lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240424105248.189032-1-stsp2@yandex.ru>
Date: Wed, 24 Apr 2024 13:52:46 +0300
From: Stas Sergeev <stsp2@...dex.ru>
To: linux-kernel@...r.kernel.org
Cc: Stas Sergeev <stsp2@...dex.ru>,
	Stefan Metzmacher <metze@...ba.org>,
	Eric Biederman <ebiederm@...ssion.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Andy Lutomirski <luto@...nel.org>,
	Christian Brauner <brauner@...nel.org>,
	Jan Kara <jack@...e.cz>,
	Jeff Layton <jlayton@...nel.org>,
	Chuck Lever <chuck.lever@...cle.com>,
	Alexander Aring <alex.aring@...il.com>,
	David Laight <David.Laight@...LAB.COM>,
	linux-fsdevel@...r.kernel.org,
	linux-api@...r.kernel.org,
	Paolo Bonzini <pbonzini@...hat.com>,
	Christian Göttsche <cgzones@...glemail.com>
Subject: [PATCH v4 0/2] implement OA2_INHERIT_CRED flag for openat2()

This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall.
It is needed to perform an open operation with the creds that were in
effect when the dir_fd was opened. This allows the process to pre-open
some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged
user, while still retaining the possibility to open/create files within
the pre-opened directory set.

The sand-boxing is security-oriented: symlinks leading outside of a
sand-box are rejected. /proc magic links are rejected.
The more detailed description (including security considerations)
is available in the log messages of individual patches.

Changes in v4:
- add optimizations suggested by David Laight <David.Laight@...LAB.COM>
- move security checks to build_open_flags()
- force RESOLVE_NO_MAGICLINKS as suggested by Andy Lutomirski <luto@...nel.org>

Changes in v3:
- partially revert v2 changes to avoid overriding capabilities.
  Only the bare minimum is overridden: fsuid, fsgid and group_info.
  Document the fact the full cred override is unwanted, as it may
  represent an unneeded security risk.

Changes in v2:
- capture full struct cred instead of just fsuid/fsgid.
  Suggested by Stefan Metzmacher <metze@...ba.org>

CC: Stefan Metzmacher <metze@...ba.org>
CC: Eric Biederman <ebiederm@...ssion.com>
CC: Alexander Viro <viro@...iv.linux.org.uk>
CC: Andy Lutomirski <luto@...nel.org>
CC: Christian Brauner <brauner@...nel.org>
CC: Jan Kara <jack@...e.cz>
CC: Jeff Layton <jlayton@...nel.org>
CC: Chuck Lever <chuck.lever@...cle.com>
CC: Alexander Aring <alex.aring@...il.com>
CC: David Laight <David.Laight@...LAB.COM>
CC: linux-fsdevel@...r.kernel.org
CC: linux-kernel@...r.kernel.org
CC: linux-api@...r.kernel.org
CC: Paolo Bonzini <pbonzini@...hat.com>
CC: Christian Göttsche <cgzones@...glemail.com>

-- 
2.44.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