Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1164287imm;
        Wed, 18 Jul 2018 18:31:35 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfPz0Q8oRnNo+a8fj3FN26UwXjswjiuRgR4keDg2l37iI1S1sZwvb8ByF2dwHqV9P83h0gf
X-Received: by 2002:a65:6086:: with SMTP id t6-v6mr8088800pgu.424.1531963895212;
        Wed, 18 Jul 2018 18:31:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531963895; cv=none;
        d=google.com; s=arc-20160816;
        b=qrWPlTvI0KawEjkxfh+X7bnP6pCAckAFIk1WCr0Od3iC5dvMsqD1aQjvS7RPDBml9I
         rvGxcbPDndDsumaZ0naRJT2gwyOC3Z9UEn9L5ZqeoreBd2MUAVa2Hw4qvwKvcIkO0zSX
         a1LtbrHnatTaB3zvwEbccF6XE1UeapZ5wPo6PGl7XbddGLxdOAXdhCIkaA+Ksvj1lWUw
         mzsCLjrWNR5BvS0fbDb9XR6FzbZxOJpL2Sd/EzcaTCa1HqXgkkR1STLcgxcaFnld64pV
         lQMJaOH1KRm1nR+/1stAgwfDqU/UxnLt0gypoQ/Vf17XGuMitXbUH/SMCY9YmfJ7M6YD
         ChVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from
         :arc-authentication-results;
        bh=lbwNg/5+oGGCJvtoCvv2KdL8GIY983SDlweZf8GU868=;
        b=I3/ATbGotOmKAxRH9d3moHaHVTZX/YdpltgZLdJUfPrR6pfc8XY80B3c/z3f9AyUNd
         UWHkp2sMYSW3CBFGnNAV+RBpbJw4MmicVgq00T3/T3MiVI9qTdsPNXqkm4qaplbEJzUA
         Oq75L3fW0T8YmuXxN41ytR7o+j6Wbmo6YZXmgW8Ze3ymmzFQctRBV2FJn+2//29b86XA
         dQoKxYqZ4j7Ip8p9EQfRT/1BYuGBA6X7po0glZZkVtL2vM8zpeNgOuvuxPeQbb7GUhJe
         PfyZhUwqlVf4TsYdIc2b2J4EMseN3KcjZ806CmI1jxkrty8QUle636nkb8jfcHFW4blK
         9ePw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x17-v6si4386911pfn.286.2018.07.18.18.31.19;
        Wed, 18 Jul 2018 18:31:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730974AbeGSCLU (ORCPT <rfc822;michael.k.kehoe@gmail.com>
        + 99 others); Wed, 18 Jul 2018 22:11:20 -0400
Received: from out03.mta.xmission.com ([166.70.13.233]:51680 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730094AbeGSCLU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Jul 2018 22:11:20 -0400
Received: from in02.mta.xmission.com ([166.70.13.52])
        by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1ffxmE-0007wU-IV; Wed, 18 Jul 2018 19:30:42 -0600
Received: from [97.119.167.31] (helo=x220.xmission.com)
        by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1ffxlz-00028y-1L; Wed, 18 Jul 2018 19:30:42 -0600
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     David Howells <dhowells@redhat.com>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        "Theodore Y. Ts'o" <tytso@mit.edu>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Lutomirski <luto@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Linux API <linux-api@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Jann Horn <jannh@google.com>
References: <5A7CC3BF-5F4E-4624-A129-4BD0434D0747@amacapital.net>
        <3236C75A-5D74-4BB4-A1EC-06F6E22D810C@amacapital.net>
        <611054C7-D6E8-4C89-958E-3128C9305E1E@amacapital.net>
        <20180712223223.GA28610@thunk.org>
        <CA+55aFw1WyKY+-2dg62M-QT_F0-waCTCrba1DW4dStYz-f_fjA@mail.gmail.com>
        <153126248868.14533.9751473662727327569.stgit@warthog.procyon.org.uk>
        <153126264966.14533.3388004240803696769.stgit@warthog.procyon.org.uk>
        <686E805C-81F3-43D0-A096-50C644C57EE3@amacapital.net>
        <22370.1531293761@warthog.procyon.org.uk>
        <CALCETrU3kbh-ZRHDj7-Asq+OH-35dQ2p_erpHpYUvN5+BdAoVQ@mail.gmail.com>
        <7002.1531407244@warthog.procyon.org.uk>
        <CA+55aFx+xm333ZZ7d2Z39QuhDu=0XM6nTMChbHvWQOXNk32yxw@mail.gmail.com>
        <16699.1531426991@warthog.procyon.org.uk>
        <18233.1531430797@warthog.procyon.org.uk>
        <22105.1531436081@warthog.procyon.org.uk>
        <23894.1531438559@warthog.procyon.org.uk>
        <26064.1531440190@warthog.procyon.org.uk>
        <3429.1531467024@warthog.procyon.org.uk>
Date:   Wed, 18 Jul 2018 20:30:19 -0500
In-Reply-To: <3429.1531467024@warthog.procyon.org.uk> (David Howells's message
        of "Fri, 13 Jul 2018 08:30:24 +0100")
Message-ID: <87o9f4f1w4.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1ffxlz-00028y-1L;;;mid=<87o9f4f1w4.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=97.119.167.31;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18raZo2qbeltvm9HtK1ksyxPNimAgjxaWM=
X-SA-Exim-Connect-IP: 97.119.167.31
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa07.xmission.com
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,T_TooManySym_02,
        XMNoVowels,XMSubLong autolearn=disabled version=3.4.1
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.7 XMSubLong Long Subject
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.5000]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
        *  0.0 T_TooManySym_02 5+ unique symbols in subject
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;David Howells <dhowells@redhat.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 15023 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.4 (0.0%), b_tie_ro: 1.62 (0.0%), parse: 0.80 (0.0%),
        extract_message_metadata: 11 (0.1%), get_uri_detail_list: 1.48 (0.0%),
        tests_pri_-1000: 3.0 (0.0%), tests_pri_-950: 1.13 (0.0%), tests_pri_-900:
        1.00 (0.0%), tests_pri_-400: 21 (0.1%), check_bayes: 20 (0.1%), b_tokenize: 7
        (0.0%), b_tok_get_all: 7 (0.0%), b_comp_prob: 2.1 (0.0%), b_tok_touch_all:
        2.5 (0.0%), b_finish: 0.51 (0.0%), tests_pri_0: 191 (1.3%),
        check_dkim_signature: 0.48 (0.0%), check_dkim_adsp: 2.8 (0.0%),
        tests_pri_500: 14789 (98.4%), poll_dns_idle: 14780 (98.4%), rewrite_mail:
        0.00 (0.0%)
Subject: Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9]
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

