Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3211563img; Mon, 25 Mar 2019 06:06:26 -0700 (PDT) X-Google-Smtp-Source: APXvYqxCaVrnx+WNDv29HZmgp6WmShpqaX8KAZUIOR7sJqDEAiBYEnhKvQhKI1e1JVubuU7PyIO+ X-Received: by 2002:a17:902:8c8a:: with SMTP id t10mr25484735plo.160.1553519186611; Mon, 25 Mar 2019 06:06:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553519186; cv=none; d=google.com; s=arc-20160816; b=w4wbZIMxY8uX9wosyELCgNFM9aPa1myea5K3tB8a5g2tyHnSXKtn3Rco2UlYzgJrZA 5YG5LnJG6eVGwgFIKv67ciuGIWvz28TFcTNTJiiKmtha4l0YZSHVsb/TttqycF/GbSa1 +ljcD8nUjqB+NsTuwBUoI/gpHJ8ZywS2Z6NUhFJbp1CvF3K+0aevrWrTYLqe3hpylwv5 556viuVs4Q+TYhS/ToLiB30F69LunbiKwqAFhVWHZWhuVR07fZgB3I/rWnnY7+Ohvrvl iCZWugwwxLhWl9B/l09wmZjrHpkl4574I+78rv3E1UJrOCvGtGXkeHXyN2BCFq/71n3V R80Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=CHprlzkxe9FDUhO33ApAGpzgzXgTa1ZbPhq3Z9Q1gmg=; b=Z5Anp5t1oU5FQniLTiISN5pWDPGX20IF9/1xB5FASiixSJzCxGBn0zEGaclt2c1Wp3 eiCFhd8E/t8oUMDdnzdL3sLyajAmI6IwG0oIn+ndbrmx40Xl8EOIhl0T+qsbFwBcVIwP BDT313IzfZvUhc/6Amgb/ojZi8t6v8Lxs8MIVw8xN+trW3N3J5GgBQA16pOD7SeWDEHU 0l+s8si0sTKsgvV2wG54c3FAt1JzhZMU7whH2PWhFeBtVp6LQY8427qvhJwz07pLZWno HYtE+COsdaqbQEpV2sjHHN+62oFl8AtFvStrQXlo3sIpm86hguON2AazAUeEVQaPZhV4 28bw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n8si13094739pgq.119.2019.03.25.06.06.10; Mon, 25 Mar 2019 06:06:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731321AbfCYNFB (ORCPT + 99 others); Mon, 25 Mar 2019 09:05:01 -0400 Received: from mx2.mailbox.org ([80.241.60.215]:27230 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731076AbfCYNFA (ORCPT ); Mon, 25 Mar 2019 09:05:00 -0400 Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 1543EA11A6; Mon, 25 Mar 2019 14:04:54 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id Wz3oPpdRvpC1; Mon, 25 Mar 2019 14:04:47 +0100 (CET) Date: Tue, 26 Mar 2019 00:04:29 +1100 From: Aleksa Sarai To: Andy Lutomirski Cc: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Eric Biederman , Jann Horn , Christian Brauner , David Drysdale , Tycho Andersen , Kees Cook , Linux Containers , Linux FS Devel , Linux API , Andrew Morton , Alexei Starovoitov , Chanho Min , Oleg Nesterov , Aleksa Sarai , Linus Torvalds , LKML , linux-arch Subject: Re: [PATCH RESEND v5 0/5] namei: vfs flags to restrict path resolution Message-ID: <20190325130429.dbrgjxnvq3w5cpb3@yavin> References: <20190320143717.2523-1-cyphar@cyphar.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="57yveyjfb6o3za6g" Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --57yveyjfb6o3za6g Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019-03-21, Andy Lutomirski wrote: > On Wed, Mar 20, 2019 at 7:38 AM Aleksa Sarai wrote: > > Now that the holiday break is over, it's time to re-send this patch > > series (with a few additions, due to new information we got from > > CVE-2019-5736 -- which this patchset mostly protected against but had > > some holes with regards to #!