From patchwork Fri Apr 26 13:33:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: stsp X-Patchwork-Id: 13644807 Received: from forward102a.mail.yandex.net (forward102a.mail.yandex.net [178.154.239.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 86FCB1474DF; Fri, 26 Apr 2024 13:34:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.85 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138453; cv=none; b=YUxuy6O3i22tfH6a1E4KwLkyGsl5cCN7gfyizO9GRe+nyRX6hfuVJ6mggU4rA6CJcdVYPbj57vlxGb6JyuTmNVrem640ZM7UW5Mjjwoc38hmlgQoqSYrmhFMNo57Yq3QSynONPhFwB7UnM5QAW0vhV3T88yuke/YdLLgaHBujxw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138453; c=relaxed/simple; bh=eW+R7T+4wDE0CCmXnPO5w8nUsJ7ogtYZtHHlx4MY378=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Q/1m4xHkyyuiIRZI4dGpfI0rMSs42Hak/3wB2aXzDVRqDlblndC3xzYCe+50tshJkAxAVhBqzfMHHLKiGShAPHEViN1bCRqR6Gt2x/WCxsRM3eZ/R21Hkc6GKHURzaG6FUKXUdv//CuNq6CwEfODubnseCTOjmZzKGOsmFwcHUk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=S7rq6OGV; arc=none smtp.client-ip=178.154.239.85 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="S7rq6OGV" Received: from mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:230c:0:640:f8e:0]) by forward102a.mail.yandex.net (Yandex) with ESMTPS id 37B5760905; Fri, 26 Apr 2024 16:34:05 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id 2YN3P0DXnmI0-Bn2tdwo5; Fri, 26 Apr 2024 16:34:04 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714138444; bh=N6Wa5ZdYH+jnqmFV3t56OpNcrMxvOQwAgYBdbDZuPl8=; h=Message-ID:Date:In-Reply-To:Cc:Subject:References:To:From; b=S7rq6OGVdRG+mfSoFeDmu1F7HVcrELvHlGVgK9rz2d/czf3zQAnRMgwTMkb7e9CPa DyMulwy+fyq0UAcFk54BZj+z45yyKC4hJKPwBaQ3GLEpL/8MX92LGXyZjj66fRsWjE YbAoUmJ3Y8bfj/YOc8V1rnYbmfMzGec64WjlTRlE= Authentication-Results: mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Stas Sergeev To: linux-kernel@vger.kernel.org Cc: Stas Sergeev , Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?utf-8?q?C?= =?utf-8?q?hristian_G=C3=B6ttsche?= Subject: [PATCH v5 1/3] fs: reorganize path_openat() Date: Fri, 26 Apr 2024 16:33:08 +0300 Message-ID: <20240426133310.1159976-2-stsp2@yandex.ru> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240426133310.1159976-1-stsp2@yandex.ru> References: <20240426133310.1159976-1-stsp2@yandex.ru> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch moves the call to alloc_empty_file() down the if branches. That changes is needed for the next patch, which adds a cred override for alloc_empty_file(). The cred override is only needed in one branch, i.e. it is not needed for O_PATH and O_TMPFILE.. No functional changes are intended by that patch. Signed-off-by: Stas Sergeev CC: Eric Biederman CC: Alexander Viro CC: Christian Brauner CC: Jan Kara CC: Andy Lutomirski CC: David Laight CC: linux-fsdevel@vger.kernel.org CC: linux-kernel@vger.kernel.org --- fs/namei.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index c5b2a25be7d0..dd50345f7260 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3781,17 +3781,24 @@ static struct file *path_openat(struct nameidata *nd, { struct file *file; int error; + int open_flags = op->open_flag; - file = alloc_empty_file(op->open_flag, current_cred()); - if (IS_ERR(file)) - return file; - - if (unlikely(file->f_flags & __O_TMPFILE)) { - error = do_tmpfile(nd, flags, op, file); - } else if (unlikely(file->f_flags & O_PATH)) { - error = do_o_path(nd, flags, file); + if (unlikely(open_flags & (__O_TMPFILE | O_PATH))) { + file = alloc_empty_file(open_flags, current_cred()); + if (IS_ERR(file)) + return file; + if (open_flags & __O_TMPFILE) + error = do_tmpfile(nd, flags, op, file); + else + error = do_o_path(nd, flags, file); } else { - const char *s = path_init(nd, flags); + const char *s; + + file = alloc_empty_file(open_flags, current_cred()); + if (IS_ERR(file)) + return file; + + s = path_init(nd, flags); while (!