Date: Mon, 1 Oct 2018 09:55:58 -0400
From: Bruce Fields
To: Aleksa Sarai
Cc: Jann Horn, "Eric W. Biederman", jlayton@kernel.org, Al Viro, Arnd Bergmann, shuah@kernel.org, David Howells, Andy Lutomirski, christian@brauner.io, Tycho Andersen, kernel list, linux-fsdevel@vger.kernel.org, linux-arch, linux-kselftest@vger.kernel.org, dev@opencontainers.org, containers@lists.linux-foundation.org, Linux API
Subject: Re: [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution
Message-ID: <20181001135558.GB25003@fieldses.org>
References: <20180929103453.12025-1-cyphar@cyphar.com> <20180929131534.24472-1-cyphar@cyphar.com> <20181001054246.gfinmx3api7kjhmc@ryuk>
In-Reply-To: <20181001054246.gfinmx3api7kjhmc@ryuk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 01, 2018 at 03:44:28PM +1000, Aleksa Sarai wrote:
> On 2018-09-29, Jann Horn wrote:
> > The problem is what happens if a folder you are walking through is
> > concurrently moved out of the chroot. Consider the following scenario:
> >
> > You attempt to open "C/../../etc/passwd" under the root "/A/B".
> > Something else concurrently moves /A/B/C to /A/C. This can result in
> > the following:
> >
> > 1. You start the path walk and reach /A/B/C.
> > 2. The other process moves /A/B/C to /A/C. Your path walk is now at /A/C.
> > 3. Your path walk follows the first ".." up into /A. This is outside
> >    the process root, but you never actually encountered the process root,
> >    so you don't notice.
> > 4. Your path walk follows the second ".." up to /. Again, this is
> >    outside the process root, but you don't notice.
> > 5. Your path walk walks down to /etc/passwd, and the open completes
> >    successfully. You now have an fd pointing outside your chroot.
> >
> > If the root of your walk is below an attacker-controlled directory,
> > this of course means that you lose instantly. If you point the root of
> > the walk at a directory out of which a process in the container
> > wouldn't be able to move the file, you're probably kinda mostly fine -
> > as long as you know, for certain, that nothing else on the system
> > would ever do that. But I still wouldn't feel good about that.
>
> Please correct me if I'm wrong here (this is the first patch I've
> written for VFS). Isn't the retry/LOOKUP_REVAL code meant to handle this?

No.

...

> Speaking naively, doesn't it make sense to invalidate the walk if a path
> component was modified? Or is this something that would be far too
> costly with little benefit?

Lookups and renames can definitely proceed in parallel, and yes I suspect
it would be difficult to get good performance and guaranteed forward
progress if you required lookup of the full path to be atomic with
respect to renames.

--b.
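The escape Jann describes in the quoted message, reproduced deterministically in userspace as an added example (this is not code from the thread, from the AT_THIS_ROOT patch, or from the kernel): a naive chroot-like walk resolves "C/../../etc/passwd" one component at a time with openat() relative to a root directory fd, clamping ".." only when the current directory is the root itself. A hook called after each resolved component stands in for the concurrent rename at step 2, so the result does not depend on scheduling. The directory tree (<tmp>/A/B/C and a dummy <tmp>/etc/passwd, never the real file) is constructed under /tmp, and the helper names (naive_walk_in_root, checked_walk_in_root, is_under_root, run_scenario, the step_hook callback) are the example's own. The checked variant adds the check a caller of such an interface would want: after the walk, climb ".." from the result and refuse it with EXDEV if the root is never reached.

```c
#define _GNU_SOURCE /* O_PATH, renameat, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* assumption: the generic Linux value (x86, arm, ...) */
#endif

/* Called after every resolved component; the demo uses it to do the rename at exactly
 * step 2 of the scenario, so the outcome does not depend on thread scheduling. */
typedef void (*step_hook)(const char *component, void *arg);

static int same_inode(int a, int b) {
    struct stat sa, sb;
    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0) return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Naive chroot-like walk: openat() one component at a time relative to rootfd, clamping
 * ".." only when the current directory IS the root (by dev/ino); symlinks not followed.
 * Returns an O_PATH fd or -1 with errno set; *last_dir (if non-NULL) receives a dup of
 * the directory the final lookup ran in. */
static int naive_walk_in_root(int rootfd, const char *path, step_hook hook, void *arg, int *last_dir) {
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int cur = dup(rootfd), parent = -1;
    if (cur < 0) return -1;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0 && same_inode(cur, rootfd)) continue; /* clamp at root */
        int next = openat(cur, tok, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) { int e = errno; close(cur); if (parent >= 0) close(parent); errno = e; return -1; }
        if (parent >= 0) close(parent);
        parent = cur; cur = next; /* if cur is renamed now, its ".." leads out of the root */
        if (hook) hook(tok, arg);
    }
    if (last_dir) *last_dir = parent >= 0 ? parent : dup(rootfd);
    else if (parent >= 0) close(parent);
    return cur;
}

/* Post-walk check: climb ".." from dirfd; 1 if rootfd is reached, 0 if "/" comes first.
 * A snapshot only: a rename that lands after it is the same race again. */
static int is_under_root(int dirfd, int rootfd) {
    int cur = dup(dirfd);
    for (int depth = 0; cur >= 0 && depth < 256; depth++) {
        if (same_inode(cur, rootfd)) { close(cur); return 1; }
        int up = openat(cur, "..", O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (up < 0 || same_inode(up, cur)) { if (up >= 0) close(up); break; }
        close(cur); cur = up;
    }
    if (cur >= 0) close(cur);
    return 0;
}

/* Same walk, but a result that no longer has rootfd as an ancestor is rejected with
 * EXDEV (checked on the result itself for a directory, else on its lookup directory). */
static int checked_walk_in_root(int rootfd, const char *path, step_hook hook, void *arg) {
    int dir = -1, fd = naive_walk_in_root(rootfd, path, hook, arg, &dir);
    if (fd < 0) return -1;
    struct stat st;
    int inside = fstat(fd, &st) == 0 && is_under_root(S_ISDIR(st.st_mode) ? fd : dir, rootfd);
    close(dir);
    if (!inside) { close(fd); errno = EXDEV; return -1; }
    return fd;
}

struct race_ctx { int base; int fired; };
/* Step 2 of the scenario: once the walk has resolved C, move it out of the root. */
static void rename_c_out_of_root(const char *component, void *arg) {
    struct race_ctx *ctx = arg;
    if (ctx->fired || strcmp(component, "C") != 0) return;
    ctx->fired = 1;
    renameat(ctx->base, "A/B/C", ctx->base, "A/C");
}

/* Constructs <tmp>/A/B/C plus a dummy <tmp>/etc/passwd, walks "C/../../etc/passwd" with
 * root <tmp>/A/B and returns 0 = ENOENT (".." clamped, no escape), 1 = the fd handed
 * back is <tmp>/etc/passwd (escape), 2 = rejected with EXDEV, -1 = setup/other error. */
static int run_scenario(int inject_rename, int use_check) {
    char tmpl[] = "/tmp/atroot-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int base = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC), outcome = -1;
    if (base < 0) return -1;
    int ok = mkdirat(base, "A", 0700) == 0 && mkdirat(base, "A/B", 0700) == 0 &&
             mkdirat(base, "A/B/C", 0700) == 0 && mkdirat(base, "etc", 0700) == 0;
    int pw = openat(base, "etc/passwd", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int rootfd = openat(base, "A/B", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (ok && pw >= 0 && rootfd >= 0) {
        struct race_ctx ctx = { base, 0 };
        step_hook hook = inject_rename ? rename_c_out_of_root : NULL;
        int fd = use_check ? checked_walk_in_root(rootfd, "C/../../etc/passwd", hook, &ctx)
                           : naive_walk_in_root(rootfd, "C/../../etc/passwd", hook, &ctx, NULL);
        if (fd < 0) outcome = errno == ENOENT ? 0 : errno == EXDEV ? 2 : -1;
        else { outcome = same_inode(fd, pw) ? 1 : -1; close(fd); }
    }
    /* best-effort cleanup; C is at A/B/C or A/C depending on whether the rename fired */
    if (pw >= 0) close(pw);
    if (rootfd >= 0) close(rootfd);
    unlinkat(base, "etc/passwd", 0); unlinkat(base, "etc", AT_REMOVEDIR);
    unlinkat(base, "A/B/C", AT_REMOVEDIR); unlinkat(base, "A/C", AT_REMOVEDIR);
    unlinkat(base, "A/B", AT_REMOVEDIR); unlinkat(base, "A", AT_REMOVEDIR);
    close(base); rmdir(tmpl);
    return outcome;
}
```

Without the rename, run_scenario(0, 0) returns 0: the first ".." brings the walk back to the root, the second is clamped there, and "etc" does not exist under the root, so the open fails with ENOENT. With the rename injected after C is resolved, run_scenario(1, 0) returns 1: the ".." from the moved directory lands in <tmp>/A, the next one in <tmp>, and the walk hands back <tmp>/etc/passwd without ever having passed through the root, exactly steps 3 to 5 above. run_scenario(1, 1) returns 2, because the post-walk climb from <tmp>/etc reaches "/" without meeting the root. That check only narrows the window rather than closing it: a rename that lands between the check and the use of the fd is the same race again, which is the point of the reply that full-path atomicity against renames is not on offer. The userspace analogue of a kernel-side fix is to re-validate and retry in a loop; the interface that eventually shipped for this problem, openat2(2) with RESOLVE_IN_ROOT in Linux 5.6, retries the walk when the rename sequence count changes under it, but that postdates this thread.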