Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp502531pxk; Sun, 30 Aug 2020 11:38:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJznphrH+66O339xDNnvdQiIvY9LqPiE4PyWwkGAt318iosWi+5RRmLdlcuZwhotpnPTdnfX X-Received: by 2002:a17:906:5fc7:: with SMTP id k7mr8535183ejv.1.1598812728839; Sun, 30 Aug 2020 11:38:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598812728; cv=none; d=google.com; s=arc-20160816; b=AaF6qhfTCp2fdtJioKDcMxE8vj6OsWpgaznkElw3h3G3rraf2j30APDmAIcOrI/IFR QLvUOZBqjMYv2zs/WBIsb3K3nj8XlGdLHd/NbUQJZA4zoWlqc0invMZu00GMX3ojKOQA lJS50QeTjXKjiIBshITDSmZscnirv0jKQxA3QjNNWdDvi///gvr4PzkR5ue3oxceoA6j XnJxR5g0LWGjUkBvOuG/rS0tjreCY0ogL5WF0CKubswD1Grn/OpaYUpcQxVohZHsewP1 kfbNTfT4K1j6+c6Hukn1Yy7FfOqwFyz1/7nrDeAccYbQ8LPX9PITeDNVyIkkFmqjLX1F 7+KA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Y8uwjU5oHiF47ZrSXJ4yl5s3nLvBtRFzRy7WTBSBm60=; b=UxfZZRvkx4NXfBOTPu59fUPEYoYuh/xzusukHoGhzBV8HDOGFcsPGZvB1XhyQmniOW iXkdb3cFvW3Kh/cqTEi2n+NivCQX0Y6FufuMHQtNgv4q6mVLtG61OxZzmeS7p+A4tBQd kExmTE85cRAqusU8xS5UfnuVC8y4eH4KM4sxub2UbLCx/MVWSqH0lmj5YitFoeP+ljxx Ws/fwCPhTGJX0qXI8RriiD3EGVzeOBXfUeK9jC/TUr6q228IodOubuVOSeexH7rSDgtw vYhxx8gV1nFc80cHwuoyEPq0s4wWCo/3hkH0/FtXddaIDEhnKOCL80XgzUybbVr0ybkm pbDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MGNjjXB+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v2si4106337ejx.207.2020.08.30.11.37.56; Sun, 30 Aug 2020 11:38:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MGNjjXB+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726459AbgH3ScN (ORCPT + 99 others); Sun, 30 Aug 2020 14:32:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726150AbgH3ScJ (ORCPT ); Sun, 30 Aug 2020 14:32:09 -0400 Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1CB3C061573 for ; Sun, 30 Aug 2020 11:32:08 -0700 (PDT) Received: by mail-lj1-x243.google.com with SMTP id w14so4238125ljj.4 for ; Sun, 30 Aug 2020 11:32:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Y8uwjU5oHiF47ZrSXJ4yl5s3nLvBtRFzRy7WTBSBm60=; b=MGNjjXB+sKk0AO3lukEHRKMns6YteBnRQd8m5Bll9lSZ/Eml2CBmh4gTdwtWTxIP6r UK4oJoC2yzNckRturFI5L/egulnjeVsLW8C/ZIDjidPe5svsGSCX/aKWPhqTL1rngZPk 33U5kKOxFG2i3PxPGx1/ADEnRCXW0Cj+rOMksm0Lacqaikw2OTBk/4E7Y0PIz9oC4ca9 UsYadqznNUBk3Gcz+E+3QnAjKIquDMO2giLssBhNoP1Ge6wGJQ5D26ySn0fukexoSOWM 43N9w551soMF9GansBYEpVOQ7aIBV5/1N2P1ZIDJjZ7nofUQwS+TWo8wAOSR5LTglIYp uciQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Y8uwjU5oHiF47ZrSXJ4yl5s3nLvBtRFzRy7WTBSBm60=; b=K+sgZSa/IjE9kwe9ESQGSSrdbkgdptgSWHcd1isj9SU67oUcH2Sy6q/dYrP/S2yXfi vf+JWE926xIKo0qmjBUwlVfzy0D6BJpshG/YkYR4fxtA+PHHhFI4EcpejRFgQIEBJXwm SGCzD8Yy9fUAFl8kUavWSQOISD8MSMTjL2hDSuQ3Wj6gEhA99qvMwrLSY+gTsoRu13YC mtksp9WKkPIA6EHiR7O/uu50GK+jpnxnQA9a6SqHtA3XEuH22TjipNIVl+N1xa1EpZIK 9vNx6F5oSmMm1d74QIMbsWVN9uDuz9dS3AiN5K5d7ziIyLnBBgH5/8b4/psfgcCXn3Zd CkBA== X-Gm-Message-State: AOAM533kv3yepoNSZaGxZastBV5HyFhRnTy7AXpc0GbyEz9DKQEfX+BD guu5MaCGaiAM8x5ZtRAG43V1YLTcKsgMWwudJ3DvIg== X-Received: by 2002:a2e:9990:: with SMTP id w16mr3391033lji.156.1598812323032; Sun, 30 Aug 2020 11:32:03 -0700 (PDT) MIME-Version: 1.0 References: <20200829020002.GC3265@brightrain.aerifal.cx> <20200830163657.GD3265@brightrain.aerifal.cx> In-Reply-To: <20200830163657.GD3265@brightrain.aerifal.cx> From: Jann Horn Date: Sun, 30 Aug 2020 20:31:36 +0200 Message-ID: Subject: Re: [RESEND PATCH] vfs: add RWF_NOAPPEND flag for pwritev2 To: Rich Felker Cc: linux-fsdevel , kernel list , Linux API , Alexander Viro Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 30, 2020 at 6:36 PM Rich Felker wrote: > On Sun, Aug 30, 2020 at 05:05:45PM +0200, Jann Horn wrote: > > On Sat, Aug 29, 2020 at 4:00 AM Rich Felker wrote: > > > The pwrite function, originally defined by POSIX (thus the "p"), is > > > defined to ignore O_APPEND and write at the offset passed as its > > > argument. However, historically Linux honored O_APPEND if set and > > > ignored the offset. This cannot be changed due to stability policy, > > > but is documented in the man page as a bug. > > > > > > Now that there's a pwritev2 syscall providing a superset of the pwrite > > > functionality that has a flags argument, the conforming behavior can > > > be offered to userspace via a new flag. [...] > > Linux enforces the S_APPEND flag (set by "chattr +a") only at open() > > time, not at write() time: [...] > > It seems to me like your patch will permit bypassing S_APPEND by > > opening an append-only file with O_WRONLY|O_APPEND, then calling > > pwritev2() with RWF_NOAPPEND? I think you'll have to add an extra > > check for IS_APPEND() somewhere. > > > > > > One could also argue that if an O_APPEND file descriptor is handed > > across privilege boundaries, a programmer might reasonably expect that > > the recipient will not be able to use the file descriptor for > > non-append writes; if that is not actually true, that should probably > > be noted in the open.2 manpage, at the end of the description of > > O_APPEND. > > fcntl F_SETFL can remove O_APPEND, so it is not a security boundary. > I'm not sure how this interacts with S_APPEND; presumably fcntl > rechecks it. Ah, good point, you're right. In fs/fcntl.c: 35 static int setfl(int fd, struct file * filp, unsigned long arg) 36 { 37 struct inode * inode = file_inode(filp); 38 int error = 0; 39 40 /* 41 * O_APPEND cannot be cleared if the file is marked as append-only 42 * and the file is open for write. 43 */ 44 if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode)) 45 return -EPERM; > So just checking IS_APPEND in the code paths used by > pwritev2 (and erroring out rather than silently writing output at the > wrong place) should suffice to preserve all existing security > invariants. Makes sense.