| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 May 2015 22:31:40 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Seth Forshee <seth.forshee@...onical.com>
Cc: Miklos Szeredi <miklos@...redi.hu>, alexey@...nosov.spb.ru,
Andy Lutomirski <luto@...capital.net>,
Serge Hallyn <serge.hallyn@...ntu.com>,
fuse-devel <fuse-devel@...ts.sourceforge.net>,
Linux-Fsdevel <linux-fsdevel@...r.kernel.org>,
Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [fuse-devel] fuse_get_context() and namespaces
Seth Forshee <seth.forshee@...onical.com> writes:
> On Tue, May 26, 2015 at 05:21:38PM +0200, Miklos Szeredi wrote:
>> On Fri, May 22, 2015 at 01:59:32PM -0500, Seth Forshee wrote:
>> > On Fri, May 22, 2015 at 12:44:35PM -0500, Eric W. Biederman wrote:
>> > > Seth Forshee <seth.forshee@...onical.com> writes:
>> > >
>> > > > On Fri, May 22, 2015 at 04:23:55PM +0200, Miklos Szeredi wrote:
>> > > >> On Sat, May 2, 2015 at 5:56 PM, <alexey@...nosov.spb.ru> wrote:
>> > > >> >
>> > > >> > 3.10.0-229 form Scientific Linux and native 4.0.1-1 (from elrepo).
>> > > >> > SL 7.1 on the host and SL 6.6 on the LXC guest. At least in 3.10
>> > > >> > the 499dcf2024092e5cce41d05599a5b51d1f92031a is present.
>> > > >> > Steps to reproduce:
>> > > >> >
>> > > >> > On first console:
>> > > >> > [root@...test ~]# lxc-start -n test-2 /bin/su -
>> > > >> > [root@...t-2 ~]# diff -u hello.py /usr/share/doc/fuse-python-0.2.1/example/hello.py
>> > > >> > --- hello.py 2015-05-02 11:12:13.963093580 -0400
>> > > >> > +++ /usr/share/doc/fuse-python-0.2.1/example/hello.py 2010-04-14 18:29:21.000000000 -0400
>> > > >> > @@ -41,8 +41,6 @@
>> > > >> > class HelloFS(Fuse):
>> > > >> >
>> > > >> > def getattr(self, path):
>> > > >> > - dic = Fuse.GetContext(self)
>> > > >> > - print dic
>> > > >> > st = MyStat()
>> > > >> > if path == '/':
>> > > >> > st.st_mode = stat.S_IFDIR | 0755
>> > > >> > [root@...t-2 ~]# python hello.py -f /mnt/
>> > > >> >
>> > > >> > On second console:
>> > > >> > [root@...t-2 ~]# echo $$
>> > > >> > 41
>> > > >> > [root@...t-2 ~]# ls /mnt/
>> > > >> > hello
>> > > >> >
>> > > >> > Output of first console:
>> > > >> > {'gid': 0, 'pid': 12083, 'uid': 0}
>> > > >>
>> > > >> Thanks.
>> > > >>
>> > > >> Digging in mailbox... There was a thread last year about adding
>> > > >> support for running fuse daemon in a container:
>> > > >>
>> > > >> http://thread.gmane.org/gmane.linux.kernel/1811658
>> > > >>
>> > > >> Not sure what happened, but no updated patches have been posted or
>> > > >> maybe I just missed them.
>> > > >
>> > > > I haven't sent updated patches in a while. I still intend to, but I
>> > > > shifted focus to first getting general support for mounts from user
>> > > > namespaces into the vfs (which will give a clearer direction for some of
>> > > > the concerns raised about the fuse patches).
>> > > >
>> > > > All of this code is available in the userns-mounts branch of
>> > > > git://kernel.ubuntu.com/sforshee/linux.git, and I don't think the fuse
>> > > > patches actually depend on any of the stuff that precedes them. I'm
>> > > > planning to start submitting some of the earlier patches from that
>> > > > branch soon, and eventually get back to resubmitting the fuse patches.
