From: Aleksa Sarai <firstname.lastname@example.org> To: Kees Cook <email@example.com> Cc: Andy Lutomirski <firstname.lastname@example.org>, Al Viro <email@example.com>, Jeff Layton <firstname.lastname@example.org>, "J. Bruce Fields" <email@example.com>, Arnd Bergmann <firstname.lastname@example.org>, David Howells <email@example.com>, Eric Biederman <firstname.lastname@example.org>, Jann Horn <email@example.com>, Christian Brauner <firstname.lastname@example.org>, David Drysdale <email@example.com>, Tycho Andersen <firstname.lastname@example.org>, Linux Containers <email@example.com>, Linux FS Devel <firstname.lastname@example.org>, Linux API <email@example.com>, Andrew Morton <firstname.lastname@example.org>, Alexei Starovoitov <email@example.com>, Chanho Min <firstname.lastname@example.org>, Oleg Nesterov <email@example.com>, Aleksa Sarai <firstname.lastname@example.org>, Linus Torvalds <email@example.com>, LKML <firstname.lastname@example.org>, linux-arch <email@example.com> Subject: Re: [PATCH RESEND v5 0/5] namei: vfs flags to restrict path resolution Date: Thu, 25 Apr 2019 01:38:06 +1000 [thread overview] Message-ID: <20190424153806.64qkkmkudzodxnz2@yavin> (raw) In-Reply-To: <CAGXu5jKPrarixQkWWXOBCu6kRRpQd0aaJsPJbvsAyh0Wvc620A@mail.gmail.com> [-- Attachment #1: Type: text/plain, Size: 3814 bytes --] On 2019-04-23, Kees Cook <firstname.lastname@example.org> wrote: > On Mon, Mar 25, 2019 at 6:05 AM Aleksa Sarai <email@example.com> wrote: > > On 2019-03-21, Andy Lutomirski <firstname.lastname@example.org> wrote: > > > On Wed, Mar 20, 2019 at 7:38 AM Aleksa Sarai <email@example.com> wrote: > > > > Now that the holiday break is over, it's time to re-send this patch > > > > series (with a few additions, due to new information we got from > > > > CVE-2019-5736 -- which this patchset mostly protected against but had > > > > some holes with regards to #!-style scripts). > > > > > > I generally like this, but, as Linus pointed out, it will be > > > unfortunate if application authors see this as just another > > > non-portable weird Linux API and don't use it. Would it be worthwhile > > > to put some thought into making it an API that other OSes might be > > > willing to implement? As it stands, the openat(2) flags are getting > > > rather crazy in this patch set. > > I think many of the issues are specific to Linux (and Linux containers > especially), so I'm not sure this should get blocked because we want > something more portable. I agree these issues are quite Linux-specific (*especially* the ability to re-open fds through /proc and the existence of "magic links"). However, I feel there are a few more good reasons for resolveat(2): * openat(2) ignores unknown flags, meaning that old kernels will ignore new programs trying to use O_THISROOT and might end up causing security issues. Yes, it'd be trivial to check whether the new O_* flags are supported at start-up, but I think a security feature shouldn't have a foot-gun associated with it. In fact, I didn't know openat(2) ignored unknown flags until I wrote this patchset -- I doubt many other userspace developers do either. * resolveat(2) allows for improvement to the O_PATH interface, which I think might be necessary (completely separately to this patchset). I've been working on a patchset which would make nd_jump_link() transitions in trailing_symlink() depend on the mode of the magic link being traversed through (this would allow us to block a read-only fd being re-opened as a read-write fd or similar such nonsense). One aspect of this could be to allow userspace to enable certain re-opening operations by passing a "link mode" to resolveat(2). * I would argue that O_PATH should've been a separate syscall from the beginning, given how different its semantics are to other openat(2) flags (not to mention how O_PATH is incompatible with and thus ignores so many other openat(2) flags). * If we end up needing a resolveat(2) for any of the above reasons, then we will have wasted quite a few openat(2) flag slots for naught. (Then again, there are plenty of flag slots still left.) All of that aside, what I'd really like to know is what I should do to get this patchset reviewed and merged. It's been largely radio-silence for the last few revisions. A simple resolveat(2) is fairly trivial (I have a version of it lying around somewhere), but it doesn't make sense to polish it if there's no chance Al is interested in it. > This series provides solutions to so many different race and confusion > issues, I'd really like to see it land. What's the next step here? Is > this planned to go directly to Linus for v5.2, or is it going to live > in -mm for a while? I'd really like to see this moving forward. Given some of the security requirements of this interface, I think getting it to live in -mm wouldn't be a bad idea so folks can shake the bugs out before it's depended on by container runtimes. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/> [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2019-04-24 15:38 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-03-20 14:37 Aleksa Sarai 2019-03-20 14:37 ` [PATCH RESEND v5 1/5] namei: split out nd->dfd handling to dirfd_path_init Aleksa Sarai 2019-03-20 14:37 ` [PATCH RESEND v5 2/5] namei: O_BENEATH-style path resolution flags Aleksa Sarai 2019-03-20 14:37 ` [PATCH RESEND v5 3/5] namei: O_THISROOT: chroot-like path resolution Aleksa Sarai 2019-03-20 14:37 ` [PATCH RESEND v5 4/5] namei: aggressively check for nd->root escape on ".." resolution Aleksa Sarai 2019-03-20 14:37 ` [PATCH RESEND v5 5/5] binfmt_*: scope path resolution of interpreters Aleksa Sarai 2019-03-21 17:06 ` [PATCH RESEND v5 0/5] namei: vfs flags to restrict path resolution Andy Lutomirski 2019-03-25 13:04 ` Aleksa Sarai 2019-04-23 20:13 ` Kees Cook 2019-04-23 20:24 ` Christian Brauner 2019-04-24 15:38 ` Aleksa Sarai [this message] 2019-04-25 13:22 ` Adam Borowski 2019-04-25 19:45 ` Aleksa Sarai -- strict thread matches above, loose matches on Subject: below -- 2019-03-06 19:12 Aleksa Sarai
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190424153806.64qkkmkudzodxnz2@yavin \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH RESEND v5 0/5] namei: vfs flags to restrict path resolution' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).