Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp2561750ybm; Thu, 23 May 2019 20:14:12 -0700 (PDT) X-Google-Smtp-Source: APXvYqxDXAJJjnQ1SrGujeLyVVj+kO0lgo7Y1IwdnU3ievwcSMmDO/vI6AQQiDZ3x+JBxKktvqlG X-Received: by 2002:a17:90a:2263:: with SMTP id c90mr6272191pje.9.1558667652780; Thu, 23 May 2019 20:14:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558667652; cv=none; d=google.com; s=arc-20160816; b=GA0S3EK+W2+x9g3IpSAFAwgQpCo4umx+6Wn5287o47tM2+CMug5LJCrSGLd5T9gFa9 KVKiVHzSZrNtDQ6jm6oKFfl+ddfNpHY0aQc+Rb5CNlh6pw+p/scOd1ACjXPeSPx39jR1 m5vXfxaiExzX2YJH/xOUjDtNCEnvUY95qsIPzsPfJlMPzf+vWRs9lOb3nS4765hpmX1r tkJCIN42SjzObaAfQ1f8m78mhDHG6/yp1gp3R5qkUNJ3lNUwgDQ6rELZDpxzYOv74UQc 7DECkUv+7zLOn0KeEZwCZt5pUoqrm68riHsAKmIXvd66AWh6P7EBLNv4oh3SntCjodVU cS+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=gd96ZEapiuIsmB6PgRZA7G1BX32ARfRlc8D/GG4EtoQ=; b=x51hM1gS5GrypmwsMvE/uBwyaKHCM0qkgtscKC/z4F1oFNIELYDKMArqGaD5HjYHyS rC5GXwQFl3urI1lcVjBnyJ2vZoECdt/jZtoPjuxwUHrICzeWfTfqCvDHgk10BrwiZz+z dilBGMtz25qg1aVr3QSFuvxhLvRmzIsenmhHCiZB5vdWBjJ37ktym/5+4vsNZMs9I8LF ZnNLTJyjILFhhXXpz3uRzYBZyqpY+SBMlM3VtWVJx2wASNofqB6yFu7F828xGy1FE3F5 ZecWdxe9gEBh7u+0zRWE3yNtdiX4G0fGVJqguQGa4oo8/bWMSu1qVPT+H4A33ChtV15S cf9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h69si2196146plb.249.2019.05.23.20.13.52; Thu, 23 May 2019 20:14:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388807AbfEXDL7 (ORCPT + 99 others); Thu, 23 May 2019 23:11:59 -0400 Received: from mx2.mailbox.org ([80.241.60.215]:19540 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387559AbfEXDL7 (ORCPT ); Thu, 23 May 2019 23:11:59 -0400 Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 1335AA015B; Fri, 24 May 2019 05:11:54 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id SZgroZg2fFsB; Fri, 24 May 2019 05:11:27 +0200 (CEST) Date: Fri, 24 May 2019 13:11:09 +1000 From: Aleksa Sarai To: Andy Lutomirski Cc: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Christian Brauner , Eric Biederman , Andrew Morton , Alexei Starovoitov , Kees Cook , Jann Horn , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Aleksa Sarai , Linus Torvalds , Linux Containers , "open list:KERNEL SELFTEST FRAMEWORK" , Linux FS Devel , Linux API , LKML , linux-arch Subject: Re: [PATCH RFC v8 01/10] namei: obey trailing magic-link DAC permissions Message-ID: <20190524031109.v24r6typyug2rlto@yavin> References: <20190520133305.11925-1-cyphar@cyphar.com> <20190520133305.11925-2-cyphar@cyphar.com> <20190523020009.mi25uziu2b3whf4l@yavin> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="r6xfnzimry42j3mt" Content-Disposition: inline In-Reply-To: <20190523020009.mi25uziu2b3whf4l@yavin> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --r6xfnzimry42j3mt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019-05-23, Aleksa Sarai wrote: > On 2019-05-22, Andy Lutomirski wrote: > > What are actual examples of uses for this exception? Breaking > > selftests is not, in and of itself, a huge problem. >=20 > Not as far as I know. All of the re-opening users I know of do re-opens > of O_PATH or are re-opening with the same (or fewer) privileges. I also > ran this for a few days on my laptop without this exception, and didn't > have any visible issues. I have modified the patch to WARN_ON(may_open_magiclink() =3D=3D -EACCES). So far (in the past day on my openSUSE machines) I have only seen two programs which have hit this case: kbd[1]'s "loadkeys" and "kbd_mode" binaries. In addition to there not being any user-visible errors -- they actually handle permission errors gracefully! static int open_a_console(const char *fnam) { int fd; /* * For ioctl purposes we only need some fd and permissions * do not matter. But setfont:activatemap() does a write. */ fd =3D open(fnam, O_RDWR); if (fd < 0) fd =3D open(fnam, O_WRONLY); if (fd < 0) fd =3D open(fnam, O_RDONLY); if (fd < 0) return -1; return fd; } The above gets called with "/proc/self/fd/0" as an argument (as well as other console candidates like "/dev/console"). And setfont:activatemap() actually does handle read-only fds: static void send_escseq(int fd, const char *seq, int n) { if (write(fd, seq, n) !=3D n) /* maybe fd is read-only */ printf("%s", seq); } void activatemap(int fd) { send_escseq(fd, "\033(K", 3); } So, thus far, not only have I not seen anything go wrong -- the only program which actually hits this case handles the error gracefully. Obviously we got lucky here, but the lack of any users of this mis-feature leads me to have some hope that we can block it without anyone noticing. But I emphatically do not want to break userspace here (except for attackers, obviously). [1]: http://git.altlinux.org/people/legion/packages/kbd.git --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --r6xfnzimry42j3mt Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEb6Gz4/mhjNy+aiz1Snvnv3Dem58FAlznYMwACgkQSnvnv3De m5/UlRAAovI52jrpVsYCg4NsE4FyF6D0yGqaH+nTC1yXRTFIQOX0gWiYDa0U/BAQ cJNYiSNBV8HHy4s0N5h1MFu6FDKmWhNS5a8A58HUMXlJQ/6/RpT2NnleB6MBfi02 E91mqGiVxU4wEthnb44GhUhTmbSoo4JwrdI7AfhvOiKTEziXcf7HcF2VUMMySdD+ WTC48upAO2G2oYUowAWydF4//I6y7LL4mFPO0RhWCxUqFQmapC3ujka1xvkE46zQ 4R8ZIlKhnBk3SuE5B77urbIAr4gnQt7U6dZVvQACl/bpBBR8UPkj19okJ4yfjr77 x2q5Wq8MJB4sYTcjeAml1GNV3f+3v39OwDxiP9HF/j0oergsbKO/Lx0+B3S63TEk Hz3KhZRfC8/YpeTTGy60l/3Wqb+kONRvl8J1H47C/JS26MVQUs9nym/Iq6PX+cRf V2usCjxwVE1vrZAbpxUMAuifgTmkjf3n2NAURpFTKMX/druhDFxol6ZsuB4/0Ti4 EseHO5B2wVxkydDzR/9cmj6y29HUge+Y3fAeKa3zvtShYwhKqHg4DYx8CsoFVBfK ACLPMT6ymdJ/uz/xBy6wzT88vmDJZ4XC/vlAeAUTXZdd//s2CUu3fSaJs1FfKHr/ marW2Z16cmWWkyzZiWZlekLhKRxG3BmpD7bI5Wcxw2YKwPYl8IQ= =eLDb -----END PGP SIGNATURE----- --r6xfnzimry42j3mt--