All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jan Kara <jack@suse.cz>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Matthew Bobrowski <repnop@google.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Jan Kara <jack@suse.cz>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH 5/5] fanotify: Add pidfd info record support to the fanotify API
Date: Fri, 21 May 2021 12:24:18 +0200	[thread overview]
Message-ID: <20210521102418.GF18952@quack2.suse.cz> (raw)
In-Reply-To: <CAOQ4uxi6LceN+ETbF6XbbBqfAY3H+K5ZMuky1L-gh_g53TEN1A@mail.gmail.com>

On Fri 21-05-21 12:41:51, Amir Goldstein wrote:
> On Fri, May 21, 2021 at 12:22 PM Matthew Bobrowski <repnop@google.com> wrote:
> >
> > Hey Amir/Christian,
> >
> > On Thu, May 20, 2021 at 04:43:48PM +0300, Amir Goldstein wrote:
> > > On Thu, May 20, 2021 at 11:17 AM Christian Brauner
> > > <christian.brauner@ubuntu.com> wrote:
> > > > > +#define FANOTIFY_PIDFD_INFO_HDR_LEN \
> > > > > +     sizeof(struct fanotify_event_info_pidfd)
> > > > >
> > > > >  static int fanotify_fid_info_len(int fh_len, int name_len)
> > > > >  {
> > > > > @@ -141,6 +143,9 @@ static int fanotify_event_info_len(unsigned int info_mode,
> > > > >       if (fh_len)
> > > > >               info_len += fanotify_fid_info_len(fh_len, dot_len);
> > > > >
> > > > > +     if (info_mode & FAN_REPORT_PIDFD)
> > > > > +             info_len += FANOTIFY_PIDFD_INFO_HDR_LEN;
> > > > > +
> > > > >       return info_len;
> > > > >  }
> > > > >
> > > > > @@ -401,6 +406,29 @@ static int copy_fid_info_to_user(__kernel_fsid_t *fsid,
> > > > >       return info_len;
> > > > >  }
> > > > >
> > > > > +static int copy_pidfd_info_to_user(struct pid *pid,
> > > > > +                                char __user *buf,
> > > > > +                                size_t count)
> > > > > +{
> > > > > +     struct fanotify_event_info_pidfd info = { };
> > > > > +     size_t info_len = FANOTIFY_PIDFD_INFO_HDR_LEN;
> > > > > +
> > > > > +     if (WARN_ON_ONCE(info_len > count))
> > > > > +             return -EFAULT;
> > > > > +
> > > > > +     info.hdr.info_type = FAN_EVENT_INFO_TYPE_PIDFD;
> > > > > +     info.hdr.len = info_len;
> > > > > +
> > > > > +     info.pidfd = pidfd_create(pid, 0);
> > > > > +     if (info.pidfd < 0)
> > > > > +             info.pidfd = FAN_NOPIDFD;
> > > > > +
> > > > > +     if (copy_to_user(buf, &info, info_len))
> > > > > +             return -EFAULT;
> > > >
> > > > Hm, well this kinda sucks. The caller can end up with a pidfd in their
> > > > fd table and when the copy_to_user() failed they won't know what fd it
> > >
> > > Good catch!
> >
> > Super awesome catch Christian, thanks pulling this up!
> >
> > > But I prefer to solve it differently, because moving fd_install() to the
> > > end of this function does not guarantee that copy_event_to_user()
> > > won't return an error one day with dangling pidfd in fd table.
> >
> > I can see the angle you're approaching this from...
> >
> > > It might be simpler to do pidfd_create() next to create_fd() in
> > > copy_event_to_user() and pass pidfd to copy_pidfd_info_to_user().
> > > pidfd can be closed on error along with fd on out_close_fd label.
> > >
> > > You also forgot to add CAP_SYS_ADMIN check before pidfd_create()
> > > (even though fanotify_init() does check for that).
> >
> > I didn't really understand the need for this check here given that the
> > administrative bits are already being checked for in fanotify_init()
> > i.e. FAN_REPORT_PIDFD can never be set for an unprivileged listener;
> > thus never walking any of the pidfd_mode paths. Is this just a defense
> > in depth approach here, or is it something else that I'm missing?
> >
> 
> We want to be extra careful not to create privilege escalations,
> so even if the fanotify fd is leaked or intentionally passed to a less
> privileged user, it cannot get an open pidfd.
> 
> IOW, it is *much* easier to be defensive in this case than to prove
> that the change cannot introduce any privilege escalations.

