[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240427112451.1609471-1-stsp2@yandex.ru>
Date: Sat, 27 Apr 2024 14:24:48 +0300
From: Stas Sergeev <stsp2@...dex.ru>
To: linux-kernel@...r.kernel.org
Cc: Stas Sergeev <stsp2@...dex.ru>,
Stefan Metzmacher <metze@...ba.org>,
Eric Biederman <ebiederm@...ssion.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Andy Lutomirski <luto@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Jan Kara <jack@...e.cz>,
Jeff Layton <jlayton@...nel.org>,
Chuck Lever <chuck.lever@...cle.com>,
Alexander Aring <alex.aring@...il.com>,
David Laight <David.Laight@...LAB.COM>,
linux-fsdevel@...r.kernel.org,
linux-api@...r.kernel.org,
Paolo Bonzini <pbonzini@...hat.com>,
Christian Göttsche <cgzones@...glemail.com>
Subject: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2()
This patch-set implements the OA2_CRED_INHERIT flag for openat2() syscall.
It is needed to perform an open operation with the creds that were in
effect when the dir_fd was opened, if the dir was opened with O_CRED_ALLOW
flag. This allows the process to pre-open some dirs and switch eUID
(and other UIDs/GIDs) to the less-privileged user, while still retaining
the possibility to open/create files within the pre-opened directory set.
The sand-boxing is security-oriented: symlinks leading outside of a
sand-box are rejected. /proc magic links are rejected. fds opened with
O_CRED_ALLOW are always closed on exec() and cannot be passed via unix
socket.
The more detailed description (including security considerations)
is available in the log messages of individual patches.
Changes in v6:
- it appears open flags bit 23 is already taken on parisc, and bit 24
is taken on alpha. Move O_CRED_ALLOW to bit 25.
- added selftests for both O_CRED_ALLOW and O_CRED_INHERIT additions
Changes in v5:
- rename OA2_INHERIT_CRED to OA2_CRED_INHERIT
- add an "opt-in" flag O_CRED_ALLOW as was suggested by many reviewers
- stop using 64bit types, as suggested by
Christian Brauner <brauner@...nel.org>
- add BUILD_BUG_ON() for VALID_OPENAT2_FLAGS, based on Christian Brauner's
comments
- fixed problems reported by patch-testing bot
- made O_CRED_ALLOW fds not passable via unix sockets and exec(),
based on Christian Brauner's comments
Changes in v4:
- add optimizations suggested by David Laight <David.Laight@...LAB.COM>
- move security checks to build_open_flags()
- force RESOLVE_NO_MAGICLINKS as suggested by Andy Lutomirski <luto@...nel.org>
Changes in v3:
- partially revert v2 changes to avoid overriding capabilities.
Only the bare minimum is overridden: fsuid, fsgid and group_info.
Document the fact the full cred override is unwanted, as it may
represent an unneeded security risk.
Changes in v2:
- capture full struct cred instead of just fsuid/fsgid.
Suggested by Stefan Metzmacher <metze@...ba.org>
CC: Stefan Metzmacher <metze@...ba.org>
CC: Eric Biederman <ebiederm@...ssion.com>
CC: Alexander Viro <viro@...iv.linux.org.uk>
CC: Andy Lutomirski <luto@...nel.org>
CC: Christian Brauner <brauner@...nel.org>
CC: Jan Kara <jack@...e.cz>
CC: Jeff Layton <jlayton@...nel.org>
CC: Chuck Lever <chuck.lever@...cle.com>
CC: Alexander Aring <alex.aring@...il.com>
CC: David Laight <David.Laight@...LAB.COM>
CC: linux-fsdevel@...r.kernel.org
CC: linux-kernel@...r.kernel.org
CC: linux-api@...r.kernel.org
CC: Paolo Bonzini <pbonzini@...hat.com>
CC: Christian Göttsche <cgzones@...glemail.com>
--
2.44.0
Powered by blists - more mailing lists