Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2433614ioo; Sat, 28 May 2022 13:32:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxbSVcDy6S0NbQrD95MzLz+/HBBeoa0FBhJ1UPoPY1749oA1Mo5BAcbbeM4NTp0WIhq/3N7 X-Received: by 2002:a17:903:1205:b0:15e:804c:fab4 with SMTP id l5-20020a170903120500b0015e804cfab4mr49158223plh.112.1653769925425; Sat, 28 May 2022 13:32:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653769925; cv=none; d=google.com; s=arc-20160816; b=zGHlbNhu34p8NUyQFlg5rqkrSGX3OLoihoVjPk7YW4iNHSAEjVzGHHgA8I3u21xY1G 0dqyxV3Vzhu6NNGp/9Ty+ttT6gX9lm2Hm9hwMk0wEzPntS/MYJ6tPLIjxm1YYaxLdh8w GWv8gi5jnubTwaz+df0An5WKehmm0SJfcHxTDtSZBMhWss/3aOSoq8Bwf7XOjbe3wMGc kyGvMGn4WznPJRgqcbphrgINt+3BTTEEsWCrkNfTaXf9CitYWrT089K8p0bGbwn1QCK1 urAaNHf2lBZ5nK3j3wqZNRX40NfM8BeUfgzGTKuOiYFf24jnOnoyIAhjZfBHDqTmTEcp di6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=sO3RE7iBk/Ht6XiGPph3HPlOiqnAaHxuMKCnSJyeitw=; b=mfg+TWMAkgDvyROs1be1JUULXjplZB9T5HyAYtht8QZYs9FJaIoWmA3tO4bOKUkYmf Xqbv95l5RdskvLPOLolzk/3xc4ezKxsuc/qmsiCHcsY+0pC7Ljyzc/pFsQGnN9okIXJC XHBKZ+aDy4GuvoL+8aiGtxiypO+dmlKCe1a10pGZ87N+776gSJvaHPVfJTIKaZ//YlS3 QiNcP5jeISvDdbyAY8xGXUruSqutSiXFVPLsEwpYHO3dUOtAQkmQ+Yb42bUUN4ZQ02t0 gwnPcsXcru15mRLuAiAgENhVV9YooWUwrW0VwxCeQHU0TcoOeD+tqxF30iV5xCh4g3cP GUkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cyphar.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id h7-20020a636c07000000b003fbb432d3c1si6154136pgc.449.2022.05.28.13.32.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 May 2022 13:32:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cyphar.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E50BC1AA3F9; Sat, 28 May 2022 12:37:52 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347462AbiEZNEO (ORCPT + 99 others); Thu, 26 May 2022 09:04:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347398AbiEZNEM (ORCPT ); Thu, 26 May 2022 09:04:12 -0400 Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [IPv6:2001:67c:2050:0:465::101]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E70B5CFE3E; Thu, 26 May 2022 06:04:10 -0700 (PDT) Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4L87Rm0bs8z9sZH; Thu, 26 May 2022 15:04:04 +0200 (CEST) Date: Thu, 26 May 2022 23:03:55 +1000 From: Aleksa Sarai To: Christian Brauner Cc: Miklos Szeredi , Amir Goldstein , Simon Ser , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY Message-ID: <20220526130355.fo6gzbst455fxywy@senku> References: <03l0hfZIzD9KwSxSntGcmfFhvbIKiK45poGUhXtR7Qi0Av0-ZnqnSBPAP09GGpSrKGZWZNCTvme_Gpiuz0Bcg6ewDIXSH24SBx_tvfyZSWU=@emersion.fr> <20220513095817.622gcrgx3fffwk4h@wittgenstein> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ls6hlrjjszajykhe" Content-Disposition: inline In-Reply-To: <20220513095817.622gcrgx3fffwk4h@wittgenstein> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --ls6hlrjjszajykhe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2022-05-13, Christian Brauner wrote: > On Thu, May 12, 2022 at 02:56:22PM +0200, Miklos Szeredi wrote: > > On Thu, 12 May 2022 at 14:41, Simon Ser wrote: > > > > > > On Thursday, May 12th, 2022 at 12:37, Simon Ser = wrote: > > > > > > > what would be a good way to share a FD to another > > > > process without allowing it to write to the underlying file? > > > > > > (I'm reminded that memfd + seals exist for this purpose. Still, I'd be > > > interested to know whether that O_RDONLY/O_RDWR behavior is intended, > > > because it's pretty surprising. The motivation for using O_RDONLY over > > > memfd seals is that it isn't Linux-specific.) > >=20 > > Yes, this is intended. The /proc/$PID/fd/$FD file represents the > > inode pointed to by $FD. So the open flags for $FD are irrelevant > > when operating on the proc fd file. >=20 > Fwiw, the original openat2() patchset contained upgrade masks which we > decided to split it out into a separate patchset. >=20 > The idea is that struct open_how would be extended with an upgrade mask > field which allows the opener to specify with which permissions a file > descriptor is allowed to be re-opened. This has quite a lot of > use-cases, especially in container runtimes. So one could open an fd and > restrict it from being re-opened with O_WRONLY. For container runtimes > this is a huge security win and for userspace in general it would > provide a backwards compatible way of e.g., making O_PATH fds > non-upgradable. The plan is to resend the extension at some point in the > not too distant future. I am currently working on reviving this patchset. The main issue at the moment is that the semantics for how we should deal with directories is a little difficult to define (we want to ignore modes for directories because of *at(2) semantics but there's no fmode_t bits at the moment representing that the flip is a directory), but I'm working on it. This is going to be included along with the O_EMPTYPATH feature (since making this safe is IMHO a pre-requisite for O_EMPTYPATH). --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --ls6hlrjjszajykhe Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCYo96uAAKCRCdlLljIbnQ EuLaAP9AIoX3ZQoBY4Zbt7eYKU1Futeff1vE4dFwviRHUzebPAEAtrMNZ1WaqSOT 6XAkAWN2lR2wUyPESn4+ONh89CO/0gs= =8SCK -----END PGP SIGNATURE----- --ls6hlrjjszajykhe--