Re: [PATCH RFC v8 01/10] namei: obey trailing magic-link DAC permissions

From: Aleksa Sarai
Date: Thu May 23 2019 - 23:14:56 EST

Next message: Gen Zhang: "[PATCH] dm-region-hash: Fix a missing-check bug in __rh_alloc()"
Previous message: Pingfan Liu: "Re: [PATCHv2] kernel/crash: make parse_crashkernel()'s return value more indicant"
In reply to: Aleksa Sarai: "Re: [PATCH RFC v8 01/10] namei: obey trailing magic-link DAC permissions"
Next in thread: Aleksa Sarai: "[PATCH RFC v8 02/10] procfs: switch magic-link modes to be more sane"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2019-05-23, Aleksa Sarai <cyphar@xxxxxxxxxx> wrote:
> On 2019-05-22, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> > What are actual examples of uses for this exception? Breaking
> > selftests is not, in and of itself, a huge problem.
>
> Not as far as I know. All of the re-opening users I know of do re-opens
> of O_PATH or are re-opening with the same (or fewer) privileges. I also
> ran this for a few days on my laptop without this exception, and didn't
> have any visible issues.

I have modified the patch to WARN_ON(may_open_magiclink() == -EACCES).

So far (in the past day on my openSUSE machines) I have only seen two
programs which have hit this case: kbd[1]'s "loadkeys" and "kbd_mode"
binaries. In addition to there not being any user-visible errors -- they
actually handle permission errors gracefully!

static int
open_a_console(const char *fnam)
{
int fd;

/*
* For ioctl purposes we only need some fd and permissions
* do not matter. But setfont:activatemap() does a write.
*/
fd = open(fnam, O_RDWR);
if (fd < 0)
fd = open(fnam, O_WRONLY);
if (fd < 0)
fd = open(fnam, O_RDONLY);
if (fd < 0)
return -1;
return fd;
}

The above gets called with "/proc/self/fd/0" as an argument (as well as
other console candidates like "/dev/console"). And setfont:activatemap()
actually does handle read-only fds:

static void
send_escseq(int fd, const char *seq, int n)
{
if (write(fd, seq, n) != n) /* maybe fd is read-only */
printf("%s", seq);
}

void activatemap(int fd)
{
send_escseq(fd, "\033(K", 3);
}

So, thus far, not only have I not seen anything go wrong -- the only
program which actually hits this case handles the error gracefully.
Obviously we got lucky here, but the lack of any users of this
mis-feature leads me to have some hope that we can block it without
anyone noticing.

But I emphatically do not want to break userspace here (except for
attackers, obviously).

[1]: http://git.altlinux.org/people/legion/packages/kbd.git

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Attachment: signature.asc
Description: PGP signature

Next message: Gen Zhang: "[PATCH] dm-region-hash: Fix a missing-check bug in __rh_alloc()"
Previous message: Pingfan Liu: "Re: [PATCHv2] kernel/crash: make parse_crashkernel()'s return value more indicant"
In reply to: Aleksa Sarai: "Re: [PATCH RFC v8 01/10] namei: obey trailing magic-link DAC permissions"
Next in thread: Aleksa Sarai: "[PATCH RFC v8 02/10] procfs: switch magic-link modes to be more sane"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]