Received: by 2002:ab2:7988:0:b0:1f4:b336:87c4 with SMTP id g8csp101208lqj; Thu, 11 Apr 2024 10:59:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUChatZNpYLrfxyM2i1UDR7cPUuUMf8zC9+6jE0+b61y713nYcw9cP2vfhPpZd7fktzwF3oriSopDuO3yxydmLSEyujym4LU93m9zPxrQ== X-Google-Smtp-Source: AGHT+IESqKdbSxdE+ioPA3/gO6n+x/5VdC8skwvtjaHU57J4KMRTGS6d92gVwmvbrJdmDnspjccN X-Received: by 2002:a05:6a21:339c:b0:1a7:8bdb:f095 with SMTP id yy28-20020a056a21339c00b001a78bdbf095mr743914pzb.6.1712858373996; Thu, 11 Apr 2024 10:59:33 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712858373; cv=pass; d=google.com; s=arc-20160816; b=xSQvdg0J+hVSvzg+3QTC37xDhZF1rGtrc0Z0as/n/0iGV0qY6+86A82cU71rz7nfWy WTeq8R5ppymptY37bG1r5dkMyLJrUtlxU9czJJ+QlJSoqGKQaahkWdgPfB96SJ+hg3Fg R81cwwMnWtBhrajsHXaOMBRS8sommQWIyDwf6HkKsAOd3+pWeQfTgi2GNQkW/82YDMp7 NsCxr3xIUGBOvlZRAC+O9oWRsIULgL1FKVJ82n4MoZqkySojrJQaHNuqGIViPnK17XfX ej5fEV5d+JTB6RZEsMn1/7k4SCWk8vetMDYBB7D/99Y9yQqViqLUwzmFSobVtK4CIgZi ot5Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=94L/JCISmahgDBDl2sXYWYZZ3cyyrK3rK/U7jZZ3W+E=; fh=/DROV5v3qGvJvgy8ccXKGmAEzbwxqO7Tab1CI1KsuZA=; b=q+CxLqBCpURYf/jEOrNRD+f5CwIfOjIT1/RCaDs5YAKdY398vtqIlwHA7pKsvPD/54 +Fe2O7W6vKNPGpXhEc9dZmKS/Ear+7TAtoZZlXghmhy6x8NhyU7iMIp8gWfLyO42zm9D c946CSxNvVS2l2O6Hcg4jgqAL+pi94U2LC2V0L5d2t/lXqpSel5RBl+iqopUwQwbkDo7 JQxYGSR+svkIS3/NCpMVB3d4FPVZNuAS/Gya1sRbrA8+1C6UIvd6qGHoJQcKDTZufpV9 1euymylVW2hQELtBKYTCuc/sdzYooSR/CjKzqbWomglMa7k85R9yLpG5zb3v8jFtTGnV qVCA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="bs/zDxaJ"; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141345-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141345-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id u5-20020a63ef05000000b005f3a86728b4si1596025pgh.875.2024.04.11.10.59.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Apr 2024 10:59:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-141345-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="bs/zDxaJ"; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141345-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141345-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 9FC2D287858 for ; Thu, 11 Apr 2024 17:59:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6D61915532F; Thu, 11 Apr 2024 16:45:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="bs/zDxaJ" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DC7E31401B for ; Thu, 11 Apr 2024 16:45:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712853903; cv=none; b=eEoXW7OgxxE9AQyOqYWX1Nc0z7d0vFwsy6GwTHyUNSGj4Jvms0Jf3D8ohyhUnm96ab3uFseZlFMZf7Q4FPuJFoyW0PJhmi1/0H37NwWZ4o6PndWe5jTuPhSTtrK4inxRsX6eeTymmkTTwl4HA8SvAm5RhUEj/eoZcgstVyHliuM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712853903; c=relaxed/simple; bh=cK3iizGgg2Qy/74GUgPzOHeak1D+hq6agfRonTQWGp4=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=BxbpKI+a28QbO/Ix0Pz1GqJkh1TWPVWPh4VLflsRybJxTOeZAREpuNA8qssAcmck/T5kj9JBZczRuAbyt0HNFYXnvIQyko3F/x4z0ek0VL3T+f2bQ0CuqmQkbOaaT0B0aCanOH6WA9v6Wz46iYHvSCjOCr9kyVuu95VNbw2IyqA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=bs/zDxaJ; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712853900; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=94L/JCISmahgDBDl2sXYWYZZ3cyyrK3rK/U7jZZ3W+E=; b=bs/zDxaJmTotDk+U5u/VA3X3yaEsu298e5k6BJ2oQqhSKH0X7/D9VPou6MC/qGwHO2vIn+ vAoF7p7Fhw1qnYxIrDrYAtu1VfO6bdZuhuaOTzqzSLLtKq9Lvf27itlGmFKyzfZJ9ic5W2 tLxJnySzt/roa0BBgcyR326hebtSdPg= Received: from mail-vk1-f200.google.com (mail-vk1-f200.google.com [209.85.221.