Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1026583lqa; Sun, 28 Apr 2024 15:13:21 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXc+vVWzkAIsPyl1g9G8RTHh/CISB3Tsn1VXk180tkkZs7Q8gKOXQhKvhnoh0H9nTLsAQ8dKrnaSLpDGeI02WgWownIvQuL1QxOI49KyA== X-Google-Smtp-Source: AGHT+IEFxZssUSbxzIfBP8Q8+ELk34U9boN3wv3PJjKlbPlXAkFI9QCIG4/uJWvz1plUlRuVI133 X-Received: by 2002:a17:906:b03:b0:a58:c5a5:209b with SMTP id u3-20020a1709060b0300b00a58c5a5209bmr7553425ejg.24.1714342401447; Sun, 28 Apr 2024 15:13:21 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714342401; cv=pass; d=google.com; s=arc-20160816; b=kqqIl7tZLWG3Ht5unmoI5s7y2qXRyXYKGiUCvjK1vM5NAgzW4wjbyc1JXkLLW0tOt2 oLGtdQNYHmLmmTL6/CY3gYN02NOaT7Gz8S/2Rv2yAIyLDgLfnPYzxKXieTkkrsgK2gpz wb6EIlcGhS6/FkXY7l//bHlCeAsBOs8xMpFYwCXBcBvi+bCvQROqErL/tc6mGGwtAvLt yazrjXP0K9JdaLYYGeR6y7Q6L0ae4USsoOLaE/8WO+vXY4hJXpfD0Trd2qDrU7Je3XoP +yIMPZoJJ1HME3/TMxUiEgH1mbq4gyJfMp7vX72lAosmERt6lKe/BUpGosdbY667DgUI CfZg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=c9Y0BivHdjPKZY5c2XXTa9ws62jwT30YMQALX3hKUgU=; fh=2CU+yo3UDQuGGBAALx7Gkef0He2akNiFegPJ6ec2/wo=; b=wmxyAjrmgtAp8t8sbxq5amgLwVdbC+dzAslPbRynNi6GsFtF8EtGtWMBtmM/aillJv zrMb3fGjPatR1fCIAwXiv39R5HRsHDYgw2xKDI/UxjJ8I047sgaUcTb2X4eV+TfW0exC Y8CcWcfq1JLwxdEDoKArXRLE+575moSvHleyiA1b5uU5IkJWkizfxuvl1aO6U3qHHo6b csHbcm/eHZ4lx6Gp2LPWX+L6e0dWYyBBw3VBQ+QN2VRN+QwFcmjnirTt94XoOM+A3+// LDcUVss92lLGbI3Q5N73LhZtgxih3v4RkdN0yAx8BJ5oFVg9yfP3gslgvYLvpCQQZm27 UT2w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=LsyOqxLS; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161601-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id b18-20020a17090630d200b00a5881ec8959si7249307ejb.806.2024.04.28.15.13.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Apr 2024 15:13:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@yandex.ru header.s=mail header.b=LsyOqxLS; arc=pass (i=1 spf=pass spfdomain=yandex.ru dkim=pass dkdomain=yandex.ru dmarc=pass fromdomain=yandex.ru); spf=pass (google.com: domain of linux-kernel+bounces-161601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161601-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id D04081F21168 for ; Sun, 28 Apr 2024 22:13:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B939F10976; Sun, 28 Apr 2024 22:13:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="LsyOqxLS" Received: from forward502c.mail.yandex.net (forward502c.mail.yandex.net [178.154.239.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 38DB6B642; Sun, 28 Apr 2024 22:13:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.210 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714342388; cv=none; b=rn5YsOC/LfycICS2MVyjlzpM9svLjEQhR1dXdmInak/BtlZk7jfZyXwPeTRHxPdsMijTMXLFvpnZOtbCJ8zfi+IzRTCgtxp4r5lS31D/o6mUVPIrRbrofvHCWO/MUBx4Y+6MK7Do4sRoU0djsI73+tEHhBpHkfFFkmzO8Fs+uN4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714342388; c=relaxed/simple; bh=v+x60Em69Y3V15yKVtpLHgKkcW8An+47dIIafknn1Ek=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=bWATB4jWPHVQ1ZZhEymdEh7xka/D7I+KXw7TqQLL0pV2XUd5IGlupvD/rAmrSZdl1yhem7pxEJe20Xzh9fYr4/5agSnOd8gSi8Ns714+2aN1d2On5jJcFd3z5Ws0ETH7Xkw1xvyqqa82O8DRBPH62cAq2Q0DaC5mjAvlw2Rn2rs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=LsyOqxLS; arc=none smtp.client-ip=178.154.239.210 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Received: from mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net [IPv6:2a02:6b8:c12:28a2:0:640:9f07:0]) by forward502c.mail.yandex.net (Yandex) with ESMTPS id A818360E39; Mon, 29 Apr 2024 01:13:01 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id wCYcLSYpCSw0-neCwgFvP; Mon, 29 Apr 2024 01:13:00 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714342380; bh=c9Y0BivHdjPKZY5c2XXTa9ws62jwT30YMQALX3hKUgU=; h=From:In-Reply-To:Cc:Date:References:To:Subject:Message-ID; b=LsyOqxLSL+upd6hnVyorcANpJaN3+4rBG+WC9FGO2DJNOLJqiBFKcdVbORF/YVI6k k1c9E5X7wsizm3X+SBFEdRVCBDXzZSSBjrxGZvnDpE/C7KRJRjBYSRLtWBzTSdxa+m JVb5ceF0eM55CN/tzh31ttIGaTAnZwuLtTnuIMGc= Authentication-Results: mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: Date: Mon, 29 Apr 2024 01:12:58 +0300 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() Content-Language: en-US To: Andy Lutomirski Cc: Aleksa Sarai , "Serge E. Hallyn" , linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?UTF-8?Q?Christian_G=C3=B6ttsche?