Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp4553010imj; Tue, 12 Feb 2019 19:10:36 -0800 (PST) X-Google-Smtp-Source: AHgI3IaOv7XQKF+png5AXf6Okg77/DPi5SIoQk5BZONwO+MYCz26tiCKOOlWlsTV9TXeL400H/Og X-Received: by 2002:a17:902:7588:: with SMTP id j8mr2519664pll.22.1550027436266; Tue, 12 Feb 2019 19:10:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550027436; cv=none; d=google.com; s=arc-20160816; b=dMYFhotwq2A803rI57o4hD3HuX3vwQuLYgzXPCCXkcwnQDITZO6qw7+Q8hNFWZ3q91 tr/2auhi83GnlshyAkq349xi8gV8wRO1ZsCIsTBreL4lJK8zse6FlJapFfFKt5qVybgB q7P+MdlsCCmaUvVBXlA5BrQIoRLUIIe29KtWBR0vJ1+eTqbDaY7OiDnKS3m30cpXFp1o fPni3EbGU2BqnLmn8BnLpD01cEXq6o/AZP0ue1LIyk4BiJouhycbnzSJek/qxgxEnUWM zZWoqwrfYTj9dPdu3ztJNsesqmE30iIuTObznQK4LRsrjBqVvlG7xrZ2obmggiy2rhcJ ARrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=Wqeb3KVQOvpC/2WsZR1CtWejcaChQcCVeSrLTVrOcQM=; b=h2/0pcV720DNgvTyIfnPznH+/YC/MEzwONeSXPvJtZ3datmQsNNOW7AN3hvJA9jZq6 vwU/u+yYy3xfVcysjRTK2dFPrqnZQFshmz4hS5sUOzROp/nrktGzTJ1H0/b36wj2j+Rd WMptq2igc/qLxU0Y8HNN9Z8Ce6b2wwm5njVrwPAr6r/AsZkDQa2Xa7KNy+fNpjxX1dAJ nD95Ba/PPkuyjgyf89lbBUvyMEQ88soo7vnwyGeJRmpn3yAkMr2tmMmoU91mlAcUQwoH Ohri5rRa5IYfdFPteXgjNHZHuyGCFtP7JEiVXkpyUusZ3PcSB/ADDJaMKWtff549aHeQ jmxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g186si5829659pgc.320.2019.02.12.19.10.20; Tue, 12 Feb 2019 19:10:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388781AbfBMDJ4 (ORCPT + 99 others); Tue, 12 Feb 2019 22:09:56 -0500 Received: from mx2.mailbox.org ([80.241.60.215]:33426 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729595AbfBMDJz (ORCPT ); Tue, 12 Feb 2019 22:09:55 -0500 Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 3768EA0D20; Wed, 13 Feb 2019 04:09:53 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by gerste.heinlein-support.de (gerste.heinlein-support.de [91.198.250.173]) (amavisd-new, port 10030) with ESMTP id NqJl_vnBhftq; Wed, 13 Feb 2019 04:09:42 +0100 (CET) From: Aleksa Sarai To: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells Cc: Aleksa Sarai , Eric Biederman , Christian Brauner , Kees Cook , Andy Lutomirski , Andrew Morton , Alexei Starovoitov , Jann Horn , David Drysdale , Chanho Min , Oleg Nesterov , Aleksa Sarai , containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org Subject: [PATCH v5 3/5] namei: O_THISROOT: chroot-like path resolution Date: Wed, 13 Feb 2019 14:08:49 +1100 Message-Id: <20190213030851.1881-4-cyphar@cyphar.com> In-Reply-To: <20190213030851.1881-1-cyphar@cyphar.com> References: <20190213030851.1881-1-cyphar@cyphar.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The primary motivation for the need for this flag is container runtimes which have to interact with malicious root filesystems in the host namespaces. One of the first requirements for a container runtime to be secure against a malicious rootfs is that they correctly scope symlinks (that is, they should be scoped as though they are chroot(2)ed into the container's rootfs) and ".."-style paths[*]. The already-existing O_XDEV and O_NOMAGICLINKS[**] help defend against other potential attacks in a malicious rootfs scenario. Currently most container runtimes try to do this resolution in userspace[1], causing many potential race conditions. In addition, the "obvious" alternative (actually performing a {ch,pivot_}root(2)) requires a fork+exec (for some runtimes) which is *very* costly if necessary for every filesystem operation involving a container. [*] At the moment, ".." and "magic link" jumping are disallowed for the same reason it is disabled for O_BENEATH -- currently it is not safe to allow it. Future patches may enable it unconditionally once we have resolved the possible races (for "..") and semantics (for "magic link" jumping). The most significant openat(2) semantic change with O_THISROOT is that absolute pathnames no longer cause dirfd to be ignored completely. The rationale is that O_THISROOT must necessarily chroot-scope symlinks with absolute paths to dirfd, and so doing it for the base path seems to be the most consistent behaviour (and also avoids foot-gunning users who want to scope paths that are absolute). Currently this is only enabled for openat(2), and similar to O_BENEATH and family requires more discussion about