lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240802.011554-broke.flocks.valiant.camp-sk9TjsxvPYf@cyphar.com>
Date: Fri, 2 Aug 2024 11:29:19 +1000
From: Aleksa Sarai <cyphar@...har.com>
To: Petr Vorel <pvorel@...e.cz>
Cc: Andrea Cervesato <andrea.cervesato@...e.de>, ltp@...ts.linux.it, 
	Alexey Gladkov <legion@...nel.org>, Christian Brauner <brauner@...nel.org>, 
	Cyril Hrubis <chrubis@...e.cz>, Adhemerval Zanella <adhemerval.zanella@...aro.org>, 
	Gaƫl PORTAY <gael.portay@...ne.fr>, linux-kernel@...r.kernel.org
Subject: Re: [LTP] [PATCH v4 0/5] Add fchmodat2 testing suite

On 2024-08-01, Petr Vorel <pvorel@...e.cz> wrote:
> Hi all,
> 
> > This is a patch-set that implements fchmodat2() syscall coverage.
> > fchmodat2() has been added in kernel 6.6 in order to support
> > AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH in fchmodat().
> > There's no man pages yet, so please take the following links as
> > main documentation along with kernel source code:
> 
> I would hope that it'd be at least Christian's fork [1], but it's not there.
> I suppose nobody is working on the man page.
> 
> > https://www.phoronix.com/news/fchmodat2-For-Linux-6.6
> > https://lore.kernel.org/lkml/20230824-frohlocken-vorabend-725f6fdaad50@brauner/
> 
> > ***********
> > * WARNING *
> > ***********
> 
> > fchmodat2_02 fails with EOPNOTSUPP because of missing feature.
> 
> For a record, it's fchmodat2_01.c (from this patchset) which is failing (on
> 6.10.1-1.g4c78d6f-default Tumbleweed and 6.6.21-0-lts Alpine, both x86_64 VMs).
> 
> Andrea, I would personally just skip test on EOPNOTSUPP (that's what we do in
> LTP on EOPNOTSUPP). The question why is not supported and whether is going to be
> fixed.
> 
> Looking into glibc change 65341f7bbe ("linux: Use fchmodat2 on fchmod for flags
> different than 0 (BZ 26401)") one year old change from glibc-2.39 [2] it looks
> just accepted behavior (glibc returns EOPNOTSUPP on symlink):
> 
> +  /* Some Linux versions with some file systems can actually
> +     change symbolic link permissions via /proc, but this is not
> +     intentional, and it gives inconsistent results (e.g., error
> +     return despite mode change).  The expected behavior is that
> +     symbolic link modes cannot be changed at all, and this check
> +     enforces that.  */
> +  if (S_ISLNK (st.st_mode))
> +    {
>        __close_nocancel (pathfd);
> -      return ret;
> +      __set_errno (EOPNOTSUPP);
> +      return -1;
> +    }
> 
> Also musl also behaves the same on his fallback on old kernels [3]
> (it started 10 years ago on 0dc48244 ("work around linux's lack of flags
> argument to fchmodat syscall") when SYS_fchmodat was used and kept when this
> year SYS_fchmodat2 started to be used in d0ed307e):
> 
> 	int ret = __syscall(SYS_fchmodat2, fd, path, mode, flag);
> 	if (ret != -ENOSYS) return __syscall_ret(ret);
> 
> 	if (flag != AT_SYMLINK_NOFOLLOW)
> 		return __syscall_ret(-EINVAL);
> 
> 	struct stat st;
> 	int fd2;
> 	char proc[15+3*sizeof(int)];
> 
> 	if (fstatat(fd, path, &st, flag))
> 		return -1;
> 	if (S_ISLNK(st.st_mode))
> 		return __syscall_ret(-EOPNOTSUPP);
> 
> 
> > According to documentation, the feature has been implemented in
> > kernel 6.6, but __in reality__ AT_SYMLINK_NOFOLLOW is not working
> > on symbolic files. Also kselftests, which are meant to test the
> > functionality, are not working and they are treating fchmodat2()
> > syscall failure as SKIP. Please take a look at the following code
> > before reviewing:
> 
> > https://github.com/torvalds/linux/blob/8f6a15f095a63a83b096d9b29aaff4f0fbe6f6e6/tools/testing/selftests/fchmodat2/fchmodat2_test.c#L123
> 
> I see there is a kselftest workaround in 4859c257d295 ("selftests: Add fchmodat2
> selftest") [4], where fchmodat2 failure on symlink is simply skipped.
> 
> Aleksa, you're probably aware of this fchmodat2() failure on symlinks. Does
> anybody work or plan to work on fixing it? LTP has policy to not cover kernel
> bugs, if it's not expected to be working we might just skip the test as well.

If I understand the bug report, the issue is that fchmodat2() doesn't
work on symlinks?

This is intentional -- Christian fixed a tree-wide bug a while ago[1]
where some filesystems would change the mode of symlinks despite
returning an error (usually EOPNOTSUPP) and IIRC a few others would
happily change the mode of symlinks.

