Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1014047lqa; Sun, 28 Apr 2024 14:31:07 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW2MRT4AjkbdnIhEfYxknzNEbZDFj/4u0e+dYoIUwO77a5g28+XR278/SpnFYXXBbO8I3ikipbXP4mkZQp7LG8WxnV/f7nKst7uzyTt0g== X-Google-Smtp-Source: AGHT+IHikbFTFpmGed/538TT4HqyoRz/qimmNct2mnJBCbApTyKRUzAxEWQNONx6rNQ6BDn6jHb/ X-Received: by 2002:a2e:9bc1:0:b0:2de:cc70:2552 with SMTP id w1-20020a2e9bc1000000b002decc702552mr4997191ljj.10.1714339867026; Sun, 28 Apr 2024 14:31:07 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714339866; cv=pass; d=google.com; s=arc-20160816; b=Pk2LMbZLN6FTuPGqYUJ0P+pmkzZ48dBC6IOKHigAI8JiLMvZzFHyx4aG+/UR9EHWNW iAQLKUPYBJfbGQHeTca7EIpqvudwh/qSTGPvd6b+uqvAlVPpNALAHQML+bus4OZmVRLv fkDMpyAxz5Rub/L1LXY3eDC0fBxqf48O2doWoTZAm8vZFgPkOPy8K12QZEaTJmQT+4Uz uxMLLAuECa8vrxo8GqiGvIijUp416hw/JNiHkue68Gx9uBnHqdfxBB+RHFpNnro4C+N8 OP0ElkJBsrJvpS9OMN5cXdvhyH3NhP+8RpoUBfpirHc7tjvnJC8qKieErm4OtXY/LXQ+ PpYQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=uJJ35N4q0VyKFRaZhKEeRutim4StKWKCGfhx+lo+8WU=; fh=nVK+yPbZSoBDHD9szlpdMsk/yfBdMIhBX6YhbDSr2e0=; b=NGmEBec+WEKTOfao5yTKflSd9xhGAA2R1VIGAT7UEue7fx+oPsAXcbj7yyz7Il9/a6 dHhzYCGIsKTVztYWJwNV9tuR7aSFpV3tYAiRs5pU/GZQXnao0/eVhxcT6FMTkB7P2iRu Sktnc8G0M3JhmL2cERpb3V0uMEM651OPIp2zMXBOi5il2oeM4OUOaUw1E6mDeP1gypjH t1obKhtWEjGobAT8UK2XfFaq8Df/Jqhfy5wMfqyKGv7N9tDCYiLUIhJPZrgJLzEOwSH3 XP/DivSbgM6dZVCunIdWznj+63QQFDVSq7j7b1GjnrWPX4P9SCvjFL55+KCYu76iN/7G L3sQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amacapital-net.20230601.gappssmtp.com header.s=20230601 header.b=T46qo4nu; arc=pass (i=1 spf=pass spfdomain=amacapital.net dkim=pass dkdomain=amacapital-net.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-161576-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161576-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id r1-20020a50d681000000b005727330fa73si1603007edi.554.2024.04.28.14.31.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Apr 2024 14:31:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161576-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20230601.gappssmtp.com header.s=20230601 header.b=T46qo4nu; arc=pass (i=1 spf=pass spfdomain=amacapital.net dkim=pass dkdomain=amacapital-net.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-161576-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161576-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 93B161F21249 for ; Sun, 28 Apr 2024 21:31:06 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 260E0BA2B; Sun, 28 Apr 2024 21:30:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b="T46qo4nu" Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com [209.85.222.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9B5DA937 for ; Sun, 28 Apr 2024 21:30:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714339854; cv=none; b=ZcrXO7zRI6Ag5Yl/RNFps1+KQWuND5HQIDWFHPdB4/jtqNuy7iPdCwjS3BeEcFXaatXsgjYggRAe6JmZf2Nn/UaIdo5c/2ltsF00W0Gd5cOXWCBzrgv1NfGpNl6L1hQemRYrXa1W7vtwvSyl+i7yrL3AOLFa5+GJVgK/n+0M5uE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714339854; c=relaxed/simple; bh=iGTiqLpUAG8tJk0tZZXhVpkv3sDrq4xQk2Vsf0SnG0c=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=UkPVr9inEy7oH5dyuFXuCuDoHgTMD8OUrSjsjMjYvmHuX1EZZYHiHjV4Lip5nj5r+eWjgO+UtUPs6MWu8WewW6rIcwYD+MktblQO1H/gy2PqfRF1oGMxSZ3NYOT+T8HxdtobSOj+rcIGfJd8Ojw1NhcL+FXTd1MMEPyLlPo/h4Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net; spf=pass smtp.mailfrom=amacapital.net; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b=T46qo4nu; arc=none smtp.client-ip=209.85.222.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amacapital.net Received: by mail-ua1-f50.google.com with SMTP id a1e0cc1a2514c-7f01c265ab6so417839241.1 for ; Sun, 28 Apr 2024 14:30:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20230601.gappssmtp.com; s=20230601; t=1714339851; x=1714944651; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=uJJ35N4q0VyKFRaZhKEeRutim4StKWKCGfhx+lo+8WU=; b=T46qo4nuLxB/m8R1EzSBwQiyztMf4/wQbuFE0yGSPR3DlrA8GwtAEBHQ8KJhtz1StC TfiPbAQb/M08wrLTbSS7JT6S6uhIzfwvlW4Zbf2SZStO7u5U/GRs0N39qwCGK+8tnttv TW15AQx8gmyHloHohM9bVuV2GfLx/yFOEqCeiVpeWbPmSgTrwg4eMGJLqtLkVM+2veru XrcXqq88Sj/Nbjn2cMDgI34excSxccFRFAMHkK3pdeCE5oC++yo8MmZKmRI/2vu7g3eP BW/JzZ1Y3XSl0bTdpurE1tyGsabsoXyllaEFoXEbXMUIyjuIGxmO0Qg6L/iDbvloHuwA qtUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714339851; x=1714944651; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uJJ35N4q0VyKFRaZhKEeRutim4StKWKCGfhx+lo+8WU=; b=SY+HqunMLDyEmA8PS+BhCHmhn8M4lCI7IrLqrzg21dPc4+e+VAt9cAZhYTSBomz8f0 