Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp791589ybl; Fri, 6 Dec 2019 06:20:04 -0800 (PST) X-Google-Smtp-Source: APXvYqy8JNtoM1059xZZNOmGwEtaeQD//MMQE5RkN+3Fwmoki+zQK7FBMZOWgbnHWHMKB9u7eeLG X-Received: by 2002:a9d:3b09:: with SMTP id z9mr4515272otb.195.1575642004220; Fri, 06 Dec 2019 06:20:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575642004; cv=none; d=google.com; s=arc-20160816; b=SHfHC1klhfXjujmOFnpSo0XWuozw5VweuuNlWCrrVDnCNNNW0K23pALIp315qCOnSB xWuA8EuhKhvizjr9U5ka4axJ6mfSKsR5y7m01Su2P4LPTmk0wLruoJjU18b+gRZFLslM 9HxWM9IkO9wlMzuVtLBClNX4b3OsupuXTgM04/lSK+jvkeqQPrsHfLUx/PRbOuz9YklM 0VG9mJx8T+gGALF+VFc+PIrmxTCw2mEalACzUEePbXbWV4uq1DHHU9npd9vgCRKtJzlJ Oe7rJCxwz9LEtDFhUPWhPac1j7z7fONO2oY6NbIuWYhf0yUKXOuzXqrKp+0q2oaSUAit l7bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=bKvnmBXM33OIa34/6jdAyLrwE9stNTR7nqhLPSendVU=; b=opmwO3vxTEyzePjwGWuxzYuqEVnVU3umRkhwrHH6vgdPCrcfSHd8t3eNJlnCwyH92a c62mTyyBHsIEop6/34Xtz09dLJtnJwiyz1UgxurwmZhuBmcR4CCi70mjflfyKL/mwELo 5aT6sBIcWHeITubHHn8KpWSXJ+6vu/Ws7cGW+ghIJ2+0bGTApwrjOWNWLxhSfrMgT6su Il8UQj/ilsUNqH/gtjIEPsATMaB1niDcFB9iGIJLPBSiPO4pp0DJLn7aepVoDvSwqr91 7sXHCYNr7Yl/IYSvxSmJJw2SF54rNVlPZKvqmaq8TZ/4NneGfkntBoAETZJEeqRK1lh1 fFFw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e5si7735247oth.288.2019.12.06.06.19.50; Fri, 06 Dec 2019 06:20:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726780AbfLFOSZ (ORCPT + 99 others); Fri, 6 Dec 2019 09:18:25 -0500 Received: from mout-p-202.mailbox.org ([80.241.56.172]:28942 "EHLO mout-p-202.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726298AbfLFOSY (ORCPT ); Fri, 6 Dec 2019 09:18:24 -0500 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 47Tvnm72hWzQlC4; Fri, 6 Dec 2019 15:18:20 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id YqKflRMrESdz; Fri, 6 Dec 2019 15:18:13 +0100 (CET) From: Aleksa Sarai To: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Ingo Molnar , Peter Zijlstra , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , Andrii Nakryiko , Jonathan Corbet Cc: Aleksa Sarai , Christian Brauner , Eric Biederman , Andy Lutomirski , Andrew Morton , Kees Cook , Jann Horn , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Rasmus Villemoes , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Christian Brauner , Aleksa Sarai , Linus Torvalds , dev@opencontainers.org, containers@lists.linux-foundation.org, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, libc-alpha@sourceware.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org Subject: [PATCH v18 09/13] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution Date: Sat, 7 Dec 2019 01:13:34 +1100 Message-Id: <20191206141338.23338-10-cyphar@cyphar.com> In-Reply-To: <20191206141338.23338-1-cyphar@cyphar.com> References: <20191206141338.23338-1-cyphar@cyphar.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org /* Background. */ Container runtimes or other administrative management processes will often interact with root filesystems while in the host mount namespace, because the cost of doing a chroot(2) on every operation is too prohibitive (especially in Go, which cannot safely use vfork). However, a malicious program can trick the management process into doing operations on files outside of the root filesystem through careful crafting of symlinks. Most programs that need this feature have attempted to make this process safe, by doing all of the path resolution in userspace (with symlinks being scoped to the root of the malicious root filesystem). Unfortunately, this method is prone to foot-guns and usually such implementations have subtle security bugs. Thus, what userspace needs is a way to resolve a path as though it were in a chroot(2) -- with all absolute symlinks being resolved relative to the dirfd root (and ".." components being stuck under the dirfd root). It is much simpler and more straight-forward to provide this functionality in-kernel (because it can be done far more cheaply and correctly). More classical applications that also have this problem (which have their own potentially buggy userspace path sanitisation code) include web servers, archive extraction tools, network file servers, and so on. /* Userspace API. */ LOOKUP_IN_ROOT will be exposed to userspace through openat2(2). /* Semantics. */ Unlike most other LOOKUP flags (most notably LOOKUP_FOLLOW), LOOKUP_IN_ROOT applies to all components of the path. With LOOKUP_IN_ROOT, any path component which attempts to cross the starting point of the pathname lookup (the dirfd passed to openat) will remain at the starting point. Thus, all absolute paths and symlinks will be scoped within the starting point. There is a slight change in behaviour regarding pathnames -- if the pathname is absolute then the dirfd is still used as the root of resolution of LOOKUP_IN_ROOT is specified (this is to avoid obvious foot-guns, at the cost of a minor API inconsistency). As with LOOKUP_BENEATH, Jann's security concern about ".."[1] applies to LOOKUP_IN_ROOT -- therefore ".." resolution is blocked. This restriction will be lifted in a future patch, but requires more work to ensure that permitting ".." is done safely. Magic-link jumps are also blocked, because they can beam the path lookup across the starting point. It would be possible to detect and block only the "bad" crossings with path_is_under() checks, but it's unclear whether it makes sense to permit magic-links at all. However, userspace is recommended to pass LOOKUP_NO_MAGICLINKS if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=oMM0vHWuLD6EULmne3R6xa53w@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sarai --- fs/namei.c | 10 +++++++--- include/linux/namei.h | 3 ++- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index f0c15d2ace54..69cd0b296e8e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2299,13 +2299,16 @@ static const char *path_init(struct nameidata *nd, unsigned flags) nd->m_seq = read_seqbegin(&mount_lock); - /* Figure out the starting path and root (if needed). */ - if (*s == '/') { + /* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */ + if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) { error = nd_jump_root(nd); if (unlikely(error)) return ERR_PTR(error); return s; - } else if (nd->dfd == AT_FDCWD) { + } + + /* Relative pathname -- get the starting-point it is relative to. */ + if (nd->dfd == AT_FDCWD) { if (flags & LOOKUP_RCU) { struct fs_struct *fs = current->fs; unsigned seq; @@ -2345,6 +2348,7 @@ static const char *path_init(struct nameidata *nd, unsigned flags) } fdput(f); } + /* For scoped-lookups we need to set the root to the dirfd as well. */ if (flags & LOOKUP_IS_SCOPED) { nd->root = nd->path; diff --git a/include/linux/namei.h b/include/linux/namei.h index 93dad378f1e8..93151e47ec47 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -45,8 +45,9 @@ enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; #define LOOKUP_NO_MAGICLINKS 0x020000 /* No nd_jump_link() crossing. */ #define LOOKUP_NO_XDEV 0x040000 /* No mountpoint crossing. */ #define LOOKUP_BENEATH 0x080000 /* No escaping from starting point. */ +#define LOOKUP_IN_ROOT 0x100000 /* Treat dirfd as fs root. */ /* LOOKUP_* flags which do scope-related checks based on the dirfd. */ -#define LOOKUP_IS_SCOPED LOOKUP_BENEATH +#define LOOKUP_IS_SCOPED (LOOKUP_BENEATH | LOOKUP_IN_ROOT) extern int path_pts(struct path *path); -- 2.24.0