Date: Wed, 26 Aug 2020 14:48:19 -0600
From: Ross Zwisler
To: Alexander Viro
Cc: linux-kernel@vger.kernel.org, Mattias Nissler, Aleksa Sarai, Andrew Morton, Benjamin Gordon, David Howells, Dmitry Torokhov, Jesse Barnes, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthew Wilcox, Micah Morton, Raul Rangel, Shuah Khan
Subject: Re: [PATCH v8 1/2] Add a "nosymfollow" mount option.
Message-ID: <20200826204819.GA4414@google.com>
In-Reply-To: <20200819164317.637421-1-zwisler@google.com>

On Wed, Aug 19, 2020 at 10:43:16AM -0600, Ross Zwisler wrote:
> From: Mattias Nissler
>
> For mounts that have the new "nosymfollow" option, don't follow symlinks
> when resolving paths. The new option is similar in spirit to the
> existing "nodev", "noexec", and "nosuid" options, as well as to the
> LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD
> variants have been supporting the "nosymfollow" mount option for a long
> time with equivalent implementations.
>
> Note that symlinks may still be created on file systems mounted with
> the "nosymfollow" option present. readlink() remains functional, so
> user space code that is aware of symlinks can still choose to follow
> them explicitly.
>
> Setting the "nosymfollow" mount option helps prevent privileged
> writers from modifying files unintentionally in case there is an
> unexpected link along the accessed path. The "nosymfollow" option is
> thus useful as a defensive measure for systems that need to deal with
> untrusted file systems in privileged contexts.
>
> More information on the history and motivation for this patch can be
> found here:
>
> https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal
>
> Signed-off-by: Mattias Nissler
> Signed-off-by: Ross Zwisler
> Reviewed-by: Aleksa Sarai
> ---
> Changes since v7 [1]:
> * Rebased onto v5.9-rc1.
> * Added selftest in second patch.
> * Added Aleksa's Reviewed-By tag. Thank you for the review!
>
> After this lands I will upstream changes to util-linux[2] and man-pages
> [3].
>
> [1]: https://lkml.org/lkml/2020/8/11/896
> [2]: https://github.com/rzwisler/util-linux/commit/7f8771acd85edb70d97921c026c55e1e724d4e15
> [3]: https://github.com/rzwisler/man-pages/commit/b8fe8079f64b5068940c0144586e580399a71668
> ---

Friendly ping on this. Al, now that the changes to fs/namei.c have landed and
we're past the merge window for v5.9, what are your thoughts on this patch and
the associated test?
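
A user-space approximation of the behaviour the quoted commit message describes, added here as an example and not taken from the patch or the kernel: a privileged writer walks the path one component at a time and refuses any symlink, while `readlinkat()` keeps working. The helper name `open_nosymfollow()`, the `/tmp` scratch directory and the file names are assumptions for illustration; the helper expects a real directory fd and does not handle `O_CREAT`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open existing `path` under directory fd `dirfd`; ELOOP on any symlink. */
int open_nosymfollow(int dirfd, const char *path, int flags) {
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int cur = dup(dirfd);
    for (char *comp = strtok_r(buf, "/", &save), *next; cur >= 0 && comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        /* O_PATH pins the component itself; checking the fd avoids a TOCTOU race. */
        int fd = openat(cur, comp, (next ? O_PATH : flags) | O_NOFOLLOW | O_CLOEXEC);
        int err = fd < 0 ? errno : 0;
        if (!err && next && (fstat(fd, &st) < 0 || S_ISLNK(st.st_mode))) err = ELOOP;
        close(cur);
        if (err) { if (fd >= 0) close(fd); errno = err; return -1; }
        cur = fd;
    }
    return cur;
}

/* Constructed scenario: <tmp>/file and an unexpected symlink <tmp>/link -> ".". Returns 0 if
 * the direct open works, the linked path gets ELOOP, and readlinkat() still reads the link. */
int demo(void) {
    char tmpl[] = "/tmp/nosymfollow-XXXXXX", target[8] = {0};
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0) return -1;
    close(openat(root, "file", O_CREAT | O_WRONLY, 0600));
    symlinkat(".", root, "link");
    int direct = open_nosymfollow(root, "file", O_WRONLY);
    int via = open_nosymfollow(root, "link/file", O_WRONLY), via_errno = errno;
    ssize_t n = readlinkat(root, "link", target, sizeof(target) - 1);
    int ok = direct >= 0 && via == -1 && via_errno == ELOOP && n == 1 && target[0] == '.';
    close(direct);
    unlinkat(root, "link", 0);
    unlinkat(root, "file", 0);
    close(root);
    rmdir(tmpl);
    return ok ? 0 : -1;
}
int main(void) { return demo() != 0; }
```

With the mount option in place the kernel enforces the same refusal for every process on that mount, so callers that never adopted a per-component walk are covered as well.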