= References: <20240426133310.1159976-1-stsp2@yandex.ru> <8e186307-bed2-4b5c-9bc6-bdc70171cc93@yandex.ru> <33bbaf98-db4f-4ea6-9f34-d1bebf06c0aa@yandex.ru> From: stsp In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit 29.04.2024 00:30, Andy Lutomirski пишет: > On Sun, Apr 28, 2024 at 2:15 PM stsp wrote: >> But isn't that becoming a problem once >> you are (maliciously) passed such fds via >> exec() or SCM_RIGHTS? You may not know >> about them (or about their creds), so you >> won't close them. Or? > Wait, who's the malicious party? Someone who opens an fd with O_CRED_ALLOW and passes it to an unsuspecting process. This is at least how I understood the Christian Brauner's point about "unsuspecting userspace". > Anyone who can open a directory has, > at the time they do so, permission to do so. If you send that fd to > someone via SCM_RIGHTS, all you accomplish is that they now have the > fd. Normally yes. But fd with O_CRED_ALLOW prevents the receiver from fully dropping his privs, even if he doesn't want to deal with it. > In my scenario, the malicious party attacks an *existing* program that > opens an fd for purposes that it doesn't think are dangerous. And > then it gives the fd *to the malicious program* by whatever means > (could be as simple as dropping privs then doing dlopen). Then the > malicious program does OA2_INHERIT_CREDS and gets privileges it > shouldn't have. But what about an inverse scenario? Malicious program passes an fd to the "unaware" program, putting it under a risk. That program probably never cared about security, since it doesn't play with privs. But suddenly it has privs, passed out of nowhere (via exec() for example), and someone who hacks it, takes them. >>>> My solution was to close such fds on >>>> exec and disallowing SCM_RIGHTS passage. >>> I don't see what problem this solves. >> That the process that received them, >> doesn't know they have O_CRED_ALLOW >> within. So it won't deduce to close them >> in time. > Hold on -- what exactly are you talking about? A process does > recvmsg() and doesn't trust the party at the other end. Then it > doesn't close the received fd. Then it does setuid(getuid()). Then > it does dlopen or exec of an untrusted program. > > Okay, so the program now has a completely unknown fd. This is already > part of the thread model. It could be a cred-capturing fd, it could > be a device node, it could be a socket, it could be a memfd -- it > could be just about anything. How do any of your proposals or my > proposals cause an actual new problem here? I am not actually sure how widely does this spread. I.e. /dev/mem is restricted these days, but if you can freely pass device nodes around, then perhaps the ability to pass an r/o dir fd that can suddenly give creds, is probably not something new... But I really don't like to add to this particular set of cases. I don't think its safe, I just think its legacy, so while it is done that way currently, doesn't mean I can do the same thing and call it "secure" just because something like this was already possible. Or is this actually completely safe? Does it hurt to have O_CRED_ALLOW non-passable? >>> This is fundamental to the whole model. If I stick a FAT formatted USB >>> drive in the system and mount it, then any process that can find its >>> way to the mountpoint can write to it. And if I open a dirfd, any >>> process with that dirfd can write it. This is old news and isn't a >>> problem. >> But IIRC O_DIRECTORY only allows O_RDONLY. >> I even re-checked now, and O_DIRECTORY|O_RDWR >> gives EISDIR. So is it actually true that >> whoever has dir_fd, can write to it? > If the filesystem grants that UID permission to write, then it can write. Which to me sounds like owning an O_DIRECTORY fd only gives you the ability to skip the permission checks of the outer path components, but not the inner ones. So passing it w/o O_CRED_ALLOW was quite safe and didn't give you any new abilities.