From: Andy Lutomirski <luto@amacapital.net>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Willy Tarreau <w@1wt.eu>, Ingo Molnar <mingo@kernel.org>,
"security@kernel.org" <security@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Brad Spengler <spender@grsecurity.net>
Subject: Re: [RFC PATCH] fs: Add user_file_or_path_at and use it for truncate
Date: Wed, 28 Aug 2013 12:04:43 -0700 [thread overview]
Message-ID: <CALCETrUemSDkci_Z=MaZtU9x8ns-4UFwOSn_HNy_2hpQAOf+-Q@mail.gmail.com> (raw)
In-Reply-To: <20130828061623.GJ27005@ZenIV.linux.org.uk>
On Tue, Aug 27, 2013 at 11:16 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Tue, Aug 27, 2013 at 01:28:27PM -0700, Andy Lutomirski wrote:
>> There are also O_PATH fds, and I'm not sure what the semantics of
>> O_PATH fds are or should be when they refer to something other than a
>> directory.
>
> O_PATH file just points to specific location in the tree, no more and
> no less.
I don't know whether ftruncate(some O_PATH fd) should work. But this
probably barely matters.
>
> g) name_to_handle_at(). Not sure if we need any capability checks, but
> we definitely don't give a damn about the way file had been opened.
open_by_handle(name_to_handle(read-only fd)) is dangerous for the same
reason that open("/proc/self/fd/N", O_RDWR) is, but the capability
checks have that covered.
>
> h) one case in quotactl(). With CAP_SYS_ADMIN required. If attacker got
> that, it's too fucking late anyway.
>
> i) fstatat() and friends, statfs(), utimes() et.al, {set,get,list,remove}xattr()
> - no difference in checks between pathname- and descriptor-based calls
> anyway. Please, note that for fsetxattr() we do *NOT* require the file
> to be opened for write; adding such requirement would be a user-visible
> API change, and one fairly likely to break stuff, at that.
Sigh. I wonder if that was deliberate. Anyway, it is what it is.
>
> j) umount() and pivot_root(). We really don't care how the file had been
> opened, and attacker capable of playing with that can do a lot more.
>
> k) inotify_add_watch()/fanotify_mark(). No descriptor-based versions,
> no permission checks other than "may read whatever we ended up with".
> I really doubt that we care about the way fd had been opened in case
> of /proc/<pid>/fd/<fd>.
>
> l) truncate() mess.
>
> m) open() mess.
>
> AFAICS, the *only* cases when we might possibly care are linkat() target,
> truncate() and open(). Note, BTW, that right now we *do* allow an attempt
> to reopen a file via procfs symlink r/w, even when file had been r/o.
> It's subject to permissions on the object being opened, but that's it.
>
> I'm not sure we can change that - again, it's a user-visible API, and
> the change is very likely to break some scripts. In fact, it's about
> as dangerous as a full-blown switch to dup-style semantics for procfs
> opens, and it's a lot less attractive.
>
> For truncate() we would only need to have FMODE_WRITE reported, more or
> less the same way as FMODE_FLINK. And without open() changes it doesn't
> buy us anything at all...
>
> I've no problem with unrolling the user_path_at() in do_sys_truncate()
> into an explicit loop by trailing symlinks and checking for indication
> left by proc_pid_follow_link(), more or less the same way as with
> LOOKUP_LINK in lookup_last(). It's _far_ less invasive than playing
> with "oh, here we fill a struct path or maybe a struct file" horrors,
> pinning struct file for no reason, etc.
>
> AFAICS, the real question is whether we dare to change open() behaviour on
> /proc/*/fd/*. I've played with that a bit and I believe that I can do
> the switch to dup-style with very localized changes in fs/namei.c and
> fs/proc/{base,fd}.c. Will be even binary compatible kernel-side -
> ->atomic_open() returns NULL/ERR_PTR where it used to return 0/-error,
> not that we had many instances to convert. *IF* that variant is not
> out of consideration for userland API stability reasons, I would certainly
> prefer to go that way; turns out that these days we can pull it off without
> black magic in descriptor handling, etc. Linus?
I personally find the check-mode-but-get-a-new-struct-file version to
be less weird that the dup approach. Either approach will break
scripts that try to write to /dev/stdin (which is the whole point).
