Received: by 2002:ab2:7988:0:b0:1f4:b336:87c4 with SMTP id g8csp114662lqj; Thu, 11 Apr 2024 11:20:17 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXYPqg6f8qwCIQIdHifkCh9gH4PlxAKeFd2qtH34plsU/7UAZSVspd+xal+nk45t81RPdXeZoJ3TIFsvkItCYO4auTZ0ZPZCye8pohpdQ== X-Google-Smtp-Source: AGHT+IEJXAlYcMDdfy4AFnVvUClbpI5v2tPu7diYy4vcLR3wH1xj5sNmU1wJioqF/D7WUHI2rU4O X-Received: by 2002:a17:907:9725:b0:a51:d1f6:3943 with SMTP id jg37-20020a170907972500b00a51d1f63943mr357352ejc.56.1712859617793; Thu, 11 Apr 2024 11:20:17 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712859617; cv=pass; d=google.com; s=arc-20160816; b=IDj1t+v36HTJ/72+hMemCaZCVpOD24sUCsuKcSrhR/OpTvg6MNB4rUx486EYsOl0pv L6MrMenvjQaT0x0dohIBHB3R+/ekxA/6foiwLs0rxPZ9WmVKwmwdP58btzSYzpjLP9Xk IlMBwqoE80XWOV6GOQ//ncye6SwdWo3vWQeAgathKiYpL5l6yLWnRcAvZspTpMt+InC4 UKp4iq7TjltVKS+fTaGoJ5ZbqybP1YL3yx+YXWLcKLfBMKt2VU0GOz0cr0+8FxlmwynY cvncZtdUI25rJDbWLgm/dpQ9f/gvpNiSCf2MxHsTAwaLFwWFJsrDxsX+ejIK8fiKz4Zg cdbg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=JA70ylDgRN0gmRtnn7ierQ4wSnxSZyu6IwhBgJQKKoo=; fh=mh4/hv2BhsL3Cnu5VMAzeFOIyay2wiA9IFnupdc1By0=; b=yqQO33R54wfMRjvBGPUkC5sTNDlplu5m9ypdDrdkb5D2A373kph5ioGky03/hfK14K +DnhOKh+2mFty0ASkNHgXsf52SoXPB9P5QQak7+XWC+H34uW/ndVKIgcivFs60Nxan4I wdNQMqHt9zuLPoysnKVmLHVS29UJJvT4SUJqP/Wve1ZH8IBFCwiwpUOjZQ3/J5OeA2Bx N6NhD6eQNXX0In+cie2WGiMfmsX1YGNFGarCeQOae3mPO+NOp/Bf8RttwCrN8MiBRj/h EhGjxbefP67mfX75X67g5gdGYECKyz+eR2QBrBN3rRIAp2447NWhKMBezMOBJA7LhKmF OfuA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=AcrNhveZ; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141404-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141404-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id b23-20020a170906491700b00a51a9939c95si936642ejq.1010.2024.04.11.11.20.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Apr 2024 11:20:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-141404-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=AcrNhveZ; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141404-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141404-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 5A65A1F26828 for ; Thu, 11 Apr 2024 18:20:17 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 989505FDDC; Thu, 11 Apr 2024 17:30:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="AcrNhveZ" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 88C215FDA5 for ; Thu, 11 Apr 2024 17:30:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712856615; cv=none; b=enff9/ZCquEFq0cTelHWqkN1px88uluPzdhynALa7MtxVwy9eJeO4SnboAPjgSyQDjWJUe8oh9fuYpsWecf0zbai+XhH/FUj9rOwuL8lCxp2tY9XPplPUPUTiQlMxzwq8bU98g6VAQhLgOZnNDtyWjo+mjbuxgWZsLdrdp4yytg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712856615; c=relaxed/simple; bh=coXlODZfnq7h5xpUpn/o3CBsPtjfYjFFjiRQ4X0YcmI=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=Sb0X3bXAKFvIos/WFyNqIzeXZ1OYTd7ZdcC8PS0ddmKekoWxD7jojMt50+FBpuLJ8vTCDmjOtexgXBDpsnaAAGbWvfwGqssZEbTxFw4u1PPBvv1/hl5QOkRV8uarCID+TQFIKAdeercoNh5a3AZ/xR6xQJkAiCyc0HB3yIvhkVA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=AcrNhveZ; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712856612; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JA70ylDgRN0gmRtnn7ierQ4wSnxSZyu6IwhBgJQKKoo=; b=AcrNhveZtmLb8+cAu0SfoeATDArqHZQadYWUJp/cJYj6DVXaXY03smQhMRNX+R3Rji/2td B1HfY8f7pXJ2ipqbifNQUgw1vzktN9vyt4sw/tiHK7roJAoRixIIzPvTVpQXQBGHsIe6Aw WErIG/I8UBwVgrYDIA9FhrOf8XVIv00= Received: from mail-vk1-f199.google.com (mail-vk1-f199.google.com [209.85.221.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-482-XUx43BG3M1yOkK_1nCRF2A-1; Thu, 11 Apr 2024 13:30:11 -0400 X-MC-Unique: XUx43BG3M1yOkK_1nCRF2A-1 Received: by mail-vk1-f199.google.com with SMTP id 71dfb90a1353d-4daa117d98fso16563e0c.0 for ; Thu, 11 Apr 2024 10:30:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712856611; x=1713461411; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JA70ylDgRN0gmRtnn7ierQ4wSnxSZyu6IwhBgJQKKoo=; b=fswYhx2uXTGN2NbXIGj1x0zWRq6LrDPrijT/PBozehG2Jd0Ln/DDvexQ5FyaWm2F3V RiBf8ia3uHTAqTcgIoJ7hO3fADbOgovnvLlAQnfGM1vl33xWoORy0K3TDu3ncyb9dXXP 8C/WqF+ys9ybjz2W/nWKy4XVvgVsIqGWKZalc6/xW8QEvBZZjyWhvbc7/0rNQbcW9I/F