From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1759368AbbKSV5d (ORCPT <rfc822;w@1wt.eu>);
	Thu, 19 Nov 2015 16:57:33 -0500
Received: from mail-oi0-f49.google.com ([209.85.218.49]:36180 "EHLO
	mail-oi0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756004AbbKSV53 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 19 Nov 2015 16:57:29 -0500
MIME-Version: 1.0
In-Reply-To: <CAGXu5jJ443eKJDHUM5vAXkZkztdOVVosD4egniTk2pUJJ1_0Jw@mail.gmail.com>
References: <CAGXu5jKCCq4hs_nerQYMnC1frA3qKkCxxQTjpS2gw-7dPZAX+w@mail.gmail.com>
 <20151104065820.GF21740@1wt.eu> <CALCETrVKuAW=qYKsB_Dkmq2LDwSV1sdP8sKbuDcGzye3zn_e2A@mail.gmail.com>
 <CAGXu5jJ3yKaeWJb1b6aJTNJMrX1f+vTabMn3ATuz_cuksuXDog@mail.gmail.com>
 <CALCETrU3WyynfLmqf7Krb+veF=2AxXbd2o1p3R3caxqjXFYO=Q@mail.gmail.com>
 <CAGXu5jJUd5sZpRtx3EDgazp9G013FCJ=mwBbAOH=9Qb1TQXs_Q@mail.gmail.com>
 <CAGXu5jJH8VCbHcwLNaoDw5uxGcUzpckT6GJyp1u_wANfURwLhw@mail.gmail.com>
 <CALCETrVaB8saXsUrp-qfCAV=ocDfhAuM4PQ8pHjEStS4vDNF6w@mail.gmail.com>
 <CAGXu5j++4L3BLNPmBDwU9JA3UdqmFAWEKxDcveLOmJmxwgNiVA@mail.gmail.com>
 <20151108020206.GA3880@thunk.org> <20151110150829.GC3156@quack.suse.cz> <CAGXu5jJ443eKJDHUM5vAXkZkztdOVVosD4egniTk2pUJJ1_0Jw@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 19 Nov 2015 13:57:09 -0800
Message-ID: <CALCETrVQrgg=CS+wJU7MhCO=2JdSMzqgn2-Vioy2Rq7cLrrnaA@mail.gmail.com>
Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids
To: Kees Cook <keescook@chromium.org>
Cc: "security@kernel.org" <security@kernel.org>,
        Serge Hallyn <serge.hallyn@canonical.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        "Theodore Ts'o" <tytso@mit.edu>, Jan Kara <jack@suse.cz>,
        Theodore Tso <tytso@google.com>,
        Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Seth Forshee <seth.forshee@canonical.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Nov 19, 2015 12:11 PM, "Kees Cook" <keescook@chromium.org> wrote:
>
> On Tue, Nov 10, 2015 at 7:08 AM, Jan Kara <jack@suse.cz> wrote:
> > On Sat 07-11-15 21:02:06, Ted Tso wrote:
> >> On Fri, Nov 06, 2015 at 09:05:57PM -0800, Kees Cook wrote:
> >> > >>>> They're certainly not used early enough -- we need to remove suid when
> >> > >>>> the page becomes writable via mmap (wp_page_shared), not when
> >> > >>>> writeback happens, or at least not only when writeback happens.
> >> > >>>
> >> > >>> Well, I'm shy about the change there. For example, we don't strip in
> >> > >>> on open(RDWR), just on write().
> >> > >>
> >> > >> I take it back. Hooking wp_page_shared looks expensive. :) Maybe we do
> >> > >> need to hook the mmap?
> >> > >
> >> > > But file_update_time already pokes at the same (or nearby) cachelines,
> >> > > I think -- why would it be expensive?  The whole thing could be
> >> > > guarded by if (unlikely(is setuid)), right?
> >> >
> >> > Yeah, true. I added file_remove_privs calls near all the
> >> > file_update_time calls, to no effect. Added to wp_page_shared too,
> >> > nothing. Hmmm.
> >>
> >> Why not put the the should_remove_suid() call in
> >> filemap_page_mkwrite(), or maybe do_page_mkwrite()?
> >
> > page_mkwrite() callbacks are IMHO the right place for this check (and
> > change).  Just next to file_update_time() call. You get proper filesystem
>
> Should file_update_time() just be modified to include
> file_remove_privs()? They seem to regularly go together.
>

No, I think.  The current file_update_time is slow and
POSIX-noncompliant, and I have old patches I need to dig up to fix it.

--Andy