lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111206214126.GL2203@ZenIV.linux.org.uk>
Date:	Tue, 6 Dec 2011 21:41:26 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	John Johansen <john.johansen@...onical.com>
Subject: Re: [git pull] apparmor fix for __d_path() misuse

On Tue, Dec 06, 2011 at 01:07:56PM -0800, Linus Torvalds wrote:
> On Tue, Dec 6, 2011 at 12:53 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
> >
> > The trouble is, might very well stop *NOT* at the global root. ?Consider
> > a race with umount -l; we have no way to tell "it had been outside of
> > chroot jail" from "it had walked up to the place where ->mnt_parent had
> > been already reset, sorry, no idea what it was".
> 
> Sure, but you made that case return NULL already as part of the "no
> bastard" case, didn't you?
> 
> That part of the patch looked fine.
> 
> It was just the extra convolutions around 'bastard' that seemed to be
> over-designed, and made for just a single use that seems very
> peripheral anyway.
> 
> Apart from AppArmor, afaik nobody even really cared where they ended
> up, and even AppArmor really didn't want to know - it just had this
> totally crazy special case about "/sys".

It's not /sys, actually, it's implicit /proc/sys/something from sysctl() ;-/

Hell knows.  Frankly, the whole "let's build a pathname and decide basing
on it" thing had been insane from the very beginning.  For many reasons,
starting with "pathname in which namespace?" and continuing through "who said
that it still means what it used to at the moment of operation" to "what
if it's not a part of any namespace anymore/had never been in one".

Hey, it wasn't me who insisted that pathname-based stuff made any sense
whatsoever...  But "path to the nearest thing that has no ancestor now"
is _meaningless_ if we know nothing about that ancestor.  Cases include
	* that ancestor is the root of our namespace.
	* that ancestor is a solitary vfsmount we'd started in, never had
been mounted in any namespace (e.g. procfs internal vfsmount, etc.)
	* that ancestor is a random vfsmount in a subtree that had been
hit by umount -l, just as we'd been looking at it.  Might be its root,
might be equal to path->mnt, might be something in between.
	* cases 1 and 3 in another process' namespace

In case 3 and analogs the path we'd obtained is pure junk, so I can agree
with "let's just return NULL on those".  The trouble is, how do you tell
(3) from (2)?  And do we want (1)-not-our-namespace to be distinguished
from (1)-our-namespace?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