Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp1698603ybi; Wed, 17 Jul 2019 20:20:31 -0700 (PDT) X-Google-Smtp-Source: APXvYqylvllLO9ij5WHH8Lv6rPfevaPMYa4NlsIQ2Kia17tSzhngjLHeK6WFL4sNUxbElmJfU1Zz X-Received: by 2002:a65:6248:: with SMTP id q8mr5086037pgv.311.1563420031475; Wed, 17 Jul 2019 20:20:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563420031; cv=none; d=google.com; s=arc-20160816; b=ClBmeL0oXAjfBdUrxOBeI1gcrPUCb/Xm3LJh/m4cGv1rDohJ8xX4r/foN8myWDyTxV W11d5IRA3xrrGdMcDDH0mlSP4V9UzG/UgnGCrqEoss2iY2C2DNZJ7iWAx/QpZ0SUL7lJ 2j00YiMvwMfQ2Dh5CZ969oGUVFZ/FxIL0HJj/ZUqk15axrun9ASqe/fKliGYm6Ef6L2A jmPic+g9JW0kNdHPZaQoylCPQVVRbh0UpsGwX5OFoTjT9uvpTeMhUuD5rLfxNuzpLwzQ XW0bN7pnDK6/tpxw4MkYm2H5TuG5v3JL/59kVNZE3IcgoJAjLcbF9llS2mEUkg22D7EH VDbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=mfmw0xAMEUMqU/B5GYjF0ZLias/UBKEktoXuV2+KNtw=; b=Ht4NHIRNNHZecx6ln5VSqqqwKR6468JT1WkUqjvssx35v3uOTaWYAEo2ZOO6obCgUK XpDAT0rhZwdEz7ba1j2kCTo8zQVDyiKYEEWomWrnWirXduwZpl3E0v4KDVGfyqr9vSHc PKX7ELrUWHmRzWaDt+fegOYk1z5ixXdf9682z9MQEVJdQNNcDwoAnPa1Be1+gk8dLp6L dhPcplgE6Ku/GJRiw7bNhl579mqmMfhdy6qFrenwfni5/X29uNCIxug9p9YvGsEkcCS4 ohHot50UN/r8ZvITpDtL39siLM7KLvsRpdyWqCGj3hTJVMPT6F5DV6oqoYU+o8m/RDXS 9/2Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m12si563854pgn.149.2019.07.17.20.20.15; Wed, 17 Jul 2019 20:20:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392087AbfGRDSc (ORCPT + 99 others); Wed, 17 Jul 2019 23:18:32 -0400 Received: from mx1.mailbox.org ([80.241.60.212]:39012 "EHLO mx1.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389508AbfGRDSa (ORCPT ); Wed, 17 Jul 2019 23:18:30 -0400 Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id F35D54FE71; Thu, 18 Jul 2019 05:18:23 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id nZ38r1RPFd3K; Thu, 18 Jul 2019 05:18:14 +0200 (CEST) Date: Thu, 18 Jul 2019 13:17:29 +1000 From: Aleksa Sarai To: Al Viro Cc: Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Christian Brauner , David Drysdale , Andy Lutomirski , Linus Torvalds , Eric Biederman , Andrew Morton , Alexei Starovoitov , Kees Cook , Jann Horn , Tycho Andersen , Chanho Min , Oleg Nesterov , Aleksa Sarai , containers@lists.linux-foundation.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org Subject: Re: [PATCH v9 05/10] namei: O_BENEATH-style path resolution flags Message-ID: <20190718031729.scehpjydhuxgxqjy@yavin> References: <20190706145737.5299-6-cyphar@cyphar.com> <20190712043341.GI17978@ZenIV.linux.org.uk> <20190712105745.nruaftgeat6irhzr@yavin> <20190712123924.GK17978@ZenIV.linux.org.uk> <20190712125552.GL17978@ZenIV.linux.org.uk> <20190712132553.GN17978@ZenIV.linux.org.uk> <20190712150026.GO17978@ZenIV.linux.org.uk> <20190713024153.GA3817@ZenIV.linux.org.uk> <20190714070029.m53etvm3y4etidxt@yavin> <20190714143623.GR17978@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="z4aw3kgjubxi6rqg" Content-Disposition: inline In-Reply-To: <20190714143623.GR17978@ZenIV.linux.org.uk> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --z4aw3kgjubxi6rqg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019-07-14, Al Viro wrote: > On Sun, Jul 14, 2019 at 05:00:29PM +1000, Aleksa Sarai wrote: > > The basic property being guaranteed by LOOKUP_IN_ROOT is that it will > > not result in resolution of a path component which was not inside the > > root of the dirfd tree at some point during resolution (and that all > > absolute symlink and ".." resolution will be done relative to the > > dirfd). This may smell slightly of chroot(2), because unfortunately it > > is a similar concept -- the reason for this is to allow for a more > > efficient way to safely resolve paths inside a rootfs than spawning a > > separate process to then pass back the fd to the caller. >=20 > IDGI... If attacker can modify your subtree, you have already lost - > after all, they can make anything appear inside that tree just before > your syscall is made and bring it back out immediately afterwards. > And if they can't, what is the race you are trying to protect against? > Confused... I'll be honest, this code mostly exists because Jann Horn said that it was necessary in order for this interface to be safe against those kinds of attacks. Though, it's also entirely possible I just am mis-remembering the attack scenario he described when I posted v1 of this series last year. The use-case I need this functionality for (as do other container runtimes) is one where you are trying to safely interact with a directory tree that is a (malicious) container's root filesystem -- so the container won't be able to move the directory tree root, nor can they move things outside the rootfs into it (or the reverse). Users dealing with FTP, web, or file servers probably have similar requirements. There is an obvious race condition if you allow the attacker to move the root (I give an example and test-case of it in the last patch in the series), and given that it is fairly trivial to defend against I don't see the downside in including it? But it's obviously your call -- and maybe Jann Horn can explain the reasoning behind this much better than I can. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --z4aw3kgjubxi6rqg Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCXS/kxgAKCRCdlLljIbnQ Eo0/AQD7a5jDbww9O+NZeirpVja2r3Y2CFcg1rTXSOeRjy321gEAoJhiO3HmSR50 nG/Ogapy7jTKDSyCcC7BfUZDZSz67go= =wzlY -----END PGP SIGNATURE----- --z4aw3kgjubxi6rqg--