fZV6vTPphSWhUKIQXUe1HhT192JK7rtiDf8p0FeDzoxX1eu1rxsdPD3GrITQB+OgzZGA 2CVJrf//QYnoiARKTs/jpSTqfWg3xDJ8uZYUm5fHgmO4Y1QdNo8Wlc28Wvjpgnzf66O+ 9m1A== X-Forwarded-Encrypted: i=1; AJvYcCUFg94SVnz+efJFjG5BOfpwB25lkBF6BOQLGvfThtGy8AY/B64XbgAL9oJ6Lw6MmyN96Jll9um8oEhXM1+PAmU2mhjyl2Xq5F+75tZt X-Gm-Message-State: AOJu0YwvFHfYtvsgjgD/ar7Enl7R6A/yVczCMQzrn6fjOeEs971PTemK MwHjI95+EvCjC2fbktNelCURkZMCj7or9l1EbHIukHF9C/emBRlqaziREZlvfdcON7pg8nEtv3T zf3zSynIrcpuCYrDpwgDMh/soDHIo7SiAs5fOjocA90BXEgBa9Q2vT5pMPwIEMK4MV2OyEkQZZA m9+XgmHhXV41mMlHb8XYi0kJQ0JPMx9xpcFKulo8IGhN+FnbI= X-Received: by 2002:a05:6122:250e:b0:4d4:11a6:a4ff with SMTP id cl14-20020a056122250e00b004d411a6a4ffmr506652vkb.3.1712856610441; Thu, 11 Apr 2024 10:30:10 -0700 (PDT) X-Received: by 2002:a05:6122:250e:b0:4d4:11a6:a4ff with SMTP id cl14-20020a056122250e00b004d411a6a4ffmr506610vkb.3.1712856609810; Thu, 11 Apr 2024 10:30:09 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240411001012.12513-1-torvalds@linux-foundation.org> <20240411-alben-kocht-219170e9dc99@brauner> In-Reply-To: From: Charles Mirabile Date: Thu, 11 Apr 2024 13:29:58 -0400 Message-ID: Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements To: Linus Torvalds Cc: Christian Brauner , Alexander Viro , Jan Kara , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Lutomirski , Peter Anvin Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Here is an updated version of linus's patch that makes the check namespace relative --- fs/namei.c | 17 ++++++++++++----- include/linux/namei.h | 1 + 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 4e0de939fea1..2bcc10976ba7 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2419,6 +2419,14 @@ static const char *path_init(struct nameidata *nd, unsigned flags) if (!f.file) return ERR_PTR(-EBADF); + if (flags & LOOKUP_DFD_MATCH_CREDS) { + if (f.file->f_cred !=3D current_cred() && + !ns_capable(f.file->f_cred->user_ns, CAP_DAC_READ_SEARCH))= { + fdput(f); + return ERR_PTR(-ENOENT); + } + } + dentry =3D f.file->f_path.dentry; if (*s && unlikely(!d_can_lookup(dentry))) { @@ -4640,14 +4648,13 @@ int do_linkat(int olddfd, struct filename *old, int newdfd, goto out_putnames; } /* - * To use null names we require CAP_DAC_READ_SEARCH + * To use null names we require CAP_DAC_READ_SEARCH or + * that the open-time creds of the dfd matches current. * This ensures that not everyone will be able to create * handlink using the passed filedescriptor. */ - if (flags & AT_EMPTY_PATH && !capable(CAP_DAC_READ_SEARCH)) { - error =3D -ENOENT; - goto out_putnames; - } + if (flags & AT_EMPTY_PATH) + how |=3D LOOKUP_DFD_MATCH_CREDS; if (flags & AT_SYMLINK_FOLLOW) how |=3D LOOKUP_FOLLOW; diff --git a/include/linux/namei.h b/include/linux/namei.h index 74e0cc14ebf8..678ffe4acf99 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -44,6 +44,7 @@ enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT}; #define LOOKUP_BENEATH 0x080000 /* No escaping from starting point.= */ #define LOOKUP_IN_ROOT 0x100000 /* Treat dirfd as fs root. */ #define LOOKUP_CACHED 0x200000 /* Only do cached lookup */ +#define LOOKUP_DFD_MATCH_CREDS 0x400000 /* Require that dfd creds match current */ /* LOOKUP_* flags which do scope-related checks based on the dirfd. */ #define LOOKUP_IS_SCOPED (LOOKUP_BENEATH | LOOKUP_IN_ROOT) --=20 2.44.0 On Thu, Apr 11, 2024 at 12:44=E2=80=AFPM Charles Mirabile wrote: > > On Thu, Apr 11, 2024 at 12:15=E2=80=AFPM Linus Torvalds > wrote: > > > > On Thu, 11 Apr 2024 at 02:05, Christian Brauner wr= ote: > > > > > > I had a similar discussion a while back someone requested that we rel= ax > > > permissions so linkat can be used in containers. > > > > Hmm. > > > > Ok, that's different - it just wants root to be able to do it, but > > "root" being just in the container itself. > > > > I don't think that's all that useful - I think one of the issues with > > linkat(AT_EMPTY_PATH) is exactly that "it's only useful for root", > > which means that it's effectively useless. Inside a container or out. > > > > Because very few loads run as root-only (and fewer still run with any > > capability bits that aren't just "root or nothing"). > > > > Before I did all this, I did a Debian code search