Inter-revision diff: patch 1

Comparing v5 (message) to v4 (message)

--- v5
+++ v4
@@ -31,6 +31,13 @@
 * Processes executed in a chroot may not require access to these special
   files (e.g. with minimal runtimes, or by emulating some special files
   with a LD_PRELOADed library or seccomp).
+
+Unprivileged chroot is especially interesting for userspace developers
+wishing to harden their applications.  For instance, chroot(2) and Yama
+enable to build a capability-based security (i.e. remove filesystem
+ambient accesses) by calling chroot/chdir with an empty directory and
+accessing data through dedicated file descriptors obtained with
+openat2(2) and RESOLVE_BENEATH/RESOLVE_IN_ROOT/RESOLVE_NO_MAGICLINKS.
 
 Allowing a task to change its own root directory is not a threat to the
 system if we can prevent confused deputy attacks, which could be
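Review bot: mind the file order of this diff (`--- v5`, `+++ v4`): the `+` lines in this hunk are the paragraph that v5 dropped from v4, which is what the "Remove ambiguous example in commit description" entry in the v5 changelog further down refers to. Dropping it is the right call: "chroot(2) and Yama enable to build a capability-based security" mixes two unrelated mechanisms (Yama restricts ptrace scope, not filesystem access), and RESOLVE_BENEATH/RESOLVE_IN_ROOT/RESOLVE_NO_MAGICLINKS only constrain the lookup of an individual openat2(2) call, so the sentence promised more than the patch itself provides.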
@@ -67,20 +74,14 @@
 Cc: Dominik Brodowski <linux@dominikbrodowski.net>
 Cc: Eric W. Biederman <ebiederm@xmission.com>
 Cc: James Morris <jmorris@namei.org>
-Cc: Jann Horn <jannh@google.com>
 Cc: John Johansen <john.johansen@canonical.com>
+Cc: Kees Cook <keescook@chromium.org>
 Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
 Cc: Serge Hallyn <serge@hallyn.com>
 Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
 Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Link: https://lore.kernel.org/r/20210316203633.424794-2-mic@digikod.net
+Link: https://lore.kernel.org/r/20210316170135.226381-2-mic@digikod.net
 ---
-
-Changes since v4:
-* Use READ_ONCE(current->fs->users) (found by Jann Horn).
-* Remove ambiguous example in commit description.
-* Add Reviewed-by Kees Cook.
 
 Changes since v3:
 * Move the new permission checks to a dedicated helper
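Review bot: the v5 side of this hunk (the `-` lines) adds Jann Horn to the Cc list and credits him in the "Changes since v4" block with finding the READ_ONCE issue, but that block sits below the `---` separator and is discarded when the patch is applied; a Reported-by: or Suggested-by: Jann Horn trailer next to the Signed-off-by would keep the attribution in the commit itself. Replacing the Cc: Kees Cook line with his Reviewed-by: trailer is consistent with the "Add Reviewed-by Kees Cook" changelog entry.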
@@ -103,7 +104,7 @@
  1 file changed, 21 insertions(+), 2 deletions(-)
 
 diff --git a/fs/open.c b/fs/open.c
-index e53af13b5835..480010a551b2 100644
+index e53af13b5835..da46eb28a3a6 100644
 --- a/fs/open.c
 +++ b/fs/open.c
 @@ -532,6 +532,24 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
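Review bot: only the post-image blob id of fs/open.c differs here (480010a551b2 in v5 against da46eb28a3a6 in v4), which follows from the one-line change in the next hunk; the shared pre-image e53af13b5835 confirms both revisions were generated against the same base tree, so nothing further to check.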
@@ -120,7 +121,7 @@
 +	 * As for seccomp, checking no_new_privs avoids scenarios where
 +	 * unprivileged tasks can affect the behavior of privileged children.
 +	 */
-+	if (task_no_new_privs(current) && READ_ONCE(current->fs->users) == 1 &&
++	if (task_no_new_privs(current) && current->fs->users == 1 &&
 +			!current_chrooted())
 +		return 0;
 +	if (ns_capable(current_user_ns(), CAP_SYS_CHROOT))
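Review bot: the comment above this condition only justifies the task_no_new_privs() half; it should also say why `fs->users == 1` is required and why a lockless READ_ONCE(current->fs->users) (the v5 side, the `-` line) is enough, namely that a count of 1 means no other task shares this fs_struct, so nothing but current itself can change it while this syscall runs and no fs->lock is needed. Without that sentence the next reader will either ask why the lock is not taken or, as v4 did, drop the READ_ONCE and leave a plain racy-looking read of a shared counter.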