OLnmGzlogc3FEbSYDnx7D3YH/P4Zf364UXb2i1LmlDG7Shz8XFipIbB6Tbvm7bC9WDg3 bk3uRuslYOgiSKAtsXhRGeheKLZ6sun5rX9g+by+qwWlHwrgdVxcMaemKAQ98AV1QcLM sUUSRiTz40d+vZYJlMqkYH1b/tMfBoyN5ZWzZyOau8nqlcIKvloweO+nt3fdTozQvad9 //3U6ObbHb1Eoz8qxALGCnXGx/rnw6P95OM7kldPCbIpAYudqLrV1c9WTY9yCaDTkThy XvhQ== X-Forwarded-Encrypted: i=1; AJvYcCWFrASYOo9FaxElVk4N7/rEvDOyVWZwWF+Tz0HthVVMUuplwoYR2Xm8gCDO6UCaeI+9/8J3TFNe1p4EbEoAi9c5Cmh6AWypK+Zj+tZ5 X-Gm-Message-State: AOJu0Yxhi0Iensd9Ith3xqQk2CuvsOW32UCwPMqZuuFDr7HKaa/2QfI+ Ru3bi2LkntnNCnX4dH7UETGLZqUJOw1CCmXfyh0WvF651Wk0/xJrRc3cyseDQd8du6//eLvqkgs tZsCUU9KpvVrm2wGuSO4JnyvPWi6BboiEKVTb X-Received: by 2002:a05:6122:369f:b0:4c0:24e6:f49d with SMTP id ec31-20020a056122369f00b004c024e6f49dmr9623078vkb.1.1714339851513; Sun, 28 Apr 2024 14:30:51 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240426133310.1159976-1-stsp2@yandex.ru> <8e186307-bed2-4b5c-9bc6-bdc70171cc93@yandex.ru> <33bbaf98-db4f-4ea6-9f34-d1bebf06c0aa@yandex.ru> In-Reply-To: <33bbaf98-db4f-4ea6-9f34-d1bebf06c0aa@yandex.ru> From: Andy Lutomirski Date: Sun, 28 Apr 2024 14:30:40 -0700 Message-ID: Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() To: stsp Cc: Aleksa Sarai , "Serge E. Hallyn" , linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?Q?Christian_G=C3=B6ttsche?= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sun, Apr 28, 2024 at 2:15=E2=80=AFPM stsp wrote: > > 28.04.2024 23:19, Andy Lutomirski =D0=BF=D0=B8=D1=88=D0=B5=D1=82: > >> Doesn't this have the same problem > >> that was pointed to me? Namely (explaining > >> my impl first), that if someone puts the cred > >> fd to an unaware process's fd table, such > >> process can't fully drop its privs. He may not > >> want to access these dirs, but once its hacked, > >> the hacker will access these dirs with the > >> creds came from an outside. > > This is not a real problem. If I have a writable fd for /etc/shadow or > > an fd for /dev/mem, etc, then I need close them to fully drop privs. > > But isn't that becoming a problem once > you are (maliciously) passed such fds via > exec() or SCM_RIGHTS? You may not know > about them (or about their creds), so you > won't close them. Or? Wait, who's the malicious party? Anyone who can open a directory has, at the time they do so, permission to do so. If you send that fd to someone via SCM_RIGHTS, all you accomplish is that they now have the fd. In my scenario, the malicious party attacks an *existing* program that opens an fd for purposes that it doesn't think are dangerous. And then it gives the fd *to the malicious program* by whatever means (could be as simple as dropping privs then doing dlopen). Then the malicious program does OA2_INHERIT_CREDS and gets privileges it shouldn't have. But if the *whole point* of opening the fd was to capture privileges and preserve them across a privilege drop, and the program loads malicious code after dropping privs, then that's a risk that's taken intentionally. This is like how, if you do curl http://whatever.com/foo.sh | bash, you are granting all kinds of permissions to unknown code. > >> My solution was to close such fds on > >> exec and disallowing SCM_RIGHTS passage. > > I don't see what problem this solves. > > That the process that received them, > doesn't know they have O_CRED_ALLOW > within. So it won't deduce to close them > in time. Hold on -- what exactly are you talking about? A process does recvmsg() and doesn't trust the party at the other end. Then it doesn't close the received fd. Then it does setuid(getuid()). Then it does dlopen or exec of an untrusted program. Okay, so the program now has a completely unknown fd. This is already part of the thread model. It could be a cred-capturing fd, it could be a device node, it could be a socket, it could be a memfd -- it could be just about anything. How do any of your proposals or my proposals cause an actual new problem here? > > This is fundamental to the whole model. If I stick a FAT formatted USB > > drive in the system and mount it, then any process that can find its > > way to the mountpoint can write to it. And if I open a dirfd, any > > process with that dirfd can write it. This is old news and isn't a > > problem. > > But IIRC O_DIRECTORY only allows O_RDONLY. > I even re-checked now, and O_DIRECTORY|O_RDWR > gives EISDIR. So is it actually true that > whoever has dir_fd, can write to it? If the filesystem grants that UID permission to write, then it can write.