Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements

From: Christian Brauner
Date: Thu Apr 11 2024 - 05:05:13 EST

Next message: Chao Yu: "Re: [f2fs-dev] [PATCH 2/3] f2fs: clear writeback when compression failed"
Previous message: Conor Dooley: "Re: [PATCH 07/10] riscv: add ISA extension parsing for Zcmop"
In reply to: Linus Torvalds: "Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements"
Next in thread: Christian Brauner: "Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > + if (f.file->f_cred != current_cred() &&
> > + !capable(CAP_DAC_READ_SEARCH)) {
> > + fdput(f);
> > + return ERR_PTR(-ENOENT);
> > + }
> > + }
>
> Side note: I suspect that this could possibly be relaxed further, by
> making the rule be that if something has been explicitly opened to be
> used as a path (ie O_PATH was used at open time), we can link to it
> even across different credentials.

I had a similar discussion a while back someone requested that we relax
permissions so linkat can be used in containers. And I drafted the
following patch back then:

https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner

IOW, I had intended to make this work with containers so that we check
CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
thinking had been that this can serve as a way to say "Hey, I could've
opened this file in the openers namespace therefore let me make a path
to it.". I didn't actually send it because I thought the original author
would but imho, that would be a worthwhile addition to your patch if
this makes sense...

>
> IOW, the above could perhaps even be
>
> + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> + if (!(f.file->f_mode & FMODE_PATH) &&
> + f.file->f_cred != current_cred() &&
> + !capable(CAP_DAC_READ_SEARCH)) {
> + fdput(f);
> + return ERR_PTR(-ENOENT);
> + }
> + }
>
> which would _allow_ people to pass in paths as file descriptors if
> they actually wanted to.
>
> After all, the only thing you can do with an O_PATH file descriptor is
> to use it as a path - there would be no other reason to use O_PATH in
> the first place. So if you now pass it to somebody else, clearly you
> are intentionally trying to make it available *as* a path.
>
> So you could imagine doing something like this:
>
> // Open path as root
> int fd = open('filename", O_PATH);
>
> // drop privileges
> // setresuid(..) or chmod() or enter new namespace or whatever
>
> linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
>
> and it would open the path with one set of privileges, but then
> intentionally go into a more restricted mode and create a link to the
> source within that restricted environment.
>
> Sensible? Who knows. I'm just throwing this out as another "this may
> be the solution to our historical flink() issues".
>
> Linus

Next message: Chao Yu: "Re: [f2fs-dev] [PATCH 2/3] f2fs: clear writeback when compression failed"
Previous message: Conor Dooley: "Re: [PATCH 07/10] riscv: add ISA extension parsing for Zcmop"
In reply to: Linus Torvalds: "Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements"
Next in thread: Christian Brauner: "Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]