Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp1268559ioo; Fri, 27 May 2022 05:21:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzREPI2xcFa92vwtMDGVICn8sMjc/91IWv8lvdnSEgvJo9Eo2YP5du70U1r8B1gE6NKwa/I X-Received: by 2002:a17:907:7ba1:b0:6fe:e18a:dc89 with SMTP id ne33-20020a1709077ba100b006fee18adc89mr23018439ejc.392.1653654106137; Fri, 27 May 2022 05:21:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653654106; cv=none; d=google.com; s=arc-20160816; b=R7ZKjnf2QPT216u81AFr/toVY3jgQz0ko1P7G+q7ppKV9tgfM+16ksVWUWzMp7rZ31 DNCrIKPABBMu3cOxTTfJgO4ny6SsGKbUKtSPL+COLVeGjNlebl/hhlWT0otjV3AnzWE7 mrJP/+PovXwjimYbwFaH557R+9WNY3YKIG9vTtnrpke6TYZulPnueGcfgUVLF/vwbpWM X5O/Mk+U1Tb6gya5XcKny82MdreOMJUIK6gaRE8h0l+phkwpIZ1JmlMWTOS/fh8HNfjj 1v8qWoT7DULOQmfKeL2nUEcpxKyvheO60kSZOGM6ZrGqCH2+EKsIcCqwp1H+9AkNeXYz q4Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=NJHx34PNqAnasONPL/2ps+5fCvlX+fT0+P1OSaVHx3o=; b=Kz0/l3sqLOxf8VMLVMdwV1VG2DrJQPu9DnjSOVtG/iIXpEYjLH+82j2RePqgNDyaXM w735taNY5LZ9bWeAI98Z8LtQu/ajrosh9uWWjrTLRXXmljQ54r1qHmBo7SaW64PlXgyJ nQO3+0yJ+GJD6DsJRg9hN/zIoitYmrJRVVWAuq9CRyrhEso2ZCp1eJHeYearuYWWxogJ 536StkiA98TNB6i0VGXSBriJtsdvc5lqaDWQPvD3lc+eVwTrCN+4uqknAG+PJkV/AjRc CTIdAHBFEqNHSzCDAxJWIQ1FBgm6UqSCw7unpS8Rq7BOqJslU+2znoDjFDXT3r99kLgI K2Jg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j15-20020aa7c0cf000000b0042bca82b686si3852060edp.618.2022.05.27.05.21.19; Fri, 27 May 2022 05:21:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232643AbiEZLIR (ORCPT + 99 others); Thu, 26 May 2022 07:08:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229464AbiEZLIP (ORCPT ); Thu, 26 May 2022 07:08:15 -0400 Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 032BD6D842; Thu, 26 May 2022 04:08:14 -0700 (PDT) Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 74B2B1C0B8F; Thu, 26 May 2022 13:08:12 +0200 (CEST) Date: Thu, 26 May 2022 13:08:11 +0200 From: Pavel Machek To: Simon Ser Cc: "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY Message-ID: <20220526110811.GB5138@localhost> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! > I'm a user-space developer working on Wayland. Recently we've been > discussing about security considerations related to FD passing between > processes [1]. > > A Wayland compositor often needs to share read-only data with its > clients. Examples include a keyboard keymap, or a pixel format table. > The clients might be untrusted. The data sharing can happen by having > the compositor send a read-only FD (ie, a FD opened with O_RDONLY) to > clients. > > It was assumed that passing such a FD wouldn't allow Wayland clients to > write to the file. However, it was recently discovered that procfs > allows to bypass this restriction. A process can open(2) > "/proc/self/fd/" with O_RDWR, and that will return a FD suitable for > writing. This also works when running the client inside a user namespace. > A PoC is available at [2] and can be tested inside a compositor which > uses this O_RDONLY strategy (e.g. wlroots compositors). > > Question: is this intended behavior, or is this an oversight? If this is > intended behavior, what would be a good way to share a FD to another > process without allowing it to write to the underlying file? Sounds like a bug. Not all world is Linux, and 'mount /proc' changing security characteristics of fd passing is nasty and surprising. We should not surprise people when it has security implications. Best regards, Pavel --