lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 11 Apr 2024 14:25:10 +0200
From: Christian Brauner <brauner@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Andrew Lutomirski <luto@...nel.org>, Peter Anvin <hpa@...or.com>
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() -
 requirements

On Thu, Apr 11, 2024 at 11:04:59AM +0200, Christian Brauner wrote:
> On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> > On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> > <torvalds@...ux-foundation.org> wrote:
> > >
> > > +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > > +                       if (f.file->f_cred != current_cred() &&
> > > +                           !capable(CAP_DAC_READ_SEARCH)) {
> > > +                               fdput(f);
> > > +                               return ERR_PTR(-ENOENT);
> > > +                       }
> > > +               }
> > 
> > Side note: I suspect that this could possibly be relaxed further, by
> > making the rule be that if something has been explicitly opened to be
> > used as a path (ie O_PATH was used at open time), we can link to it
> > even across different credentials.
> 
> I had a similar discussion a while back someone requested that we relax
> permissions so linkat can be used in containers. And I drafted the
> following patch back then:
> 
> https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner
> 
> IOW, I had intended to make this work with containers so that we check
> CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
> thinking had been that this can serve as a way to say "Hey, I could've
> opened this file in the openers namespace therefore let me make a path
> to it.". I didn't actually send it because I thought the original author
> would but imho, that would be a worthwhile addition to your patch if
> this makes sense...

For example, say someone opened an O_PATH fd in the initial user ns and
then send that file over an AF_UNIX socket to some other container the
ns_capable(f_cred->user_ns, CAP_DAC_READ_SEARCH) would always be false.
The other way around though would work. Which imho is exactly what we
want to make such cross-container interactions with linkat() safe.

And this didn't aim to solve the problem of allowing unprivileged users
in the initial namespace to do linkat(), of course which yours does.

Btw, I think we should try to avoid putting this into path_init() and
confine this to linkat() itself imho. The way I tried to do it was by
presetting a root for filename_lookup(); means we also don't need a
LOOKUP_* flag for this as this is mostly a linkat thing.

So maybe your suggestion combined with my own attempt would make this
work for unprivileged users and containers?

if (f.file->f_cred != current_cred() &&
    !ns_capable(f.file->f_cred->user_ns, CAP_DAC_READ_SEARCH))

Worst case we get a repeat of the revert and get to make this a 10 year
anniversary patch attempt?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