Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp337076lqa; Sat, 27 Apr 2024 04:42:54 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUyTQExiBxYa4WktRhuYD5IjkFCLO5+qe1WFLMymLICuBxTZ2OV+/y93Lqg1N0NXBmHQy9VQX/bcWcn1fjVUiP0/UTUEP+ogaVmQtaUlQ== X-Google-Smtp-Source: AGHT+IGMHHBlDE8JmaEzRIjiJffFzn6IPNmnO7O7NiHdZmwTPnjmtkRYaZi9aH4bHnU0sSipet+B X-Received: by 2002:a05:6a21:3383:b0:1ac:de57:b1e3 with SMTP id yy3-20020a056a21338300b001acde57b1e3mr7947374pzb.0.1714218174400; Sat, 27 Apr 2024 04:42:54 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714218174; cv=pass; d=google.com; s=arc-20160816; b=lTro8M230V7ipv+X0FzJK6bmfOuOODmKPl/ZQsoQKYBi+BHXzh/herhm5yzPDbzdzR 0unwmQb4/1hINKTBrgRsRjSvWoAktQefil00V+jmSrHHSJN+R+HVkqMa0c6Za7lYpTmr pcPdMu0Ga1ogjp6aj8Pib2t3bL5+Ev1NauDSHmPAL4VVV9/AsE3xsDFBcF0xzGn30kUn P+7xDrR5nCptiqlDw/utYlu6ZQVihgo0l0BVbghoYgu5Cj+64DpPzoLg5g+Vk9TzG3nQ 7h5L6KyjBmZuM9hl59P2daYTrV6XryatNr/O2QXmXK7YQ/GKPuwLo7P1mKohXHKA20Ir EW0w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=XCfS/LUmhc1w0qDiOkcF2eV7jBKumbvKS05niUxy/Rs=; fh=328TqmIIEN4VgTC/+/XdKCFZhWn0fxfd+KKmu/Qf5iY=; b=FX6QOjaGFnqVg3VThj2bX8oEfTVylFXjDrkKN3hJo7tphqJQ0ntyeJlsLolVv1FJqu l7EgkeJ/nMiYuewY+a8L8HkKh/AqmCpejVE1kB5YtDlYyET8aJFe8mUmcUiplvoZVQbN ytXQOwIX6muR94lLLWeTEiKqlwK9rCxU9u1D51n6Rs4eAhKW6trIhV78N4SaQG6uAOai 5beLcAj9jOUwqXixT74BXVoHFa1HKr+e+Hwh77vtWUb41YvOkuzEymNVPqtP/KnjWGT7 VuBOMYjlysZ3adD8DDeyeyrqL4OoQkD1KqOmw3csbjjD8GoZslAcaxmjnu0iWoDioet8 M98A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=EuDIhThW; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161037-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161037-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id z7-20020a056a00240700b006ecfc53c4ffsi16981198pfh.122.2024.04.27.04.42.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 27 Apr 2024 04:42:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161037-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=EuDIhThW; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161037-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161037-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 30B66288FBE for ; Sat, 27 Apr 2024 11:32:18 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8AF764F201; Sat, 27 Apr 2024 11:31:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="EuDIhThW" Received: from forward203a.mail.yandex.net (forward203a.mail.yandex.net [178.154.239.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66C5A4D5AC; Sat, 27 Apr 2024 11:31:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.90 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714217508; cv=none; b=qGrjyPYbR4K8YSd986u91+SGNAnzEYrVIEyoNjuxsm8/e2yFIG0cudbxg4GFY5+BjD01m3zzOC7EmvgJtiiyYmpj5padz3FJtV9fGE3WdUTPMML2lwg0xGA+j4xExLNnI9PPHi7Pm8zBzFyuc7Q2TCC5MrwWa3GzgYmoxy3U9P4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714217508; c=relaxed/simple; bh=hI1bSFK6/X4iALDRDEAUD7sApxCEtoFPFoe6Z2HMYwE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=tDKcrr0jGCjgcLJ+K+dornbT07FlaNbMTXl63pZCMadqUaPnwH+xNT4LU0pLCwdLN+J+7HMGCxRDEYAmN4gFr4qHOAX/sNkZgQWkn0PT8kh+xqrzp0YdkX8M77pwN2b3BYy0ZptE57+MIufEQM5AUyjfHwWPp0Yle3+9o13GMzs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=EuDIhThW; arc=none smtp.client-ip=178.154.239.90 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Received: from forward100a.mail.yandex.net (forward100a.mail.yandex.net [IPv6:2a02:6b8:c0e:500:1:45:d181:d100]) by forward203a.mail.yandex.net (Yandex) with ESMTPS id 53EFA666E2; Sat, 27 Apr 2024 14:25:07 +0300 (MSK) Received: from mail-nwsmtp-smtp-production-main-51.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-51.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:2a02:0:640:77d9:0]) by forward100a.mail.yandex.net (Yandex) with ESMTPS id A48A546C9B; Sat, 27 Apr 2024 14:24:58 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-51.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id uOMFvPQXlqM0-vvZKY9q8; Sat, 27 Apr 2024 14:24:57 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714217097; bh=XCfS/LUmhc1w0qDiOkcF2eV7jBKumbvKS05niUxy/Rs=; h=Message-ID:Date:Cc:Subject:To:From; b=EuDIhThWEd0NuT9ktrUH0zZfx5d+4ZSJ5kNqdgYliEsonvmrnVqEdod08AwZZZ75k 1MyPi99TC0t+mZIAUhdQTqzDeLVnWso6EXI60hlPeO8NJ/fqjjmcxQX7bV6QCFVaWT EfxPiWRmGCF6CCPWsbWhT1APTCdkjpxLURpHUAuo= Authentication-Results: mail-nwsmtp-smtp-production-main-51.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Stas Sergeev To: linux-kernel@vger.kernel.org Cc: Stas Sergeev , Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?q?Christian=20G=C3=B6ttsche?= Subject: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2() Date: Sat, 27 Apr 2024 14:24:48 +0300 Message-ID: <20240427112451.1609471-1-stsp2@yandex.ru> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch-set implements the OA2_CRED_INHERIT flag for openat2() syscall. It is needed to perform an open operation with the creds that were in effect when the dir_fd was opened, if the dir was opened with O_CRED_ALLOW flag. This allows the process to pre-open some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged user, while still retaining the possibility to open/create files within the pre-opened directory set. The sand-boxing is security-oriented: symlinks leading outside of a sand-box are rejected. /proc magic links are rejected. fds opened with O_CRED_ALLOW are always closed on exec() and cannot be passed via unix socket. The more detailed description (including security considerations) is available in the log messages of individual patches. Changes in v6: - it appears open flags bit 23 is already taken on parisc, and bit 24 is taken on alpha. Move O_CRED_ALLOW to bit 25. - added selftests for both O_CRED_ALLOW and O_CRED_INHERIT additions Changes in v5: - rename OA2_INHERIT_CRED to OA2_CRED_INHERIT - add an "opt-in" flag O_CRED_ALLOW as was suggested by many reviewers - stop using 64bit types, as suggested by Christian Brauner - add BUILD_BUG_ON() for VALID_OPENAT2_FLAGS, based on Christian Brauner's comments - fixed problems reported by patch-testing bot - made O_CRED_ALLOW fds not passable via unix sockets and exec(), based on Christian Brauner's comments Changes in v4: - add optimizations suggested by David Laight - move security checks to build_open_flags() - force RESOLVE_NO_MAGICLINKS as suggested by Andy Lutomirski Changes in v3: - partially revert v2 changes to avoid overriding capabilities. Only the bare minimum is overridden: fsuid, fsgid and group_info. Document the fact the full cred override is unwanted, as it may represent an unneeded security risk. Changes in v2: - capture full struct cred instead of just fsuid/fsgid. Suggested by Stefan Metzmacher CC: Stefan Metzmacher CC: Eric Biederman CC: Alexander Viro CC: Andy Lutomirski CC: Christian Brauner CC: Jan Kara CC: Jeff Layton CC: Chuck Lever CC: Alexander Aring CC: David Laight CC: linux-fsdevel@vger.kernel.org CC: linux-kernel@vger.kernel.org CC: linux-api@vger.kernel.org CC: Paolo Bonzini CC: Christian Göttsche -- 2.44.0