Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3234729imu; Sat, 24 Nov 2018 00:44:05 -0800 (PST) X-Google-Smtp-Source: AJdET5ehUAY0U0gT99NPgqR74dVYW2JN2kUFZ+nyoU7NBCOT2lyKf2ZSshffTNsIRUzsQ/q8ZFbN X-Received: by 2002:a63:7d06:: with SMTP id y6mr17073791pgc.171.1543049045008; Sat, 24 Nov 2018 00:44:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543049044; cv=none; d=google.com; s=arc-20160816; b=O7tMMRa1HT+td0tJ9GQad6l+muUIqMOCfxv8xb12XWeiA0AtFggFjmDjmDUsFzErxW GMg7SbN94lskw1jC+f13LyOccVsUGARKthQMAeCj3NI19upj2MH0ib1KQM5I6XiPULLP VE04LO4fY5CUVbAhol0HjNKlA2NXKS+7wrJw1BvkUeNt5nhC6uF8fQ0GxzpTXGghsqHV ZryDL/Sdsb4WfUuJsOBwaEbVedJMZglX4rArPl2A1uWRLUf3M9bnXiAPxD6wTwcjkMbd cFjv80J9xPPoceMrAQ3ku7/pJRHexgrsnIYMrCrngUEsApxRJ73BXmr6zH0/ligWs7no hrSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=fcea2chKZrpt5K15gE46hQCwzJ1xVyJa/ie38ITeMpk=; b=mDt3YpcJw8UUKCjLnF8zunOojUWrxSi7Hh5YnXEJOZqcc/6b8V2+WlFUSoKIN0F6aD w3/Lg5UdDl/AEfJ4dmMEeKE+Vxq26h7K0ojrjwKD0OusJnjOrxOIlL5ZOKOiw7PWKdjB DFJ+vskpUGsMAgyGBElmR9pyrFYqSvOlh1CRFNtcDZ/s+gfvpOkP902raguwihJAMUna DhXgTByUXwJSEjuHi9WQJi61lWTJKwVb1InkIEBx7oaqiVjnyib1VH+wnsQswpEYufj1 RXWL9p1B4AzA5r9XOUT4oQ47/wOSFALeP9FmAToXWy+JpQSZ1cQunVGaZqGdU2zumPEr 9p9w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id go3si27678794plb.97.2018.11.24.00.43.50; Sat, 24 Nov 2018 00:44:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2440677AbeKXDoC (ORCPT + 99 others); Fri, 23 Nov 2018 22:44:02 -0500 Received: from mx2.suse.de ([195.135.220.15]:41912 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2393482AbeKXDoC (ORCPT ); Fri, 23 Nov 2018 22:44:02 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 8A991AD75; Fri, 23 Nov 2018 16:58:57 +0000 (UTC) Date: Sat, 24 Nov 2018 03:58:43 +1100 From: Aleksa Sarai To: =?utf-8?B?SsO8cmc=?= Billeter Cc: Aleksa Sarai , Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Eric Biederman , Christian Brauner , linux-api@vger.kernel.org, Andy Lutomirski , Jann Horn , David Drysdale , containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org Subject: Re: [PATCH v4 2/4] namei: O_BENEATH-style path resolution flags Message-ID: <20181123165843.xtkh3jpfz7k6xa5b@mikami> References: <20181112142654.341-1-cyphar@cyphar.com> <20181112142654.341-3-cyphar@cyphar.com> <1ce83cdf6e3168350b69f98f08aaa202bbaa682d.camel@bitron.ch> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="7r4daumaby7eak7j" Content-Disposition: inline In-Reply-To: <1ce83cdf6e3168350b69f98f08aaa202bbaa682d.camel@bitron.ch> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --7r4daumaby7eak7j Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2018-11-23, J=FCrg Billeter wrote: > On Tue, 2018-11-13 at 01:26 +1100, Aleksa Sarai wrote: > > * O_BENEATH: Disallow "escapes" from the starting point of the > > filesystem tree during resolution (you must stay "beneath" the > > starting point at all times). Currently this is done by disallowing > > ".." and absolute paths (either in