Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp2637916iog; Mon, 20 Jun 2022 01:08:37 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vHJdih99YhLmccjPrQexg8TWwSSGK7aqgFmdHxQDWSUHiqSbp1fAxPiYxBRfFsAONwTaBn X-Received: by 2002:a63:2a92:0:b0:3fd:3da3:86ae with SMTP id q140-20020a632a92000000b003fd3da386aemr20522867pgq.284.1655712517118; Mon, 20 Jun 2022 01:08:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655712517; cv=none; d=google.com; s=arc-20160816; b=RPtcjupcLVGwyEu6fV7zjMKN8EbR7fUv5dmaFXQTlHIrlPO3ENHv7wkImosXyUu+u8 RkEbJ/N7/eOuSlXkm05OMlmLByN4ppKUYLYpmKL/abW18Uf5nod01dWuzbCHC+JPSR3a AayMYKVm9T0slFL+pWHMgwQQ+75PvjoyZlOghfHsn5SMB6BFAjHVRYpTgYgzgEmTeCUw /A6UU7lvEUingG6IcbNatCNqFaiBAXIGygiHl66NCZe6OJMWPdM3z/T6LmcLFeKrrzSZ /eCw7ZiD6WjFGhjlkfNCAqaW/9k+HQyFTxRvhNXm9GHZTYFOl2aZMype092gQETWU5Zd MZ9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=GxXkUt6216ao0IAs5e/9DRYdl00qb60wg/J8RDVkjsk=; b=q6XSzy8n2oheNr3BZYrttrm2fXc1JUULTMgv5RC/4oOyOLaiJ3UX1NFe3QEk0oe7An m9kWP16fLcUVsGGo8q3cpajRGpwuK98f7fg/HVU6qwkpRaCp9rmENh531ksqyKxqVsIg HIAKVOB2tjVo3RcKr6cV65qQU/sFUWmc6rMVWtj4IwiQRFkL29KaLZjg/tocDnklw3dG PSf/DZROqnJmNyJARWB3FRKDx7kuf8aYOfFOgtlrftpPaKMJgmD/nZz5dmnJf+1BY1fQ yZn60BI76rzT2Pk+vXlsYJRjYay4jcWeo1Opbl9CxmF77rS4D9Eunjgofus0OgjWYWRX mMjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=BLoaFYru; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d21-20020a056a00199500b00518959529f4si15793462pfl.300.2022.06.20.01.08.23; Mon, 20 Jun 2022 01:08:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=BLoaFYru; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239506AbiFTHqB (ORCPT + 99 others); Mon, 20 Jun 2022 03:46:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238584AbiFTHqA (ORCPT ); Mon, 20 Jun 2022 03:46:00 -0400 Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E79BFD19; Mon, 20 Jun 2022 00:45:59 -0700 (PDT) Received: by mail-vs1-xe31.google.com with SMTP id e20so9866077vso.4; Mon, 20 Jun 2022 00:45:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GxXkUt6216ao0IAs5e/9DRYdl00qb60wg/J8RDVkjsk=; b=BLoaFYruaso9jWufq53oE/bl/3unP9Q++L3TPsiXzyhkwByY2wB9NQa5HZ0g0k+M7s AudoV3xYGuQoPC0q5fc+0TA4sGzoE+3pnq1HaAgK0S7kyLzm4dzdewRXzv5D5TqGanlf 8tsV78Hk1R1+hXfhZAgmhsoOiVL++Y0xgF010mIUA0iS+3dv8gTWA8J594l73F4YAmSI VR3phYw8ZtQOBX/SR2ZHQ05abA8Y/ESqSwHWmca38tRDN4zwd6Tl+pTqfjnlJDg/HowB sxmTWII67lJlNR5CahWM1jEFficpNQjqfK1A7M5/KajIiZp07YRPasTvma+Xhiq3rJ5s T0dQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GxXkUt6216ao0IAs5e/9DRYdl00qb60wg/J8RDVkjsk=; b=eq611Q0ZHoCSYEKZMdedo2F5dUzj2sy6qPLc7t9ScnlO9qk006uHLr7/WCBpwS3wjW FpmXSq+y/VT4iD5cWffZqo17ghWzA4k0wYYtsfFLygdNAGtToIhyjykAmd/BFVzyECvz BkzgSLSCoksTxSC6xWhHLdXA5Ee4H0s18D/Eqd27K33jbb8xrXAko66c9MlMb11cRRs7 kV3vF3baxUBv1m13cLvfB8s0TzMu64b3Vg5uECM3xfzEUA22H2V9TgqoWwr5KTCzoyxI 1iBTKDj7Acat11WBSv+N7igrAcHG59zVpAQL6Rxqbzh6VtNSFifoMsJCjG80esiccBM7 3nJQ== X-Gm-Message-State: AJIora9TmsSdUoP7IDkAkRh+iwr+7gGz+0QgZV2LeuRoI8BpIFivH4qi nVwudDe/tKM0SVhKjJowSvUKwP/BhahAsxIudh8= X-Received: by 2002:a67:c113:0:b0:354:3ef9:3f79 with SMTP id d19-20020a67c113000000b003543ef93f79mr252323vsj.3.1655711158361; Mon, 20 Jun 2022 00:45:58 -0700 (PDT) MIME-Version: 1.0 References: <20220607153139.35588-1-cgzones@googlemail.com> <20220608112728.b4xrdppxqmyqmtwf@wittgenstein> <20220608124808.uylo5lntzfgxxmns@wittgenstein> <20220618031805.nmgiuapuqeblm3ba@senku> <20220620060741.3clikqadotq2p5ja@senku> In-Reply-To: <20220620060741.3clikqadotq2p5ja@senku> From: Amir Goldstein Date: Mon, 20 Jun 2022 10:45:46 +0300 Message-ID: Subject: Re: [RFC PATCH] f*xattr: allow O_PATH descriptors To: Aleksa Sarai Cc: Christian Brauner , =?UTF-8?Q?Christian_G=C3=B6ttsche?= , SElinux list , Miklos Szeredi , Linux API , linux-man , Alexander Viro , linux-fsdevel , linux-kernel Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > > The goal would be that the semantics of fooat(, AT_EMPTY_PATH) and > > > foo(/proc/self/fd/) should always be identical, and the current > > > semantics of /proc/self/fd/ are too leaky so we shouldn't always > > > assume that keeping them makes sense (the most obvious example is being > > > able to do tricks to open /proc/$pid/exe as O_RDWR). > > > > Please make a note that I have applications relying on current magic symlink > > semantics w.r.t setxattr() and other metadata operations, and the libselinux > > commit linked from the patch commit message proves that magic symlink > > semantics are used in the wild, so it is not likely that those semantics could > > be changed, unless userspace breakage could be justified by fixing a serious > > security issue (i.e. open /proc/$pid/exe as O_RDWR). > > Agreed. We also use magiclinks for similar TOCTOU-protection purposes in > runc (as does lxc) as well as in libpathrs so I'm aware we need to be > careful about changing existing behaviours. I would prefer to have the > default be as restrictive as possible, but naturally back-compat is > more important. > > > > I suspect that the long-term solution would