From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753731AbbKJPIg (ORCPT <rfc822;w@1wt.eu>);
	Tue, 10 Nov 2015 10:08:36 -0500
Received: from mx2.suse.de ([195.135.220.15]:54898 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753045AbbKJPIe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 10 Nov 2015 10:08:34 -0500
Date: Tue, 10 Nov 2015 16:08:29 +0100
From: Jan Kara <jack@suse.cz>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>,
        Theodore Tso <tytso@google.com>, Willy Tarreau <w@1wt.eu>,
        Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
        Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>,
        Seth Forshee <seth.forshee@canonical.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Serge Hallyn <serge.hallyn@canonical.com>,
        "security@kernel.org" <security@kernel.org>
Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids
Message-ID: <20151110150829.GC3156@quack.suse.cz>
References: <CAGXu5jKCCq4hs_nerQYMnC1frA3qKkCxxQTjpS2gw-7dPZAX+w@mail.gmail.com>
 <20151104065820.GF21740@1wt.eu>
 <CALCETrVKuAW=qYKsB_Dkmq2LDwSV1sdP8sKbuDcGzye3zn_e2A@mail.gmail.com>
 <CAGXu5jJ3yKaeWJb1b6aJTNJMrX1f+vTabMn3ATuz_cuksuXDog@mail.gmail.com>
 <CALCETrU3WyynfLmqf7Krb+veF=2AxXbd2o1p3R3caxqjXFYO=Q@mail.gmail.com>
 <CAGXu5jJUd5sZpRtx3EDgazp9G013FCJ=mwBbAOH=9Qb1TQXs_Q@mail.gmail.com>
 <CAGXu5jJH8VCbHcwLNaoDw5uxGcUzpckT6GJyp1u_wANfURwLhw@mail.gmail.com>
 <CALCETrVaB8saXsUrp-qfCAV=ocDfhAuM4PQ8pHjEStS4vDNF6w@mail.gmail.com>
 <CAGXu5j++4L3BLNPmBDwU9JA3UdqmFAWEKxDcveLOmJmxwgNiVA@mail.gmail.com>
 <20151108020206.GA3880@thunk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20151108020206.GA3880@thunk.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat 07-11-15 21:02:06, Ted Tso wrote:
> On Fri, Nov 06, 2015 at 09:05:57PM -0800, Kees Cook wrote:
> > >>>> They're certainly not used early enough -- we need to remove suid when
> > >>>> the page becomes writable via mmap (wp_page_shared), not when
> > >>>> writeback happens, or at least not only when writeback happens.
> > >>>
> > >>> Well, I'm shy about the change there. For example, we don't strip in
> > >>> on open(RDWR), just on write().
> > >>
> > >> I take it back. Hooking wp_page_shared looks expensive. :) Maybe we do
> > >> need to hook the mmap?
> > >
> > > But file_update_time already pokes at the same (or nearby) cachelines,
> > > I think -- why would it be expensive?  The whole thing could be
> > > guarded by if (unlikely(is setuid)), right?
> > 
> > Yeah, true. I added file_remove_privs calls near all the
> > file_update_time calls, to no effect. Added to wp_page_shared too,
> > nothing. Hmmm.
> 
> Why not put the the should_remove_suid() call in
> filemap_page_mkwrite(), or maybe do_page_mkwrite()?

page_mkwrite() callbacks are IMHO the right place for this check (and
change).  Just next to file_update_time() call. You get proper filesystem
freezing protection etc. As Ted properly mentions filemap_page_mkwrite() is
one place you want to hook into but quite a few filesystems (most notably
ext4, xfs, btrfs) overload ->page_mkwrite() callbacks to their own
functions so each filesystem that does this needs to be updated
separately...

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR