X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240423110148.13114-1-stsp2@yandex.ru> <4D2A1543-273F-417F-921B-E9F994FBF2E8@amacapital.net> <0e2e48be-86a8-418c-95b1-e8ca17469198@yandex.ru>
In-Reply-To: <0e2e48be-86a8-418c-95b1-e8ca17469198@yandex.ru>
From: Andy Lutomirski
Date: Wed, 24 Apr 2024 17:43:02 -0700
Subject: Re: [PATCH v2 0/2] implement OA2_INHERIT_CRED flag for openat2()
To: stsp
Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher, Eric Biederman, Alexander Viro, Andy Lutomirski, Christian Brauner, Jan Kara, Jeff Layton, Chuck Lever, Alexander Aring, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini, Christian Göttsche, Aleksa Sarai

On Wed, Apr 24, 2024 at 3:57 AM stsp wrote:
>
> 23.04.2024 19:44, Andy Lutomirski writes:
> >> On Apr 23, 2024, at 4:02 AM, Stas Sergeev wrote:
> >>
> >> This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall.
> >> It is needed to perform an open operation with the creds that were in
> >> effect when the dir_fd was opened. This allows the process to pre-open
> >> some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged
> >> user, while still retaining the possibility to open/create files within
> >> the pre-opened directory set.
> > I like the concept, as it's a sort of move toward a capability system. But I think that making a dirfd into this sort of capability would need to be much more explicit. Right now, any program could do this entirely by accident, and applying OA2_INHERIT_CRED to an fd fished out of /proc seems hazardous.
>
> While I still don't quite understand
> the threat of /proc symlinks, I posted
> v4 which disallows them.
>

I like that, but you're blocking it the wrong way. My concern is that someone does dfd = open("/proc/PID/fd/3") and then openat(dfd, ..., OA2_INHERIT_CRED); IIRC open("/proc/PID/fd/3") is extremely magical and returns the _same open file description_ (struct file) as PID's fd 3.

> > So perhaps if an open file description for a directory could have something like FMODE_CRED, and if OA2_INHERIT_CRED also blocked .., magic links, symlinks to anywhere above the dirfd (or maybe all symlinks) and absolute path lookups, then this would be okay.
>
> So I think this all is now done.

But you missed the FMODE_CRED part!
So here's the problem: right now, in current Linux, a dirfd pointing to a directory that you can open anyway doesn't convey any new powers. So, if I'm a regular program, and I do open("/etc", O_PATH), I get an fd. And if I get an fd pointing at /etc from somewhere else, I get the same thing (possibly with different f_cred, but f_cred is largely a hack to restrict things that would otherwise be insecure because they were designed a bit wrong from the beginning).

But, with your patch, these fds suddenly convey a very strong privilege: that of their f_cred *over the entire subtree to which they refer*. And you can attack it using exactly your intended use case: if any program opens a dirfd and then drops privileges, well, oops, it didn't actually fully drop privilege.

So I think that, if this whole concept has any chance of working well, it needs to be opt-in *at the time of the original open*. So a privilege-carrying open would be an entirely new option like O_CAPTURE_CREDS or FMODE_CREDS. And OA2_INHERIT_CREDS is rejected if the dirfd doesn't have that special mode.
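The lookup confinement discussed in the thread (no `..` above the dirfd, no magic links, no symlinks, no absolute paths) is what openat2()'s existing RESOLVE_* flags already enforce for a lookup relative to a pre-opened dirfd. The C program below is an added example, not code from this thread or from the patch series: it builds a constructed directory layout and shows each escape attempt being rejected with the corresponding errno. It assumes Linux 5.6 or later and a writable /tmp, and defines the UAPI struct and constants locally instead of including <linux/openat2.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
/* Mirrors the UAPI in <linux/openat2.h>; __NR_openat2 is 437 on every architecture. */
struct open_how { unsigned long long flags, mode, resolve; };
#define RESOLVE_NO_MAGICLINKS 0x02
#define RESOLVE_NO_SYMLINKS   0x04
#define RESOLVE_BENEATH       0x08
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
/* One lookup relative to dirfd, confined beneath it: returns 0 on success, -errno on failure. */
int confined_open(int dirfd, const char *path)
{
    struct open_how how = { .flags = O_RDONLY | O_CLOEXEC,
                            .resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS };
    int fd = (int)syscall(__NR_openat2, dirfd, path, &how, sizeof how);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}
/* Kernels before 5.6 have no openat2(); callers can skip instead of misreading ENOSYS. */
int openat2_available(void) { return confined_open(AT_FDCWD, ".") != -ENOSYS; }
struct demo_result { int inside, dotdot, absolute, symlink_escape; }; /* each 0 or -errno */
/* Constructed layout: <tmp>/sub/file and <tmp>/sub/escape -> "..", with sub as the dirfd. */
struct demo_result run_demo(void)
{
    struct demo_result r = { -1, -1, -1, -1 };
    char root[] = "/tmp/oa2demo.XXXXXX", sub[64], file[64], link[64];
    if (!mkdtemp(root)) return r;
    snprintf(sub, sizeof sub, "%s/sub", root);
    snprintf(file, sizeof file, "%s/file", sub);
    snprintf(link, sizeof link, "%s/escape", sub);
    mkdir(sub, 0700); symlink("..", link);                    /* symlink pointing above sub */
    close(open(file, O_WRONLY | O_CREAT | O_CLOEXEC, 0600));
    int dirfd = open(sub, O_RDONLY | O_DIRECTORY | O_CLOEXEC); /* pre-opened, as before a privilege drop */
    r.inside = confined_open(dirfd, "file");                   /* stays beneath dirfd: 0 */
    r.dotdot = confined_open(dirfd, "../sub/file");            /* ".." leaves the subtree: -EXDEV */
    r.absolute = confined_open(dirfd, "/etc/passwd");          /* absolute path ignores dirfd: -EXDEV */
    r.symlink_escape = confined_open(dirfd, "escape/file");    /* symlink component: -ELOOP */
    close(dirfd);
    unlink(link); unlink(file); rmdir(sub); rmdir(root);
    return r;
}
```

Note that these flags only confine the path walk; they do not change whose credentials the open is checked against, which is the separate FMODE_CRED question raised above.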