Subject: Re: [RFC 2/2] fs,proc: Respect FMODE_WRITE when opening /proc/pid/fd/N
From: David Herrmann
To: Andy Lutomirski
Cc: Pavel Machek, linux-kernel, linux-fsdevel, Alexander Viro, "Theodore Ts'o"
Date: Tue, 22 Apr 2014 18:44:22 +0200
References: <430cfc67aae9b9ad5eab4d293107285ad44c5fd9.1398097304.git.luto@amacapital.net> <20140422143152.GA23716@amd.pavel.ucw.cz>

Hi

On Tue, Apr 22, 2014 at 5:24 PM, Andy Lutomirski wrote:
> On Tue, Apr 22, 2014 at 8:19 AM, David Herrmann wrote:
>> In other words, the bug you describe is that /proc/pid/fd/ allows
>> access to objects without a reachable path to the only _real_
>> filesystem link. But isn't the same true for openat()?
>
> I don't think so. openat doesn't work on fds for things that aren't
> directories.

Sorry, I wasn't precise enough: I meant the same 'leak' occurs if you
keep a dir-fd on the directory in question _before_ it is set to 0600,
just like the example race keeps a file-fd to the file in question. So
after the directory is set to 0600 you can use that dir-fd via openat()
to avoid the whole path lookup, just like you do via /proc.

Thanks
David
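The path-lookup point David makes, as an added example that is not part of the thread: a dir-fd held on a subdirectory keeps resolving its entries through openat() after an ancestor directory is chmod'ed to 0600, because a mode change does not revoke descriptors that are already open, while the same file opened by full path is refused with EACCES for an unprivileged caller. Lookup of a component still needs search permission on the directory being searched (even when starting from a dir-fd), so the restriction is placed on the ancestor here; the temp-dir layout, struct and function name are constructed for this example.

```c
/* Added example (not from the thread): a dir-fd outlives a chmod on an ancestor. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
struct lookup_result {
    int via_dirfd;  /* 1 if openat(dirfd, "secret") succeeded after the chmod */
    int via_path;   /* 1 if open("<base>/inner/secret") succeeded after it */
    int path_errno; /* errno of the failed path lookup, 0 otherwise */
};
/* Builds <base>/inner/secret in a fresh temp dir (constructed layout).
 * Returns 0 on success, -1 if the scaffolding could not be created. */
int demo_dirfd_survives_chmod(struct lookup_result *r)
{
    char base[] = "/tmp/dirfd-demo-XXXXXX", inner[64], secret[80];
    if (!mkdtemp(base)) return -1;                   /* base is created 0700 */
    snprintf(inner, sizeof inner, "%s/inner", base);
    snprintf(secret, sizeof secret, "%s/secret", inner);
    if (mkdir(inner, 0700) < 0) return -1;
    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    /* Directory handle taken *before* the permission change. */
    int dirfd = open(inner, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    /* 0600 on the ancestor has no search (x) bit: path walks through it fail. */
    if (chmod(base, 0600) < 0) return -1;
    fd = openat(dirfd, "secret", O_RDONLY);           /* walk starts at inner */
    r->via_dirfd = fd >= 0;
    if (fd >= 0) close(fd);
    fd = open(secret, O_RDONLY);                      /* must traverse base */
    r->via_path = fd >= 0;
    r->path_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    chmod(base, 0700);                                /* restore for cleanup */
    unlink(secret); rmdir(inner); rmdir(base); close(dirfd);
    return 0;
}

int main(void)
{
    struct lookup_result r;
    if (demo_dirfd_survives_chmod(&r) < 0) { perror("setup"); return 1; }
    printf("via dir-fd: %s\n", r.via_dirfd ? "ok" : "refused");
    printf("via path:   %s\n", r.via_path ? "ok (privileged caller)" : strerror(r.path_errno));
    return 0;
}
```

Run as an ordinary user the path lookup reports "Permission denied" while the dir-fd lookup succeeds; with CAP_DAC_OVERRIDE (root) both succeed, which is why the mode bits alone are not a revocation mechanism.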