Thread (59 messages) 59 messages, 6 authors, 2013-09-03

Re: [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH)

From: Willy Tarreau <w@1wt.eu>
Date: 2013-08-22 19:39:10
Also in: lkml

On Thu, Aug 22, 2013 at 12:05:50PM -0700, Andy Lutomirski wrote:
On Thu, Aug 22, 2013 at 11:53 AM, Willy Tarreau [off-list ref] wrote:
quoted
On Thu, Aug 22, 2013 at 11:48:10AM -0700, Linus Torvalds wrote:
quoted
And I'm wondering if we shouldn't actually do that at "path_init"
time. Right now the code says:

                /* Caller must check execute permissions on the
starting path component */
                struct fd f = fdget_raw(dfd);

and then uses the struct file mindlessly.

I'm wondering if we should just do some validation in that place, and say:

 - for directories, we require exec permissions here
 - for everything else, we require that f->f_cred == current->cred check.
Does this work for the procfs case?  As far as I understand it (which
isn't saying much), it goes through the symlink-following path.
Indeed I checked yesterday that it seems to use proc_pid_follow_link() for
fd/, cwd, root and exe, which means the same tests are used everywhere.
quoted
quoted
I dunno. But that I_LINKABLE thing just bothers me. It screams "I'm
hacky" to me.
I agreed, simply because the condition here is different from the one in /proc.

I have read some code last evening to try to understand how /proc/pid/fd
entries were granted access to various processes, because I would love to
see the same condition being used in both places. Unfortunately, it's beyond
my skills, and I stopped after my random attempts gave me some panics.
What if we added another field to struct nameidata that's indicates
what restrictions need to be enforced when following magical symlinks
and then enforcing them when nd_jump_link gets used.  (There are only
two of these, both in procfs.)
I tried to add a test based on a mount option before this call to
nd_jump_link() when I realized my attempt was a total disaster because
I'm a noob. But what I think would be nice (at least as an opt-in) would
be :

  - processes which don't share the same root should not be allowed to
    access files through /proc/pid/{root,cwd,exe,fd/*}

  - keep the current restrictions as well of course

  - the exact same restrictions should apply to AT_EMPTY_PATH

I might be totally wrong, but as a user that's what I find natural and
what I tend to expect.
Then open could check that the original fd was opened for a superset
of the requested permissions (or that the caller has
CAP_DAC_OVERRIDE), linkat could check whatever it feels like checking,
etc.
Do not forget that 2 other syscalls seem to support AT_EMPTH_PATH as
well if that makes a difference.
This would allow all of these issues to be fixed for real (controlled
by sysctl, presumably).
If needed for backwards compatibility, possibly, though I doubt that
there are apps that *rely* on the current lack of isolation between
chroots. But at the same time I hate to break existing setups :-)
--Andy
Willy
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help