Date: Sun, 14 Jul 2019 15:36:23 +0100
From: Al Viro
To: Aleksa Sarai
Cc: Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Shuah Khan, Shuah Khan, Christian Brauner, David Drysdale, Andy Lutomirski, Linus Torvalds, Eric Biederman, Andrew Morton, Alexei Starovoitov, Kees Cook, Jann Horn, Tycho Andersen, Chanho Min, Oleg Nesterov, Aleksa Sarai, containers@lists.linux-foundation.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org
Subject: Re: [PATCH v9 05/10] namei: O_BENEATH-style path resolution flags
Message-ID: <20190714143623.GR17978@ZenIV.linux.org.uk>
In-Reply-To: <20190714070029.m53etvm3y4etidxt@yavin>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 14, 2019 at 05:00:29PM +1000, Aleksa Sarai wrote:

> The basic property being guaranteed by LOOKUP_IN_ROOT is that it will
> not result in resolution of a path component which was not inside the
> root of the dirfd tree at some point during resolution (and that all
> absolute symlink and ".." resolution will be done relative to the
> dirfd). This may smell slightly of chroot(2), because unfortunately it
> is a similar concept -- the reason for this is to allow for a more
> efficient way to safely resolve paths inside a rootfs than spawning a
> separate process to then pass back the fd to the caller.

IDGI... If attacker can modify your subtree, you have already lost -
after all, they can make anything appear inside that tree just before
your syscall is made and bring it back out immediately afterwards.
And if they can't, what is the race you are trying to protect against?
Confused...
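
A single-threaded model of the resolution rule described in the quoted paragraph (absolute symlinks and ".." resolved relative to the root of the tree), added here as an illustration; it is not code from the patch series or from either participant. The dict tree `ROOTFS`, the `Symlink` class and `resolve_in_root` are hypothetical names, the sample tree is constructed, and the model does not represent concurrent modification of the tree.

```python
from collections import deque

MAX_SYMLINKS = 40  # Linux's MAXSYMLINKS; used here only to stop loops in the model


class Symlink:
    def __init__(self, target):
        self.target = target


def resolve_in_root(root, path):
    """Resolve `path` inside the dict tree `root`; return (path_in_root, node)."""
    stack = []                        # (name, node) pairs from the root to the current position
    pending = deque(path.split("/"))  # a leading "/" just yields an empty component
    followed = 0
    while pending:
        comp = pending.popleft()
        if comp in ("", "."):
            continue
        if comp == "..":
            if stack:                 # ".." at the root of the tree stays at the root
                stack.pop()
            continue
        cur = stack[-1][1] if stack else root
        if not isinstance(cur, dict):
            raise NotADirectoryError(comp)
        if comp not in cur:
            raise FileNotFoundError(comp)
        node = cur[comp]
        if isinstance(node, Symlink):
            followed += 1
            if followed > MAX_SYMLINKS:
                raise OSError("too many levels of symbolic links")
            if node.target.startswith("/"):
                stack.clear()         # absolute target restarts at the tree root, not the host "/"
            pending.extendleft(reversed(node.target.split("/")))
            continue
        stack.append((comp, node))
    node = stack[-1][1] if stack else root
    return "/" + "/".join(name for name, _ in stack), node


# Constructed sample tree: dicts are directories, strings are file contents.
ROOTFS = {
    "etc": {"passwd": "root:x:0:0:container root", "mtab": Symlink("/proc/mounts")},
    "proc": {"mounts": "overlay / overlay rw 0 0"},
    "var": {"run": Symlink("../run"), "escape": Symlink("../../../../etc/passwd")},
    "run": {},
    "loop": Symlink("/loop"),
}
```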