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-170-9leoPhofP4GHZeM4nCp5HQ-1; Thu, 11 Apr 2024 12:44:58 -0400 X-MC-Unique: 9leoPhofP4GHZeM4nCp5HQ-1 Received: by mail-vk1-f200.google.com with SMTP id 71dfb90a1353d-4dad4785131so53e0c.2 for ; Thu, 11 Apr 2024 09:44:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712853898; x=1713458698; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=94L/JCISmahgDBDl2sXYWYZZ3cyyrK3rK/U7jZZ3W+E=; b=ffwj4d0vWqPaiy8BioAN3I+/rJ64v0irHMSli66r9qFz3F4e4E/rk8C6RrOlfxG/i8 grGHa2ZWCAFzk8JCtU0ir5TByFhqQZn6eKhX7k3l7AK8+N26pirTi3varqV37LS9hFYH z9m8PqQT/KaN14CWdJaVBrE2APBaAPjgDwYfSr+RhiST09qE7lq6iXwu3QU/1f9GEb9S 0JqnbpV6zNbd6UXYGrmpuBWC/CXgUTX0pKLcNfXhXHsRO55a9+DykwdlK3KZzCfqGR6W by2GqFM6fL0zrMa/PDu0HZyV08P0nX/S0dX05Mle1RZYymKFHw4wLnPI8ok9dL3i05ST +fDw== X-Forwarded-Encrypted: i=1; AJvYcCVrAZQKXv+eyUaSCqXthyknexoybt/SkSTgVf3G3pb84tx5BjotrfnCyv5EOZP8W9wJOsiBYZqkLrIkIbO2mk5iXI+2JvKfXAxCnSve X-Gm-Message-State: AOJu0YyAlXFo1gfqASf6MfsANYGgkJTbp9Kt8pTQXGEquaZ3Cnu8UsQV Zu7lLpOPK1OGhQTkvIl1ZXeeMDtGERFFL5iAQ68ppFvqiOOxQiXFGtvmrxyjPpoTFUWuBdmJRis 0ugYsqHuhjEc7tp92WsmkepuNvIVXbQTfVGYxPa8gJBhST0onshtEIhcvzS0YZhY8RGWfXj+5u0 +g6TMieRNpmNuOvTuNykU4IkkXAKzzQTyJdqjuV1Qxdq2j/dk= X-Received: by 2002:a05:6122:54b:b0:4d3:45a2:ae53 with SMTP id y11-20020a056122054b00b004d345a2ae53mr347666vko.16.1712853898275; Thu, 11 Apr 2024 09:44:58 -0700 (PDT) X-Received: by 2002:a05:6122:54b:b0:4d3:45a2:ae53 with SMTP id y11-20020a056122054b00b004d345a2ae53mr347654vko.16.1712853897944; Thu, 11 Apr 2024 09:44:57 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240411001012.12513-1-torvalds@linux-foundation.org> <20240411-alben-kocht-219170e9dc99@brauner> In-Reply-To: From: Charles Mirabile Date: Thu, 11 Apr 2024 12:44:46 -0400 Message-ID: Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements To: Linus Torvalds Cc: Christian Brauner , Alexander Viro , Jan Kara , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Lutomirski , Peter Anvin Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Apr 11, 2024 at 12:15=E2=80=AFPM Linus Torvalds wrote: > > On Thu, 11 Apr 2024 at 02:05, Christian Brauner wrot= e: > > > > I had a similar discussion a while back someone requested that we relax > > permissions so linkat can be used in containers. > > Hmm. > > Ok, that's different - it just wants root to be able to do it, but > "root" being just in the container itself. > > I don't think that's all that useful - I think one of the issues with > linkat(AT_EMPTY_PATH) is exactly that "it's only useful for root", > which means that it's effectively useless. Inside a container or out. > > Because very few loads run as root-only (and fewer still run with any > capability bits that aren't just "root or nothing"). > > Before I did all this, I did a Debian code search for linkat with > AT_EMPTY_PATH, and it's almost non-existent. And I think it's exactly > because of this "when it's only useful for root, it's hardly useful at > all" issue. > > (Of course, my Debian code search may have been broken). > > So I suspect your special case is actually largely useless, and what > the container user actually wanted was what my patch does, but they > didn't think that was possible, so they asked to just extend the > "root" notion. > Yes, that is absolutely the case. When Christian poked holes in my initial submission, I started working on a