Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp85003imm; Thu, 12 Jul 2018 14:41:53 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfXbJHxjTWBg4PujH0Vt0wY958LL/tDnPmmchTce+MCef7bqQYgmGt8Hocjj76Hzyx/mPrp X-Received: by 2002:a63:f002:: with SMTP id k2-v6mr3541230pgh.8.1531431712991; Thu, 12 Jul 2018 14:41:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531431712; cv=none; d=google.com; s=arc-20160816; b=njPTIQwI4yjjYEv1/NVjIGTj7x5+GwogUMtIAaLJ0D6xIDWMG8TZWRAqmBWCltRfzX NAbFqGtffjFot0T7ee//fYZn4MSL2tx4J/JyP6zE5WmkkCjrefE+fG0I1g92S8X9VIdX sXEuAt1RmXRF7fWZCJp/r5I741K7UIefDuv314WgQrigYzs0vi1SseYd/exTLXTqxrp+ nHgW8bdNcorAm3IqWFT79iILm2RLyNAXKqTmB+lMqZLgaRDGVHQe6SquAqVohJys5wJw gLyGhPR38atE0cGKwXLUxvehZ11phpHu0OSH+PZ/b4tWeJR+z7nXkvobO5krT/3nu38E Fgdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=pYw+ZJGSxGm6J74XTNum40LIC28Ukp7NFhdm52rnKUc=; b=sqUj3kVPV7iYpIGhkNJYKJOPKYE91wSs+leMdaa5Z/fFqTAVw0Xtbkwk6upIK4R70c 4YFLmXV8ZfFxTKCsJa29ah7JaHwtS1jhkbtOEb8NW1iknccamkEi64zV+gnZiTTsFoYv SAS2xiYhqvECXHhWQLeiphGtMJoViSJDd5AOFgQqs0UgtvoKNd7E2RXNIqPWPULjVXrJ 93stAnImoQwP1fVsu0ofW/PQWxxOOAn8D2ojNaR5zZ4glJta/sAYqCB46XkaZKZhJnUp QsKe8qfLkLvDp28LYHECiAz0OC4zl3s/J1AEMK9BNZt2/zKURl5cVzWoZERjzhLKxHNM g6NA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b="CqXsPx/y"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z33-v6si22033016plb.380.2018.07.12.14.41.37; Thu, 12 Jul 2018 14:41:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b="CqXsPx/y"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733203AbeGLVw2 (ORCPT + 99 others); Thu, 12 Jul 2018 17:52:28 -0400 Received: from mail-io0-f194.google.com ([209.85.223.194]:42101 "EHLO mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733113AbeGLVw1 (ORCPT ); Thu, 12 Jul 2018 17:52:27 -0400 Received: by mail-io0-f194.google.com with SMTP id r24-v6so29544965ioh.9; Thu, 12 Jul 2018 14:41:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pYw+ZJGSxGm6J74XTNum40LIC28Ukp7NFhdm52rnKUc=; b=CqXsPx/yRbvIu0uQQ6NOvpSOb82EF3aswz9WDv0HX/EFKF2YWnAe6lU7ApLJIdBlUv jU4/Rs9AwF7jHOVVhJHuJX57YX8el9tgkwFZU/hP0J4Q2ONWyV2zXtlrOdOmo0TthxPY sH4/Z3if1o9+Fnb46BBHTJA/pklnurc9MvL4M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pYw+ZJGSxGm6J74XTNum40LIC28Ukp7NFhdm52rnKUc=; b=FHuL/79mYplBMQ/c//DcE37ejnpwEgGwDOAZCuHPhVxgIPb+Yjuj0GTeRmXx3rZ4ub /v4K/x3J2y6Oe2MFZ7aCmeH3ZsBtyhMhe+IlmXC90GaEigH7f9x02Uyrgsb/mOqOOI2r g+OAwTBhcu1asgCRo394hDeoRZDRMf/9HGYFfLvEawNe4ZzzQLIDiGQhPt3V3DLvsWUU WTQCqyP98ND3TsF9Bxp6XIc/NZqXGexSUr1iw7dEBmJZR1m2v22sg3JpYZDhR8zXLFXa 7e9O77K8FcGmHMTKBRSXci9aXXIGhhMM3djZVhTx18kGAhBFyicUkZM1MBnu+W1jHCC6 kIXQ== X-Gm-Message-State: AOUpUlHINnFq+7PPt/qFKCy7ZGiSUDnz1MQDp+YYry/fw35QHK3mK3Nd jY4f0wO1kGpnBPW7w5Qn1vq+tQAVwjvIdi0VtpGvDM6C X-Received: by 2002:a6b:274f:: with SMTP id n76-v6mr30313690ion.259.1531431660330; Thu, 12 Jul 2018 14:41:00 -0700 (PDT) MIME-Version: 1.0 References: <153126248868.14533.9751473662727327569.stgit@warthog.procyon.org.uk> <153126264966.14533.3388004240803696769.stgit@warthog.procyon.org.uk> <686E805C-81F3-43D0-A096-50C644C57EE3@amacapital.net> <22370.1531293761@warthog.procyon.org.uk> <7002.1531407244@warthog.procyon.org.uk> <16699.1531426991@warthog.procyon.org.uk> <18233.1531430797@warthog.procyon.org.uk> In-Reply-To: <18233.1531430797@warthog.procyon.org.uk> From: Linus Torvalds Date: Thu, 12 Jul 2018 14:40:49 -0700 Message-ID: Subject: Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9] To: David Howells Cc: Andrew Lutomirski , Al Viro , Linux API , linux-fsdevel , Linux Kernel Mailing List , Jann Horn Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 12, 2018 at 2:26 PM David Howells wrote: > > The problem is that there's more than one actual "open" involved. No. The problem is "write()". This is not about open, about fsopen, or about anything at all. This is about the fact that "write()" by definition can happen in a different - and unexpected - context. Whether that be due to suid or due to splice, or due to any other random issue is entirely immaterial. (The same is true of "read()" too, but very few people try to make "read()" have side effects, so it's less of an issue. It does happen, though). But once you have another interface than "read/write()", the issues go away. Those other interfaces are synchronous, and now you can decide "ok, I'll just use current creds". > (1) Pass the creds from ->get_tree() all the way down into pathwalk and make > sure *every* check that pathwalk does uses it. No. See above. If your write() does anything but buffering data, it's not getting merged. > (2) When do_the_create_thing() is invoked, it wraps the call to ->get_tree() > with override_creds(file->f_cred). No. We do not wrap creds in any case. It's just asking for *another* kind of security issue, where you fool some higher-security thing into giving you access because it wrapped the higher-security case instead. > (3) Forget using an fd to refer to the context. fsopen() takes absolutely > everything, perhaps as a kv array and spits out an O_PATH fd. That works. Or you know - do what I told you to do ALL THE TIME, which was to not use write(), or to only buffer things with write(). But yes, any option that simply avoids read and write is fine. You can even have a file descriptor. We already have file descriptors that cannot be read from or written to. It's quite common for special devices, the whole "open /dev/floppy with O_NONBLOCK only to be able to do control operations with it" goes back to pretty much day #1. More recently, we have the whole "FMODE_PATH" kind of file descriptor, which works as a directory entry, but not for read and write. So file descriptors can have very useful properties. But no. We do not use "write()" to implement actions. If you think you need to check permissions and think you need a "cred", then you're not using write(). It really is that simple. Not using write just avouds *all* the problems. If you can fool a suid application to do arbitrary system calls for you, then it's not the system call that is the security problem. Linus