Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp54269pxu; Thu, 10 Dec 2020 18:06:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJwNTbTFltWOjSqj2ON5KmFHIuHZ3/QVzpjYpRarLDcFVO6VOq8ZIyZxeeW3OCvjkocaIM1s X-Received: by 2002:a17:906:3a55:: with SMTP id a21mr9135581ejf.516.1607652395173; Thu, 10 Dec 2020 18:06:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607652395; cv=none; d=google.com; s=arc-20160816; b=TDv9y8iHdKxwes8gZXI07+99kUSNX2V82R67s8TitC/spUmM37tBUL/o6KbNqZ+6v+ XXneZps6v12/+mUnCeZb3wojRFm2NMhQtWIdDU//Jl6RMQnY+DqRzRFc4l4VEqnGCjrO bsg3NUAC/Jv9iIhqWAs15rGoghumuDhRvXLH4KAvZTMbP50OB3srYTwhlkjEHtVjv6Dy LM6/lVF719zRG9jz1+aD0gf32IJFUknE9lORdzouedQMQhiDW45ODyuM40P/ddtaEMnk eXEJqCWqXvrNx/COnEPNR/s478fK0k9RdsTq6IT3h1u6RVwFFkSqUyWNoA7XR1mzsIkd 69bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=a3HoxVeTcWA5htpeSp9SI0dpd34NYlZHs8NPHZQ2aqk=; b=O7bnWpTvE+bFpsyMnlxpwntYFINnl2Jlyeeo/DPwa+62+wGyIt5jR9opdR2nK8CJUH dlOWkzUsSpNdrAQzAPgTfsf9NxYZXsBhqJP2uRvbeNBln+3bUllfwSPzv39gw1orH/50 LjKFG4TUUWW13OcxUcrStqMVv20e5OZ/3Vqu1aryO+0nJrTY2/2P4DPoKNXD2rrG8ZDq d3CL+SvMl4ElVNXlYtogFIcELzOi9q8DJ3nKOXuxuAdrgzeKz8Ri9BRqUVLt05kFTLf4 S0tXd43T4ShrHV4AByubI26mcCLaE/Bm97HItT13Gu1YRtar0l1owamAE1UJ9ee1r6nM V66Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=T7Om6Dz3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id kt2si3506189ejb.124.2020.12.10.18.06.12; Thu, 10 Dec 2020 18:06:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=T7Om6Dz3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389920AbgLJPTy (ORCPT + 99 others); Thu, 10 Dec 2020 10:19:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390107AbgLJPTp (ORCPT ); Thu, 10 Dec 2020 10:19:45 -0500 Received: from mail-ua1-x942.google.com (mail-ua1-x942.google.com [IPv6:2607:f8b0:4864:20::942]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB131C0617A6 for ; Thu, 10 Dec 2020 07:18:42 -0800 (PST) Received: by mail-ua1-x942.google.com with SMTP id w7so1789969uap.13 for ; Thu, 10 Dec 2020 07:18:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a3HoxVeTcWA5htpeSp9SI0dpd34NYlZHs8NPHZQ2aqk=; b=T7Om6Dz30zjXwo1e3DzgDWXQhnNLsemk4NEGSyXJmQ5kiU3HRAbTfsV26RQ1UYys6W y/tqwGLAgNEebP63abkpvwOu2RYxIOPjqyyxuP2icvCDKprQz8lzYHv4pEegw4T/pSGk pv8LxMq6idiz77wBNzyo2zONXJtoQwzG+Hpxo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a3HoxVeTcWA5htpeSp9SI0dpd34NYlZHs8NPHZQ2aqk=; b=JTqjhTKxrMlzvwEekRNPz0EjIhwdwzpn54d8Kuls+/SYzePYBaauSWZnfhu4hLzEG2 jECuFMMkXGWL2Xwb34N4Mrn6d/BxfvOfkRVKnJDHbHvVQyKKJPP2GnWsT1hx5D6jumms MATwA6tXcd6p3Er1MA039+/fHkkB5EI5k6NiBuW7jSjYHs4SmdLg8TLGlcliYcLDZiMq QlHTjkz1fcUjWft+xSakeAlactOP0hXFsKrq6RoyfyxsXRFf5rhb+hcfBRHWE2Q0kEel FekPMrHjXcdiwA1Q7Sou/MDOrgI2uc2GpOQBrl2pqBUhLI3W/0vmCoYotwu914e7idaL rg+g== X-Gm-Message-State: AOAM5311j4BVSE4SvHHrwIAOJz87GxkWjlNZpRhZZz5DOzJILG1F1yUY ZhNKO31h2y3StWdgIUWVVKOKEZ/OWqkfjjCX9NheLg== X-Received: by 2002:a9f:3012:: with SMTP id h18mr8283428uab.11.1607613521839; Thu, 10 Dec 2020 07:18:41 -0800 (PST) MIME-Version: 1.0 References: <20201207163255.564116-1-mszeredi@redhat.com> <20201207163255.564116-5-mszeredi@redhat.com> In-Reply-To: From: Miklos Szeredi Date: Thu, 10 Dec 2020 16:18:30 +0100 Message-ID: Subject: Re: [PATCH v2 04/10] ovl: make ioctl() safe To: Amir Goldstein Cc: Miklos Szeredi , "Eric W . Biederman" , linux-fsdevel , overlayfs , LSM List , linux-kernel , Dmitry Vyukov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 8, 2020 at 12:15 PM Amir Goldstein wrote: > > On Mon, Dec 7, 2020 at 6:36 PM Miklos Szeredi wrote: > > > > ovl_ioctl_set_flags() does a capability check using flags, but then the > > real ioctl double-fetches flags and uses potentially different value. > > > > The "Check the capability before cred override" comment misleading: user > > can skip this check by presenting benign flags first and then overwriting > > them to non-benign flags. > > > > Just remove the cred override for now, hoping this doesn't cause a > > regression. > > > > The proper solution is to create a new setxflags i_op (patches are in the > > works). > > > > Xfstests don't show a regression. > > > > Reported-by: Dmitry Vyukov > > Signed-off-by: Miklos Szeredi > > Looks reasonable > > Reviewed-by: Amir Goldstein > > > --- > > fs/overlayfs/file.c | 75 ++------------------------------------------- > > 1 file changed, 3 insertions(+), 72 deletions(-) > > > > diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c > > index efccb7c1f9bc..3cd1590f2030 100644 > > --- a/fs/overlayfs/file.c > > +++ b/fs/overlayfs/file.c > > @@ -541,46 +541,26 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd, > > unsigned long arg) > > { > > struct fd real; > > - const struct cred *old_cred; > > long ret; > > > > ret = ovl_real_fdget(file, &real); > > if (ret) > > return ret; > > > > - old_cred = ovl_override_creds(file_inode(file)->i_sb); > > ret = security_file_ioctl(real.file, cmd, arg); > > if (!ret) > > ret = vfs_ioctl(real.file, cmd, arg); > > - revert_creds(old_cred); > > > > fdput(real); > > > > return ret; > > } > > > > > I wonder if we shouldn't leave a comment behind to explain > that no override is intentional. Comment added. > I also wonder if "Permission model" sections shouldn't be saying > something about ioctl() (current task checks only)? or we just treat > this is a breakage of the permission model that needs to be fixed? This is a breakage of the permission model. But I don't think this is a serious breakage, or one that actually matters. Not sure which is better: adding exceptions to the model or applying the model in situations where it's unnecessary. I'd rather go with the latter, but clearly in this case that was the wrong decision. Thanks, Miklos