From: Aleksa Sarai <cyphar@cyphar.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Jeff Layton <jlayton@kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
Shuah Khan <shuah@kernel.org>,
David Howells <dhowells@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
Christian Brauner <christian@brauner.io>,
Eric Biederman <ebiederm@xmission.com>,
Tycho Andersen <tycho@tycho.ws>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org,
dev@opencontainers.org, containers@lists.linux-foundation.org
Subject: Re: [PATCH 0/3] namei: implement various scoping AT_* flags
Date: Sun, 30 Sep 2018 01:45:51 +1000 [thread overview]
Message-ID: <20180929154551.jsi6dt3xjxdxoqeh@ryuk> (raw)
In-Reply-To: <1EE20CA2-4C8B-4A80-B613-0277D92B376D@amacapital.net>
[-- Attachment #1: Type: text/plain, Size: 2381 bytes --]
On 2018-09-29, Andy Lutomirski <luto@amacapital.net> wrote:
> > The most obvious change is that AT_NO_JUMPS has been split as dicussed
> > in the original thread, along with a further split of AT_NO_PROCLINKS
> > which means that each individual property of AT_NO_JUMPS is now a
> > separate flag:
> >
> > * Path-based escapes from the starting-point using "/" or ".." are
> > blocked by AT_BENEATH.
>
> Seems useful.
>
> > * Mountpoint crossings are blocked by AT_XDEV.
>
> Seems useful.
>
> > * /proc/$pid/fd/$fd resolution is blocked by AT_NO_PROCLINKS (more
> > correctly it actually blocks any user of nd_jump_link() because it
> > allows out-of-VFS path resolution manipulation).
> >
>
> So how do I disable following symlinks? ISTM the most natural way
> would be to have AT_NO_SYMLINKS, and to have that flag disable proc
> links.
So, this patchset has both AT_NO_SYMLINKS and AT_NO_PROCLINKS.
* AT_NO_SYMLINKS blocks *all* symlinks (which is something Linus requested
in the original thread[2] -- apparently this is something that would
be useful to git even if wouldn't violate AT_BENEATH). This implies
AT_NO_PROCLINKS.
* AT_NO_PROCLINKS only blocks procfs-style "symlinks" (filesystem
"symlinks" that call nd_jump_link() themselves -- currently only
procfs and nsfs).
The reason why we need AT_NO_PROCLINKS is that "proclinks"[*] allow for
breaking-out of nd->root without a trivial way of detecting it (since
the filesystem can manipulate nd->path almost arbitrarily outside of the
control of VFS). Al Viro's original patchset[1] also blocked these but
it was all included within AT_NO_JUMPS.
Requiring you to block *all* symlinks in order to block "proclinks"
seems to be a bit overkill to me (especially if consider that
AT_THIS_ROOT|AT_NO_PROCLINKS is definitely a usecase most container
runtimes would be _very_ interested in -- while AT_NO_SYMLINKS will
cause issues with most distribution images).
[*]: Sorry for the awful naming, I'm not sure what the correct name is
(I've called them "super symlinks" in the past) -- if you have a
better name please let me know!
[1]: https://lwn.net/Articles/721443/
[2]: https://marc.info/?l=linux-kernel&m=149394765324531&w=2
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2018-09-29 15:46 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-29 10:34 [PATCH 0/3] namei: implement various scoping AT_* flags Aleksa Sarai
2018-09-29 10:34 ` [PATCH 1/3] namei: implement O_BENEATH-style " Aleksa Sarai
2018-09-29 14:48 ` Christian Brauner
2018-09-29 15:34 ` Aleksa Sarai
2018-09-30 4:38 ` Aleksa Sarai
2018-10-01 12:28 ` Jann Horn
2018-10-01 13:00 ` Christian Brauner
2018-10-01 16:04 ` Aleksa Sarai
2018-10-04 17:20 ` Christian Brauner
2018-09-29 13:15 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Aleksa Sarai
2018-09-29 13:15 ` [PATCH 3/3] selftests: vfs: add AT_* path resolution tests Aleksa Sarai
2018-09-29 16:35 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Jann Horn
2018-09-29 17:25 ` Andy Lutomirski
2018-10-01 9:46 ` Aleksa Sarai
2018-10-01 5:44 ` Aleksa Sarai
2018-10-01 10:13 ` Jann Horn
2018-10-01 16:18 ` Aleksa Sarai
2018-10-04 17:27 ` Christian Brauner
2018-10-01 10:42 ` Christian Brauner
2018-10-01 11:29 ` Jann Horn
2018-10-01 12:35 ` Christian Brauner
2018-10-01 13:55 ` Bruce Fields
2018-10-01 14:28 ` Andy Lutomirski
2018-10-02 7:32 ` Aleksa Sarai
2018-10-03 22:09 ` Andy Lutomirski
2018-10-06 20:56 ` Florian Weimer
2018-10-06 21:49 ` Christian Brauner
2018-10-01 14:00 ` Christian Brauner
2018-10-04 16:26 ` Aleksa Sarai
2018-10-04 17:31 ` Christian Brauner
2018-10-04 18:26 ` Jann Horn
2018-10-05 15:07 ` Aleksa Sarai
2018-10-05 15:55 ` Jann Horn
2018-10-06 2:10 ` Aleksa Sarai
2018-10-08 10:50 ` Jann Horn
2018-09-29 14:25 ` [PATCH 0/3] namei: implement various scoping AT_* flags Andy Lutomirski
2018-09-29 15:45 ` Aleksa Sarai [this message]
2018-09-29 16:34 ` Andy Lutomirski
2018-09-29 19:44 ` Matthew Wilcox
2018-09-29 14:38 ` Christian Brauner
2018-09-30 4:44 ` Aleksa Sarai
2018-09-30 13:54 ` Alban Crequy
2018-09-30 14:02 ` Christian Brauner
2018-09-30 19:45 ` Mickaël Salaün
2018-09-30 21:46 ` Jann Horn
2018-09-30 22:37 ` Mickaël Salaün
2018-10-01 20:14 ` James Morris
2018-10-01 4:08 ` Dave Chinner
2018-10-01 5:47 ` Aleksa Sarai
2018-10-01 6:14 ` Dave Chinner
2018-10-01 13:28 ` David Laight
2018-10-01 16:15 ` Aleksa Sarai
2018-10-03 13:21 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180929154551.jsi6dt3xjxdxoqeh@ryuk \
--to=cyphar@cyphar.com \
--cc=arnd@arndb.de \
--cc=bfields@fieldses.org \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=dev@opencontainers.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jlayton@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).