Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2433614ioo;
        Sat, 28 May 2022 13:32:05 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxbSVcDy6S0NbQrD95MzLz+/HBBeoa0FBhJ1UPoPY1749oA1Mo5BAcbbeM4NTp0WIhq/3N7
X-Received: by 2002:a17:903:1205:b0:15e:804c:fab4 with SMTP id l5-20020a170903120500b0015e804cfab4mr49158223plh.112.1653769925425;
        Sat, 28 May 2022 13:32:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1653769925; cv=none;
        d=google.com; s=arc-20160816;
        b=zGHlbNhu34p8NUyQFlg5rqkrSGX3OLoihoVjPk7YW4iNHSAEjVzGHHgA8I3u21xY1G
         0dqyxV3Vzhu6NNGp/9Ty+ttT6gX9lm2Hm9hwMk0wEzPntS/MYJ6tPLIjxm1YYaxLdh8w
         GWv8gi5jnubTwaz+df0An5WKehmm0SJfcHxTDtSZBMhWss/3aOSoq8Bwf7XOjbe3wMGc
         kyGvMGn4WznPJRgqcbphrgINt+3BTTEEsWCrkNfTaXf9CitYWrT089K8p0bGbwn1QCK1
         urAaNHf2lBZ5nK3j3wqZNRX40NfM8BeUfgzGTKuOiYFf24jnOnoyIAhjZfBHDqTmTEcp
         di6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=sO3RE7iBk/Ht6XiGPph3HPlOiqnAaHxuMKCnSJyeitw=;
        b=mfg+TWMAkgDvyROs1be1JUULXjplZB9T5HyAYtht8QZYs9FJaIoWmA3tO4bOKUkYmf
         Xqbv95l5RdskvLPOLolzk/3xc4ezKxsuc/qmsiCHcsY+0pC7Ljyzc/pFsQGnN9okIXJC
         XHBKZ+aDy4GuvoL+8aiGtxiypO+dmlKCe1a10pGZ87N+776gSJvaHPVfJTIKaZ//YlS3
         QiNcP5jeISvDdbyAY8xGXUruSqutSiXFVPLsEwpYHO3dUOtAQkmQ+Yb42bUUN4ZQ02t0
         gwnPcsXcru15mRLuAiAgENhVV9YooWUwrW0VwxCeQHU0TcoOeD+tqxF30iV5xCh4g3cP
         GUkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cyphar.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id h7-20020a636c07000000b003fbb432d3c1si6154136pgc.449.2022.05.28.13.32.05
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 28 May 2022 13:32:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cyphar.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id E50BC1AA3F9;
	Sat, 28 May 2022 12:37:52 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347462AbiEZNEO (ORCPT <rfc822;42.hyeyoo@gmail.com> + 99 others);
        Thu, 26 May 2022 09:04:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49242 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1347398AbiEZNEM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 26 May 2022 09:04:12 -0400
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [IPv6:2001:67c:2050:0:465::101])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E70B5CFE3E;
        Thu, 26 May 2022 06:04:10 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (No client certificate requested)
        by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4L87Rm0bs8z9sZH;
        Thu, 26 May 2022 15:04:04 +0200 (CEST)
Date:   Thu, 26 May 2022 23:03:55 +1000
From:   Aleksa Sarai <cyphar@cyphar.com>
To:     Christian Brauner <brauner@kernel.org>
Cc:     Miklos Szeredi <miklos@szeredi.hu>,
        Amir Goldstein <amir73il@gmail.com>,
        Simon Ser <contact@emersion.fr>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY
Message-ID: <20220526130355.fo6gzbst455fxywy@senku>
References: <lGo7a4qQABKb-u_xsz6p-QtLIy2bzciBLTUJ7-ksv7ppK3mRrJhXqFmCFU4AtQf6EyrZUrYuSLDMBHEUMe5st_iT9VcRuyYPMU_jVpSzoWg=@emersion.fr>
 <03l0hfZIzD9KwSxSntGcmfFhvbIKiK45poGUhXtR7Qi0Av0-ZnqnSBPAP09GGpSrKGZWZNCTvme_Gpiuz0Bcg6ewDIXSH24SBx_tvfyZSWU=@emersion.fr>
 <CAJfpegs4GVirNVtf4OqunzNwbXQywZVkxpGPtpN=ZonHU2SpiA@mail.gmail.com>
 <20220513095817.622gcrgx3fffwk4h@wittgenstein>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="ls6hlrjjszajykhe"
Content-Disposition: inline
In-Reply-To: <20220513095817.622gcrgx3fffwk4h@wittgenstein>
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--ls6hlrjjszajykhe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2022-05-13, Christian Brauner <brauner@kernel.org> wrote:
> On Thu, May 12, 2022 at 02:56:22PM +0200, Miklos Szeredi wrote:
> > On Thu, 12 May 2022 at 14:41, Simon Ser <contact@emersion.fr> wrote:
> > >
> > > On Thursday, May 12th, 2022 at 12:37, Simon Ser <contact@emersion.fr>=
 wrote:
> > >
> > > > what would be a good way to share a FD to another
> > > > process without allowing it to write to the underlying file?
> > >
> > > (I'm reminded that memfd + seals exist for this purpose. Still, I'd be
> > > interested to know whether that O_RDONLY/O_RDWR behavior is intended,
> > > because it's pretty surprising. The motivation for using O_RDONLY over
> > > memfd seals is that it isn't Linux-specific.)
> >=20
> > Yes, this is intended.   The /proc/$PID/fd/$FD file represents the
> > inode pointed to by $FD.   So the open flags for $FD are irrelevant
> > when operating on the proc fd file.
>=20
> Fwiw, the original openat2() patchset contained upgrade masks which we
> decided to split it out into a separate patchset.
>=20
> The idea is that struct open_how would be extended with an upgrade mask
> field which allows the opener to specify with which permissions a file
> descriptor is allowed to be re-opened. This has quite a lot of
> use-cases, especially in container runtimes. So one could open an fd and
> restrict it from being re-opened with O_WRONLY. For container runtimes
> this is a huge security win and for userspace in general it would
> provide a backwards compatible way of e.g., making O_PATH fds
> non-upgradable. The plan is to resend the extension at some point in the
> not too distant future.

I am currently working on reviving this patchset.

The main issue at the moment is that the semantics for how we should
deal with directories is a little difficult to define (we want to ignore
modes for directories because of *at(2) semantics but there's no fmode_t
bits at the moment representing that the flip is a directory), but I'm
working on it.

This is going to be included along with the O_EMPTYPATH feature (since
making this safe is IMHO a pre-requisite for O_EMPTYPATH).

--=20
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

--ls6hlrjjszajykhe
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCYo96uAAKCRCdlLljIbnQ
EuLaAP9AIoX3ZQoBY4Zbt7eYKU1Futeff1vE4dFwviRHUzebPAEAtrMNZ1WaqSOT
6XAkAWN2lR2wUyPESn4+ONh89CO/0gs=
=8SCK
-----END PGP SIGNATURE-----

--ls6hlrjjszajykhe--