but > >> that’s asking a lot. > > > > Do note that you must already have CAP_SYS_ADMIN to be able to call > > fsopen(). > > If you're not allowing it already, someone will want user namespace > root to be able to use this very, very soon. Yeah, I'm sure. And I've been thinking on how to deal with it. I think we *have* to open the source files/devices with the creds of whoever called fsopen() or fspick() - that way you can't upgrade your privs by passing your context fd to a suid program. To enforce this, I think it's simplest for fscontext_write() to call override_creds() right after taking the uapi_mutex and then call revert_creds() right before dropping the mutex. Another thing we might want to look at is to allow a supervisory process to examine the context before permitting the create/reconfigure action to proceed. It might also be possible to do this through the LSM. David