Date: Tue, 7 May 2024 17:50:58 +1000
From: Aleksa Sarai
To: Stas Sergeev
Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher, Eric Biederman, Alexander Viro, Andy Lutomirski, Christian Brauner, Jan Kara, Jeff Layton, Chuck Lever, Alexander Aring, David Laight, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini, Christian Göttsche
Subject: Re: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2()
Message-ID: <20240506.071502-teak.lily.alpine.girls-aiKJgErDohK@cyphar.com>
References: <20240427112451.1609471-1-stsp2@yandex.ru>
In-Reply-To: <20240427112451.1609471-1-stsp2@yandex.ru>

On 2024-04-27, Stas Sergeev wrote:
> This patch-set implements the OA2_CRED_INHERIT flag for openat2() syscall.
> It is needed to perform an open operation with the creds that were in
> effect when the dir_fd was opened, if the dir was opened with O_CRED_ALLOW
> flag. This allows the process to pre-open some dirs and switch eUID
> (and other UIDs/GIDs) to the less-privileged user, while still retaining
> the possibility to open/create files within the pre-opened directory set.
>
> The sand-boxing is security-oriented: symlinks leading outside of a
> sand-box are rejected. /proc magic links are rejected. fds opened with
> O_CRED_ALLOW are always closed on exec() and cannot be passed via unix
> socket.
> The more detailed description (including security considerations)
> is available in the log messages of individual patches.

(I meant to reply last week but I couldn't get my mail server to send mail...)

It seems to me that this can already be implemented using MOUNT_ATTR_IDMAP, without creating a new form of credential overriding within the filesystem (and with such a deceptively simple implementation...) If you are a privileged process which plans to change users, you can create a detached tree with a user mapping that gives that user access to only that tree. This is far more effective at restricting possible attacks because id-mapped mounts don't override credentials during VFS operations (meaning that if you miss something, you have a big problem), instead they only affect uid-related operations within the filesystem for that mount. Since this implementation does not inherit CAP_DAC_OVERRIDE, being able to rewrite uid/gids is all you need.

A new attack I just thought of while writing this mail is that because there is no RESOLVE_NO_XDEV requirement, it should be possible for the process to get an arbitrary write primitive by creating a new userns+mountns and then bind-mounting / underneath the directory. Since O_CRED_INHERIT uses override_creds, it doesn't care about whether something about the O_CRED_ALLOW directory changed afterwards. Yes, you can "just fix this" by adding a RESOLVE_NO_XDEV requirement too, but given that there have been 2-3 security issues with this design found already, it makes me feel really uneasy. Using id-mapped mounts avoids this issue because the new mount will not have the id-mapping applied and thus there is no security issue.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
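The id-mapped-mount alternative Aleksa describes, as an added example that is neither part of this thread nor of the patch set: a privileged process clones a directory into a detached tree with open_tree(), attaches a user-namespace mapping to it with mount_setattr(MOUNT_ATTR_IDMAP), and then attaches the tree with move_mount(), so that only this mount is affected and no credentials are overridden during VFS operations. It assumes Linux 5.12 or later, a root caller, a filesystem that supports id-mapped mounts, an existing target directory, and the helper names (`idmapped_bind`, `make_userns_fd`, `format_id_map`, `write_proc`) are mine; the underscore-suffixed constants mirror the values in linux/mount.h.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_mount_setattr /* same numbers on every arch; covers pre-5.12 headers */
#define __NR_open_tree 428
#define __NR_move_mount 429
#define __NR_mount_setattr 442
#endif
#define OPEN_TREE_CLONE_ 1u          /* values as in linux/mount.h */
#define MOUNT_ATTR_IDMAP_ (1u << 20)
#define MOVE_MOUNT_F_EMPTY_PATH_ 4u
struct idmap_attr { uint64_t attr_set, attr_clr, propagation, userns_fd; }; /* = struct mount_attr */
/* "0 <target> 1": uid 0 on disk shows as <target> through the mount, and files
 * <target> creates through the mount land on disk owned by uid 0. */
int format_id_map(char *buf, size_t n, unsigned target) { return snprintf(buf, n, "0 %u 1\n", target); }
static int write_proc(pid_t pid, const char *name, const char *s) {
    char p[64]; snprintf(p, sizeof p, "/proc/%d/%s", (int)pid, name);
    int fd = open(p, O_WRONLY), ok = fd >= 0 && write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    if (fd >= 0) close(fd); return ok ? 0 : -1;
}
/* Fork a helper into a new user namespace, map only 0 <-> target in it, return the ns fd (root only). */
static int make_userns_fd(unsigned target) {
    int sync[2] = { -1, -1 }, userns_fd = -1; char map[32], path[64], c;
    pid_t pid = pipe(sync) < 0 ? -1 : fork();
    if (pid == 0) { if (!unshare(CLONE_NEWUSER) && write(sync[1], "x", 1) == 1) pause(); _exit(1); }
    close(sync[1]); if (pid < 0 || read(sync[0], &c, 1) != 1) { close(sync[0]); return -1; }
    format_id_map(map, sizeof map, target); snprintf(path, sizeof path, "/proc/%d/ns/user", (int)pid);
    if (!write_proc(pid, "uid_map", map) && !write_proc(pid, "gid_map", map))
        userns_fd = open(path, O_RDONLY | O_CLOEXEC);  /* the fd keeps the ns alive */
    kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(sync[0]);
    return userns_fd;
}
/* Clone `dir` as a detached mount, id-map it, attach it at existing dir `dst`; needs CAP_SYS_ADMIN. */
int idmapped_bind(const char *dir, const char *dst, unsigned target) {
    int userns_fd = make_userns_fd(target); if (userns_fd < 0) return -1;
    int tree = syscall(__NR_open_tree, AT_FDCWD, dir, OPEN_TREE_CLONE_ | O_CLOEXEC);
    struct idmap_attr attr = { MOUNT_ATTR_IDMAP_, 0, 0, (uint64_t)userns_fd };
    int ok = tree >= 0 &&
        !syscall(__NR_mount_setattr, tree, "", AT_EMPTY_PATH, &attr, sizeof attr) &&
        !syscall(__NR_move_mount, tree, "", AT_FDCWD, dst, MOVE_MOUNT_F_EMPTY_PATH_);
    if (tree >= 0) close(tree); close(userns_fd);
    return ok ? 0 : -1;
}
```

Call idmapped_bind() as root before dropping to the target uid; the dropped process then owns the files under the new mount, while the same files reached through any other path or mount keep their on-disk root ownership.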