The current intended behaviour is to always return EOPNOTSUPP, and AFAIK
there is no plan to re-enable the changing of symlink modes. EOPNOTSUPP
was chosen because that's what filesystems were already returning.
(While this is a little confusing, VFS syscalls return EINVAL for an
unsupported flag, not EOPNOTSUPP.)

The benefit of an AT_SYMLINK_NOFOLLOW flag is not just to to allow a
syscall to operate on symlinks, it also allows programs to safely
operate on path components without worrying about symlinks being
followed (this is relevant for container runtimes, where we are
operating on untrusted filesystem roots -- though in the case of
fchmodat2(2) you would probably just use AT_EMPTY_PATH in practice). So
an error here is actually what you want as a program that uses
AT_SYMLINK_NOFOLLOW (since the actual operation is intentionally not
supported by filesystems).

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d1f903f75a80daa4dfb3d84e114ec8ecbf29956

> I see a RFC UAPI related patchset [5] which touches include/uapi/linux/fcntl.h,
> but AFAIK it's not related to this problem.

Yeah this is unrelated, that patch is about clarifying how AT_* flags
are allocated, not syscall behaviour.

> Kind regards,
> Petr
> 
> [1] https://github.com/brauner/man-pages-md
> [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65341f7bbea824d2ff9d37db15d8be162df42bd3;hp=c52c2c32db15aba8bbe1a0b4d3235f97d9c1a525
> [3] https://git.musl-libc.org/cgit/musl/tree/src/stat/fchmodat.c
> [4] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/tools/testing/selftests/fchmodat2/fchmodat2_test.c?h=next-20240801&id=4859c257d295949c23f4074850a8c2ec31357abb
> [5] https://lore.kernel.org/lkml/20240801-exportfs-u64-mount-id-v3-0-be5d6283144a@cyphar.com/
> 
> > Signed-off-by: Andrea Cervesato <andrea.cervesato@...e.com>
> > ---
> > Changes in v4:
> > - add SAFE_FCHMODAT2
> > - Link to v3: https://lore.kernel.org/r/20240724-fchmodat2-v3-0-1dc7cfc634b8@suse.com
> 
> > Changes in v3:
> > - removed fchmodat2.h
> > - Link to v2: https://lore.kernel.org/r/20240723-fchmodat2-v2-0-e658a98b113e@suse.com
> 
> > Changes in v2:
> > - merge first 3 tests into a unique one
> > - move fchmodat2 in lapi/stat.h
> > - add test for error checking
> > - Link to v1: https://lore.kernel.org/r/20240521-fchmodat2-v1-0-191b4a986202@suse.com
> 
> > ---
> > Andrea Cervesato (5):
> >       Add SAFE_SYMLINKAT macro
> >       Add fchmodat2 syscalls definitions
> >       Add fchmodat2 fallback definition
> >       Add fchmodat2_01 test
> >       Add fchmodat2_02 test
> 
> >  include/lapi/stat.h                                |  16 +++
> >  include/lapi/syscalls/aarch64.in                   |   1 +
> >  include/lapi/syscalls/arc.in                       |   1 +
> >  include/lapi/syscalls/arm.in                       |   1 +
> >  include/lapi/syscalls/hppa.in                      |   1 +
> >  include/lapi/syscalls/i386.in                      |   1 +
> >  include/lapi/syscalls/ia64.in                      |   1 +
> >  include/lapi/syscalls/loongarch.in                 |   1 +
> >  include/lapi/syscalls/mips_n32.in                  |   1 +
> >  include/lapi/syscalls/mips_n64.in                  |   1 +
> >  include/lapi/syscalls/mips_o32.in                  |   1 +
> >  include/lapi/syscalls/powerpc.in                   |   1 +
> >  include/lapi/syscalls/powerpc64.in                 |   1 +
> >  include/lapi/syscalls/s390.in                      |   1 +
> >  include/lapi/syscalls/s390x.in                     |   1 +
> >  include/lapi/syscalls/sh.in                        |   1 +
> >  include/lapi/syscalls/sparc.in                     |   1 +
> >  include/lapi/syscalls/sparc64.in                   |   1 +
> >  include/lapi/syscalls/x86_64.in                    |   1 +
> >  include/safe_macros_fn.h                           |   4 +
> >  include/tst_safe_macros.h                          |   3 +
> >  lib/safe_macros.c                                  |  20 ++++
> >  runtest/syscalls                                   |   3 +
> >  testcases/kernel/syscalls/fchmodat2/.gitignore     |   2 +
> >  testcases/kernel/syscalls/fchmodat2/Makefile       |   7 ++
> >  testcases/kernel/syscalls/fchmodat2/fchmodat2_01.c | 114 +++++++++++++++++++++
> >  testcases/kernel/syscalls/fchmodat2/fchmodat2_02.c |  68 ++++++++++++
> >  27 files changed, 255 insertions(+)
> > ---
> > base-commit: 8422d4680b21e6576da63c677b5d49f46b477df0
> > change-id: 20240517-fchmodat2-5b82867d71fc
> 
> > Best regards,

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