Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp331704lqd; Wed, 24 Apr 2024 03:58:14 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWkPA9yrPMqHSMUSMhkbxcbXiz5ccf1TbAKyWRa62sKlGNvcTErgF3yG1I1+TWddzv20LNj1djlDQKxjFWl2e2E7s5YGs71eoFnf/qgbg== X-Google-Smtp-Source: AGHT+IG792i9NwQZaBX2kbJjyPvLbb7m/OYIYD4M3Kw1W8silaY69fb5+eMJR5awpJhS9svEF5H6 X-Received: by 2002:a05:6a20:9745:b0:1a9:84f6:dcb6 with SMTP id hs5-20020a056a20974500b001a984f6dcb6mr1891162pzc.57.1713956293987; Wed, 24 Apr 2024 03:58:13 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713956293; cv=pass; d=google.com; s=arc-20160816; b=LlgRd5TKszfazc9t292UeZHmPL6k8VkOKBoe/jgNdj6mOzhkBlfN+fJmwwGourGYS2 jfEqm9LFHc5/eQHlYRKy6MYIFb4RPZsWLGyYvesQU9Iik5RNfqRC4hUNh6dNKLE2RvJx mqVgsqLHFvNFyrCbRz5yFgeMXSS47IINAg/Wi25C4fAA0UKiOFuOCRkEt+3zMaW+zolQ NqX1mRkbeNS3TchM5M8IWU7DjUg3va2msBkJL7JjAItek5UKnPMaRBq3N+OOhr3P0eQu 7kXbO9tdLSZ0Om+gdZ1EmSW7oyk2QjxwT1yaOgYY6hFPBTamKh6fmWBxMQI3s7UU68f8 QHXQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=PW4InI6RvH6mgnnXE9HYRckmIzWlFOBQopwKxQoJMTc=; fh=7XC3bGY2KXA4A6CyPdWHJvXwrjIY4o1kr734fjJP7lU=; b=0C33I220rMezSap6kDnuWwaBN2ZZWDj5kk+dvPzJJ0aJQD8k2DnZhad4lRPXFW/76h jcY5wgPvnYbBbcp+v67tTrwdKqCCbdGTYea6aE2NVfZA9z8B3TG2/ENDyF5H58gqcaZ2 1oQ0Xl7T/pxKFpcNQCttQL/KvZgH0tfAvnXEaCLJhcLhY1oO7K/KGKi3Ehu+T55lc/Zi C+4bmHd0rnTJqtd15F794zTwGH7emuklxhsYtKvcwhYUuKG244P94PGE9r1BG9SSB8M2 7L5CMleVeGqpwv1eTmtGfQq4viuCWmAWkXPvBsngo1y++axeBxf0Pe47ZyFB3JS/P/AG Hj1g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=aHWX6URs; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-156761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-156761-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id q2-20020a056a00084200b006ecfd9eb45bsi11313834pfk.312.2024.04.24.03.58.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 03:58:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-156761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=aHWX6URs; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-156761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-156761-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id ED868B22A89 for ; Wed, 24 Apr 2024 10:57:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C539A15991D; Wed, 24 Apr 2024 10:57:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="aHWX6URs" Received: from forward500c.mail.yandex.net (forward500c.mail.yandex.net [178.154.239.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5F36142E62; Wed, 24 Apr 2024 10:57:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.208 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713956241; cv=none; b=m3radUQssZGcZR3ioTjb1MQskSDnel+GHE0d7ZNCmBwBFiUhwT8oxhPwSUJWeWcsvFFJU8Uwa4ZnM1oo4MKN/yzpz5cOaM0FLXgAP+tZ6waH4mazfc+TGLwwX74bwAxx3ZrZR7rTpUR+zXf5Y4Ky4jOU4oL+R3oOyEHm442+rGk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713956241; c=relaxed/simple; bh=Tpknc1WS+aLV5Cxqz1NO1ZCEXDAP8+u3fI3aOx5+9VQ=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=prOgcCI7V8+pmHHPV8uSXS3xtPuDCGE7HoHuPsdez3rzBZQ/1FL5CriJMIMPnML/XIsJ1KBAUST8S1F5NUShkCfAmZ/L/K6VbTGTYZxuqeMRrKZqQLMepzEv40/o+pqY8fts4j0fTmU6bhPL8J0JbZSKXW8F3PSmMLbsuyhvQcg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=aHWX6URs; arc=none smtp.client-ip=178.154.239.208 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Received: from mail-nwsmtp-smtp-production-main-24.iva.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-24.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:9309:0:640:3b75:0]) by forward500c.mail.yandex.net (Yandex) with ESMTPS id 4E59861636; Wed, 24 Apr 2024 13:57:11 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-24.iva.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id 9vIYOJTo7Gk0-0xNd6Gyy; Wed, 24 Apr 2024 13:57:10 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1713956230; bh=PW4InI6RvH6mgnnXE9HYRckmIzWlFOBQopwKxQoJMTc=; h=From:In-Reply-To:Cc:Date:References:To:Subject:Message-ID; b=aHWX6URsvGY9GfJ08EiIqvHVi0dly45Vh5O6Q+ZOTyxDfkNc5ORaPf7IaobMkzrAA 9Jo0iXVHVbmgUE3c513+Yo49C2x1HtTc9YXT7ecCU5H9oteq2GRdB7+YIxGthm5272 MM42/0p13z6yHj5CShN+ssTAVQMbebEA1M7iaQgI= Authentication-Results: mail-nwsmtp-smtp-production-main-24.iva.yp-c.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <0e2e48be-86a8-418c-95b1-e8ca17469198@yandex.ru> Date: Wed, 24 Apr 2024 13:57:09 +0300 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2 0/2] implement OA2_INHERIT_CRED flag for openat2() Content-Language: en-US To: Andy Lutomirski Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?Q?Christian_G=C3=B6ttsche?= References: <20240423110148.13114-1-stsp2@yandex.ru> <4D2A1543-273F-417F-921B-E9F994FBF2E8@amacapital.net> From: stsp In-Reply-To: <4D2A1543-273F-417F-921B-E9F994FBF2E8@amacapital.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit 23.04.2024 19:44, Andy Lutomirski пишет: >> On Apr 23, 2024, at 4:02 AM, Stas Sergeev wrote: >> >> This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall. >> It is needed to perform an open operation with the creds that were in >> effect when the dir_fd was opened. This allows the process to pre-open >> some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged >> user, while still retaining the possibility to open/create files within >> the pre-opened directory set. > I like the concept, as it’s a sort of move toward a capability system. But I think that making a dirfd into this sort of capability would need to be much more explicit. Right now, any program could do this entirely by accident, and applying OA2_INHERIT_CRED to an fd fished out of /proc seems hazardous. While I still don't quite understand the threat of /proc symlinks, I posted v4 which disallows them. > So perhaps if an open file description for a directory could have something like FMODE_CRED, and if OA2_INHERIT_CRED also blocked .., magic links, symlinks to anywhere above the dirfd (or maybe all symlinks) and absolute path lookups, then this would be okay. So I think this all is now done. > Also, there are lots of ways that f_cred could be relevant: fsuid/fsgid, effective capabilities and security labels. And it gets more complex if this ever gets extended to support connecting or sending to a socket or if someone opens a device node. Does CAP_SYS_ADMIN carry over? Not any more, nothin is carried but fsuid, fsgid, groupinfo. Thank you.