Date: Thu, 26 May 2022 23:09:52 +1000
From: Aleksa Sarai
To: Simon Ser
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY
Message-ID: <20220526130952.z5efngrnh7xtli32@senku>

On 2022-05-12, Simon Ser wrote:
> Hi all,
>
> I'm a user-space developer working on Wayland. Recently we've been
> discussing security considerations related to FD passing between
> processes [1].
>
> A Wayland compositor often needs to share read-only data with its
> clients. Examples include a keyboard keymap, or a pixel format table.
> The clients might be untrusted. The data sharing can happen by having
> the compositor send a read-only FD (i.e., a FD opened with O_RDONLY) to
> clients.
>
> It was assumed that passing such a FD wouldn't allow Wayland clients to
> write to the file. However, it was recently discovered that procfs
> allows bypassing this restriction. A process can open(2)
> "/proc/self/fd/" with O_RDWR, and that will return a FD suitable for
> writing. This also works when running the client inside a user namespace.
> A PoC is available at [2] and can be tested inside a compositor which
> uses this O_RDONLY strategy (e.g. wlroots compositors).
>
> Question: is this intended behavior, or is this an oversight? If this is
> intended behavior, what would be a good way to share a FD to another
> process without allowing it to write to the underlying file?

This is currently intended behaviour, but I am working on a patchset to
fix it.

This was originally meant to be included with openat2(2) along with some
other hardenings in order to add safe O_EMPTYPATH support (as well as
having the ability for you to open an O_PATH descriptor and restrict how
it can be re-opened). The WIP patchset is in my repo[1].

The main issue at the moment is how to deal with directories (for parity
with *at(2) semantics as well as our own sanity, using a /proc/self/fd/$n
as a path component can't be blocked, so there's some more access mode
fiddling necessary to make this all cleaner). I should have an RFC
version ready in a couple of weeks.

[1]: https://github.com/cyphar/linux/tree/magiclink/main

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
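The re-open Simon describes, side by side with the mitigation a compositor can apply in user space today while the kernel-side fix is pending, as an added example that is not part of this thread, of Simon's PoC or of Aleksa's patchset. It uses memfd_create(2) file sealing, which the thread does not mention: the procfs re-open itself still succeeds on a sealed memfd (the kernel checks the inode's permission bits, and a memfd is created mode 0777), but once F_SEAL_WRITE is applied every write() through the re-opened descriptor fails with EPERM, so the client can no longer alter what the compositor shares. The example assumes a Linux host with /proc mounted and glibc's memfd_create wrapper; the memfd name "keymap" and the payload "keymap-v1" are constructed sample values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What happened when a holder of a read-only descriptor tried to get a
 * writable one back through the /proc/self/fd/<n> magic link. */
enum reopen_result {
    REOPEN_OPEN_FAILED  = 0,  /* open(..., O_RDWR) itself was refused */
    REOPEN_WRITABLE     = 1,  /* re-open succeeded and the write went through */
    REOPEN_WRITE_DENIED = 2,  /* re-open succeeded but write() returned EPERM */
};

/* Build the procfs path for a descriptor this process already holds. */
static void fd_path(int fd, char *buf, size_t len)
{
    snprintf(buf, len, "/proc/self/fd/%d", fd);
}

/* Client side of the scenario in the thread: re-open `fd` read-write via
 * procfs and try to overwrite the first byte of the shared data with 'X'. */
static enum reopen_result try_reopen_rw(int fd)
{
    char path[64];
    fd_path(fd, path, sizeof path);
    int rw = open(path, O_RDWR);
    if (rw < 0)
        return REOPEN_OPEN_FAILED;
    ssize_t n = pwrite(rw, "X", 1, 0);
    int saved_errno = errno;
    close(rw);
    if (n == 1)
        return REOPEN_WRITABLE;
    return saved_errno == EPERM ? REOPEN_WRITE_DENIED : REOPEN_OPEN_FAILED;
}

/* Compositor side: put `data` into a memfd, optionally seal it against any
 * future write, and return the O_RDONLY descriptor that would be sent to the
 * client. The memfd name "keymap" is a constructed sample value. */
static int make_shared_data(const char *data, int seal)
{
    char path[64];
    int fd = memfd_create("keymap", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    if (pwrite(fd, data, len, 0) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    /* F_SEAL_WRITE is the seal that matters here; SHRINK/GROW stop
     * truncation and extension, F_SEAL_SEAL stops the client adding seals. */
    if (seal && fcntl(fd, F_ADD_SEALS,
                      F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    /* The read-only descriptor is itself a procfs re-open of the writable one. */
    fd_path(fd, path, sizeof path);
    int ro = open(path, O_RDONLY);
    close(fd);
    return ro;
}

/* First byte as seen through the descriptor the compositor kept, which tells
 * us whether the client's write reached the shared data. */
static int first_byte(int fd)
{
    unsigned char c;
    return pread(fd, &c, 1, 0) == 1 ? (int)c : -1;
}

int main(void)
{
    const char *sample = "keymap-v1";  /* constructed sample payload */
    for (int seal = 0; seal <= 1; seal++) {
        int ro = make_shared_data(sample, seal);
        if (ro < 0) {
            perror("make_shared_data");
            return 1;
        }
        enum reopen_result r = try_reopen_rw(ro);
        printf("%s memfd: re-open result=%d, first byte now '%c'\n",
               seal ? "sealed" : "unsealed", (int)r, first_byte(ro));
        close(ro);
    }
    return 0;
}
```

Run on a stock kernel, the unsealed case reports result 1 and the compositor's own view of the data now starts with 'X'; the sealed case reports result 2 and the data is untouched. The seal is set while the compositor still holds the only descriptor, so a client cannot race it, and F_SEAL_SEAL prevents the client from changing the seal set afterwards. Regular files on disk get none of this protection: there the only guards against the re-open are the file's permission bits and the LSM policy, which is exactly the gap Aleksa's patchset targets.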