From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753305AbdF2OKW (ORCPT <rfc822;w@1wt.eu>);
        Thu, 29 Jun 2017 10:10:22 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:60437 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752864AbdF2OKN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Jun 2017 10:10:13 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
        Shuah Khan <shuahkh@osg.samsung.com>, Greg KH <greg@kroah.com>,
        Naresh Kamboju <naresh.kamboju@linaro.org>,
        "open list\:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        "linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Shuah Khan <shuah@kernel.org>
References: <CA+G9fYtpFW+SHcaWCgt5ZAvPx3PO3x3nM+oRBUiOiQPbHVmw=w@mail.gmail.com>
        <20170627151359.GA11756@kroah.com> <20170627151600.GB11756@kroah.com>
        <df3c647e-1724-bcbb-4467-22af0c3be6e7@osg.samsung.com>
        <CAGXu5jKhpCsCZ-4xUyYnBzmAQCi4=CnJKW5daqhZZMZRs-kkwg@mail.gmail.com>
        <CALCETrVJYwoLT6=kQx9fRXzv7eVvC6dBiSHowjHHRrDCDFGJ1A@mail.gmail.com>
Date: Thu, 29 Jun 2017 09:02:53 -0500
In-Reply-To: <CALCETrVJYwoLT6=kQx9fRXzv7eVvC6dBiSHowjHHRrDCDFGJ1A@mail.gmail.com>
        (Andy Lutomirski's message of "Wed, 28 Jun 2017 14:21:01 -0700")
Message-ID: <87fuei6gdu.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1dQa8y-00066A-UM;;;mid=<87fuei6gdu.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1+9wqbG0ZVDHjTFjc3pViRd9bD5dpdbeYk=
X-SA-Exim-Connect-IP: 67.3.213.87
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4999]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa08 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa08 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Andy Lutomirski <luto@kernel.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 5729 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.3 (0.0%), b_tie_ro: 1.59 (0.0%), parse: 0.64 (0.0%),
        extract_message_metadata: 14 (0.2%), get_uri_detail_list: 1.88 (0.0%),
        tests_pri_-1000: 5 (0.1%), tests_pri_-950: 0.89 (0.0%), tests_pri_-900: 0.73
        (0.0%), tests_pri_-400: 25 (0.4%), check_bayes: 24 (0.4%), b_tokenize: 7
        (0.1%), b_tok_get_all: 10 (0.2%), b_comp_prob: 2.1 (0.0%), b_tok_touch_all:
        3.1 (0.1%), b_finish: 0.60 (0.0%), tests_pri_0: 605 (10.6%),
        check_dkim_signature: 0.40 (0.0%), check_dkim_adsp: 123 (2.1%),
        tests_pri_500: 5073 (88.6%), poll_dns_idle: 5068 (88.5%), rewrite_mail: 0.00
        (0.0%)
Subject: Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Andy Lutomirski <luto@kernel.org> writes:

> On Tue, Jun 27, 2017 at 9:35 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Tue, Jun 27, 2017 at 4:16 PM, Shuah Khan <shuahkh@osg.samsung.com> wrote:
>>> On 06/27/2017 09:16 AM, Greg KH wrote:
>>>> On Tue, Jun 27, 2017 at 05:13:59PM +0200, Greg KH wrote:
>>>>> On Tue, Jun 27, 2017 at 02:10:32PM +0530, Naresh Kamboju wrote:
>>>>>> selftest capabilities test failed on linux mainline and linux-next and
>>>>>> PASS on linux-4.4.70+
>>>>>
>>>>> Odd.  Any chance you can use 'git bisect' to track down the offending
>>>>> commit?
>>>>>
>>>>> Does this also fail on x86 or any other platform you have available?
>>>>> Let me go try this on my laptop...
>>>>
>>>> Ok, Linus's current tree (4.12.0-rc7+) also fails on this.  I'm guessing
>>>> it's failing, it's hard to understand the output.  If only we had TAP
>>>> output for this test :)
>>>
>>> As far as the output, it isn't bad. Not TAP13 will help make it better.
>>> The problem seems to with the individual messages error/info. messages
>>> themselves. This test has the quality of a developer unit test and the
>>> messages could be improved for non-developer use.
>>>
>>> I ran the test on 4.11.8-rc1+ and 4.9.35-rc1 see the same failure.
>>> It would be difficult to bisect this since it spans multiple releases.
>>> I am hoping Andy can give us some insight.
>>
>> I bisected this to:
>>
>> commit 380cf5ba6b0a0b307f4afb62b186ca801defb203
>> Author: Andy Lutomirski <luto@amacapital.net>
>> Date:   Thu Jun 23 16:41:05 2016 -0500
>>
>>     fs: Treat foreign mounts as nosuid
>>
>> I assume the test needs updating, but I bet Andy knows for sure. I can
>> look into this more closely in the morning.
>
> Hi Eric-
>
> This is rather odd.  The selftest
> (tools/testing/selftests/capabilities/test_execve), run as root, fails
> on current kernels.  The failure is worked around by this:
>
> diff --git a/tools/testing/selftests/capabilities/test_execve.c
> b/tools/testing/selftests/capabilities/test_execve.c
> index 10a21a958aaf..6db60889b211 100644
> --- a/tools/testing/selftests/capabilities/test_execve.c
> +++ b/tools/testing/selftests/capabilities/test_execve.c
> @@ -139,8 +139,8 @@ static void chdir_to_tmpfs(void)
>         if (chdir(cwd) != 0)
>                 err(1, "chdir to private tmpfs");
>
> -       if (umount2(".", MNT_DETACH) != 0)
> -               err(1, "detach private tmpfs");
> +//     if (umount2(".", MNT_DETACH) != 0)
> +//             err(1, "detach private tmpfs");
>  }
>
>  static void copy_fromat_to(int fromfd, const char *fromname, const
> char *toname)
>
> I think this is due to the line:
>
> p->mnt_ns = NULL;
>
> in umount_tree().  The test is putting us into a situation in which
> our cwd has ->mnt_ns = NULL, which is making it act as if it's nosuid.
> I can imagine this breaking some weird user code (like my test!).  Is
> it a real problem, though?

That umount2(".", MNT_DETACH) creates a poor mans mount namespace in a
mount namespace.

I don't see why you would ever want to do that deliberately we have
mount namespaces.

Beyond that that is a very weird half cleaned up state.  We very
deliberately limit what you can do in that state.  It exists until all
of the references to the mounts are cleaned up.

I think it is very reasonable that we don't allow exec'ing a new
executable on an unmounted filesystem.  That could lead to all kinds of
non-sense.  I am not clever enough but I can imagine there might be an
attack on a suid executable in there somewhere.  Certainly we are
violating ordinary expectations of the starting condition of an
executable.  (AKA not living anywhere reachable with a path).

So even if this breaks userspace we have legitimate security reasons for
doing so in this case.

Eric