[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240424105248.189032-1-stsp2@yandex.ru>
Date: Wed, 24 Apr 2024 13:52:46 +0300
From: Stas Sergeev <stsp2@...dex.ru>
To: linux-kernel@...r.kernel.org
Cc: Stas Sergeev <stsp2@...dex.ru>,
Stefan Metzmacher <metze@...ba.org>,
Eric Biederman <ebiederm@...ssion.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Andy Lutomirski <luto@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Jan Kara <jack@...e.cz>,
Jeff Layton <jlayton@...nel.org>,
Chuck Lever <chuck.lever@...cle.com>,
Alexander Aring <alex.aring@...il.com>,
David Laight <David.Laight@...LAB.COM>,
linux-fsdevel@...r.kernel.org,
linux-api@...r.kernel.org,
Paolo Bonzini <pbonzini@...hat.com>,
Christian Göttsche <cgzones@...glemail.com>
Subject: [PATCH v4 0/2] implement OA2_INHERIT_CRED flag for openat2()
This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall.
It is needed to perform an open operation with the creds that were in
effect when the dir_fd was opened. This allows the process to pre-open
some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged
user, while still retaining the possibility to open/create files within
the pre-opened directory set.
The sand-boxing is security-oriented: symlinks leading outside of a
sand-box are rejected. /proc magic links are rejected.
The more detailed description (including security considerations)
is available in the log messages of individual patches.
Changes in v4:
- add optimizations suggested by David Laight <David.Laight@...LAB.COM>
- move security checks to build_open_flags()
- force RESOLVE_NO_MAGICLINKS as suggested by Andy Lutomirski <luto@...nel.org>
Changes in v3:
- partially revert v2 changes to avoid overriding capabilities.
Only the bare minimum is overridden: fsuid, fsgid and group_info.
Document the fact the full cred override is unwanted, as it may
represent an unneeded security risk.
Changes in v2:
- capture full struct cred instead of just fsuid/fsgid.
Suggested by Stefan Metzmacher <metze@...ba.org>
CC: Stefan Metzmacher <metze@...ba.org>
CC: Eric Biederman <ebiederm@...ssion.com>
CC: Alexander Viro <viro@...iv.linux.org.uk>
CC: Andy Lutomirski <luto@...nel.org>
CC: Christian Brauner <brauner@...nel.org>
CC: Jan Kara <jack@...e.cz>
CC: Jeff Layton <jlayton@...nel.org>
CC: Chuck Lever <chuck.lever@...cle.com>
CC: Alexander Aring <alex.aring@...il.com>
CC: David Laight <David.Laight@...LAB.COM>
CC: linux-fsdevel@...r.kernel.org
CC: linux-kernel@...r.kernel.org
CC: linux-api@...r.kernel.org
CC: Paolo Bonzini <pbonzini@...hat.com>
CC: Christian Göttsche <cgzones@...glemail.com>
--
2.44.0
Powered by blists - more mailing lists