-style scripts). >=20 > I generally like this, but, as Linus pointed out, it will be > unfortunate if application authors see this as just another > non-portable weird Linux API and don't use it. Would it be worthwhile > to put some thought into making it an API that other OSes might be > willing to implement? As it stands, the openat(2) flags are getting > rather crazy in this patch set. >=20 > Aleksa had a resolveat(2) proposal that really didn't seem too bad. I agree having a bunch of O_* flags for resolution feels quite ugly (and crazy) -- but the last time I pitched resolveat(2) the reaction was lukewarm to say the least. It's basically an O_PATHv2 and I don't know how popular that suggestion might be. I wouldn't mind pitching it again though (now that I have a better idea of how to handle some of the UX worries I had). But, if we have a resolveat(2) we'll need to add O_EMPTYPATH support for openat(2) so that you can open scoped paths without using the /proc/self/fd/$n trick. However, you run into reopening permission issues (as we saw in CVE-2019-5736 and countless other CVEs). There might be a solution for this which Andy and I have talked about off-list. There is also the problem of the execveat(2) attack -- which is dealt with in patch 5 of this series. In order to scope #!-script resolution we need to have AT_* flags for the same resolution restriction (defeating the point of a resolveat(2) slightly). There is an argument that we shouldn't need AT_THIS_ROOT or AT_BENEATH support (because ideally you should be doing execve(2) in a pivot_root anyway) but AT_NO_MAGICLINKS is pretty important -- since it allows you to block the circumvention mm->dumpable in certain situations (as we saw in CVE-2019-5736). The solution Andy and I have discussed is a way to make fd-reopening (a seemingly little-known trick outside of container runtimes) much safer such that we don't need mitigations like AT_NO_MAGICLINKS on execveat(2). If we assume that idea works out (I'm still trying to get a working patch for that idea) then resolveat(2) would be sufficient and we don't need AT_* flags on execveat(2). tl;dr: I think resolveat(2) is much nicer, and assuming it's not an unpopular idea I think we should go for it. But there are several other threads of discussion that we might want to have first (such as how to improve the fd-reopening design so it's safer before we expose it to everyone). --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --57yveyjfb6o3za6g Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEb6Gz4/mhjNy+aiz1Snvnv3Dem58FAlyY0doACgkQSnvnv3De m5/H1Q//S6p57BAirsEx/gjAUOkKIGGK1zQ034Jjplmx7/gAOWKECS86LhV9c6We IBDVMVXfeG+iL7yRT7lk2wRTwpeB4DBrqrqD2lpDj2dhzB8b8yzPU4rY027k5r+e L/caAoPI6X0NX1nyFiK3MkuQtUNR0GbBI1LOwdwcxFDH0SrCNOrJMCD2VSOtVo5Z ktHED0T7KIEDdwS9ZTvEw4yhaxyWhoNGj/V5uU8av1Hbceq8MIxW+Y7aUytr9l4d XT0VJWaC9cjEuZWzmZDuZlqTFKFuiupHgE22O4prPJZOAhOMiqrQr76hbSz1ChbN iFsHU7JYnUcFd1rPhKwI25kKq2eGWvaj0VLCylQ/ZluMRLPrD3blYJYB9BYIaSss XVn9rjdRJG5t3tNKOMEDF9GYuVAE5w9Y+ZZJ1l8eZlUf3C7V6jISDkzvtfYu7xs+ ish7dFWE3CKrrMJR9eR2zQ0ZoFicCPxBkp7beThQ7JVV24gno7EMS+wF7NdNHKFc HwWq6hk1e9wh2FHxQfvloBlFr2FV+lGWhFNFdZ0LzOFJu5Swa1BsPn93KoHi2T7F 5XK+WAQBtzWuq7J8GN8T9LlhMlXs11QH6FKzt/vsuwEV35M3F4tKgur81bfkdsau w+prkX7aetu9qGthO9AFicPDXOXY6HyBcPTDMbGNkHz2/zILvpY= =Hj/g -----END PGP SIGNATURE----- --57yveyjfb6o3za6g--