--Andy
next prev parent reply other threads:[~2013-08-28 19:04 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-21 19:14 [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Andy Lutomirski
[not found] ` <CA+55aFxi-ps2f2M8xPhfbuQ0pToqupPrDsLi2+GPUK2sqdYfUw@mail.gmail.com>
[not found] ` <CALCETrW7+LcexA6v6RQDKhni_yJAduOmiSDneCpq3v8sPDvwUQ@mail.gmail.com>
2013-08-21 20:16 ` Willy Tarreau
2013-08-22 18:48 ` Linus Torvalds
2013-08-22 18:53 ` Willy Tarreau
2013-08-22 19:05 ` Andy Lutomirski
2013-08-22 19:23 ` Linus Torvalds
2013-08-22 20:10 ` Andy Lutomirski
2013-08-22 20:15 ` Willy Tarreau
2013-08-22 20:22 ` Andy Lutomirski
2013-08-22 20:44 ` Linus Torvalds
2013-08-22 20:48 ` Andy Lutomirski
2013-08-22 20:54 ` Linus Torvalds
2013-08-22 20:58 ` Andy Lutomirski
2013-08-23 1:07 ` Al Viro
2013-08-25 3:37 ` Al Viro
2013-08-25 7:26 ` Andy Lutomirski
2013-08-25 14:23 ` Al Viro
2013-08-25 17:04 ` Andy Lutomirski
2013-08-25 19:57 ` Linus Torvalds
2013-08-25 20:06 ` Al Viro
2013-08-25 20:23 ` Linus Torvalds
2013-08-26 17:37 ` Linus Torvalds
2013-08-26 18:07 ` Linus Torvalds
2013-08-26 18:11 ` Andy Lutomirski
2013-08-27 19:16 ` [RFC PATCH] fs: Add user_file_or_path_at and use it for truncate Andy Lutomirski
2013-08-27 19:32 ` Linus Torvalds
2013-08-27 20:28 ` Andy Lutomirski
2013-08-28 6:16 ` Al Viro
2013-08-28 16:24 ` Linus Torvalds
2013-08-28 19:04 ` Andy Lutomirski [this message]
2013-08-28 19:59 ` Al Viro
2013-08-28 21:07 ` Andy Lutomirski
2013-08-27 23:08 ` Al Viro
2013-08-27 23:13 ` Andy Lutomirski
2013-08-24 18:29 ` /proc/pid/fd && anon_inode_fops Oleg Nesterov
2013-08-24 21:24 ` Willy Tarreau
2013-08-25 5:23 ` Al Viro
2013-08-25 6:50 ` Willy Tarreau
2013-08-25 18:51 ` Linus Torvalds
2013-08-25 19:48 ` Oleg Nesterov
2013-08-25 20:05 ` Linus Torvalds
2013-08-26 15:33 ` Oleg Nesterov
2013-08-26 16:37 ` Oleg Nesterov
2013-08-26 17:54 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:09 ` Linus Torvalds
2013-08-26 19:35 ` Linus Torvalds
2013-08-26 20:20 ` Willy Tarreau
2013-08-27 15:05 ` Oleg Nesterov
2013-08-27 14:39 ` [PATCH 0/1] proc: make /proc/self point to thread Oleg Nesterov
2013-08-27 14:40 ` [PATCH 1/1] " Oleg Nesterov
2013-08-27 16:39 ` Linus Torvalds
2013-08-27 17:49 ` Oleg Nesterov
2013-08-27 18:15 ` Linus Torvalds
2013-08-27 18:28 ` Oleg Nesterov
[not found] ` <CALCETrXP-mYBPRon=0NzexW1FK1Qxz2+Bwv7-WeHBQpvW7ywRg@mail.gmail.com>
2013-08-27 15:45 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:32 ` Eric W. Biederman
2013-08-26 18:46 ` Oleg Nesterov
2013-08-26 18:56 ` Oleg Nesterov
2013-08-26 19:10 ` Eric W. Biederman
2013-08-27 14:53 ` Oleg Nesterov
2013-08-25 18:32 ` /proc/pid/fd && anon_inode_fops Linus Torvalds
2013-08-25 19:11 ` Al Viro
2013-08-25 19:17 ` Andy Lutomirski
2013-09-03 15:58 ` Pavel Machek
2013-08-25 15:45 ` Oleg Nesterov
2013-08-22 19:39 ` [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrUemSDkci_Z=MaZtU9x8ns-4UFwOSn_HNy_2hpQAOf+-Q@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=security@kernel.org \
--cc=spender@grsecurity.net \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).