Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp1421818imd; Sat, 27 Oct 2018 08:45:47 -0700 (PDT) X-Google-Smtp-Source: AJdET5dCCjFyMNBa8a8F9Lhz730ZZASIC3C26vLj+5HYg27nHbEZ+v84vTMqWnp3MH5w+HsF1Aix X-Received: by 2002:a62:3a8c:: with SMTP id v12-v6mr8116408pfj.118.1540655147671; Sat, 27 Oct 2018 08:45:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540655147; cv=none; d=google.com; s=arc-20160816; b=OAjpUsIPhMzm94ZJtHNvwXVtM2N3HsG8VrV1hizns8X7ZWA/RENL3f815269LNPuAo C0PKbPxeX+NK/xtvTm+7jiDVvVwom0B6pNknvWeCAUIFfqjZWE2p39qpCa8d4V5qx9bo uvAqmK9J5vymKfJMaXVl7b3NSaWnReyM4pPOL+7Q+i6076HeZz31W42olBt4ag7alw6C 0bEClIj4wYp7GmyjBzcGMtDGkdl5dPBU5C610hxobcu3uDhUh928hDX+KvTdKG01Vyrq A6z6e1EWdheNVrDsBsSngTQ6qY80UkCvRu+3Vph6MkU7L04X6k9GAod172ZGH7DJdaG+ r4BQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=3Jt3KznDeCQKKYhrFkjY4txTRZ/B75FL72enJaXJs24=; b=UxkxQsRvbKYbRKTD4OExuKChhGInVO4KIme5H3GcYoNv9afkL1Quej8R7f7vk0uxNY 1AdQKHUchfdM5uePt0dBqkAYf70vy/Gk7H9MEJ/CM++9PANwqbyEMEWicJEYGDBOHn/y tzBPKvXqMuad8V1BOyc00hbBcYJKoahWurx/BkfJcFi3y3A9OkfHRsbfxSvRnI43Wjcv Pfeyt/+ypKznOOxu/R2whH6wC1BlPAMGa47uBAMbHh0GTGE4W30mQo5DZA/HDiRSzKLY 8K76SOr+rIJzmLjNg4tCGgUuu3hHgnclY96Bk8k9f32TFJzXRM9zD+QPGAvWgz9yrJfC h8RA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h80-v6si16014764pfj.120.2018.10.27.08.45.32; Sat, 27 Oct 2018 08:45:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728746AbeJ1ATD (ORCPT + 99 others); Sat, 27 Oct 2018 20:19:03 -0400 Received: from mx2.mailbox.org ([80.241.60.215]:18818 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728515AbeJ1ATD (ORCPT ); Sat, 27 Oct 2018 20:19:03 -0400 Received: from smtp2.mailbox.org (unknown [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 618FBA114A; Sat, 27 Oct 2018 17:37:39 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter02.heinlein-hosting.de (spamfilter02.heinlein-hosting.de [80.241.56.116]) (amavisd-new, port 10030) with ESMTP id VoBHB5k5HvI1; Sat, 27 Oct 2018 17:37:37 +0200 (CEST) Date: Sun, 28 Oct 2018 02:37:23 +1100 From: Aleksa Sarai To: Al Viro Cc: Ed Maste , David Drysdale , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 1/3] namei: implement O_BENEATH-style AT_* flags Message-ID: <20181027153723.nfro756r4o2vxqqr@ryuk> References: <20181009065300.11053-3-cyphar@cyphar.com> <20181027014114.GA52393@freebsd.org> <20181027071729.xbnvfii6iwdwymrn@ryuk> <20181027075348.GN32577@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="po2m5ugz2nquu7oo" Content-Disposition: inline In-Reply-To: <20181027075348.GN32577@ZenIV.linux.org.uk> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --po2m5ugz2nquu7oo Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2018-10-27, Al Viro wrote: > On Sat, Oct 27, 2018 at 06:17:29PM +1100, Aleksa Sarai wrote: >=20 > > I'm going to send out a v4 "soon" but I would like to know what folks > > think about having resolveat(2) (or similar) to separate the scoping O_* > > flags and produce an O_PATH -- since unsupported O_* flags are ignored > > by older kernels userspace will have to do some plenty of checking after > > each path operation. > >=20 > > Personally, I believe this (along with AT_EMPTY_PATH for openat(2)) > > would help with some other O_PATH issues. >=20 > The trouble with resolveat(2) is that for anything directory-modifying > you really want directory locked before the lookup for last component. > IOW, funlink(2) et.al. are hopeless. Ah, right... In those cases I think that AT_SYMLINK_NOFOLLOW could help, or maybe we would need to have some of the scoping flags for other syscalls (though this would be an issue in either case for scoping unlinkat(2) -- even if we used O_BENEATH). :/ But my main issue at the moment with O_PATH is that /proc/self/fd/... re-opening allows for some very odd delayed-access-check attacks. openat(2) doesn't give you an O_EMPTYPATH but that is what you get with /proc. For instance, take /proc/self/exe. Tautologically, it is impossible to open it O_RDWR -- if you are resolving it through an "exe" magic symlink then it is being used as a process's ->mm (and thus is locked from writing). *However* you can open it O_PATH and then later re-open it through /proc/self/fd. We had cases where a container runtime joining a container would be able to do this and overwrite the container binary *on the host*. This has been mitigated now (as part of CVE-2016-9962), but I would be very shocked if there was no other places where this sort of thing would happen. My proposal for resolveat(2) would let us have some sort of "I want these access bits" API for O_PATH. Of course there are some quite not-nice changes I think you'd need to allow for this usecase -- my back-of-the-envelope proposal would be to stash away the fmode bits inside 'struct path' so that do_last() can see whether we are doing a re-open of an existing 'struct file' (but I'm sure this sounds awful). Is this a problem you think deserves solving / is there a better way of going about it? Thanks. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --po2m5ugz2nquu7oo Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlvUhjMACgkQnhiqJn3b jbQiNg/9EUPo5YUBft7w5yogDlRYWgaoZeQz/WHPb9ndAvWEn54aebevYTfodT1k QSO0k8QzQUOwSYVS1nCarRL7mb/V4v7vNlHC/1MpCPZULnU8AJ16pOKA5obUE6nS a7ukHvEOOlyh88p0Lcn4IvZNBHWSXznjr1avINfarvupjxmv6DD+R+n3vijMrSqs KTCEc4Iw7qXyBE8m8VIxACG3m8JWWJl5nGucsSPIVgT5tnV26sloM4ofPVe4c6QN AMlq+INKmyt1teMaidCxBaMDcgCEA4Vdx1v3JPL1qcUE354ZVqDwBA1D6zUP/IO+ nhYRqWWhc9e+BLW5IRLe0d7b+xRYaOOS9jN3ZqFyBbqMcfuDBTGMwmky4koHgb0f ftVb0ywsOYw6yN7W80+od+yuwpO6ox7xcr6v05oVBahOtyKiprrQpN9bvaJwTH6W vfxVB3+jDRIz5WcpB5qmt/LPqYm3fl3XkJHd/xE8aZl3xg/6E/x5mC4xk/LVGOqI a+cJBUYFGqNCcjMZl37KL1Onsp66PPAhRRGKnYd4ojmAJvXH28FBLfw/MksD2Lne gS48erzeJm7R5f7TXxX1w8jMyeKHzdrWQkXRZvGRg2F/Iiym3UuFIFYfQKW10uNf 73/GZ/q78UoE2kG+lTL9Tp0ipl28wnJYyzd2ONapgey06Qhrods= =HEAw -----END PGP SIGNATURE----- --po2m5ugz2nquu7oo--