From: Andy Lutomirski
Date: Tue, 4 Jun 2019 11:15:14 -0700
Subject: Re: [PATCH 1/8] security: Override creds in __fput() with last fputter's creds [ver #2]
To: David Howells, Jann Horn
Cc: Al Viro, Casey Schaufler, raven@themaw.net, Linux FS Devel, Linux API, linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List, LKML

On Tue, Jun 4, 2019 at 9:35 AM David Howells wrote:
>
> So that the LSM can see the credentials of the last process to do an fput()
> on a file object when the file object is being dismantled, do the following
> steps:
>
>  (1) Cache the current credentials in file->f_fput_cred at the point the
>      file object's reference count reaches zero.

I don't think it's valid to capture credentials in close(). This sounds very easy to spoof, especially when you consider that you can stick an fd in a unix socket and aim it at a service that's just going to ignore it and close it.

IOW I think this is at least as invalid as looking at current_cred() in write(), which is a classic bug that gets repeated regularly.

--Andy
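The fd-passing case raised in the reply above, as an added example that is not part of the original message or the patch series: a parent opens a pipe, hands the write end to a child over a unix socket with SCM_RIGHTS and closes its own copy, and the file is only released when the child closes the descriptor it was handed. The function names and the parent/child roles are constructed for illustration; the point for a reviewer is that the task running the final release has no fixed relation to the task that opened the file.

```c
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* SCM_RIGHTS helper: send fd if fd >= 0, else receive one and return it. */
static int xfer_fd(int sock, int fd) {
    char byte = 'F';
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = { { 0 } };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1 || !(c = CMSG_FIRSTHDR(&msg))) return -1;
    if (c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Added example, constructed names: 1 if the receiver's close() is the final release. */
int released_by_receiver(void) {
    int sv[2], p[2];
    char buf;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || (pid = fork()) < 0) return -1;
    if (pid == 0) {                        /* service: ignores the fd, closes it */
        close(sv[0]);
        int got = xfer_fd(sv[1], -1);
        if (read(sv[1], &buf, 1) == 1) close(got);  /* last reference drops here */
        _exit(0);
    }
    close(sv[1]);
    if (pipe(p) || xfer_fd(sv[0], p[1])) return -1;
    close(p[1]);                           /* the opener is done with the file */
    struct pollfd pf = { .fd = p[0], .events = POLLIN };
    int early = poll(&pf, 1, 0);           /* 0 events: file still referenced */
    if (write(sv[0], "G", 1) != 1) return -1;
    ssize_t n = read(p[0], &buf, 1);       /* EOF only after the service closes */
    waitpid(pid, NULL, 0);
    close(p[0]); close(sv[0]);
    return early == 0 && n == 0;
}

int main(void) { return released_by_receiver() == 1 ? 0 : 1; }
```

The pipe's read side sees end-of-file only once the child closes, so the release work for the write end runs in the child's context, with the child's credentials as current.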