extending it to more *at(2) syscalls as well as extending AT_EMPTY_PATH support. [1]: https://github.com/cyphar/filepath-securejoin Cc: Eric Biederman Cc: Christian Brauner Cc: Kees Cook Signed-off-by: Aleksa Sarai --- fs/fcntl.c | 2 +- fs/namei.c | 6 +++--- fs/open.c | 4 +++- include/linux/fcntl.h | 2 +- include/linux/namei.h | 1 + include/uapi/asm-generic/fcntl.h | 3 +++ 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index f782e99700f0..a6b4565a903d 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -1031,7 +1031,7 @@ static int __init fcntl_init(void) * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY * is defined as O_NONBLOCK on some platforms and not on others. */ - BUILD_BUG_ON(25 - 1 /* for O_RDONLY being 0 */ != + BUILD_BUG_ON(26 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32( (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) | __FMODE_EXEC | __FMODE_NONOTIFY)); diff --git a/fs/namei.c b/fs/namei.c index c9a07a8c005a..798eb1702a0c 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1097,7 +1097,7 @@ const char *get_link(struct nameidata *nd) if (unlikely(nd->flags & LOOKUP_NO_MAGICLINKS)) return ERR_PTR(-ELOOP); /* Not currently safe. */ - if (unlikely(nd->flags & LOOKUP_BENEATH)) + if (unlikely(nd->flags & (LOOKUP_BENEATH | LOOKUP_IN_ROOT))) return ERR_PTR(-EXDEV); } if (IS_ERR_OR_NULL(res)) @@ -1746,7 +1746,7 @@ static inline int handle_dots(struct nameidata *nd, int type) * cause our parent to have moved outside of the root and us to skip * over it. */ - if (unlikely(nd->flags & LOOKUP_BENEATH)) + if (unlikely(nd->flags & (LOOKUP_BENEATH | LOOKUP_IN_ROOT))) return -EXDEV; if (!nd->root.mnt) set_root(nd); @@ -2297,7 +2297,7 @@ static const char *path_init(struct nameidata *nd, unsigned flags) nd->m_seq = read_seqbegin(&mount_lock); - if (unlikely(nd->flags & LOOKUP_BENEATH)) { + if (unlikely(nd->flags & (LOOKUP_BENEATH | LOOKUP_IN_ROOT))) { error = dirfd_path_init(nd); if (unlikely(error)) return ERR_PTR(error); diff --git a/fs/open.c b/fs/open.c index 3e73f940f56e..5914aed2fac8 100644 --- a/fs/open.c +++ b/fs/open.c @@ -960,7 +960,7 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o * cannot have anything other than the below set of flags */ flags &= O_DIRECTORY | O_NOFOLLOW | O_PATH | O_BENEATH | - O_XDEV | O_NOSYMLINKS | O_NOMAGICLINKS; + O_XDEV | O_NOSYMLINKS | O_NOMAGICLINKS | O_THISROOT; acc_mode = 0; } @@ -997,6 +997,8 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o lookup_flags |= LOOKUP_NO_MAGICLINKS; if (flags & O_NOSYMLINKS) lookup_flags |= LOOKUP_NO_SYMLINKS; + if (flags & O_THISROOT) + lookup_flags |= LOOKUP_IN_ROOT; op->lookup_flags = lookup_flags; return 0; } diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h index 864399c2fdd2..46c92bbfce4a 100644 --- a/include/linux/fcntl.h +++ b/include/linux/fcntl.h @@ -10,7 +10,7 @@ O_APPEND | O_NDELAY | O_NONBLOCK | O_NDELAY | __O_SYNC | O_DSYNC | \ FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \ O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE | O_BENEATH | O_XDEV | \ - O_NOMAGICLINKS | O_NOSYMLINKS) + O_NOMAGICLINKS | O_NOSYMLINKS | O_THISROOT) #ifndef force_o_largefile #define force_o_largefile() (BITS_PER_LONG != 32) diff --git a/include/linux/namei.h b/include/linux/namei.h index 82b5039d27a6..0969313b518f 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -53,6 +53,7 @@ enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; #define LOOKUP_NO_MAGICLINKS 0x040000 /* No /proc/$pid/fd/ "symlink" crossing. */ #define LOOKUP_NO_SYMLINKS 0x080000 /* No symlink crossing *at all*. Implies LOOKUP_NO_MAGICLINKS. */ +#define LOOKUP_IN_ROOT 0x100000 /* Treat dirfd as %current->fs->root. */ extern int path_pts(struct path *path); diff --git a/include/uapi/asm-generic/fcntl.h b/include/uapi/asm-generic/fcntl.h index ba53e0836cd4..3d0fe0de2ba2 100644 --- a/include/uapi/asm-generic/fcntl.h +++ b/include/uapi/asm-generic/fcntl.h @@ -110,6 +110,9 @@ #ifndef O_NOSYMLINKS #define O_NOSYMLINKS 01000000000 /* - Block all symlinks (implies AT_NO_MAGICLINKS). */ #endif +#ifndef O_THISROOT +#define O_THISROOT 02000000000 /* - Scope ".." resolution to dirfd (like chroot(2)). */ +#endif #define F_DUPFD 0 /* dup */ #define F_GETFD 1 /* get close_on_exec */ -- 2.20.1