| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Dec 2011 21:41:26 +0000 From: Al Viro <viro@...IV.linux.org.uk> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, John Johansen <john.johansen@...onical.com> Subject: Re: [git pull] apparmor fix for __d_path() misuse On Tue, Dec 06, 2011 at 01:07:56PM -0800, Linus Torvalds wrote: > On Tue, Dec 6, 2011 at 12:53 PM, Al Viro <viro@...iv.linux.org.uk> wrote: > > > > The trouble is, might very well stop *NOT* at the global root. ?Consider > > a race with umount -l; we have no way to tell "it had been outside of > > chroot jail" from "it had walked up to the place where ->mnt_parent had > > been already reset, sorry, no idea what it was". > > Sure, but you made that case return NULL already as part of the "no > bastard" case, didn't you? > > That part of the patch looked fine. > > It was just the extra convolutions around 'bastard' that seemed to be > over-designed, and made for just a single use that seems very > peripheral anyway. > > Apart from AppArmor, afaik nobody even really cared where they ended > up, and even AppArmor really didn't want to know - it just had this > totally crazy special case about "/sys". It's not /sys, actually, it's implicit /proc/sys/something from sysctl() ;-/ Hell knows. Frankly, the whole "let's build a pathname and decide basing on it" thing had been insane from the very beginning. For many reasons, starting with "pathname in which namespace?" and continuing through "who said that it still means what it used to at the moment of operation" to "what if it's not a part of any namespace anymore/had never been in one". Hey, it wasn't me who insisted that pathname-based stuff made any sense whatsoever... But "path to the nearest thing that has no ancestor now" is _meaningless_ if we know nothing about that ancestor. Cases include * that ancestor is the root of our namespace. * that ancestor is a solitary vfsmount we'd started in, never had been mounted in any namespace (e.g. procfs internal vfsmount, etc.) * that ancestor is a random vfsmount in a subtree that had been hit by umount -l, just as we'd been looking at it. Might be its root, might be equal to path->mnt, might be something in between. * cases 1 and 3 in another process' namespace In case 3 and analogs the path we'd obtained is pure junk, so I can agree with "let's just return NULL on those". The trouble is, how do you tell (3) from (2)? And do we want (1)-not-our-namespace to be distinguished from (1)-our-namespace? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists