Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp941108lqa; Sun, 28 Apr 2024 10:39:37 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWofwErtrCz//N4Y0r5EHjg+xWae813vf9Ni4yZYBkav31pgnpnZImyicRNf5aDlzSAfmd3+0GxL7aSz7SVCcNR1w4CLisB1FyzZD6fqQ== X-Google-Smtp-Source: AGHT+IFtURef5lDr8MdLvI/UdB/vadQjMg4e+mEcJ/oOtAPfTjladO5VYxoLr4YoCwZvViN+cPzO X-Received: by 2002:a05:6808:917:b0:3c8:4fc8:4372 with SMTP id w23-20020a056808091700b003c84fc84372mr8805997oih.55.1714325977392; Sun, 28 Apr 2024 10:39:37 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714325977; cv=pass; d=google.com; s=arc-20160816; b=Pt88lIPghBI4Ayv0oqHjGdoOPaNDClFA6PpGtLqfP8brWRMG3rvYKRVS8YQe/t3O7f O/7ibWnqgIbarXcch2Bck/A8HdmW/PVDBcHp+5RBBKWAOrv0CG/lFSx//YZNiZL4drki a1Tu0zwIJPrY1ozmPy/m74aupxj91il+8zhdaWOguFNs8cBVl/REGCtGYLW7MQkEJlY/ hz9y3yGsc6GwhITUcXJOYtSWVwrbR9ydNeMxVkmQOW0IuT3Cmh2w8zqwu1h+85yf0TS1 T7tn29lmp4NAMpWcPTNzC9KeexmPtJbCgpQHh7KjWYCrFmb0ToXs5JWe+QD81Nt3z+7f DXOA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=9vIlJGfggIMfPt+kTenoSp+mbnyzBRWNaGgd/qGD9jY=; fh=1w3+j/5ThUunRRL95tNNdt077j8YzLetvcI1vN0EeFo=; b=Z4Hox37GZnCzhbmrNHjf/8sTsRJVB04eJKzA4MS4gqyUPtIKQoRKWbsUvJ2tfs68TM km0Ez9HFeG7Pn/W4m+Fpe5plt+DDwKQ3sWdVPvM24c5xCpToCKJ27GXMqBLr/b760sKN EVqF6wZoG/dI4dEtr67/Qdy7qoWTEZExaNz1DtBhMAXJnBrs7c2AuLkNn7VT39k6ew90 aUBpoAHFoClkeT68namKec1PSE6xgkjzwgF7pLMUkARk7yKasdqqduXaEkeDFh5vHV56 5LEqLRmz/012hZ4zh8caU/DfqWjvHtTcmGrMz99c4N1uO3v7wxSD2ss3n4aRwjClnHVi wXOg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=Tfu+By08; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161533-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161533-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 188-20020a6301c5000000b005dc42ad5d65si9110816pgb.622.2024.04.28.10.39.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Apr 2024 10:39:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161533-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=Tfu+By08; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161533-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161533-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 09C2128151B for ; Sun, 28 Apr 2024 17:39:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3E26C7352D; Sun, 28 Apr 2024 17:39:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="Tfu+By08" Received: from forward500a.mail.yandex.net (forward500a.mail.yandex.net [178.154.239.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCCA073506; Sun, 28 Apr 2024 17:39:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.80 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714325967; cv=none; b=WjNEFZTUumwayA1NF7wzTRnLA2BXnuH7sljhcqwTe36IKPq3c3X+nFUftOvmMoTvbtMbQ+I4zAB2uXehYG3155455SZcdaabdJ2uDBf8EJr5XWQyGZL0JszubCUjZPHsqP7dmrB0GA0800QiIzp+0vGZ8z5NEl3tuRy7jxvEdKQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714325967; c=relaxed/simple; bh=9vIlJGfggIMfPt+kTenoSp+mbnyzBRWNaGgd/qGD9jY=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=WRXVrLt/h0q9zC1HqLnzX1xTpKGii54iqLxHFX+7+vhK/I3NJkim85ENGwg5NjVqpSvPEbbx9N5+tCEhKKvE4EptU1ECeXBV1H/j+ttHrXNn2N+spi5ly+YwWvnESAy/DFfaBl6rfCYQAFCZZzXXNOfisVdIUt+We9maWt2SiL8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=Tfu+By08; arc=none smtp.client-ip=178.154.239.80 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Received: from mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:230c:0:640:f8e:0]) by forward500a.mail.yandex.net (Yandex) with ESMTPS id 32A8960ED8; Sun, 28 Apr 2024 20:39:20 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id GdTtsTB1F0U0-lo6nDCcX; Sun, 28 Apr 2024 20:39:18 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714325958; bh=9vIlJGfggIMfPt+kTenoSp+mbnyzBRWNaGgd/qGD9jY=; h=From:In-Reply-To:Cc:Date:References:To:Subject:Message-ID; b=Tfu+By08UfkKGhVPTYhVI6BnA1Wju3hpF4QtM5GMyJHs87pOGnq9ahyKkfaSFOBYd PuZNm7p1jJK6yGWp1W8xCE+fwRghzwRyBYV8iPO+bqdHVPRX2Gfs9nmNmrkCL1/p3C rdQ5IkGjX1fUJW878+sX+jTCYXmQAKpUwbSffXfM= Authentication-Results: mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <8e186307-bed2-4b5c-9bc6-bdc70171cc93@yandex.ru> Date: Sun, 28 Apr 2024 20:39:16 +0300 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() Content-Language: en-US To: Andy Lutomirski , Aleksa Sarai , "Serge E. Hallyn" Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?Q?Christian_G=C3=B6ttsche?= References: <20240426133310.1159976-1-stsp2@yandex.ru> From: stsp In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit 28.04.2024 19:41, Andy Lutomirski пишет: >> On Apr 26, 2024, at 6:39 AM, Stas Sergeev wrote: >> This patch-set implements the OA2_CRED_INHERIT flag for openat2() syscall. >> It is needed to perform an open operation with the creds that were in >> effect when the dir_fd was opened, if the dir was opened with O_CRED_ALLOW >> flag. This allows the process to pre-open some dirs and switch eUID >> (and other UIDs/GIDs) to the less-privileged user, while still retaining >> the possibility to open/create files within the pre-opened directory set. >> > Then two different things could be done: > > 1. The subtree could be used unmounted or via /proc magic links. This > would be for programs that are aware of this interface. > > 2. The subtree could be mounted, and accessed through the mount would > use the captured creds. Doesn't this have the same problem that was pointed to me? Namely (explaining my impl first), that if someone puts the cred fd to an unaware process's fd table, such process can't fully drop its privs. He may not want to access these dirs, but once its hacked, the hacker will access these dirs with the creds came from an outside. My solution was to close such fds on exec and disallowing SCM_RIGHTS passage. SCM_RIGHTS can be allowed in the future, but the receiver will need to use some new flag to indicate that he is willing to get such an fd. Passage via exec() can probably never be allowed however. If I understand your model correctly, you put a magic sub-tree to the fs scope of some unaware process. He may not want to access it, but once hacked, the hacker will access it with the creds from an outside. And, unlike in my impl, in yours there is probably no way to prevent that? In short: my impl confines the hassle within the single process. It can be extended, and then the receiver will need to explicitly allow adding such fds to his fd table. But your idea seems to inherently require 2 processes, and there is probably no way for the second process to say "ok, I allow such sub-tree in my fs scope". And even if he could, in my impl he can just close the cred fd, while in yours it seems to persist. Sorry if I misunderstood your idea.