From: David Laight
To: 'Aleksa Sarai', Jeff Layton, "J. Bruce Fields", Al Viro, Arnd Bergmann, Shuah Khan
CC: David Howells, Andy Lutomirski, Christian Brauner, Eric Biederman, Tycho Andersen, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, dev@opencontainers.org, containers@lists.linux-foundation.org
Subject: RE: [PATCH 0/3] namei: implement various scoping AT_* flags
Date: Mon, 1 Oct 2018 13:28:28 +0000
Message-ID: <1f1d699b1c8d472495a5b07199c31a6e@AcuMS.aculab.com>
References: <20180929103453.12025-1-cyphar@cyphar.com>
In-Reply-To: <20180929103453.12025-1-cyphar@cyphar.com>

> From: Aleksa Sarai
> Sent: 29 September 2018 11:35
>
> The need for some sort of control over VFS's path resolution (to avoid
> malicious paths resulting in inadvertent breakouts) has been a very
> long-standing desire of many userspace applications. This patchset is a
> revival of Al Viro's old AT_NO_JUMPS[1] patchset with a few additions.
>
> The most obvious change is that AT_NO_JUMPS has been split as discussed
> in the original thread, along with a further split of AT_NO_PROCLINKS
> which means that each individual property of AT_NO_JUMPS is now a
> separate flag:
>
> * Path-based escapes from the starting-point using "/" or ".." are
>   blocked by AT_BENEATH.

You may need to allow absolute paths that refer to items inside the controlled area.
(Even if done by a textual replacement based on the expected name of the base directory.)

> * Mountpoint crossings are blocked by AT_XDEV.

You might want a mountpoint flag that allows crossing into the mounted filesystem
(you may need to get out in order to do pwd()).

> * /proc/$pid/fd/$fd resolution is blocked by AT_NO_PROCLINKS (more
>   correctly it actually blocks any user of nd_jump_link() because it
>   allows out-of-VFS path resolution manipulation).

Or 'fix' the /proc/$pid/fd/$fd code to open the actual vnode rather than being
a symlink (although this might still let you get a directory vnode).
FWIW this is what NetBSD does - you can link the open file back into the filesystem!

> AT_NO_JUMPS is now effectively (AT_BENEATH|AT_XDEV|AT_NO_PROCLINKS). At
> Linus' suggestion in the original thread, I've also implemented
> AT_NO_SYMLINKS which just denies _all_ symlink resolution (including
> "proclink" resolution).

What about allowing 'trivial' symlinks?

...

> Currently I've only enabled these for openat(2) and the stat(2) family.
> I would hope we could enable it for basically every *at(2) syscall --
> but many of them appear to not have a @flags argument and thus we'll
> need to add several new syscalls to do this. I'm more than happy to send
> those patches, but I'd prefer to know that this preliminary work is
> acceptable before doing a bunch of copy-paste to add new sets of *at(2)
> syscalls.

If you make the flags a property of the directory vnode (perhaps as well as any
syscall flags), and make it inherited by vnode lookup then it can be used to stop
library functions (or entire binaries) using blocked paths.
You'd then only need to add an fcntl() call to set the flags (but never clear them)
to get the restriction applied to every lookup.

...

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
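The following is an added example, not code from the patchset or from either participant in the thread. It shows, in plain userspace C, the property AT_BENEATH is meant to enforce in the kernel (no escape from the starting directory via "/" or ".."), together with the textual-replacement handling of absolute paths David suggests (an absolute path is accepted only when it starts with the expected base directory, so "/srv/jail/etc/hosts" maps to "etc/hosts" while "/srv/jailbreak/x" does not). The base "/srv/jail" and the sample inputs are constructed for the demo. The limitation is the reason the thread wants kernel flags at all: a lexical check never sees symlinks, mount crossings or /proc/$pid/fd magic links, so the result must still be opened relative to a held dirfd, and it is no substitute for AT_XDEV, AT_NO_SYMLINKS or AT_NO_PROCLINKS when the kernel provides them.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 64
#define OUT_MAX 4096

/* Lexical AT_BENEATH-style scoping (example code, not the kernel patch).
 * base: absolute path of the controlled area, e.g. "/srv/jail" (constructed).
 * path: untrusted path, either relative to base or absolute.
 * On success returns 0 and writes a normalised path *relative to base* into
 * out, suitable for openat(dirfd_of_base, out, ...).  Returns -1 if the path
 * would escape base via "/" or "..", or if it does not fit. */
int scope_path(const char *base, const char *path, char *out, size_t outlen)
{
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    size_t depth = 0;
    const char *rest = path;

    if (path[0] == '/') {
        /* Absolute path: allowed only when it names something inside base.
         * This is the "textual replacement based on the expected name of the
         * base directory" idea; the prefix must end on a '/' boundary so that
         * "/srv/jailbreak" is not mistaken for "/srv/jail". */
        size_t blen = strlen(base);
        while (blen > 1 && base[blen - 1] == '/')
            blen--;                              /* tolerate trailing '/' */
        if (blen == 1 && base[0] == '/') {
            rest = path;                         /* base is "/": keep all */
        } else if (strncmp(path, base, blen) != 0 ||
                   (path[blen] != '/' && path[blen] != '\0')) {
            return -1;                           /* escape via "/" */
        } else {
            rest = path + blen;
        }
    }

    /* Walk the components: "." is dropped, ".." pops one level, anything
     * else is pushed.  A ".." with nothing left to pop would climb above the
     * starting point, which is exactly what AT_BENEATH refuses. */
    while (*rest) {
        while (*rest == '/')
            rest++;                              /* collapse "//" */
        if (!*rest)
            break;
        const char *end = strchr(rest, '/');
        size_t len = end ? (size_t)(end - rest) : strlen(rest);
        if (len == 1 && rest[0] == '.') {
            /* "." : no-op */
        } else if (len == 2 && rest[0] == '.' && rest[1] == '.') {
            if (depth == 0)
                return -1;                       /* ".." above the start */
            depth--;
        } else {
            if (depth == MAX_COMPONENTS)
                return -1;
            comps[depth] = rest;
            lens[depth] = len;
            depth++;
        }
        rest += len;
    }

    /* Re-join the surviving components; an empty result means base itself. */
    if (depth == 0) {
        if (outlen < 2)
            return -1;
        strcpy(out, ".");
        return 0;
    }
    size_t used = 0;
    for (size_t i = 0; i < depth; i++) {
        if (used + (i ? 1 : 0) + lens[i] + 1 > outlen)
            return -1;
        if (i)
            out[used++] = '/';
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

/* Small wrappers so a caller (or a test) can check results without managing
 * a buffer: scopes_to() is 1 when path stays in scope and normalises to
 * `expected`; escapes() is 1 when scope_path() rejects the path. */
int scopes_to(const char *base, const char *path, const char *expected)
{
    char buf[OUT_MAX];
    return scope_path(base, path, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int escapes(const char *base, const char *path)
{
    char buf[OUT_MAX];
    return scope_path(base, path, buf, sizeof buf) != 0;
}

int main(void)
{
    const char *base = "/srv/jail";              /* constructed example base */
    const char *inputs[] = { "etc/passwd", "a/../b", "../etc/passwd",
                             "/etc/passwd", "/srv/jail/etc/hosts",
                             "/srv/jailbreak/x" };
    char buf[OUT_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        if (scope_path(base, inputs[i], buf, sizeof buf) == 0)
            printf("%-22s -> openat(dirfd, \"%s\")\n", inputs[i], buf);
        else
            printf("%-22s -> rejected (would escape %s)\n", inputs[i], base);
    }
    return 0;
}
```

Note that "a/../b" is accepted and normalises to "b", matching the patchset's description (only escapes from the starting point are blocked, not ".." in general); if "a" were a symlink pointing outside the base, the kernel would follow it before applying "..", which a string-level check cannot model and which AT_NO_SYMLINKS exists to stop.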