[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240411-alben-kocht-219170e9dc99@brauner>
Date: Thu, 11 Apr 2024 11:04:59 +0200
From: Christian Brauner <brauner@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Andrew Lutomirski <luto@...nel.org>, Peter Anvin <hpa@...or.com>
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() -
requirements
On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
> >
> > + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > + if (f.file->f_cred != current_cred() &&
> > + !capable(CAP_DAC_READ_SEARCH)) {
> > + fdput(f);
> > + return ERR_PTR(-ENOENT);
> > + }
> > + }
>
> Side note: I suspect that this could possibly be relaxed further, by
> making the rule be that if something has been explicitly opened to be
> used as a path (ie O_PATH was used at open time), we can link to it
> even across different credentials.
I had a similar discussion a while back someone requested that we relax
permissions so linkat can be used in containers. And I drafted the
following patch back then:
https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner
IOW, I had intended to make this work with containers so that we check
CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
thinking had been that this can serve as a way to say "Hey, I could've
opened this file in the openers namespace therefore let me make a path
to it.". I didn't actually send it because I thought the original author
would but imho, that would be a worthwhile addition to your patch if
this makes sense...
>
> IOW, the above could perhaps even be
>
> + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> + if (!(f.file->f_mode & FMODE_PATH) &&
> + f.file->f_cred != current_cred() &&
> + !capable(CAP_DAC_READ_SEARCH)) {
> + fdput(f);
> + return ERR_PTR(-ENOENT);
> + }
> + }
>
> which would _allow_ people to pass in paths as file descriptors if
> they actually wanted to.
>
> After all, the only thing you can do with an O_PATH file descriptor is
> to use it as a path - there would be no other reason to use O_PATH in
> the first place. So if you now pass it to somebody else, clearly you
> are intentionally trying to make it available *as* a path.
>
> So you could imagine doing something like this:
>
> // Open path as root
> int fd = open('filename", O_PATH);
>
> // drop privileges
> // setresuid(..) or chmod() or enter new namespace or whatever
>
> linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
>
> and it would open the path with one set of privileges, but then
> intentionally go into a more restricted mode and create a link to the
> source within that restricted environment.
>
> Sensible? Who knows. I'm just throwing this out as another "this may
> be the solution to our historical flink() issues".
>
> Linus
Powered by blists - more mailing lists