Message-ID: <20230106130651.vxz7pjtu5gvchdgt@wittgenstein>
Date:   Fri, 6 Jan 2023 14:06:51 +0100
From:   Christian Brauner <brauner@...nel.org>
To:     Ameer Hamza <ahamza@...ystems.com>
Cc:     viro@...iv.linux.org.uk, jlayton@...nel.org,
        chuck.lever@...cle.com, arnd@...db.de, guoren@...nel.org,
        palmer@...osinc.com, f.fainelli@...il.com, slark_xiao@....com,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-arch@...r.kernel.org, awalker@...ystems.com
Subject: Re: [PATCH] Add new open(2) flag - O_EMPTY_PATH

On Wed, Dec 28, 2022 at 09:02:49PM +0500, Ameer Hamza wrote:
> This patch adds a new flag O_EMPTY_PATH that allows openat and open
> system calls to open a file referenced by fd if the path is empty,
> and it is very similar to the FreeBSD O_EMPTY_PATH flag. This can be
> beneficial in some cases since it would avoid having to grant /proc
> access to things like samba containers for reopening files to change
> flags in a race-free way.
> 
> Signed-off-by: Ameer Hamza <ahamza@...ystems.com>
> ---

In general this isn't a bad idea and Aleksa and I proposed this as part
of the openat2() patchset (see [1]).

However, the reason we didn't do this right away was that we concluded
that it shouldn't be simply adding a flag. Reopening file descriptors
through procfs is indeed very useful and is often required. But it's
also been an endless source of subtle bugs and security holes as it
allows reopening file descriptors with more permissions than the
original file descriptor had.

The same lax behavior should not be encoded into O_EMPTYPATH. Ideally we
would teach O_EMPTYPATH to adhere to magic link modes by default. This
would be tied to the idea of upgrade mask in openat2() (cf. [2]). They
allow a caller to specify the permissions that a file descriptor may be
reopened with at the time the fd is opened.

[1]: https://lore.kernel.org/lkml/20190930183316.10190-4-cyphar@cyphar.com/
[2]: https://lore.kernel.org/all/20220526130355.fo6gzbst455fxywy@senku/
