Subject: Re: [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution
From: Andy Lutomirski
Date: Sat, 29 Sep 2018 10:25:17 -0700
To: Jann Horn
Cc: cyphar@cyphar.com, "Eric W. Biederman", jlayton@kernel.org, Bruce Fields, Al Viro, Arnd Bergmann, shuah@kernel.org, David Howells, Andy Lutomirski, christian@brauner.io, Tycho Andersen, kernel list, linux-fsdevel@vger.kernel.org, linux-arch, linux-kselftest@vger.kernel.org, dev@opencontainers.org, containers@lists.linux-foundation.org, Linux API
References: <20180929103453.12025-1-cyphar@cyphar.com> <20180929131534.24472-1-cyphar@cyphar.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Sep 29, 2018, at 9:35 AM, Jann Horn wrote:
>
> +cc linux-api; please keep them in CC for future versions of the patch
>
>> On Sat, Sep 29, 2018 at 4:29 PM Aleksa Sarai wrote:
>> The primary motivation for the need for this flag is container runtimes
>> which have to interact with malicious root filesystems in the host
>> namespaces. One of the first requirements for a container runtime to be
>> secure against a malicious rootfs is that they correctly scope symlinks
>> (that is, they should be scoped as though they are chroot(2)ed into the
>> container's rootfs) and ".."-style paths. The already-existing AT_XDEV
>> and AT_NO_PROCLINKS help defend against other potential attacks in a
>> malicious rootfs scenario.
>
> So, I really like the concept for patch 1 of this series (but haven't
> read the code yet); but I dislike this patch because of its footgun
> potential.
>

The code could do it differently: do the path walk and then, before accepting the result, walk back up and make sure the result is under the starting point.

This is *not* a full solution, though, since a walk above the root has side effects on timing, various caches, and possibly network traffic, so it's open to Spectre-like attacks in which a malicious container could use a runtime-initiated AT_THIS_ROOT to infer the existence of directories outside the container.
But what's the container use case? Any sane container is based on pivot_root or similar, so the runtime can just do the walk in the container context. IOW I'm a bit confused as to the exact intended use of the whole series. Can you elaborate?
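A userspace sketch of the check-after-resolve idea described in the reply above (let the kernel resolve the path, then walk ".." back up and require the walk to reach the starting directory before it reaches "/"), added here as an example; it is not code from the patch series or from any participant. The fixture layout, the function names and the use of (st_dev, st_ino) comparison are assumptions, and, as the email notes, the escaping walk has already happened by the time the check rejects it.

```c
/* Check-after-resolve: open a directory path relative to rootfd (the kernel follows
 * symlinks and ".." freely), then walk ".." back up and insist the walk meets rootfd
 * before it meets the filesystem root. Not TOCTOU-safe: the check runs after the open. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static int same_inode(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}
/* 1 = dirfd is rootfd or beneath it, 0 = it escaped, -1 = error. Consumes dirfd. */
static int walk_up_to_root(int rootfd, int dirfd) {
    struct stat root_st, cur_st, up_st;
    if (fstat(rootfd, &root_st) < 0 || fstat(dirfd, &cur_st) < 0) { close(dirfd); return -1; }
    for (int cur = dirfd;;) {
        if (same_inode(&cur_st, &root_st)) { close(cur); return 1; }
        int up = openat(cur, "..", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        close(cur);
        if (up < 0 || fstat(up, &up_st) < 0) { if (up >= 0) close(up); return -1; }
        if (same_inode(&up_st, &cur_st)) { close(up); return 0; } /* ".." of "/" is "/" */
        cur = up; cur_st = up_st;
    }
}
/* Resolve a directory path under rootfd: 1 = inside, 0 = outside, -1 = error. */
int resolve_dir_under_root(int rootfd, const char *path) {
    int fd = openat(rootfd, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    return fd < 0 ? -1 : walk_up_to_root(rootfd, fd);
}
/* Constructed fixture (hypothetical layout): base/root/inside, base/outside and a symlink
 * base/root/escape -> ../outside. Returns 1 when all three resolutions behave as expected. */
int self_test(void) {
    char base[] = "/tmp/at_this_root_XXXXXX", p[96];
    if (!mkdtemp(base)) return -1;
    int ok = 1;
    snprintf(p, sizeof p, "%s/root", base);        ok &= mkdir(p, 0700) == 0;
    snprintf(p, sizeof p, "%s/root/inside", base); ok &= mkdir(p, 0700) == 0;
    snprintf(p, sizeof p, "%s/outside", base);     ok &= mkdir(p, 0700) == 0;
    snprintf(p, sizeof p, "%s/root/escape", base); ok &= symlink("../outside", p) == 0;
    snprintf(p, sizeof p, "%s/root", base);
    int rootfd = open(p, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (!ok || rootfd < 0) return -1;
    int r = resolve_dir_under_root(rootfd, "inside") == 1
         && resolve_dir_under_root(rootfd, "escape") == 0   /* symlink led out of root */
         && resolve_dir_under_root(rootfd, "..") == 0;
    close(rootfd); return r;
}
```

Regular files need one extra step (walk from the file's parent directory), and the fixture directory is left in place after the run.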