>> > > >
>> > > > This is about pid namespaces though, and the fuse pid namespace patch
>> > > > from that series (see below) should be more or less independent of the
>> > > > rest of the patches. Potentially that could be merged separately from
>> > > > the user namespae stuff.
>> > >
>> > > [snip]
>> > >
>> > > > @@ -2076,7 +2077,15 @@ static int convert_fuse_file_lock(const struct fuse_file_lock *ffl,
>> > > >
>> > > > fl->fl_start = ffl->start;
>> > > > fl->fl_end = ffl->end;
>> > > > - fl->fl_pid = ffl->pid;
>> > > > +
>> > > > + /*
>> > > > + * Convert pid into the connection's pid namespace. If the
>> > > > + * pid does not map into the namespace fl_pid will get set
>> > > > + * to 0.
>> > > > + */
>> > > > + rcu_read_lock();
>> > > > + fl->fl_pid = pid_vnr(find_pid_ns(ffl->pid, fc->pid_ns));
>> > > > + rcu_read_unlock();
>> > >
>> > > Scratches my head. This looks wrong.
>> > >
>> > > I would have expected pid_nr_ns. Am I missing something reading this
>> > > patch quickly?
>> >
>> > Here we're in the context of a F_GETLK operation. We've requested the
>> > lock information from the fuse process, and ffl->pid is the pid number
>> > in that process's pid namespace so it needs to be translated into
>> > current's namespace. First we have to look up the struct pid, then
>> > pid_vnr is just a wrapper for pid_nr_ns in the current pid namespace:
>> >
>> > pid_t pid_vnr(struct pid *pid)
>> > {
>> > return pid_nr_ns(pid, task_active_pid_ns(current));
>> > }
>> >
>> > Oh, but the comment is wrong, so maybe that's what confused you.
>> > s/connection/caller/ there and it should make more sense.
>>
>> Attaching updated patch against fuse.git for-next. Check namespace in both
>> device read and write. Check them at the start (doesn't matter if requests are
>> stuck in the queue, if server isn't playing by the rules, then all is lost
>> anyway).
>>
>> One thing: we return error if current tgid isn't valid in server's namespace.
>> That's looks good. However we silently succeed and set in.h.pid to zero if
>> current pid isn't representable in the server's namespace. That doesn't sound
>> quite right.
>>
>> Again the question is, does it make sense to allow access by tasks whose pid
>> isn't representable in the server. If not, then they should be rejected instead
>> of succeeding with an invalid PID, right?
>
> All of the fuse filesystems I looked at didn't pay any attention at all
> to in.h.pid, and I don't see any reason to make them unusable by
> processes outside the pid namespace. Filesystems which do care about
> pids can reject requests when in.h.pid is 0 if they wish.
Well where we came in at was there is a fuse filesystem paying attention
to pids and is having problems running in a container because the pids
are not translated.
> Of course it's a different matter if there are existing filesystems
> which could be broken by in.h.pid == 0.
It seems there is at least one filesystem being written that has that
limitation.
Given the way fuse works it does seem reasonable to deny access outside
of a pid namespace that the fuse filesystem is in. Set I believe you
implemented or were at least considering limiting the clients to the
same user namespace as well.
Unfortunately the test Miklos proposed is wrong. It tested for pid
namespace identity which fails to account for nested pid namespaces.
Instead of saying:
+ if (task_active_pid_ns(current) != fc->pid_ns)
+ return -EIO;
The code should probably say:
if (!pid_nr_ns(fc->pid_ns, task_pid(current)))
return -EIO;
Or possibly:
static bool in_pid_ns(struct pid_namespace *ns, struct pid *pid)
{
return ns->level <= pid->level &&
pid->numbers[ns->level].ns == ns;
}
if (!in_pid_ns(fc->pid_ns, task_pid(current)))
return -EIO;
We don't have the in_pid_ns function but it would be easy enough to add.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists