| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 29 Sep 2018 09:34:24 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Aleksa Sarai <cyphar@...har.com>
Cc: Jeff Layton <jlayton@...nel.org>,
"J. Bruce Fields" <bfields@...ldses.org>,
Al Viro <viro@...iv.linux.org.uk>,
Arnd Bergmann <arnd@...db.de>, Shuah Khan <shuah@...nel.org>,
David Howells <dhowells@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
Christian Brauner <christian@...uner.io>,
Eric Biederman <ebiederm@...ssion.com>,
Tycho Andersen <tycho@...ho.ws>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-arch@...r.kernel.org,
linux-kselftest@...r.kernel.org, dev@...ncontainers.org,
containers@...ts.linux-foundation.org
Subject: Re: [PATCH 0/3] namei: implement various scoping AT_* flags
> On Sep 29, 2018, at 8:45 AM, Aleksa Sarai <cyphar@...har.com> wrote:
>
> On 2018-09-29, Andy Lutomirski <luto@...capital.net> wrote:
>>> The most obvious change is that AT_NO_JUMPS has been split as dicussed
>>> in the original thread, along with a further split of AT_NO_PROCLINKS
>>> which means that each individual property of AT_NO_JUMPS is now a
>>> separate flag:
>>>
>>> * Path-based escapes from the starting-point using "/" or ".." are
>>> blocked by AT_BENEATH.
>>
>> Seems useful.
>>
>>> * Mountpoint crossings are blocked by AT_XDEV.
>>
>> Seems useful.
>>
>>> * /proc/$pid/fd/$fd resolution is blocked by AT_NO_PROCLINKS (more
>>> correctly it actually blocks any user of nd_jump_link() because it
>>> allows out-of-VFS path resolution manipulation).
>>>
>>
>> So how do I disable following symlinks? ISTM the most natural way
>> would be to have AT_NO_SYMLINKS, and to have that flag disable proc
>> links.
>
> So, this patchset has both AT_NO_SYMLINKS and AT_NO_PROCLINKS.
And AT_THIS_ROOT, which is neat. Want to update your cover letter to include all of this? Or at I just reading the wrong thing?
>
> * AT_NO_SYMLINKS blocks *all* symlinks (which is something Linus requested
> in the original thread[2] -- apparently this is something that would
> be useful to git even if wouldn't violate AT_BENEATH). This implies
> AT_NO_PROCLINKS.
>
> * AT_NO_PROCLINKS only blocks procfs-style "symlinks" (filesystem
> "symlinks" that call nd_jump_link() themselves -- currently only
> procfs and nsfs).
>
Hmm. I’m not sure that blocking nsfs links is always what the container runtime wants, but the overall concept sounds quite useful. Maybe call it AT_NO_TELEPORT? Or AT_NO_MAGIC_LINKS?
Also, as a perhaps-silly suggestion: if you end up adding a new syscall, I can see a use for a mode that does the path walk but, rather than failing on a disallowed link, stops early and indicates where it stopped. Then web servers, samba, etc can more efficiently implement custom behavior when links are encountered. And it may also be useful to have a variant of AT_THIS_ROOT where trying to escape is an error instead of having it just get stuck at the root.
Powered by blists - more mailing lists