From: Amir Goldstein <amir73il@gmail.com>
To: Omar Sandoval <osandov@osandov.com>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Linux Btrfs <linux-btrfs@vger.kernel.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christoph Hellwig <hch@infradead.org>,
	Dave Chinner <david@fromorbit.com>, Jann Horn <jannh@google.com>,
	Aleksa Sarai <cyphar@cyphar.com>,
	Linux API <linux-api@vger.kernel.org>,
	kernel-team@fb.com
Subject: Re: [PATCH v6 02/11] fs: add O_ALLOW_ENCODED open flag
Date: Thu, 19 Nov 2020 09:02:53 +0200
Message-ID: <CAOQ4uxiaWAT6kOkxgMgeYEcOBMsc=HtmSwssMXg0Nn=rbkZRGA@mail.gmail.com>
In-Reply-To: <977fd16687d8b0474fd9c442f79c23f53783e403.1605723568.git.osandov@fb.com>

On Wed, Nov 18, 2020 at 9:18 PM Omar Sandoval <osandov@osandov.com> wrote:
>
> From: Omar Sandoval <osandov@fb.com>
>
> The upcoming RWF_ENCODED operation introduces some security concerns:
>
> 1. Compressed writes will pass arbitrary data to decompression
>    algorithms in the kernel.
> 2. Compressed reads can leak truncated/hole punched data.
>
> Therefore, we need to require privilege for RWF_ENCODED. It's not
> possible to do the permissions checks at the time of the read or write
> because, e.g., io_uring submits IO from a worker thread. So, add an open
> flag which requires CAP_SYS_ADMIN. It can also be set and cleared with
> fcntl(). The flag is not cleared in any way on fork or exec. It must be
> combined with O_CLOEXEC when opening to avoid accidental leaks (if
> needed, it may be set without O_CLOEXEC by using fcntl()).
>
> Note that the usual issue that unknown open flags are ignored doesn't
> really matter for O_ALLOW_ENCODED; if the kernel doesn't support
> O_ALLOW_ENCODED, then it doesn't support RWF_ENCODED, either.
>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
> ---
>  arch/alpha/include/uapi/asm/fcntl.h  |  1 +
>  arch/parisc/include/uapi/asm/fcntl.h |  1 +
>  arch/sparc/include/uapi/asm/fcntl.h  |  1 +
>  fs/fcntl.c                           | 10 ++++++++--
>  fs/namei.c                           |  4 ++++
>  fs/open.c                            |  7 +++++++
>  include/linux/fcntl.h                |  2 +-
>  include/uapi/asm-generic/fcntl.h     |  4 ++++
>  8 files changed, 27 insertions(+), 3 deletions(-)
>
> diff --git a/arch/alpha/include/uapi/asm/fcntl.h b/arch/alpha/include/uapi/asm/fcntl.h
> index 50bdc8e8a271..391e0d112e41 100644
> --- a/arch/alpha/include/uapi/asm/fcntl.h
> +++ b/arch/alpha/include/uapi/asm/fcntl.h
> @@ -34,6 +34,7 @@
>
>  #define O_PATH         040000000
>  #define __O_TMPFILE    0100000000
> +#define O_ALLOW_ENCODED        0200000000
>
>  #define F_GETLK                7
>  #define F_SETLK                8
> diff --git a/arch/parisc/include/uapi/asm/fcntl.h b/arch/parisc/include/uapi/asm/fcntl.h
> index 03dee816cb13..72ea9bdf5f04 100644
> --- a/arch/parisc/include/uapi/asm/fcntl.h
> +++ b/arch/parisc/include/uapi/asm/fcntl.h
> @@ -19,6 +19,7 @@
>
>  #define O_PATH         020000000
>  #define __O_TMPFILE    040000000
> +#define O_ALLOW_ENCODED        100000000
>
>  #define F_GETLK64      8
>  #define F_SETLK64      9
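Review bot: the new literal on the `+#define O_ALLOW_ENCODED` line has no leading 0, so as written it is decimal 100000000 (0x5F5E100), a multi-bit value overlapping the low flag bits rather than the single bit above `__O_TMPFILE 040000000`. Its neighbours are octal; this should be `0100000000`. The HWEIGHT32 BUILD_BUG_ON in fcntl_init() would trip on a parisc build, but the header should be right on its own.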
> diff --git a/arch/sparc/include/uapi/asm/fcntl.h b/arch/sparc/include/uapi/asm/fcntl.h
> index 67dae75e5274..ac3e8c9cb32c 100644
> --- a/arch/sparc/include/uapi/asm/fcntl.h
> +++ b/arch/sparc/include/uapi/asm/fcntl.h
> @@ -37,6 +37,7 @@
>
>  #define O_PATH         0x1000000
>  #define __O_TMPFILE    0x2000000
> +#define O_ALLOW_ENCODED        0x8000000
>
>  #define F_GETOWN       5       /*  for sockets. */
>  #define F_SETOWN       6       /*  for sockets. */
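Review bot: the sparc value 0x8000000 skips 0x4000000, the bit right after `__O_TMPFILE 0x2000000`. That is presumably deliberate, since the BUILD_BUG_ON in fcntl_init() shows `__FMODE_NONOTIFY` living in the same bit space as the open flags, but nothing on the line says so; a one-line comment next to the define (or a sentence in the commit message) would stop the next person from "fixing" it to 0x4000000.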
> diff --git a/fs/fcntl.c b/fs/fcntl.c
> index 19ac5baad50f..9302f68fe698 100644
> --- a/fs/fcntl.c
> +++ b/fs/fcntl.c
> @@ -30,7 +30,8 @@
>  #include <asm/siginfo.h>
>  #include <linux/uaccess.h>
>
> -#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> +#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME | \
> +                   O_ALLOW_ENCODED)
>
>  static int setfl(int fd, struct file * filp, unsigned long arg)
>  {
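Review bot: putting O_ALLOW_ENCODED in SETFL_MASK makes F_SETFL both the set and the clear path, and clearing is unprivileged: any holder of the fd that calls F_SETFL with a value lacking the bit drops it, while the usual `fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK)` idiom carries it along. The commit message only says it "can also be set and cleared with fcntl()"; the man page should spell out that clearing needs no privilege and that F_GETFL reports the bit.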
> @@ -49,6 +50,11 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
>                 if (!inode_owner_or_capable(inode))
>                         return -EPERM;
>
> +       /* O_ALLOW_ENCODED can only be set by superuser */
> +       if ((arg & O_ALLOW_ENCODED) && !(filp->f_flags & O_ALLOW_ENCODED) &&
> +           !capable(CAP_SYS_ADMIN))
> +               return -EPERM;
> +
>         /* required for strict SunOS emulation */
>         if (O_NONBLOCK != O_NDELAY)
>                if (arg & O_NDELAY)
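Review bot: the comment says "superuser" but the test is `capable(CAP_SYS_ADMIN)`, i.e. CAP_SYS_ADMIN in the initial user namespace; say that, since it also answers whether a container root can set the flag (it cannot). The `!(filp->f_flags & O_ALLOW_ENCODED)` clause is what keeps the F_GETFL/F_SETFL round trip working for an unprivileged holder of an already privileged fd; that looks intended, but it is the one place the flag is re-granted without a capability check and deserves a line in the comment.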
> @@ -1033,7 +1039,7 @@ static int __init fcntl_init(void)
>          * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
>          * is defined as O_NONBLOCK on some platforms and not on others.
>          */
> -       BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=
> +       BUILD_BUG_ON(22 - 1 /* for O_RDONLY being 0 */ !=
>                 HWEIGHT32(
>                         (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
>                         __FMODE_EXEC | __FMODE_NONOTIFY));
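Review bot: this bump is the only compile-time check that every arch's O_ALLOW_ENCODED is one fresh bit, and it only counts the new flag if the include/linux/fcntl.h change in the diffstat (not quoted above) adds it to VALID_OPEN_FLAGS. Worth a sentence in the commit message, since a wrong per-arch literal, such as the parisc value as quoted above, surfaces here as a build failure in fs/fcntl.c rather than at the header that caused it.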
> diff --git a/fs/namei.c b/fs/namei.c
> index d4a6dd772303..fbf64ce61088 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2890,6 +2890,10 @@ static int may_open(const struct path *path, int acc_mode, int flag)
>         if (flag & O_NOATIME && !inode_owner_or_capable(inode))
>                 return -EPERM;
>
> +       /* O_ALLOW_ENCODED can only be set by superuser */
> +       if ((flag & O_ALLOW_ENCODED) && !capable(CAP_SYS_ADMIN))
> +               return -EPERM;
> +
>         return 0;
>  }
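Review bot: the capability is checked once, at open(); after that the grant lives in f_flags, so the open file description keeps encoded I/O rights when it reaches an unprivileged process by fork, by SCM_RIGHTS, or across exec once FD_CLOEXEC has been cleared. The commit message mentions fork and exec only; the man page should state that the privilege attaches to the open file description, not to the caller. Same wording nit as in setfl(): "superuser" should read CAP_SYS_ADMIN.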
>
> diff --git a/fs/open.c b/fs/open.c
> index 9af548fb841b..f2863aaf78e7 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -1040,6 +1040,13 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op)
>                 acc_mode = 0;
>         }
>
> +       /*
> +        * O_ALLOW_ENCODED must be combined with O_CLOEXEC to avoid accidentally
> +        * leaking encoded I/O privileges.
> +        */
> +       if ((how->flags & (O_ALLOW_ENCODED | O_CLOEXEC)) == O_ALLOW_ENCODED)
> +               return -EINVAL;
> +
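Review bot: this rejects a missing O_CLOEXEC only at open() time; FD_CLOEXEC is a per-descriptor flag that F_SETFD can clear and that dup() and F_DUPFD do not copy, so the check covers the accidental exec-inheritance case and nothing more, as the commit message's fcntl() escape hatch already admits. On the documentation side, openat2() also returns EINVAL for an unknown flag, so a caller cannot tell "kernel lacks O_ALLOW_ENCODED" from "forgot O_CLOEXEC"; the man page ERRORS section should list EINVAL with this meaning.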


dup() can also result in an accidental leak.
We could fail dup() of an fd without O_CLOEXEC. Should we?

If we should, then what error code should it be? We could return EPERM,
but since we do allow clearing O_CLOEXEC or setting O_ALLOW_ENCODED
after open, EPERM seems a tad harsh.
EINVAL seems inappropriate because the error has nothing to do with
the input args of dup(), and EBADF would also be confusing.

Thanks,
Amir.
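As an added example (not code from the patch, nor from anyone in this thread), the following C program checks on a stock kernel what the dup() concern above rests on: FD_CLOEXEC belongs to the descriptor, not to the open file description, so dup() and F_DUPFD copies come back without it and only F_DUPFD_CLOEXEC keeps it. It opens /dev/null as a stand-in for a file that would carry O_ALLOW_ENCODED (the flag itself is not used, since it exists only in this patch series), and it also exercises the F_GETFL/F_SETFL round trip that the `!(filp->f_flags & O_ALLOW_ENCODED)` exemption in setfl() is there to keep working, using O_APPEND as the flag that has to survive.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Added example, not part of the patch or the thread.  /dev/null stands in
 * for a file opened with a privileged status flag; O_ALLOW_ENCODED itself
 * is not defined on any released kernel and is not used here.
 */

enum dup_method { DUP_PLAIN, DUP_F_DUPFD, DUP_F_DUPFD_CLOEXEC };

/* 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
int has_cloexec(int fd)
{
	int fdflags = fcntl(fd, F_GETFD);

	if (fdflags < 0)
		return -1;
	return (fdflags & FD_CLOEXEC) ? 1 : 0;
}

/*
 * Open /dev/null with O_CLOEXEC, duplicate it with the requested method and
 * report whether the copy still has FD_CLOEXEC (1/0), or -1 on error.
 */
int cloexec_after_dup(enum dup_method how)
{
	int fd, copy, ret = -1;

	fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	if (has_cloexec(fd) != 1)
		goto out_fd;	/* the original must start out close-on-exec */

	switch (how) {
	case DUP_PLAIN:
		copy = dup(fd);			/* POSIX: FD_CLOEXEC is not copied */
		break;
	case DUP_F_DUPFD:
		copy = fcntl(fd, F_DUPFD, 0);	/* same rule as dup() */
		break;
	case DUP_F_DUPFD_CLOEXEC:
		copy = fcntl(fd, F_DUPFD_CLOEXEC, 0);	/* copy with FD_CLOEXEC set */
		break;
	default:
		copy = -1;
	}
	if (copy < 0)
		goto out_fd;
	ret = has_cloexec(copy);
	close(copy);
out_fd:
	close(fd);
	return ret;
}

/*
 * The usual F_GETFL/F_SETFL idiom for adding O_NONBLOCK.  Returns 1 if the
 * pre-existing status flag (O_APPEND here) survives the round trip, 0 if it
 * was dropped, -1 on error.  Under the patch, O_ALLOW_ENCODED would ride
 * along in exactly the same way, which is why setfl() only asks for
 * CAP_SYS_ADMIN when the flag is being newly set.
 */
int setfl_roundtrip_keeps_append(void)
{
	int fd, flags, ret = -1;

	fd = open("/dev/null", O_WRONLY | O_APPEND | O_CLOEXEC);
	if (fd < 0)
		return -1;
	flags = fcntl(fd, F_GETFL);
	if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
		goto out;
	flags = fcntl(fd, F_GETFL);
	if (flags < 0)
		goto out;
	ret = ((flags & (O_APPEND | O_NONBLOCK)) == (O_APPEND | O_NONBLOCK)) ? 1 : 0;
out:
	close(fd);
	return ret;
}

int main(void)
{
	printf("dup():            cloexec=%d\n", cloexec_after_dup(DUP_PLAIN));
	printf("F_DUPFD:          cloexec=%d\n", cloexec_after_dup(DUP_F_DUPFD));
	printf("F_DUPFD_CLOEXEC:  cloexec=%d\n", cloexec_after_dup(DUP_F_DUPFD_CLOEXEC));
	printf("F_GETFL/F_SETFL round trip keeps O_APPEND: %d\n",
	       setfl_roundtrip_keeps_append());
	return 0;
}
```

The first two probes come back 0 and the third 1, which is the whole of the dup() problem: a rule enforced on the open() flags cannot reach descriptors created later, and a kernel-side dup() failure would be the only way to close that gap from the kernel. The round-trip probe returns 1 and shows why setfl() must exempt an already-set bit, since otherwise the ubiquitous F_GETFL-or-F_SETFL pattern would start failing with EPERM for any unprivileged holder of such an fd.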


Thread overview: 44+ messages
2020-11-18 19:18 [PATCH v6 00/11] fs: interface for directly reading/writing compressed data Omar Sandoval
2020-11-18 19:18 ` [PATCH man-pages v6] Document encoded I/O Omar Sandoval
2020-11-19 23:29   ` Alejandro Colomar (mailing lists; readonly)
2020-11-20 14:06     ` Alejandro Colomar (man-pages)
2020-11-20 15:03       ` Alejandro Colomar (man-pages)
2020-11-30 19:35         ` Omar Sandoval
2020-12-01 14:36         ` Ping: " Alejandro Colomar (man-pages)
2020-12-01 20:12         ` Michael Kerrisk (man-pages)
2020-12-01 20:20           ` Michael Kerrisk (man-pages)
2020-12-01 21:35             ` Alejandro Colomar (man-pages)
2020-12-01 21:56               ` Michael Kerrisk (man-pages)
2020-12-18 10:32                 ` Ping: " Alejandro Colomar (man-pages)
2021-01-12  1:12                   ` Omar Sandoval
2020-12-01 20:21           ` G. Branden Robinson
2020-12-01 21:34             ` Alejandro Colomar (man-pages)
2020-12-01 21:58             ` Michael Kerrisk (man-pages)
2020-11-18 19:18 ` [PATCH v6 01/11] iov_iter: add copy_struct_from_iter() Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 02/11] fs: add O_ALLOW_ENCODED open flag Omar Sandoval
2020-11-19  7:02   ` Amir Goldstein [this message]
2020-11-20 23:41     ` Jann Horn
2020-11-30 19:26       ` Omar Sandoval
2020-12-01  8:15         ` Amir Goldstein
2020-12-01 20:31           ` Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 03/11] fs: add RWF_ENCODED for reading/writing compressed data Omar Sandoval
2020-11-19  7:38   ` Amir Goldstein
2021-01-11 23:06     ` Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 04/11] btrfs: fix btrfs_write_check() Omar Sandoval
2020-11-23 17:08   ` David Sterba
2020-11-30 19:18     ` Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 05/11] btrfs: fix check_data_csum() error message for direct I/O Omar Sandoval
2020-11-23 17:09   ` David Sterba
2020-11-30 19:20     ` Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 06/11] btrfs: don't advance offset for compressed bios in btrfs_csum_one_bio() Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 07/11] btrfs: add ram_bytes and offset to btrfs_ordered_extent Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 08/11] btrfs: support different disk extent size for delalloc Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 09/11] btrfs: optionally extend i_size in cow_file_range_inline() Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 10/11] btrfs: implement RWF_ENCODED reads Omar Sandoval
2020-12-03 14:32   ` Josef Bacik
2021-01-11 20:21     ` Omar Sandoval
2021-01-11 20:35       ` Josef Bacik
2021-01-11 20:58         ` Omar Sandoval
2020-11-18 19:18 ` [PATCH v6 11/11] btrfs: implement RWF_ENCODED writes Omar Sandoval
2020-12-02 22:03   ` Josef Bacik
2020-12-03 14:37   ` Josef Bacik
