Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp1050205ybg; Sat, 26 Oct 2019 11:59:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqw85AZmZGaO/JDmANiK1P5m5LVonkvxI0Pafcs3Tp1Gc5fliDCl1EHHP0tr96m2Z4LlKQya X-Received: by 2002:a17:906:2a89:: with SMTP id l9mr775344eje.329.1572116360489; Sat, 26 Oct 2019 11:59:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572116360; cv=none; d=google.com; s=arc-20160816; b=AwN9E9VNw+kMNkIf1S4PosmY+ATAOPl/+L/g23SOtJ03CK6INfJKsaU8xN9chGwRHq psRqCZK23UUmSKIESicqewmreyQk/QxwMnGHJqkh1C1zxd1Kn0tzCZj0W+xT3QI0n3Dk ioDt6yJ22x2xmW+jFzoydBdB045eNoy9ZdldgjUUckzYCH8Who+kfQrgH0g/KK0klCRJ Ez44DkvPBAY2zxeNmRUKV1abrcpdSgY5AprtpYO0YN3i6gvsF2hZPGtMqc+2Iy2dYNql hdtW26LphrbnzcAI17RH9QbKqzUK0isdyXoo1t5zNAVY4NGWEcq/o2yk5+GUKXpnf5JU ItBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=t5c3ftYrDMDbxE+wbLskzLQur2i4A2V8jJAF3VM35ys=; b=y2Fs/v3HaVqiVWtPawkcAjlXAUt8X+BHVpk+0S1ys/CN5G2wOjzHTee0XkT3OEnuMe 6irYJHQgM8YnaSW5l5ubY+uKBdeSF5u68HrZmRYjaQleTuoC+hCXK8A3DkCgwn9HwVF+ QLu5IM7ipdVVxWfIr6DeCZf8muR46EFxqqFW93Zr2ALcy7eUxnLjo2Qt7yBsHpiiX41Q xPN+jriBMy6IYL1pvbC2qBt+cwgx6ADuGkNahfN/HGMBjBlTuFoIwzyBlpX4NWMYDoIk B8OiD6ydwmsOaqkIZhvh50+RzK8XUCqAT7fGh21za/ATBbv6pGUO3fPNzCFCKc5S8a4W mWrQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j26si3362041ejd.138.2019.10.26.11.58.57; Sat, 26 Oct 2019 11:59:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726655AbfJZS6V (ORCPT + 99 others); Sat, 26 Oct 2019 14:58:21 -0400 Received: from mout-p-102.mailbox.org ([80.241.56.152]:22284 "EHLO mout-p-102.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726533AbfJZS6U (ORCPT ); Sat, 26 Oct 2019 14:58:20 -0400 Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 470qxf4GBHzKmh0; Sat, 26 Oct 2019 20:58:14 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id 7ch4qwxEvf03; Sat, 26 Oct 2019 20:58:10 +0200 (CEST) From: Aleksa Sarai To: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Ingo Molnar , Peter Zijlstra Cc: Aleksa Sarai , Eric Biederman , Andy Lutomirski , Andrew Morton , Alexei Starovoitov , Kees Cook , Jann Horn , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Rasmus Villemoes , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Christian Brauner , Aleksa Sarai , Linus Torvalds , containers@lists.linux-foundation.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, libc-alpha@sourceware.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org Subject: [PATCH RESEND v14 2/6] namei: LOOKUP_IN_ROOT: chroot-like path resolution Date: Sun, 27 Oct 2019 05:56:56 +1100 Message-Id: <20191026185700.10708-3-cyphar@cyphar.com> In-Reply-To: <20191026185700.10708-1-cyphar@cyphar.com> References: <20191026185700.10708-1-cyphar@cyphar.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org /* Background. */ Container runtimes or other administrative management processes will often interact with root filesystems while in the host mount namespace, because the cost of doing a chroot(2) on every operation is too prohibitive (especially in Go, which cannot safely use vfork). However, a malicious program can trick the management process into doing operations on files outside of the root filesystem through careful crafting of symlinks. Most programs that need this feature have attempted to make this process safe, by doing all of the path resolution in userspace (with symlinks being scoped to the root of the malicious root filesystem). Unfortunately, this method is prone to foot-guns and usually such implementations have subtle security bugs. Thus, what userspace needs is a way to resolve a path as though it were in a chroot(2) -- with all absolute symlinks being resolved relative to the dirfd root (and ".." components being stuck under the dirfd root[1]) It is much simpler and more straight-forward to provide this functionality in-kernel (because it can be done far more cheaply and correctly). More classical applications that also have this problem (which have their own potentially buggy userspace path sanitisation code) include web servers, archive extraction tools, network file servers, and so on. [1]: At the moment, ".." and magic-link jumping are disallowed for the same reason it is disabled for LOOKUP_BENEATH -- currently it is not safe to allow it. Future patches may enable it unconditionally once we have resolved the possible races (for "..") and semantics (for magic-link jumping). /* Userspace API. */ LOOKUP_IN_ROOT will be exposed to userspace through openat2(2). There is a slight change in behaviour regarding pathnames -- if the pathname is absolute then the dirfd is still used as the root of resolution of LOOKUP_IN_ROOT is specified (this is to avoid obvious foot-guns, at the cost of a minor API inconsistency). Signed-off-by: Aleksa Sarai --- fs/namei.c | 5 +++++ include/linux/namei.h | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 54fdbdfbeb94..9d00b138f54c 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2277,6 +2277,11 @@ static const char *path_init(struct nameidata *nd, unsigned flags) nd->m_seq = read_seqbegin(&mount_lock); + /* LOOKUP_IN_ROOT treats absolute paths as being relative-to-dirfd. */ + if (flags & LOOKUP_IN_ROOT) + while (*s == '/') + s++; + /* Figure out the starting path and root (if needed). */ if (*s == '/') { error = nd_jump_root(nd); diff --git a/include/linux/namei.h b/include/linux/namei.h index 35a1bf074ff1..c7a010570d05 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -47,8 +47,9 @@ enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; #define LOOKUP_NO_MAGICLINKS 0x080000 /* No /proc/$pid/fd/ "symlink" crossing. */ #define LOOKUP_NO_SYMLINKS 0x100000 /* No symlink crossing *at all*. Implies LOOKUP_NO_MAGICLINKS. */ +#define LOOKUP_IN_ROOT 0x200000 /* Treat dirfd as %current->fs->root. */ /* LOOKUP_* flags which do scope-related checks based on the dirfd. */ -#define LOOKUP_IS_SCOPED LOOKUP_BENEATH +#define LOOKUP_IS_SCOPED (LOOKUP_BENEATH | LOOKUP_IN_ROOT) extern int path_pts(struct path *path); -- 2.23.0