Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp994091lqa; Sun, 28 Apr 2024 13:19:33 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUwQMrX3eXK6+avSHT058KEbz3hJroGdj8V4pCTG9ujemipsUCC7KDYi3staG6EkEi0ST4ZvgNkdqrE7qU/s/dO0WgJhGxIo1SljW1bfw== X-Google-Smtp-Source: AGHT+IFYqomu6RmUEm2OT+I5f8VvmjmIBeDfJN2dBooH47OxrlxDlg+KaEHvqu8Pytdt0iCk7plh X-Received: by 2002:a05:6a20:438f:b0:1ad:8335:1a45 with SMTP id i15-20020a056a20438f00b001ad83351a45mr11487253pzl.55.1714335573633; Sun, 28 Apr 2024 13:19:33 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714335573; cv=pass; d=google.com; s=arc-20160816; b=SktlYX2ZcBNmm53dhlJbn6JRrAqy5t16nTgOUalbdaiFeeQBh8QsK2FLwiJ+gGLuGC M7xiBzo6Ea4BSP7ptRlOqyaigO8qkZ9uN6lf5ifde/cTd/3BLwsNSH7wiyesvoMukxCO WeuZi794pnCh1lxtD4txgeJtTJQCWnohwLJuJdSVMu8RwfMov4176wyPTbeywdznTlwP hgoo73H3FmF1RoU/Zng2E4g3an8DRmOxJ8TY5rbjZOLVdPGAtk4/G/iSc6k6pdtPiIr7 6qasPZeIe9bW7cE4IWsTLDijAnn8CJhUscuuffiOHs6b+hGvMdCaxJHBKe8MQGGfNtN8 eX3Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=36fCDwL4QpR+lpjC88HY7LLvBoa6Q/B+CIUJ2PbdlPg=; fh=TMoi6aBKntauBOm+bTll4AkhLkwF7q6Y8/vnHwjoT30=; b=UgVeQmlwyYWQG4QSMyZ3mIy/dMCcI+O+CLjDeJlAYeG7Y283QcyHiKy4cX/Bko5OZn o3v0Tb41cGkN0Y3LOHHu2islx8N7bFpuKohV/+/VMdKGmV2x/a8hUX6gD74UXa1bLRD/ 8rRITxO9Yu038uvh6mJNxHMUqg+V4OU7NbT5mgM1E2xWIq6ojngSfdg2Pylq0tItYjze D2ZxlOQX798D002/Q4/DFgroT7KO/dD4wOwHHOgsBphwd5MmFBOUfqcZ9O+tOrTq2VG2 sBpmVjr0/sRd5nE+Zg7x0zkcMsQGLf9Gw55eGEEak7a5wFGBZKy2mPVhOqFrDh6Ju/G/ oc/g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amacapital-net.20230601.gappssmtp.com header.s=20230601 header.b=IOsJQkew; arc=pass (i=1 spf=pass spfdomain=amacapital.net dkim=pass dkdomain=amacapital-net.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-161561-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161561-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id i195-20020a639dcc000000b0060e9c8f866csi4230399pgd.878.2024.04.28.13.19.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Apr 2024 13:19:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161561-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20230601.gappssmtp.com header.s=20230601 header.b=IOsJQkew; arc=pass (i=1 spf=pass spfdomain=amacapital.net dkim=pass dkdomain=amacapital-net.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-161561-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161561-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id E1209281514 for ; Sun, 28 Apr 2024 20:19:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3358774BED; Sun, 28 Apr 2024 20:19:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b="IOsJQkew" Received: from mail-ua1-f44.google.com (mail-ua1-f44.google.com [209.85.222.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B41297350E for ; Sun, 28 Apr 2024 20:19:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.44 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714335562; cv=none; b=LBgaCnmnp2LhhebpsOpBYLynTZyvnu0lvTMaURI2iVoT/e1dCM1Ft/s7o4n+Vv1iS3GI1UJGqx3ko5DeRHdITZOrLwYEyNU4PF6GKooBwJraOHJkpP080BTtbJD3k5StLIi5alFC0+1aPoO3EBFTIDo8UTijL00XXJnqbn5KvZQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714335562; c=relaxed/simple; bh=1D4BeQM6t2ZEoGkKh0mFVZL/ht0rUhCq2wB6mxulAM4=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=izwmx5pVnNIIRCAXrUb2C809cFtX8m7fXWdMBAecwvltiDwL8eJJq1IWbYsUp0UgG48x6Xf4FJyRPQraPio9c8oVAKvoh5leAvlVO8X66pvxLwDLF0dyLcYoCHw/F1fz4oQXlqdP9b/rh0xU4CV3+5hTN3nnKrG1Bz6VCqt80KI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net; spf=pass smtp.mailfrom=amacapital.net; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b=IOsJQkew; arc=none smtp.client-ip=209.85.222.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amacapital.net Received: by mail-ua1-f44.google.com with SMTP id a1e0cc1a2514c-7f00a9fc1f4so604093241.2 for ; Sun, 28 Apr 2024 13:19:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20230601.gappssmtp.com; s=20230601; t=1714335559; x=1714940359; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=36fCDwL4QpR+lpjC88HY7LLvBoa6Q/B+CIUJ2PbdlPg=; b=IOsJQkew67z2J8MFeJ728IHno/MCipwRfQ/47FeuyrLveN9+30o7j+pZutU92aD9Mu InZq/1ZC2TgCOBnPvWGZglEGabMML1snqaxsAAmw9EQs5ITmadiqiK0Y17ZV/Q3TPOcF hnhktkwf5R0FKh8bUGoqP/bNh8FHpZKtRZbEXAIhQROVcKH+BXw9KFIazLOQjpjMMIw2 QpdKVHLG8gxWsj4e0usKeGwH6eG+aEFD8e7BE20C+YptUaxUdBEuTO77QpLZKwh+c5km 6S/0drlFLHMwmVshu8wSV3llXje+/0Hz7SXntbl4bQtvMCYKMDXVu32O8riQiAQJm3/e B1pA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714335559; x=1714940359; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=36fCDwL4QpR+lpjC88HY7LLvBoa6Q/B+CIUJ2PbdlPg=; b=sNynLnZcm13K1GF4GIPkkz5ykVaKqWAcPPq09rvVawqJv5grGfm9MD1OkDtGbU6oOS gYYifgz+llGgaNmjY4NstMVnrPzUCQ6RXLefHtvAdtHx7sTdl2C+dAmwSihKniM/gP1l d/oSzAIQ5cyWk8k28yLktrVs2eB6IYJbfoxuZrsQYUuiKQJbSkqJ5bopf9qbf2ApplVo WIHYT4g5y3rynQ8uU1d+HDhNxzT7SGsU9+8YaohUI4LOZrX4RXa78jWRjsQSldldCosi JVBqQojYzKTrGiGY/1Tc7VbA1nSe/NkesYJub1r9Jxc8JDPUwZQLSBl442PupFWVZZTV c0PA== X-Forwarded-Encrypted: i=1; AJvYcCXBLL3TUGm504LyvX0O8j5QMOrkYlSijq1kE0PH6/loL+UntM7HSyTu44AbFziA+FCrBXS2Rab+p7Y+lKiIWnEHkVWPjAI8lNmODWU0 X-Gm-Message-State: AOJu0YwAFH6qzYv2XSFZF/KftaZhS97eHRVoT7MnBe+yr02Y8feGl1x6 ZYfdCsH/AaegAhBwB1BWRTVRg4yoxnSxYeFZdTMYBMh+A7uJmDzCxl29ba1M2yYEK58Tu4LqS5Y JyuqYYSUZLoZH9uZ6xI8oZRGAeUp8aNK3ydv/ X-Received: by 2002:a05:6122:99e:b0:4dc:fbc5:d47 with SMTP id g30-20020a056122099e00b004dcfbc50d47mr7210015vkd.16.1714335559590; Sun, 28 Apr 2024 13:19:19 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240426133310.1159976-1-stsp2@yandex.ru> <8e186307-bed2-4b5c-9bc6-bdc70171cc93@yandex.ru> In-Reply-To: <8e186307-bed2-4b5c-9bc6-bdc70171cc93@yandex.ru> From: Andy Lutomirski Date: Sun, 28 Apr 2024 13:19:08 -0700 Message-ID: Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() To: stsp Cc: Aleksa Sarai , "Serge E. Hallyn" , linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?Q?Christian_G=C3=B6ttsche?= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > On Apr 28, 2024, at 10:39=E2=80=AFAM, stsp wrote: > > =EF=BB=BF28.04.2024 19:41, Andy Lutomirski =D0=BF=D0=B8=D1=88=D0=B5=D1=82= : >>>> On Apr 26, 2024, at 6:39=E2=80=AFAM, Stas Sergeev wr= ote: >>> =EF=BB=BFThis patch-set implements the OA2_CRED_INHERIT flag for openat= 2() syscall. >>> It is needed to perform an open operation with the creds that were in >>> effect when the dir_fd was opened, if the dir was opened with O_CRED_AL= LOW >>> flag. This allows the process to pre-open some dirs and switch eUID >>> (and other UIDs/GIDs) to the less-privileged user, while still retainin= g >>> the possibility to open/create files within the pre-opened directory se= t. >>> >> Then two different things could be done: >> >> 1. The subtree could be used unmounted or via /proc magic links. This >> would be for programs that are aware of this interface. >> >> 2. The subtree could be mounted, and accessed through the mount would >> use the captured creds. > Doesn't this have the same problem > that was pointed to me? Namely (explaining > my impl first), that if someone puts the cred > fd to an unaware process's fd table, such > process can't fully drop its privs. He may not > want to access these dirs, but once its hacked, > the hacker will access these dirs with the > creds came from an outside. This is not a real problem. If I have a writable fd for /etc/shadow or an fd for /dev/mem, etc, then I need close them to fully drop privs. The problem is that, in current kernels, directory fds don=E2=80=99t allow access using their f_cred, and changing that means that existing software that does not intend to create a capability will start to do so. > My solution was to close such fds on > exec and disallowing SCM_RIGHTS passage. I don't see what problem this solves. > SCM_RIGHTS can be allowed in the future, > but the receiver will need to use some > new flag to indicate that he is willing to > get such an fd. Passage via exec() can > probably never be allowed however. > > If I understand your model correctly, you > put a magic sub-tree to the fs scope of some > unaware process. Only if I want that process to have access! > He may not want to access > it, but once hacked, the hacker will access > it with the creds from an outside. > And, unlike in my impl, in yours there is > probably no way to prevent that? This is fundamental to the whole model. If I stick a FAT formatted USB drive in the system and mount it, then any process that can find its way to the mountpoint can write to it. And if I open a dirfd, any process with that dirfd can write it. This is old news and isn't a problem. > > In short: my impl confines the hassle within > the single process. It can be extended, and > then the receiver will need to explicitly allow > adding such fds to his fd table. > But your idea seems to inherently require > 2 processes, and there is probably no way > for the second process to say "ok, I allow > such sub-tree in my fs scope". A process could use my proposal to open_tree directory, make a whole new mountns that is otherwise empty, switch to the mountns, mount the directory, then change its UID and drop all privs, and still have access to that one directory. But even right now, a process could unshare userns and mountns, map its uid as some nonzero number, rearrange its mountns so it only has access to that one directory, drop all privs, and seccomp itself, and only have access to that directory, as it still has the same UID. Take your pick.