be to have more upgrade > > > masks so that userspace can opt-in to not allowing any kind of > > > (metadata) write access through a particular file descriptor. You're > > > quite right that we have several metadata write AT_EMPTY_PATH APIs, and > > > so we can't retroactively block /everything/ but we should try to come > > > up with less leaky rules by default if it won't break userspace. > > > > Ok, let me try to say this in my own words using an example to see that > > we are all on the same page: > > > > - lsetxattr(PATH_TO_FILE,..) has inherent TOCTOU races > > - fsetxattr(fd,...) is not applicable for symbolic links > > While I agree with Christian's concerns about making O_PATH descriptors > more leaky, if userspace already relies on this through /proc/self/fd/$x > then there's not much we can do about it other than having an opt-out > available in openat2(2). Having the option to disable this stuff to > avoid making O_PATH descriptors less safe as a mechanism for passing > around "capability-less" file handles should make most people happy > (with the note that ideally we would not be *adding* capabilities to > O_PATH we don't need to). > > > - setxattr("/proc/self/fd/",...) is the current API to avoid TOCTOU races > > when setting xattr on symbolic links > > - setxattrat(o_path_fd, "", ..., AT_EMPTY_PATH) is proposed as a the > > "new API" for setting xattr on symlinks (and special files) > > If this is a usecase we need to support then we may as well just re-use > fsetxattr() since it's basically an *at(2) syscall already (and I don't > see why we'd want to split up the capabilities between two similar > *at(2)-like syscalls). Though this does come with the above caveats that > we need to have the opt-outs available if we're going to enshrine this > as intentional part of the ABI. Christian preferred that new functionality be added with a new API and I agree that this is nicer and more explicit. The bigger question IMO is, whether fsomething() should stay identical to somethingat(,,,AT_EMPTY_PATH). I don't think that it should. To me, open(path,O_PATH)+somethingat(,,,AT_EMPTY_PATH) is identical to something(path) - it just breaks the path resolution and operation to two distinguished steps. fsomething() was traditionally used for "really" open fds, so if we don't need to, we better not relax it further by allowing O_PATH, but that's just one opinion. > > > - The new API is going to be more strict than the old magic symlink API > > - *If* it turns out to not break user applications, old API can also become > > more strict to align with new API (unlikely the case for setxattr()) > > - This will allow sandboxed containers to opt-out of the "old API", by > > restricting access to /proc/self/fd and to implement more fine grained > > control over which metadata operations are allowed on an O_PATH fd > > > > Did I understand the plan correctly? > > Yup, except I don't think we need setxattrat(2). > > > Do you agree with me that the plan to keep AT_EMPTY_PATH and magic > > symlink semantics may not be realistic? > > To clarify -- my view is that if any current /proc/self/fd/$n semantic > needs to be maintained then I would prefer that the proc-less method of > doing it (such as through AT_EMPTY_PATH et al) would have the same > capability and semantics. There are some cases where the current > /proc/self/fd/$n semantics need to be fixed (such as the /proc/$pid/exe > example) and in that case the proc-less semantics also need to be made > safe. > > While I would like us to restrict O_PATH as much as possible, if > userspace already depends on certain behaviour then we may not be able > to do much about it. Having an opt-out would be very important since > enshrining these leaky behaviours (which seem to have been overlooked) > means we need to consider how userspace can opt out of them. > > Unfortunately, it should be noted that due to the "magical" nature of > nd_jump_link(), I'm not sure how happy Al Viro will be with the kinds of > restrictions necessary. Even my current (quite limited) upgrade-mask > patchset has to do a fair bit of work to unify the semantics of > magic-links and openat(O_EMPTYPATH) -- expanding this to all *at(2) > syscalls might be quite painful. (There are also several handfuls of > semantic questions which need to be answered about magic-link modes and > whether for other *at(2) operations we may need even more complicated > rules or even a re-thinking of my current approach.) > The question remains, regarding the $SUBJECT patch, is it fair to block it and deprive libselinux of a non buggy API until such time that all the details around masking O_PATH fds will be made clear and the new API implemented? There is no guarantee this will ever happen, so it does not seem reasonable to me. To be a reasonable reaction to the currently broken API is to either accept the patch as is or request that setxattrat() will be added to provide the new functionality. Thanks, Amir.