Received-SPF: pass (google.com: domain of linux-kernel+bounces-140132-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Date: Thu, 11 Apr 2024 11:04:59 +0200
From: Christian Brauner <brauner@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>, 
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, 
	Andrew Lutomirski <luto@kernel.org>, Peter Anvin <hpa@zytor.com>
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() -
 requirements
Message-ID: <20240411-alben-kocht-219170e9dc99@brauner>
References: <20240411001012.12513-1-torvalds@linux-foundation.org>
 <CAHk-=wiaoij30cnx=jfvg=Br3YTxhQjp4VWRc6=xYE2=+EVRPg@mail.gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CAHk-=wiaoij30cnx=jfvg=Br3YTxhQjp4VWRc6=xYE2=+EVRPg@mail.gmail.com>

On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > +                       if (f.file->f_cred != current_cred() &&
> > +                           !capable(CAP_DAC_READ_SEARCH)) {
> > +                               fdput(f);
> > +                               return ERR_PTR(-ENOENT);
> > +                       }
> > +               }
> 
> Side note: I suspect that this could possibly be relaxed further, by
> making the rule be that if something has been explicitly opened to be
> used as a path (ie O_PATH was used at open time), we can link to it
> even across different credentials.

I had a similar discussion a while back someone requested that we relax
permissions so linkat can be used in containers. And I drafted the
following patch back then:

https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner

IOW, I had intended to make this work with containers so that we check
CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
thinking had been that this can serve as a way to say "Hey, I could've
opened this file in the openers namespace therefore let me make a path
to it.". I didn't actually send it because I thought the original author
would but imho, that would be a worthwhile addition to your patch if
this makes sense...

> 
> IOW, the above could perhaps even be
> 
> +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> +                       if (!(f.file->f_mode & FMODE_PATH) &&
> +                           f.file->f_cred != current_cred() &&
> +                           !capable(CAP_DAC_READ_SEARCH)) {
> +                               fdput(f);
> +                               return ERR_PTR(-ENOENT);
> +                       }
> +               }
> 
> which would _allow_ people to pass in paths as file descriptors if
> they actually wanted to.
> 
> After all, the only thing you can do with an O_PATH file descriptor is
> to use it as a path - there would be no other reason to use O_PATH in
> the first place. So if you now pass it to somebody else, clearly you
> are intentionally trying to make it available *as* a path.
> 
> So you could imagine doing something like this:
> 
>          // Open path as root
>          int fd = open('filename", O_PATH);
> 
>         // drop privileges
>         // setresuid(..) or chmod() or enter new namespace or whatever
> 
>         linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
> 
> and it would open the path with one set of privileges, but then
> intentionally go into a more restricted mode and create a link to the
> source within that restricted environment.
> 
> Sensible? Who knows. I'm just throwing this out as another "this may
> be the solution to our historical flink() issues".
> 
>            Linus