Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4139545imu; Mon, 12 Nov 2018 06:28:07 -0800 (PST) X-Google-Smtp-Source: AJdET5fmT2Co3d7Ql9z68Q6Kx9Jvkv8s7qE+mh02/pr1b5Q+q1eHWzjwL6KC9wk2rOiTVhEj3rNA X-Received: by 2002:a17:902:6686:: with SMTP id e6-v6mr1146285plk.173.1542032887574; Mon, 12 Nov 2018 06:28:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542032887; cv=none; d=google.com; s=arc-20160816; b=AN91woRfVuj009oSQ8ctQ/jjUAe4TwzcSg+jvJHhVodaJte9wX085IFqlQzAN53/xL YYcSz7/FgFHx+UpND4K9PuNvDf/9tt5ztumy79aH1BuDgxz8Vlxb+tWHG8cHIwmbPWvJ tciszEdxk/jtbSwBzQ+Y9phZ7/xlXmj/v5vUuHUNmTodGr/TBD4d+tK/S8i93wIm5d2/ jiz8gH7qCOj0Op297jToot466HQRNK4kYJn1Xq4ARSAkpQObdPxN2s3lxLdikbRosa4J NumeqqbVqG4fW+1BoK+JQZUJ0yxku84O24cz0uGXsgmA3gJa4S913fZhfHB1bW0/av5R lEYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=bSHprQiGn9mTEYfEL29D0Nl+vlqIT2b2KeEPQFDwnrc=; b=1FnaUGyMhj5zTJIIiLVLFfBhPVmEvPT5wJeBKWdtoNuSb2c+FRSUk1Qt5ekP+JAvcf KUueQTYJXmIeVFPOHcVvd81LHNvx3ki2TFR3JzP2LH86zW0RT4juf+K/rjkjPd+VxFSJ FTT+CnuuvQEzESv/3ZNeYFHgkxqyH8uLrIhMseaBPpQlBDTCJ2Y2ObJMTbutmG1O/ry0 9SsAdfOd4n6d2/eqFV46A2xDpMVBZ7EdA2iaq7p8bW/f2R+JpEFb5XGvoSaDq2IaZ6vv 1KvaDD3XOqEdJ150240Wzy3awLYxygHMHK7aBdXUC/aA7Bjfcgmz2l2dT7p0cM6zmapV +prg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g67-v6si9839176plb.163.2018.11.12.06.27.52; Mon, 12 Nov 2018 06:28:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728930AbeKMAUk (ORCPT + 99 others); Mon, 12 Nov 2018 19:20:40 -0500 Received: from mx2.mailbox.org ([80.241.60.215]:55656 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726385AbeKMAUk (ORCPT ); Mon, 12 Nov 2018 19:20:40 -0500 Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id BA602A114E; Mon, 12 Nov 2018 15:27:07 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter02.heinlein-hosting.de (spamfilter02.heinlein-hosting.de [80.241.56.116]) (amavisd-new, port 10030) with ESMTP id KGvNlcRgC_2C; Mon, 12 Nov 2018 15:27:06 +0100 (CET) From: Aleksa Sarai To: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells Cc: Aleksa Sarai , Eric Biederman , Andy Lutomirski , Jann Horn , Christian Brauner , David Drysdale , containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Aleksa Sarai , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org Subject: [PATCH v4 0/4] namei: O_* flags to restrict path resolution Date: Tue, 13 Nov 2018 01:26:50 +1100 Message-Id: <20181112142654.341-1-cyphar@cyphar.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sorry for not sending a series earlier, I've been busy with assignments. Patch changelog: v4: * Remove AT_* flag reservations, as they require more discussion. * Switch to path_is_under() over __d_path() for breakout checking. * Make O_XDEV no longer block openat("/tmp", "/", O_XDEV) -- dirfd is now ignored for absolute paths to match other flags. * Improve the dirfd_path_init() refactor and move it to a separate commit. * Remove reference to Linux-capsicum. * Switch "proclink" name to "magic link". v3: [resend] v2: * Made ".." resolution with AT_THIS_ROOT and AT_BENEATH safe(r) with some semi-aggressive __d_path checking (see patch 3). * Disallowed "proclinks" with AT_THIS_ROOT and AT_BENEATH, in the hopes they can be re-enabled once safe. * Removed the selftests as they will be reimplemented as xfstests. * Removed stat(2) support, since you can already get it through O_PATH and fstatat(2). The need for some sort of control over VFS's path resolution (to avoid malicious paths resulting in inadvertent breakouts) has been a very long-standing desire of many userspace applications. This patchset is a revival of Al Viro's old AT_NO_JUMPS[1,2] patchset (which was a variant of David Drysdale's O_BENEATH patchset[3] which