Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp451523pxk; Sun, 30 Aug 2020 09:37:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzH27pYrHZWedGzTYDDQajh+lUcQicR2hhGw1QqhwWaEXfhOZ6YIvjxKkNkdGDV2OLO90fe X-Received: by 2002:a17:906:9591:: with SMTP id r17mr8662204ejx.424.1598805479525; Sun, 30 Aug 2020 09:37:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598805479; cv=none; d=google.com; s=arc-20160816; b=xsIzjS/6E20/dDDJuN0WALHdQfLJYo6Zq/+aiHuurCQfdr1dy2HDvnFZ57hACIZYuP WNh3bLaaezoAQrSzT7CciC0eX1RdbnZQhDPjf7I4Ftg1NjNGsrPjfm7+XJnTHv2X/nCl sU4vPLi1tMi01sLCwJ2oMyErdCuMhVzBvRLB1qIC1Y73TbH1YrJe7GbYdZX7SYClPwrz YYDqyml0fuBtKB0GSx6EGocB7SLK8KM6MRLVLpd6kGfsqgOb2o+qNhnfCMO4eGgyC7hM fSuow1JFr2FLLzMwMUtMEmp4YhX8KLDADeR/SMJFrunteTqdQIjVovNaeilPy4xSxfTL VVvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ApjSGjUJIfnOFgukjKR7sGn/Fh23cf3zsLshkzEgV5s=; b=UcnWBiqM6MrjscuRuJKbo5qRFeND2U9cXFpPW4GFmN7N10XwSBwlhW9Y3JzKk41sqk 87mByduEOxVp1XYHi5PeBdSBLlLOQqXMDEfwoBuWgELRcp09C5N7jHjCB28qEmUKacyu Kf1HnIV7c35zQdyt3UG7u74NS7vLtTjBr+rdiFjpmmT2wcD7rxihWQpavivTpsBtLZ4r MXocBFwoViyo8z21gllYGKo90cwhtjjM+UiMttczWokdB/9nvbDS+SWvTtf3PDVY2RCE vTiqAD9XHe7t0F+f2fYEQzOV8qIhPfp4UWOWcAQBsJ9Eu86jgMsXtlPQdbnyBstMl0Dh QZrA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n9si3502266edv.310.2020.08.30.09.37.35; Sun, 30 Aug 2020 09:37:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726134AbgH3QhE (ORCPT + 99 others); Sun, 30 Aug 2020 12:37:04 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:48216 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726035AbgH3QhA (ORCPT ); Sun, 30 Aug 2020 12:37:00 -0400 Date: Sun, 30 Aug 2020 12:36:58 -0400 From: Rich Felker To: Jann Horn Cc: linux-fsdevel , kernel list , Linux API , Alexander Viro Subject: Re: [RESEND PATCH] vfs: add RWF_NOAPPEND flag for pwritev2 Message-ID: <20200830163657.GD3265@brightrain.aerifal.cx> References: <20200829020002.GC3265@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 30, 2020 at 05:05:45PM +0200, Jann Horn wrote: > On Sat, Aug 29, 2020 at 4:00 AM Rich Felker wrote: > > The pwrite function, originally defined by POSIX (thus the "p"), is > > defined to ignore O_APPEND and write at the offset passed as its > > argument. However, historically Linux honored O_APPEND if set and > > ignored the offset. This cannot be changed due to stability policy, > > but is documented in the man page as a bug. > > > > Now that there's a pwritev2 syscall providing a superset of the pwrite > > functionality that has a flags argument, the conforming behavior can > > be offered to userspace via a new flag. > [...] > > diff --git a/include/linux/fs.h b/include/linux/fs.h > [...] > > @@ -3411,6 +3413,8 @@ static inline int kiocb_set_rw_flags(struct kiocb *ki, rwf_t flags) > > ki->ki_flags |= (IOCB_DSYNC | IOCB_SYNC); > > if (flags & RWF_APPEND) > > ki->ki_flags |= IOCB_APPEND; > > + if (flags & RWF_NOAPPEND) > > + ki->ki_flags &= ~IOCB_APPEND; > > return 0; > > } > > Linux enforces the S_APPEND flag (set by "chattr +a") only at open() > time, not at write() time: > > # touch testfile > # exec 100>testfile > # echo foo > testfile > # cat testfile > foo > # chattr +a testfile > # echo bar > testfile > bash: testfile: Operation not permitted > # echo bar >&100 > # cat testfile > bar > # > > At open() time, the kernel enforces that you can't use O_WRONLY/O_RDWR > without also setting O_APPEND if the file is marked as append-only: > > static int may_open(const struct path *path, int acc_mode, int flag) > { > [...] > /* > * An append-only file must be opened in append mode for writing. > */ > if (IS_APPEND(inode)) { > if ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND)) > return -EPERM; > if (flag & O_TRUNC) > return -EPERM; > } > [...] > } > > It seems to me like your patch will permit bypassing S_APPEND by > opening an append-only file with O_WRONLY|O_APPEND, then calling > pwritev2() with RWF_NOAPPEND? I think you'll have to add an extra > check for IS_APPEND() somewhere. > > > One could also argue that if an O_APPEND file descriptor is handed > across privilege boundaries, a programmer might reasonably expect that > the recipient will not be able to use the file descriptor for > non-append writes; if that is not actually true, that should probably > be noted in the open.2 manpage, at the end of the description of > O_APPEND. fcntl F_SETFL can remove O_APPEND, so it is not a security boundary. I'm not sure how this interacts with S_APPEND; presumably fcntl rechecks it. So just checking IS_APPEND in the code paths used by pwritev2 (and erroring out rather than silently writing output at the wrong place) should suffice to preserve all existing security invariants. Rich