Date: Tue, 1 Jul 2014 10:53:56 +0100
From: David Drysdale
To: Andi Kleen
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Alexander Viro, Meredydd Luff, Kees Cook, James Morris, linux-api@vger.kernel.org
Subject: Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)
Message-ID: <20140701095356.GC2242@google.com>
References: <1404124096-21445-1-git-send-email-drysdale@google.com> <1404124096-21445-2-git-send-email-drysdale@google.com> <87mwcuw2pj.fsf@tassilo.jf.intel.com>
In-Reply-To: <87mwcuw2pj.fsf@tassilo.jf.intel.com>

On Mon, Jun 30, 2014 at 01:40:40PM -0700, Andi Kleen wrote:
> David Drysdale writes:
>
> > Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> > provided path, rejecting (with -EACCES) paths that are not beneath
> > the provided dfd. In particular, reject:
> >  - paths that contain .. components
> >  - paths that begin with /
> >  - symlinks that have paths as above.
>
> How about bind mounts?
>
> -Andi
>
> --
> ak@linux.intel.com -- Speaking for myself only

Bind mounts won't get rejected because they just look like normal
path components. In other words, if dir/subdir is a bind mount to
/root/dir then:

    fd = openat(AT_FDCWD, "dir/subdir", O_RDONLY|O_BENEATH_ONLY);

will work fine.