Subject: Re: [PATCH v4 0/2] implement OA2_INHERIT_CRED flag for openat2()
From: stsp
To: Christian Brauner
Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher, Eric Biederman, Alexander Viro, Andy Lutomirski, Jan Kara, Jeff Layton, Chuck Lever, Alexander Aring, David Laight, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini, Christian Göttsche
Date: Wed, 24 Apr 2024 20:50:30 +0300
Message-ID: <6b46528a-965f-410a-9e6f-9654c5e9dba2@yandex.ru>
In-Reply-To: <20240424-schummeln-zitieren-9821df7cbd49@brauner>
References: <20240424105248.189032-1-stsp2@yandex.ru> <20240424-schummeln-zitieren-9821df7cbd49@brauner>
X-Mailing-List: linux-kernel@vger.kernel.org

24.04.2024 19:09, Christian Brauner writes:
> This smells ripe enough to serve as an attack vector in non-obvious
> ways. And in general this has the potential to confuse the hell out of
> unsuspecting userspace.

Unsuspecting user-space will simply not use this flag.
What do you mean?

> They can now suddenly get sent such
> special-sauce files

There are no special files.
This flag helps you open a file that you currently have no perms to open, but had those in the past.

> such as this that they have no way of recognizing as
> there's neither an FMODE_* flag nor is the OA2_* flag recorded so it's
> not available in F_GETFL.
>
> There's not even a way to restrict that new flag because no LSM ever
> sees it. So that behavior might break LSM assumptions as well.
>
> And it is effectively usable to steal credentials. If process A opens a
> directory with uid/gid 0 then sends that directory fd via AF_UNIX or
> something to process B then process B can inherit the uid/gid of process

No, it doesn't inherit anything.
The inheritance happens only for the duration of an open() call, helping open() to succeed. The creds are reverted when open() completes.
The only theoretically possible attack would be to open some file you'd never intended to open.
Also note that a very minimal set of creds is overridden: fsuid, fsgid, groupinfo.

> A by specifying OA2_* with no way for process A to prevent this - not
> even through an LSM.

If process B doesn't use that flag, it inherits nothing, no matter what process A did or passed via a socket.
So an unaware process that doesn't use that flag is completely unaffected.

> The permission checking model that we have right now is already baroque.
> I see zero reason to add more complexity for the sake of "lightweight
> sandboxing". We have LSMs and namespaces for stuff like this.
>
> NAK.

I don't think it is fair to say NAK without actually reading the patch or asking its author for clarifications.
Even though you didn't ask, I provided my clarifications above, as I find that a polite action.