From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753483AbbKHCCY (ORCPT <rfc822;w@1wt.eu>);
	Sat, 7 Nov 2015 21:02:24 -0500
Received: from imap.thunk.org ([74.207.234.97]:48009 "EHLO imap.thunk.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751802AbbKHCCU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sat, 7 Nov 2015 21:02:20 -0500
Date: Sat, 7 Nov 2015 21:02:06 -0500
From: "Theodore Ts'o" <tytso@mit.edu>
To: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>, Theodore Tso <tytso@google.com>,
        Willy Tarreau <w@1wt.eu>, Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
        Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>,
        Seth Forshee <seth.forshee@canonical.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Serge Hallyn <serge.hallyn@canonical.com>,
        "security@kernel.org" <security@kernel.org>
Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids
Message-ID: <20151108020206.GA3880@thunk.org>
Mail-Followup-To: Theodore Ts'o <tytso@mit.edu>,
	Kees Cook <keescook@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Theodore Tso <tytso@google.com>, Willy Tarreau <w@1wt.eu>,
	Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
	Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
	Serge Hallyn <serge.hallyn@ubuntu.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	"security@kernel.org" <security@kernel.org>
References: <20151104002132.010ccd1d@rsjtdrjgfuzkfg.com>
 <CAGXu5jKCCq4hs_nerQYMnC1frA3qKkCxxQTjpS2gw-7dPZAX+w@mail.gmail.com>
 <20151104065820.GF21740@1wt.eu>
 <CALCETrVKuAW=qYKsB_Dkmq2LDwSV1sdP8sKbuDcGzye3zn_e2A@mail.gmail.com>
 <CAGXu5jJ3yKaeWJb1b6aJTNJMrX1f+vTabMn3ATuz_cuksuXDog@mail.gmail.com>
 <CALCETrU3WyynfLmqf7Krb+veF=2AxXbd2o1p3R3caxqjXFYO=Q@mail.gmail.com>
 <CAGXu5jJUd5sZpRtx3EDgazp9G013FCJ=mwBbAOH=9Qb1TQXs_Q@mail.gmail.com>
 <CAGXu5jJH8VCbHcwLNaoDw5uxGcUzpckT6GJyp1u_wANfURwLhw@mail.gmail.com>
 <CALCETrVaB8saXsUrp-qfCAV=ocDfhAuM4PQ8pHjEStS4vDNF6w@mail.gmail.com>
 <CAGXu5j++4L3BLNPmBDwU9JA3UdqmFAWEKxDcveLOmJmxwgNiVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5j++4L3BLNPmBDwU9JA3UdqmFAWEKxDcveLOmJmxwgNiVA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 06, 2015 at 09:05:57PM -0800, Kees Cook wrote:
> >>>> They're certainly not used early enough -- we need to remove suid when
> >>>> the page becomes writable via mmap (wp_page_shared), not when
> >>>> writeback happens, or at least not only when writeback happens.
> >>>
> >>> Well, I'm shy about the change there. For example, we don't strip in
> >>> on open(RDWR), just on write().
> >>
> >> I take it back. Hooking wp_page_shared looks expensive. :) Maybe we do
> >> need to hook the mmap?
> >
> > But file_update_time already pokes at the same (or nearby) cachelines,
> > I think -- why would it be expensive?  The whole thing could be
> > guarded by if (unlikely(is setuid)), right?
> 
> Yeah, true. I added file_remove_privs calls near all the
> file_update_time calls, to no effect. Added to wp_page_shared too,
> nothing. Hmmm.

Why not put the the should_remove_suid() call in
filemap_page_mkwrite(), or maybe do_page_mkwrite()?

Cheers,

					- Ted