v2 but haven't had a chance to send it because I wanted to make sure my arguments etc were airtight because I am well aware of just how long and storied the history of flink is. In the v2 that I didn't post yet, I extended the ability to link *any* file from only true root to also "root" within a container following the potentially suspect approach that christian suggested (I see where you are coming from with the unobvious approach to avoiding toctou though I obviously support this patch being merged), but I added a followup patch that checks for whether the file in question is an `__O_TMPFILE` file which is trivial once we are jumping through the hoops of looking up the struct file. If it is a tmpfile (i.e. linkcount =3D 0) I think that all the concerns raised about processes that inherit a fd being able to create links to the file inappropriately are moot. Here is an excerpt from the cover letter I was planning to send that explains my reasoning. - the ability to create an unnamed file, adjust its contents and attributes (i.e. uid, gid, mode, xattrs, etc) and then only give it a n= ame once they are ready is exactly the ideal use-case for a hypothetical `flink= ` system call. The ability to use `AT_EMPTY_PATH` with `linkat` essentially t= urns it into `flink`, but these restrictions hamper it from actually being used,= as most code is not privileged. By checking whether the file to be linked is a temporary (i.e. unnamed) file we can allow this useful case without allowin= g the more risky cases that could have security implications. - Although it might appear that the security posture is affected, it is no= t. Callers who open an extant file on disk in read only mode for sharing with potentially untrustworthy code can trust that this change will not affect t= hem because it only applies to temporary files. Callers who open a temporary fi= le need to do so with write access if they want to actually put any data in it= , so they will already have to reopen the file (e.g. by linking it to a path and opening that path, or opening the magic symlink in proc) if they want t= o share it in read-only mode with untrustworthy code. As such, that new file description will no longer be marked as a temporary file and thus these cha= nges do not apply. The final case I can think of is the unlikely possibility of intentionally sharing read write access to data stored in a temporary file = with untrustworthy code, but where that code being able to make a link would sti= ll be deleterious. In such a bizarre case, the `O_EXCL` can and should be used= to fully prevent the temporary file from ever having a name, and this change d= oes not alter its efficacy. > I've added Charles to the Cc. > > But yes, with my patch, it would now be trivial to make that > > capable(CAP_DAC_READ_SEARCH) > > test also be > > ns_capable(f.file->f_cred->user_ns, CAP_DAC_READ_SEARCH) > > instead. I suspect not very many would care any more, but it does seem > conceptually sensible. > > As to your patch - I don't like your nd->root games in that patch at > all. That looks odd. > > Yes, it makes lookup ignore the dfd (so you avoid the TOCTOU issue), > but it also makes lookup ignore "/". Which happens to be ok with an > empty path, but still... > > So it feels to me like that patch of yours mis-uses something that is > just meant for vfs_path_lookup(). > > It may happen to work, but it smells really odd to me. > > Linus >