From: Jan Kara <jack@suse.cz>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Jan Kara <jack@suse.cz>,
Matthew Bobrowski <mbobrowski@mbobrowski.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] fanotify: fix permission model of unprivileged group
Date: Mon, 24 May 2021 12:02:51 +0200 [thread overview]
Message-ID: <20210524100251.GJ32705@quack2.suse.cz> (raw)
In-Reply-To: <20210522091916.196741-1-amir73il@gmail.com>
On Sat 22-05-21 12:19:16, Amir Goldstein wrote:
> Reporting event->pid should depend on the privileges of the user that
> initialized the group, not the privileges of the user reading the
> events.
>
> Use an internal group flag FANOTIFY_UNPRIV to record the fact the the
> group was initialized by an unprivileged user.
>
> To be on the safe side, the premissions to setup filesystem and mount
> marks now require that both the user that initialized the group and
> the user setting up the mark have CAP_SYS_ADMIN.
>
> Fixes: 7cea2a3c505e ("fanotify: support limited functionality for unprivileged users")
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> ---
>
> Jan,
>
> The original RFC [1] used the internal flag to check permissions for:
> 1. Reporting event->pid
> 2. Reporting event->fd
> 3. Setting up sb/mount marks
>
> Although we discussed only adding the check for #1, I left all those
> checks.
>
> The check for #2 is redundant, but it feels safer to be
> defensive to protect against leaked fds.
>
> The check for #3 was added in addition to the existing permission checks
> because it feels right. Let me know if you disagree.
>
> I've adjusted Matthew's LTP test [2] to check case #1.
Thanks! Modulo those language nits from Matthew the patch looks good to me.
Honza
> [1] https://lore.kernel.org/linux-fsdevel/20210124184204.899729-3-amir73il@gmail.com/
> [1] https://github.com/amir73il/ltp/commits/fanotify_unpriv
>
> fs/notify/fanotify/fanotify_user.c | 30 ++++++++++++++++++++++++------
> fs/notify/fdinfo.c | 2 +-
> include/linux/fanotify.h | 4 ++++
> 3 files changed, 29 insertions(+), 7 deletions(-)
>
> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> index 71fefb30e015..7df6cba4a06d 100644
> --- a/fs/notify/fanotify/fanotify_user.c
> +++ b/fs/notify/fanotify/fanotify_user.c
> @@ -424,11 +424,18 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
> * events generated by the listener process itself, without disclosing
> * the pids of other processes.
> */
> - if (!capable(CAP_SYS_ADMIN) &&
> + if (FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV) &&
> task_tgid(current) != event->pid)
> metadata.pid = 0;
>
> - if (path && path->mnt && path->dentry) {
> + /*
> + * For now, we require fid mode for unprivileged listener, which does
> + * record path events, but keep this check for safety in case we want
> + * to allow unprivileged listener to get events with no fd and no fid
> + * in the future.
> + */
> + if (!FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV) &&
> + path && path->mnt && path->dentry) {
> fd = create_fd(group, path, &f);
> if (fd < 0)
> return fd;
> @@ -1040,6 +1047,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
> int f_flags, fd;
> unsigned int fid_mode = flags & FANOTIFY_FID_BITS;
> unsigned int class = flags & FANOTIFY_CLASS_BITS;
> + unsigned int internal_flags = 0;
>
> pr_debug("%s: flags=%x event_f_flags=%x\n",
> __func__, flags, event_f_flags);
> @@ -1053,6 +1061,13 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
> */
> if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) || !fid_mode)
> return -EPERM;
> +
> + /*
> + * We set the internal flag FANOTIFY_UNPRIV on the group, so we
> + * know that we need to limit setting mount/filesystem marks on
> + * this group and avoid providing pid and open fd in the event.
> + */
> + internal_flags |= FANOTIFY_UNPRIV;
> }
>
> #ifdef CONFIG_AUDITSYSCALL
> @@ -1105,7 +1120,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
> goto out_destroy_group;
> }
>
> - group->fanotify_data.flags = flags;
> + group->fanotify_data.flags = flags | internal_flags;
> group->memcg = get_mem_cgroup_from_mm(current->mm);
>
> group->fanotify_data.merge_hash = fanotify_alloc_merge_hash();
> @@ -1305,11 +1320,13 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> group = f.file->private_data;
>
> /*
> - * An unprivileged user is not allowed to watch a mount point nor
> - * a filesystem.
> + * An unprivileged user is not allowed to setup mount point nor
> + * filesystem marks. It is not allowed to setup those marks for
> + * a group that was initialized by an unprivileged user.
> */
> ret = -EPERM;
> - if (!capable(CAP_SYS_ADMIN) &&
> + if ((!capable(CAP_SYS_ADMIN) ||
> + FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV)) &&
> mark_type != FAN_MARK_INODE)
> goto fput_and_out;
>
> @@ -1460,6 +1477,7 @@ static int __init fanotify_user_setup(void)
> max_marks = clamp(max_marks, FANOTIFY_OLD_DEFAULT_MAX_MARKS,
> FANOTIFY_DEFAULT_MAX_USER_MARKS);
>
> + BUILD_BUG_ON(FANOTIFY_INIT_FLAGS & FANOTIFY_INTERNAL_FLAGS);
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 10);
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
>
> diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
> index a712b2aaa9ac..57f0d5d9f934 100644
> --- a/fs/notify/fdinfo.c
> +++ b/fs/notify/fdinfo.c
> @@ -144,7 +144,7 @@ void fanotify_show_fdinfo(struct seq_file *m, struct file *f)
> struct fsnotify_group *group = f->private_data;
>
> seq_printf(m, "fanotify flags:%x event-flags:%x\n",
> - group->fanotify_data.flags,
> + group->fanotify_data.flags & FANOTIFY_INIT_FLAGS,
> group->fanotify_data.f_flags);
>
> show_fdinfo(m, f, fanotify_fdinfo);
> diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h
> index bad41bcb25df..f277d1c4e6b8 100644
> --- a/include/linux/fanotify.h
> +++ b/include/linux/fanotify.h
> @@ -51,6 +51,10 @@ extern struct ctl_table fanotify_table[]; /* for sysctl */
> #define FANOTIFY_INIT_FLAGS (FANOTIFY_ADMIN_INIT_FLAGS | \
> FANOTIFY_USER_INIT_FLAGS)
>
> +/* Internal flags */
> +#define FANOTIFY_UNPRIV 0x80000000
> +#define FANOTIFY_INTERNAL_FLAGS (FANOTIFY_UNPRIV)
> +
> #define FANOTIFY_MARK_TYPE_BITS (FAN_MARK_INODE | FAN_MARK_MOUNT | \
> FAN_MARK_FILESYSTEM)
>
> --
> 2.31.1
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
prev parent reply other threads:[~2021-05-24 10:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-22 9:19 [PATCH] fanotify: fix permission model of unprivileged group Amir Goldstein
2021-05-24 8:41 ` Matthew Bobrowski
2021-05-24 10:00 ` Jan Kara
2021-05-24 23:42 ` Matthew Bobrowski
2021-05-24 10:40 ` Amir Goldstein
2021-05-24 10:02 ` Jan Kara [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210524100251.GJ32705@quack2.suse.cz \
--to=jack@suse.cz \
--cc=amir73il@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mbobrowski@mbobrowski.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).