Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2094904rwb;
        Thu, 29 Sep 2022 06:14:57 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5HOnxAKhwkyRzbQ4HW1gkLjantTVdSLAzzDZiCqppVJVWFe2nM6dIpRadJfSIIDJcbNa6I
X-Received: by 2002:a17:907:1c9b:b0:783:43c:10b with SMTP id nb27-20020a1709071c9b00b00783043c010bmr2740078ejc.320.1664457297368;
        Thu, 29 Sep 2022 06:14:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1664457297; cv=none;
        d=google.com; s=arc-20160816;
        b=zcuZk4ZwwuDwysBT9jqtGGH8doy++EfZ53F/Fb6Vit91lQdQs+ONoaUQBHunSSOlJn
         gZPMPXKIYRast4zTe8e2JMSaSqAQ6Q0I5y/9w3n317Ek1pF2LG7gjAmbZvFaOEL9Fo6b
         L5Vgxi0Jb9+9VH7hiAILdN5EwUmCjygDPrmfRx41/GwyisuWQ33ZbWAD4m7DvGTHFl9r
         KHZzlskMnVwr+Na/wlWULUU3tFE7z3ouN0XTX40XRXN3uOCbKfwQlX4fLiEHGhk2q8q/
         IFUzr7IMxJkvwr9DdQPxzoEzmeB47W/LcOVsRIxwUYPtT4PrnRnIA8bBga856SfSVdya
         2hpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=PTxlv6d/DZFC2QIDzQODHtRnVK4ndNdWTPqnwf1x7k8=;
        b=ARiFX+Zx87lWvFDGVY7t3baByeXdUB/n14YAmN6mfE8nBMcbRr4h4BMxmOxO7WC2+1
         MbMe77hce7dZDC4iX66tORYxA7O7kob9QDv1aDhOyGyJvv2P+EKKqp8zJ/aMNZ77CKOk
         Oumn03cq1IDvQIl9lkDdcPqKZD2Rqr3LtcNarHa8IfbSZrdbdPNBZ+j3hitP+9go0zwU
         lrPVhtwWyZ046pumDxlEF6PBjoAO/ou2tAS+7i91P5Y4cv4xEIBtILAfvkxCPbqATSfr
         1Kr6a6TcI3bTy9SgAXBK60AefJVtc2RNqqzA4+/VFxQjhB1kOhFk2BEVEHp0VUe5p4eY
         JI1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=J9t6XXTr;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id s25-20020a170906455900b007813c565e59si6939959ejq.210.2022.09.29.06.14.30;
        Thu, 29 Sep 2022 06:14:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=J9t6XXTr;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234889AbiI2MSw (ORCPT <rfc822;andy.bettisworth@gmail.com>
        + 99 others); Thu, 29 Sep 2022 08:18:52 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41720 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235307AbiI2MSt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Sep 2022 08:18:49 -0400
Received: from smtp-1908.mail.infomaniak.ch (smtp-1908.mail.infomaniak.ch [IPv6:2001:1600:4:17::1908])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2647212969F;
        Thu, 29 Sep 2022 05:18:47 -0700 (PDT)
Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107])
        by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4MdXTJ6ZzszMqJhl;
        Thu, 29 Sep 2022 14:18:44 +0200 (CEST)
Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149])
        by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4MdXTJ1MvNzMpnPm;
        Thu, 29 Sep 2022 14:18:44 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net;
        s=20191114; t=1664453924;
        bh=W7vslApTCphM95MlDuIkNlTGmBG0MHn06s5FtT+q6n4=;
        h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
        b=J9t6XXTrSZ+jmXbM/e0FUaS26/80lkVy1/MDSHtzVr40GTEErjt8EmT4uN9Wo2Zty
         fl4wEiUCBr5fa9by5a+vLpZyXPchrmawM6hzuUmHEy8FhdryxNBStPZjDs4BaH5tfC
         i6+hIILR6z4dw3J5UeBXe9xWN/ZAqYWPzBEck+iU=
Message-ID: <75d077ca-4f1d-50c4-10d2-0fb31fcd0c86@digikod.net>
Date:   Thu, 29 Sep 2022 14:18:43 +0200
MIME-Version: 1.0
User-Agent: 
Subject: Re: [PATCH v1] ksmbd: Fix user namespace mapping
Content-Language: en-US
To:     Christian Brauner <brauner@kernel.org>
Cc:     Hyunchul Lee <hyc.lee@gmail.com>,
        Namjae Jeon <linkinjeon@kernel.org>,
        Steve French <smfrench@gmail.com>,
        Al Viro <viro@zeniv.linux.org.uk>, linux-cifs@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, stable@vger.kernel.org
References: <20220929100447.108468-1-mic@digikod.net>
 <20220929113735.7k6fdu75oz4jvsvz@wittgenstein>
From:   =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
In-Reply-To: <20220929113735.7k6fdu75oz4jvsvz@wittgenstein>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 29/09/2022 13:37, Christian Brauner wrote:
> On Thu, Sep 29, 2022 at 12:04:47PM +0200, Mickaël Salaün wrote:
>> A kernel daemon should not rely on the current thread, which is unknown
>> and might be malicious.  Before this security fix,
>> ksmbd_override_fsids() didn't correctly override FS UID/GID which means
>> that arbitrary user space threads could trick the kernel to impersonate
>> arbitrary users or groups for file system access checks, leading to
>> file system access bypass.
>>
>> This was found while investigating truncate support for Landlock:
>> https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com
>>
>> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
>> Cc: Hyunchul Lee <hyc.lee@gmail.com>
>> Cc: Namjae Jeon <linkinjeon@kernel.org>
>> Cc: Steve French <smfrench@gmail.com>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net
>> ---
> 
> I think this is ok. The alternative would probably be to somehow use a
> relevant userns when struct ksmbd_user is created when the session is
> established. But these are deeper ksmbd design questions. The fix
> proposed here itself seems good.

That would be better indeed. I guess ksmbd works whenever the netlink 
peer is not in a user namespace with mapped UID/GID, but it should 
result in obvious access bugs otherwise (which is already the case 
anyway). It seems that the netlink peer must be trusted because it is 
the source of truth for account/user mapping anyway. This change fixes 
the more critical side of the issue and it should fit well for backports.