David Howells <dhowells@redhat.com> writes:

> Andy Lutomirski <luto@amacapital.net> wrote:
>
>> > Also you can't currently directly create a bind mount from userspace as you
>> > can only bind from another path point - which you may not be able to access
>> > (either by permission failure or because it's not in your mount namespace).
>> > 
>> 
>> Are you trying to preserve the magic bind semantics with the new API?
>
> No, I'm pointing out that you can't emulate this by doing a bind mount from
> userspace if you can't access the thing you're binding from.
>
> Now, we could create a syscall that just picks up an extant superblock using a
> device and attaches it to a mount for you, but that would have to be at least
> partially parameterised - which would be very fs-dependent - so that it can
> know whether or not you're allowed to create another mount to that sb.
>
> What you're talking about is emulating sget() in userspace - when we have to
> do it in the kernel anyway if we still offer mount(2).

I am just going to chime in and say that it is absolutely a problem in
the current mount interface that when I mount a filesystem with fresh
parameters I don't know if it is generates an sget and a new super_block
or if it just increments the refcount on an existing super_block.

It is the kind of problem that is actually security sensitive and has
resulted in a security issue in the current linux kernel with respect to
proc.

So yes we absolutely need to have a clean way of dealing with:

mount /dev/sda3 /tmp
mount /dev/sda3 /mnt

So that the second one is forbidden fails.  And userspace has to do the
equivalent of sget to get a file descriptor it can bind into the mount
namespace.

The deep problem is that the second mount does not parse the mount
options and userspace does not know that.  So userspace thinks it is
getting one kind of mount and in practice it gets another (sometimes
with different security properties).  Those different security
properties are an out and out bug.  Although any kind of different and
unexpected properties can be a problem.

Eric