for linkat with > > AT_EMPTY_PATH, and it's almost non-existent. And I think it's exactly > > because of this "when it's only useful for root, it's hardly useful at > > all" issue. > > > > (Of course, my Debian code search may have been broken). > > > > So I suspect your special case is actually largely useless, and what > > the container user actually wanted was what my patch does, but they > > didn't think that was possible, so they asked to just extend the > > "root" notion. > > > Yes, that is absolutely the case. When Christian poked holes in my > initial submission, I started working on a v2 but haven't had a chance > to send it because I wanted to make sure my arguments etc were > airtight because I am well aware of just how long and storied the > history of flink is. In the v2 that I didn't post yet, I extended the > ability to link *any* file from only true root to also "root" within a > container following the potentially suspect approach that christian > suggested (I see where you are coming from with the unobvious approach > to avoiding toctou though I obviously support this patch being > merged), but I added a followup patch that checks for whether the file > in question is an `__O_TMPFILE` file which is trivial once we are > jumping through the hoops of looking up the struct file. If it is a > tmpfile (i.e. linkcount =3D 0) I think that all the concerns raised > about processes that inherit a fd being able to create links to the > file inappropriately are moot. Here is an excerpt from the cover > letter I was planning to send that explains my reasoning. > > - the ability to create an unnamed file, adjust its contents > and attributes (i.e. uid, gid, mode, xattrs, etc) and then only give it a= name > once they are ready is exactly the ideal use-case for a hypothetical `fli= nk` > system call. The ability to use `AT_EMPTY_PATH` with `linkat` essentially= turns > it into `flink`, but these restrictions hamper it from actually being use= d, as > most code is not privileged. By checking whether the file to be linked is= a > temporary (i.e. unnamed) file we can allow this useful case without allow= ing > the more risky cases that could have security implications. > > - Although it might appear that the security posture is affected, it is = not. > Callers who open an extant file on disk in read only mode for sharing wit= h > potentially untrustworthy code can trust that this change will not affect= them > because it only applies to temporary files. Callers who open a temporary = file > need to do so with write access if they want to actually put any data in = it, > so they will already have to reopen the file (e.g. by linking it to a pat= h > and opening that path, or opening the magic symlink in proc) if they want= to > share it in read-only mode with untrustworthy code. As such, that new fil= e > description will no longer be marked as a temporary file and thus these c= hanges > do not apply. The final case I can think of is the unlikely possibility o= f > intentionally sharing read write access to data stored in a temporary fil= e with > untrustworthy code, but where that code being able to make a link would s= till > be deleterious. In such a bizarre case, the `O_EXCL` can and should be us= ed to > fully prevent the temporary file from ever having a name, and this change= does > not alter its efficacy. > > > I've added Charles to the Cc. > > > > But yes, with my patch, it would now be trivial to make that > > > > capable(CAP_DAC_READ_SEARCH) > > > > test also be > > > > ns_capable(f.file->f_cred->user_ns, CAP_DAC_READ_SEARCH) > > > > instead. I suspect not very many would care any more, but it does seem > > conceptually sensible. > > > > As to your patch - I don't like your nd->root games in that patch at > > all. That looks odd. > > > > Yes, it makes lookup ignore the dfd (so you avoid the TOCTOU issue), > > but it also makes lookup ignore "/". Which happens to be ok with an > > empty path, but still... > > > > So it feels to me like that patch of yours mis-uses something that is > > just meant for vfs_path_lookup(). > > > > It may happen to work, but it smells really odd to me. > > > > Linus > >