the given path or found during > > symlink resolution) entirely, as well as all "magic link" jumping. >=20 > With open_tree(2) and OPEN_TREE_CLONE, will O_BENEATH still be > necessary? As I understand it, O_BENEATH could be replaced by a much > simpler flag that only disallows absolute paths (incl. absolute > symlinks). And it would have the benefit that you can actually pass the > tree/directory fd to another process and escaping would not be possible > even if that other process doesn't use O_BENEATH (after calling > mount_setattr(2) to make sure it's locked down). >=20 > This approach would also make it easy to restrict writes via a cloned > tree/directory fd by marking it read-only via mount_setattr(2) (and > locking down the read-only flag). This would again be especially useful > when passing tree/directory fds across processes, or for voluntary > self-lockdown within a process for robustness against security bugs. >=20 > This wouldn't affect any of the other flags in this patch. And for full > equivalence to O_BENEATH you'd have to use O_NOMAGICLINKS in addition > to O_NOABSOLUTE, or whatever that new flag would be called. >=20 > Or is OPEN_TREE_CLONE too expensive for this use case? Or is there > anything else I'm missing? OPEN_TREE_CLONE currently requires CAP_SYS_ADMIN in mnt_ns->user_ns, which requires a fork and unshare -- or at least a vfork and some other magic -- at which point we're back to just doing a pivot_root(2) for most operations. I think open_tree(2) -- which I really should sit down and play around with -- would be an interesting way of doing O_BENEATH, but I think you'd still need to have the same race protections we have in the current O_BENEATH proposal to handle "..". So really you'd be using open_tree(OPEN_TREE_CLONE) just so that you can use the "path.mnt" setting code, which I'm not sure is the best way of doing it (plus the other interesting ideas which you get with the other mount API changes). But I am quite hopeful for what cool things we'll be able to make using the new mount API. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --7r4daumaby7eak7j Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlv4McMACgkQnhiqJn3b jbShVA//eL066b61N+4EViLKYRHvgNZYsP88NJzUgT8MksvPPJ3iuOtM6TTI2B2E LY/fVfxNOTuRrw7Vx4I0YfNKUU3dyoDhtxL46GUEJ2h0btgiKmXWMCV8VgdPHIRR /XLkkiJddJBtZJ6KJogz8PfOY9cewtL2Ir/byZbgYlTBDTLzcCsY/iFi8fuenDRK l7mNsKKQge8rsMnOQoZSNV/Ln+7dNwuuuo5wqfaI6vLIud87gbWiwR50DLG465EZ 3Hz4/4/PzqW00VsG62w0wlWJrugyOfxegwW1HeH7UuaH3NWn5TPnGVA89vtIuO11 LaX03GVW4MIi+FXdWbYB8W6+9K8m/2/VvA4ArYGBTVNSKoA0ONUclMZdNv+fbElW lcOKpORXfeocIq3WUOgtWnWmBfNLV5hCA7qImd1/nPurpA7OMJ8SL153GQAZpukF 6Q6Gr5Wc/F5uz/m+348+60REslSxTt971m8PRjC1Q0wtUcNKEpVrsv90EW1tHBnq k3J0uQ1Vwm6fVl2SWpQkz1MDO2NMk2LDITxJguTIi9oMDjrQpCUMEjEeRtxvdNPm 5PI2j7jOJ9G5Q9E0SWO823JWsEVSVv1TRB403CNOxoum7PKXHHYYO7AYvR7gfFs0 H3wWSdKxDavXxm0k+uUuJvWj2UXmFIXLxxcPua97TKZytcq8Tgk= =ETTZ -----END PGP SIGNATURE----- --7r4daumaby7eak7j--