| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 May 2019 13:11:09 +1000
From: Aleksa Sarai <cyphar@...har.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Jeff Layton <jlayton@...nel.org>,
"J. Bruce Fields" <bfields@...ldses.org>,
Arnd Bergmann <arnd@...db.de>,
David Howells <dhowells@...hat.com>,
Shuah Khan <shuah@...nel.org>,
Shuah Khan <skhan@...uxfoundation.org>,
Christian Brauner <christian@...uner.io>,
Eric Biederman <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexei Starovoitov <ast@...nel.org>,
Kees Cook <keescook@...omium.org>,
Jann Horn <jannh@...gle.com>, Tycho Andersen <tycho@...ho.ws>,
David Drysdale <drysdale@...gle.com>,
Chanho Min <chanho.min@....com>,
Oleg Nesterov <oleg@...hat.com>, Aleksa Sarai <asarai@...e.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Linux Containers <containers@...ts.linux-foundation.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@...r.kernel.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
linux-arch <linux-arch@...r.kernel.org>
Subject: Re: [PATCH RFC v8 01/10] namei: obey trailing magic-link DAC
permissions
On 2019-05-23, Aleksa Sarai <cyphar@...har.com> wrote:
> On 2019-05-22, Andy Lutomirski <luto@...nel.org> wrote:
> > What are actual examples of uses for this exception? Breaking
> > selftests is not, in and of itself, a huge problem.
>
> Not as far as I know. All of the re-opening users I know of do re-opens
> of O_PATH or are re-opening with the same (or fewer) privileges. I also
> ran this for a few days on my laptop without this exception, and didn't
> have any visible issues.
I have modified the patch to WARN_ON(may_open_magiclink() == -EACCES).
So far (in the past day on my openSUSE machines) I have only seen two
programs which have hit this case: kbd[1]'s "loadkeys" and "kbd_mode"
binaries. In addition to there not being any user-visible errors -- they
actually handle permission errors gracefully!
static int
open_a_console(const char *fnam)
{
int fd;
/*
* For ioctl purposes we only need some fd and permissions
* do not matter. But setfont:activatemap() does a write.
*/
fd = open(fnam, O_RDWR);
if (fd < 0)
fd = open(fnam, O_WRONLY);
if (fd < 0)
fd = open(fnam, O_RDONLY);
if (fd < 0)
return -1;
return fd;
}
The above gets called with "/proc/self/fd/0" as an argument (as well as
other console candidates like "/dev/console"). And setfont:activatemap()
actually does handle read-only fds:
static void
send_escseq(int fd, const char *seq, int n)
{
if (write(fd, seq, n) != n) /* maybe fd is read-only */
printf("%s", seq);
}
void activatemap(int fd)
{
send_escseq(fd, "\033(K", 3);
}
So, thus far, not only have I not seen anything go wrong -- the only
program which actually hits this case handles the error gracefully.
Obviously we got lucky here, but the lack of any users of this
mis-feature leads me to have some hope that we can block it without
anyone noticing.
But I emphatically do not want to break userspace here (except for
attackers, obviously).
[1]: http://git.altlinux.org/people/legion/packages/kbd.git
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists