Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3116143iob; Mon, 16 May 2022 13:30:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxw5aKTOA0GA4PcvCz212hja3aCoE8pSyWTVxNljXrIkLi/lb7pzlVdL5d30gPTPqRmXXy3 X-Received: by 2002:a05:6a00:2450:b0:4f7:bf07:c063 with SMTP id d16-20020a056a00245000b004f7bf07c063mr18710847pfj.51.1652733028050; Mon, 16 May 2022 13:30:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652733028; cv=none; d=google.com; s=arc-20160816; b=JuObErLpyilK6Q8v9ziPTC9hwQ1LnZ5SXQi3tLqc360MGw9+T9vF0R2dH1L666/vsa Dn0K75Yndfy0zfKWOXKIvWuJqajKi6ibs0DI1BuETukLGO0Y9b8xAed4MckyO7kMJwGr Ic6x5ppu/oIsf1OO4EygmvGr385GKJpGHc5253NaP+tcLhLgXqTvKmBehlGYHUElanKY sa5ytUbF7ksWo2klT2zK1F0geGrxZQIVTrurLnlPK7HVBxtVFbSaUvgM8k0A8qDjN6zo hByGt1qYDohWHCm8Oqip65kzMZxjqbNo4xZ6/lWopSlxfFvUyIDksnWyt2DcRrE7ux2N Xy+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=GRi7qYL5MFc9IxtC0M2IySOujCHuQhCkovUyzI0O1/M=; b=oLglGg1ka3CoX5+biixAGTtFCAWHFaPGzBRzGopsAgtHNPFqy8n2bl5ELHDFXFBCNG 1ljZFdLx1PLkl0LDEmRTvU5X12fLjB1ts76FJjHWjfE1/5IFWfJLhwxdRT8rdofDyH3n waAwrjN8OcVStYzIbct2jq/mRVMNVP5cSBIfQUFq3F7jfHfAvunqVRs1Byf1gtq5o/UT kDfrPHfdZt9dtLm7gdCI0oDOfXkpa/ksScCIxdCs6cv/FU8UKmhDg4CL4cmHVkR2Nesu 3RQeqQs6F0TqL5P5tDw1tXqC/l7+0jAOBySdbmypqJkWrvjzanleKisNMGY718gYlRQh jX8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=AYmqXQfi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mq7-20020a17090b380700b001d8814c305asi328457pjb.164.2022.05.16.13.30.17; Mon, 16 May 2022 13:30:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=AYmqXQfi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241316AbiEPHv1 (ORCPT + 99 others); Mon, 16 May 2022 03:51:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32974 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241315AbiEPHvQ (ORCPT ); Mon, 16 May 2022 03:51:16 -0400 Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47E6827153 for ; Mon, 16 May 2022 00:51:14 -0700 (PDT) Received: by mail-lj1-x234.google.com with SMTP id 4so17062602ljw.11 for ; Mon, 16 May 2022 00:51:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=GRi7qYL5MFc9IxtC0M2IySOujCHuQhCkovUyzI0O1/M=; b=AYmqXQfiZvO+PSvh6p7ZagVdULQKEc55/HGpL8DVoU7zWasDNN7MRWr9s6eXJsas+k 54SMOc2TjBqwR/vMiUGLXOVi5GuvpwPg+cRy+zO4jbOdXDEZQp3D+IoeDIkpi01sHfyd 80EmsXgpetDsKENZc7lqGlbcGt7Fnwi9M+MaE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=GRi7qYL5MFc9IxtC0M2IySOujCHuQhCkovUyzI0O1/M=; b=Bou3udlfSCbXulbYv6fgSZyU9B3hLbGtKr7bs3OIBO6TgeK6plTNy8+ox6+9glPGHq NazJ3MowXSkVWxkRPdETfJtkAQbtraZ2d2kf3YfoXMBly6mPKMzjwFVbQzPKNODMPO1I Nb5OpCGGxBT+Irw5LKR5AEqk9wkuJtOHozjz93daMJL/KuYsF2xZbgWXAeZVs6eIwSfO HaLA5QjRRWESIU5qDZTLF3AmBXgWBFzIiG5lrsPYL6wdTiIzRRs+z30iD+Z17zKRjVVP bFsJLLHPsiSbQFCqdVYyWprrsv3RAOUbWmF6hhpjp5LGuzQo+KJdgu0eJ3pgV1LJ9BcI F5vg== X-Gm-Message-State: AOAM531kXR97C3WXIsGt74tUJdDTucLiB1nN9RgjheC/uIto2Ee0Y/A6 lpeErgWuss4Ah7cZV/J+MXfLpg== X-Received: by 2002:a2e:82cd:0:b0:24b:4a69:790b with SMTP id n13-20020a2e82cd000000b0024b4a69790bmr10416425ljh.326.1652687472586; Mon, 16 May 2022 00:51:12 -0700 (PDT) Received: from [172.16.11.74] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id f4-20020a056512092400b0047255d211desm1226591lft.269.2022.05.16.00.51.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 16 May 2022 00:51:12 -0700 (PDT) Message-ID: <2ff479df-1f88-ecd0-8a0e-7d31ab02ca0d@rasmusvillemoes.dk> Date: Mon, 16 May 2022 09:51:10 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY Content-Language: en-US To: Simon Ser , Amir Goldstein Cc: "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" References: From: Rasmus Villemoes In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/05/2022 14.38, Simon Ser wrote: > On Thursday, May 12th, 2022 at 14:30, Amir Goldstein wrote: > >> Clients can also readlink("/proc/self/fd/") to get the path of the file >> and open it from its path (if path is accessible in their mount namespace). > > What the compositor does is: > > - shm_open with O_RDWR > - Write the kyeboard keymap > - shm_open again the same file with O_RDONLY > - shm_unlink > - Send the O_RDONLY FD to clients > > Thus, the file doesn't exist anymore when clients get the FD. So, what happens if you do fchmod(fd, 0400) on the fd before passing it to the client [1]. I assume the client is not running as the same uid as the compositor (so it can't fchmod() the inode back); if it is, then it could just ptrace you and all bets are off. [1] or for that matter, simply specify 0400 as the mode argument when creating the file - that's perfectly legal to do in conjunction with O_RDWR | O_CREAT | O_EXCL, and should probably be done to prevent anybody else from opening the same shm file with write permission before it gets shm_unlinked. Rasmus