References: <20190320143717.2523-1-cyphar@cyphar.com> <20190325130429.dbrgjxnvq3w5cpb3@yavin>
In-Reply-To: <20190325130429.dbrgjxnvq3w5cpb3@yavin>
From: Kees Cook
Date: Tue, 23 Apr 2019 13:13:52 -0700
Subject: Re: [PATCH RESEND v5 0/5] namei: vfs flags to restrict path resolution
To: Aleksa Sarai, Andy Lutomirski
Cc: Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells,
    Eric Biederman, Jann Horn, Christian Brauner, David Drysdale,
    Tycho Andersen, Kees Cook, Linux Containers, Linux FS Devel, Linux API,
    Andrew Morton, Alexei Starovoitov, Chanho Min, Oleg Nesterov,
    Aleksa Sarai, Linus Torvalds, LKML, linux-arch

On Mon, Mar 25, 2019 at 6:05 AM Aleksa Sarai wrote:
>
> On 2019-03-21, Andy Lutomirski wrote:
> > On Wed, Mar 20, 2019 at 7:38 AM Aleksa Sarai wrote:
> > > Now that the holiday break is over, it's time to re-send this patch
> > > series (with a few additions, due to new information we got from
> > > CVE-2019-5736 -- which this patchset mostly protected against but had
> > > some holes with regards to #!-style scripts).
> >
> > I generally like this, but, as Linus pointed out, it will be
> > unfortunate if application authors see this as just another
> > non-portable weird Linux API and don't use it. Would it be worthwhile
> > to put some thought into making it an API that other OSes might be
> > willing to implement? As it stands, the openat(2) flags are getting
> > rather crazy in this patch set.

I think many of the issues are specific to Linux (and Linux containers
especially), so I'm not sure this should get blocked because we want
something more portable.

This series provides solutions to so many different race and confusion
issues, I'd really like to see it land. What's the next step here? Is
this planned to go directly to Linus for v5.2, or is it going to live
in -mm for a while? I'd really like to see this moving forward.

Thanks for continuing to work on it!

-Kees