I have no problems with being more defensive (it's certainly better than
being too lax) but does it really make sence here? I mean if CAP_SYS_ADMIN
task opens O_RDWR /etc/passwd and then passes this fd to unpriviledged
process, that process is also free to update all the passwords.
Traditionally permission checks in Unix are performed on open and then who
has fd can do whatever that fd allows... I've tried to follow similar
philosophy with fanotify as well and e.g. open happening as a result of
fanotify path events does not check permissions either.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

  reply	other threads:[~2021-05-21 10:24 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-20  2:09 [PATCH 0/5] Add pidfd support to the fanotify API Matthew Bobrowski
2021-05-20  2:10 ` [PATCH 1/5] kernel/pid.c: remove static qualifier from pidfd_create() Matthew Bobrowski
2021-05-20  2:10 ` [PATCH 2/5] kernel/pid.c: implement checks on parameters passed to pidfd_create() Matthew Bobrowski
2021-05-20  2:11 ` [PATCH 3/5] fanotify_user.c: minor cosmetic adjustments to fid labels Matthew Bobrowski
2021-05-20  2:11 ` [PATCH 4/5] fanotify/fanotify_user.c: introduce a generic info record copying function Matthew Bobrowski
2021-05-20 13:59   ` Amir Goldstein
2021-05-21  9:26     ` Matthew Bobrowski
2021-05-20  2:11 ` [PATCH 5/5] fanotify: Add pidfd info record support to the fanotify API Matthew Bobrowski
2021-05-20  8:17   ` Christian Brauner
2021-05-20 13:43     ` Amir Goldstein
2021-05-21  9:21       ` Matthew Bobrowski
2021-05-21  9:41         ` Amir Goldstein
2021-05-21 10:24           ` Jan Kara [this message]
2021-05-21 11:10             ` Amir Goldstein
2021-05-21 13:19               ` Jan Kara
2021-05-21 13:52                 ` Amir Goldstein
2021-05-21 15:14                   ` Jan Kara
2021-05-22  0:41                     ` Matthew Bobrowski
2021-05-22  9:01                       ` Amir Goldstein
2021-05-20 13:55 ` [PATCH 0/5] Add pidfd " Jan Kara
2021-05-21 10:15   ` Matthew Bobrowski
2021-05-21 10:40     ` Jan Kara
2021-05-21 23:32       ` Matthew Bobrowski
2021-05-24  8:47         ` Jan Kara
2021-05-25 10:31           ` Christian Brauner
2021-05-25 23:20             ` Matthew Bobrowski
2021-05-26 18:05               ` Christian Brauner
2021-05-26 22:54                 ` Matthew Bobrowski
2021-06-01 11:03                 ` Matthew Bobrowski
2021-06-01 11:46                   ` Christian Brauner
2021-06-02  6:30                     ` Matthew Bobrowski
2021-06-02  7:18                       ` Amir Goldstein
2021-06-02  8:48                         ` Christian Brauner
2021-06-02 10:56                           ` Matthew Bobrowski
2021-06-02 12:46                             ` Christian Brauner
2021-06-02 10:43                         ` Matthew Bobrowski
2021-06-02 12:18                           ` Amir Goldstein
2021-06-03  1:24                             ` Matthew Bobrowski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210521102418.GF18952@quack2.suse.cz \
    --to=jack@suse.cz \
    --cc=amir73il@gmail.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=repnop@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.