was a spin-off of the Capsicum project[4]) with a few additions and changes made based on the previous discussion within [5] as well as others I felt were useful. In line with the conclusions of the original discussion of AT_NO_JUMPS, the flag has been split up into separate flags: * O_XDEV blocks all mountpoint crossings (upwards, downwards, or through absolute links). Absolute pathnames alone in openat(2) do not trigger this. * O_NOMAGICLINKS blocks resolution through /proc/$pid/fd-style links. This is done by blocking the usage of nd_jump_link() during resolution in a filesystem. The term "magic links" is used to match with the only reference to these links in Documentation/, but I'm happy to change the name. It should be noted that this is different to the scope of O_NOFOLLOW in that it applies to all path components. However, you can do open(O_NOFOLLOW|O_NOMAGICLINKS|O_PATH) on a "magic link" and it will *not* fail (assuming that no parent component was a "magic link"), and you will have an fd for the "magic link". * O_BENEATH disallows escapes to outside the starting dirfd's tree, using techniques such as ".." or absolute links. Absolute paths in openat(2) are also disallowed. Conceptually this flag is to ensure you "stay below" a certain point in the filesystem tree -- but this requires some additional to protect against various races that would allow escape using ".." (see patch 4 for more detail). Currently O_BENEATH implies O_NOMAGICLINKS, because it can trivially beam you around the filesystem (breaking the protection). In future, there might be similar safety checks as in patch 4, but that requires more discussion. In addition, two new flags were added that expand on the above ideas: * O_NOSYMLINKS does what it says on the tin. No symlink resolution is allowed at all, including "magic links". Just as with O_NOMAGICLINKS this can still be used with (O_PATH|O_NOFOLLOW) to open an fd for the symlink as long as no parent path had a symlink component. * O_THISROOT is an extension of O_BENEATH that, rather than blocking attempts to move past the root, forces all such movements to be scoped to the starting point. This provides chroot(2)-like protection but without the cost of a chroot(2) for each filesystem operation, as well as being safe against race attacks that chroot(2) is not. If a race is detected (as with O_BENEATH) then an error is generated, and similar to O_BENEATH it is not permitted to cross "magic links" with O_THISROOT. The primary need for this is from container runtimes, which currently need to do symlink scoping in userspace[6] when opening paths in a potentially malicious container. There is a long list of CVEs that could have bene mitigated by having O_THISROOT (such as CVE-2017-1002101, CVE-2017-1002102, CVE-2018-15664, to name a few). Cc: Al Viro Cc: Eric Biederman Cc: Andy Lutomirski Cc: David Howells Cc: Jann Horn Cc: Christian Brauner Cc: David Drysdale Cc: Cc: Cc: [1]: https://lwn.net/Articles/721443/ [2]: https://lore.kernel.org/patchwork/patch/784221/ [3]: https://lwn.net/Articles/619151/ [4]: https://lwn.net/Articles/603929/ [5]: https://lwn.net/Articles/723057/ [6]: https://github.com/cyphar/filepath-securejoin Aleksa Sarai (4): namei: split out nd->dfd handling to dirfd_path_init namei: O_BENEATH-style path resolution flags namei: O_THISROOT: chroot-like path resolution namei: aggressively check for nd->root escape on ".." resolution fs/fcntl.c | 2 +- fs/namei.c | 205 ++++++++++++++++++++++--------- fs/open.c | 13 +- include/linux/fcntl.h | 3 +- include/linux/namei.h | 8 ++ include/uapi/asm-generic/fcntl.h | 20 +++ 6 files changed, 189 insertions(+), 62 deletions(-) -- 2.19.1