| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Apr 2019 15:22:49 +0200
From: Adam Borowski <kilobyte@...band.pl>
To: Aleksa Sarai <cyphar@...har.com>
Cc: Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...nel.org>,
Al Viro <viro@...iv.linux.org.uk>,
Jeff Layton <jlayton@...nel.org>,
"J. Bruce Fields" <bfields@...ldses.org>,
Arnd Bergmann <arnd@...db.de>,
David Howells <dhowells@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>,
Christian Brauner <christian@...uner.io>,
David Drysdale <drysdale@...gle.com>,
Tycho Andersen <tycho@...ho.ws>,
Linux Containers <containers@...ts.linux-foundation.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexei Starovoitov <ast@...nel.org>,
Chanho Min <chanho.min@....com>,
Oleg Nesterov <oleg@...hat.com>, Aleksa Sarai <asarai@...e.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>,
linux-arch <linux-arch@...r.kernel.org>
Subject: Re: [PATCH RESEND v5 0/5] namei: vfs flags to restrict path
resolution
On Thu, Apr 25, 2019 at 01:38:06AM +1000, Aleksa Sarai wrote:
> * openat(2) ignores unknown flags, meaning that old kernels will ignore
> new programs trying to use O_THISROOT and might end up causing
> security issues. Yes, it'd be trivial to check whether the new O_*
> flags are supported at start-up, but I think a security feature
> shouldn't have a foot-gun associated with it. In fact, I didn't know
> openat(2) ignored unknown flags until I wrote this patchset -- I
> doubt many other userspace developers do either.
For this reason, I propose every new syscall that has flags to follow a
bitmask scheme, where any flag assigned a bit in the upper half returns
EOPNOTSUPP when called on an old kernel. That would allow defining which
flags can be safely ignored and which can't.
It otherwise takes major hacks to implement a fail-if-not-supported flag
while keeping compat with old kernels. For example, for mmap(), MAP_SHARED
has been duplicated as MAP_SHARED_VALIDATE just to allow an unrelated flag
(MAP_SYNC) to fail on old kernels.
Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁ Imagine there are bandits in your house, your kid is bleeding out,
⢿⡄⠘⠷⠚⠋⠀ the house is on fire, and seven giant trumpets are playing in the
⠈⠳⣄⠀⠀⠀⠀ sky. Your cat demands food. The priority should be obvious...
Powered by blists - more mailing lists