(error = link_path_walk(s, nd)) && (s = open_last_lookups(nd, file, op)) != NULL) ; From patchwork Fri Apr 26 13:33:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: stsp X-Patchwork-Id: 13644809 Received: from forward200a.mail.yandex.net (forward200a.mail.yandex.net [178.154.239.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D4FC614831F; Fri, 26 Apr 2024 13:34:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.93 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138466; cv=none; b=VOR1CgjutMlaMsZt3zP+cc/FpmkRxK0StUNbCHDmYw5fJiigcjnXHHjdlSCPanecE1bnaHLdSYoHy95f8optQXoFxrhyVLvR0riGjsdh7PZLptRJUXVtxBby3r/3UJiWIzykWW08+2/HFIg4M+/OX2GYpzmwWiKtq5CTV8/rogQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138466; c=relaxed/simple; bh=NJLlv+BYrw+C+sbV2KvdymITp5TUT7pACIgIb4CZHl4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=N8vX3J58cHidIA2bcge4QkZchzZJ+AbZUrcs+yYg3HyP9uR2itenZJrLuNIrK1BUoEfEWvnq77X9uZF8sBZ0hwodYZW2EEMKH+lOgve91Ovf+rrjmUHcvyoZoYwD0t/bSQrM6yrvKN/O604S6rEQM5qkTpcWrUNct8A2zpFnwhc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=ECoAuMMR; arc=none smtp.client-ip=178.154.239.93 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="ECoAuMMR" Received: from forward101a.mail.yandex.net (forward101a.mail.yandex.net [IPv6:2a02:6b8:c0e:500:1:45:d181:d101]) by forward200a.mail.yandex.net (Yandex) with ESMTPS id 7AF1C66A43; Fri, 26 Apr 2024 16:34:16 +0300 (MSK) Received: from mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:230c:0:640:f8e:0]) by forward101a.mail.yandex.net (Yandex) with ESMTPS id 8EFA360B53; Fri, 26 Apr 2024 16:34:08 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id 2YN3P0DXnmI0-XlfhjaY2; Fri, 26 Apr 2024 16:34:06 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714138446; bh=oe8bbNwOy9Cey4DMgLCWnxFN4lQ1FLTo4XG3E1C4v8Q=; h=Message-ID:Date:In-Reply-To:Cc:Subject:References:To:From; b=ECoAuMMRjRsRnHs1YWDcIiI84Zgj6ZrBSrBEhwjmClSLd/H74Kj3f9iLL0MLpNdOX 069WuQs8GyqfI7yU+T2IfDdn1aYqLeMAg/Ffxq2+hq8zN1sBe0GhbYlyMLV7qjA8CD Xl0IpvfqDbE9Fnsay/URNI7VmN5Z4rJsgcHLons0= Authentication-Results: mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Stas Sergeev To: linux-kernel@vger.kernel.org Cc: Stas Sergeev , Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?utf-8?q?C?= =?utf-8?q?hristian_G=C3=B6ttsche?= , Arnd Bergmann , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jens Axboe , Kuniyuki Iwashima , Pavel Begunkov , linux-arch@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v5 2/3] open: add O_CRED_ALLOW flag Date: Fri, 26 Apr 2024 16:33:09 +0300 Message-ID: <20240426133310.1159976-3-stsp2@yandex.ru> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240426133310.1159976-1-stsp2@yandex.ru> References: <20240426133310.1159976-1-stsp2@yandex.ru> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This flag prevents an fd from being passed via unix socket, and makes it to be always closed on exec(). It is needed for the subsequent OA2_CRED_INHERIT addition, to work as an "opt-in" for the new cred-inherit functionality. Without using O_CRED_ALLOW when opening dir fd, it won't be possible to use OA2_CRED_INHERIT on that dir fd. Signed-off-by: Stas Sergeev CC: Eric Biederman CC: Alexander Viro CC: Christian Brauner CC: Jan Kara CC: Andy Lutomirski CC: David Laight CC: Arnd Bergmann CC: "David S. Miller" CC: Eric Dumazet CC: Jakub Kicinski CC: Paolo Abeni CC: Jens Axboe CC: Kuniyuki Iwashima CC: Pavel Begunkov CC: linux-arch@vger.kernel.org CC: netdev@vger.kernel.org CC: linux-fsdevel@vger.kernel.org CC: linux-kernel@vger.kernel.org CC: linux-api@vger.kernel.org --- fs/fcntl.c | 2 +- fs/file.c | 15 ++++++++------- include/linux/fcntl.h | 2 +- include/uapi/asm-generic/fcntl.h | 4 ++++ net/core/scm.c | 5 +++++ 5 files changed, 19 insertions(+), 9 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index 54cc85d3338e..78c96b1293c2 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -1039,7 +1039,7 @@ static int __init fcntl_init(void) * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY * is defined as O_NONBLOCK on some platforms and not on others. */ - BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ != + BUILD_BUG_ON(22 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32( (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) | __FMODE_EXEC | __FMODE_NONOTIFY)); diff --git a/fs/file.c b/fs/file.c index 3b683b9101d8..2a09d5276676 100644 --- a/fs/file.c +++ b/fs/file.c @@ -827,22 +827,23 @@ void do_close_on_exec(struct files_struct *files) /* exec unshares first */ spin_lock(&files->file_lock); for (i = 0; ; i++) { + int j; unsigned long set; unsigned fd = i * BITS_PER_LONG; fdt = files_fdtable(files); if (fd >= fdt->max_fds) break; set = fdt->close_on_exec[i]; - if (!set) - continue; fdt->close_on_exec[i] = 0; - for ( ; set ; fd++, set >>= 1) { - struct file *file; - if (!(set & 1)) - continue; - file = fdt->fd[fd]; + for (j = 0; j < BITS_PER_LONG; j++, fd++, set >>= 1) { + struct file *file = fdt->fd[fd]; if (!file) continue; + /* Close all cred-allow files. */ + if (file->f_flags & O_CRED_ALLOW) + set |= 1; + if (!(set & 1)) + continue; rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); spin_unlock(&files->file_lock); diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h index a332e79b3207..e074ee9c1e36 100644 --- a/include/linux/fcntl.h +++ b/include/linux/fcntl.h @@ -10,7 +10,7 @@ (O_RDONLY | O_WRONLY | O_RDWR | O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC | \ O_APPEND | O_NDELAY | O_NONBLOCK | __O_SYNC | O_DSYNC | \ FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \ - O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE) + O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE | O_CRED_ALLOW) /* List of all valid flags for the how->resolve argument: */ #define VALID_RESOLVE_FLAGS \ diff --git a/include/uapi/asm-generic/fcntl.h b/include/uapi/asm-generic/fcntl.h index 80f37a0d40d7..ee8c2267c516 100644 --- a/include/uapi/asm-generic/fcntl.h +++ b/include/uapi/asm-generic/fcntl.h @@ -89,6 +89,10 @@ #define __O_TMPFILE 020000000 #endif +#ifndef O_CRED_ALLOW +#define O_CRED_ALLOW 040000000 +#endif + /* a horrid kludge trying to make sure that this will fail on old kernels */ #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) diff --git a/net/core/scm.c b/net/core/scm.c index 9cd4b0a01cd6..f54fb0ee9727 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -111,6 +111,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) fput(file); return -EINVAL; } + /* don't allow files with creds */ + if (file->f_flags & O_CRED_ALLOW) { + fput(file); + return -EPERM; + } if (unix_get_socket(file)) fpl->count_unix++; From patchwork Fri Apr 26 13:33:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: stsp X-Patchwork-Id: 13644808 Received: from forward103a.mail.yandex.net (forward103a.mail.yandex.net [178.154.239.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BAEC01474DF; Fri, 26 Apr 2024 13:34:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.86 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138460; cv=none; b=JFmJGS1X3RpuekiRAx2G8RbkCgux0FDtrj6IvPFJMaCbPysaUJWuPQfrrI8KfiUd7LT/EBnPm3+18oe3SkG3OVVdQzb+WZ6sg+Pl+gAyjL9UPPCUxrJjMIu2PrPbjOjQIT5wf81Pw2kor2jCl4Xa8ndEEgr6PjzjS6G011kDlYU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714138460; c=relaxed/simple; bh=nZvMQTmrqARtQUnPBPFu3Ve70ZduHAcyHC7S7TaKEbw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=hD73tobEN7x1tqxwO1qxxdQOEYZBn5D9W4AxeUQ1/+ystI1+c+Yxy++oSsrItp7caxFbLcIv9noIfPjD9KYliVcQiB+agQFbWDerVwIJYukfg0uqOAb39EbIOsCyzTGP3eu/fUOJ4Y39dbnr6i2goWvUmJl3ib07ljbtFg4OuDo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=E1ffhLcT; arc=none smtp.client-ip=178.154.239.86 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="E1ffhLcT" Received: from mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:230c:0:640:f8e:0]) by forward103a.mail.yandex.net (Yandex) with ESMTPS id C1737608F6; Fri, 26 Apr 2024 16:34:09 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id 2YN3P0DXnmI0-8WRp0rPj; Fri, 26 Apr 2024 16:34:08 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1714138448; bh=PQrL87zyCxcvBgqIk2OLIv3fLCdiMHul6W+w6klXk6Y=; h=Cc:Message-ID:References:Date:In-Reply-To:Subject:To:From; b=E1ffhLcTFWZrSX+Ma2El3B2AWKqbH5vZPawrmS98o5BQmb8lkocxXMsnagi5Mkgr0 sXG3eaGmMdZoFcoxN3TCjo5He3ZY5gjtCR1W578ltnAQ02pEWmZggxfCAiYw19nKk3 fn837K0d7/WZjPIwT1Nhns2R4i4KIkw09rQWIRng= Authentication-Results: mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Stas Sergeev To: linux-kernel@vger.kernel.org Cc: Stas Sergeev , Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Christian Brauner , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , =?utf-8?q?C?= =?utf-8?q?hristian_G=C3=B6ttsche?= Subject: [PATCH v5 3/3] openat2: add OA2_CRED_INHERIT flag Date: Fri, 26 Apr 2024 16:33:10 +0300 Message-ID: <20240426133310.1159976-4-stsp2@yandex.ru> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240426133310.1159976-1-stsp2@yandex.ru> References: <20240426133310.1159976-1-stsp2@yandex.ru> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This flag performs the open operation with the fs credentials (fsuid, fsgid, group_info) that were in effect when dir_fd was opened. dir_fd must be opened with O_CRED_ALLOW flag for this to work. This allows the process to pre-open some directories and then change eUID (and all other UIDs/GIDs) to a less-privileged user, retaining the ability to open/create files within these directories. Design goal: The idea is to provide a very light-weight sandboxing, where the process, without the use of any heavy-weight techniques like chroot within namespaces, can restrict the access to the set of pre-opened directories. This patch is just a first step to such sandboxing. If things go well, in the future the same extension can be added to more syscalls. These should include at least unlinkat(), renameat2() and the not-yet-upstreamed setxattrat(). Security considerations: - Only the bare minimal set of credentials is overridden: fsuid, fsgid and group_info. The rest, for example capabilities, are not overridden to avoid unneeded security risks. - To avoid sandboxing escape, this patch makes sure the restricted lookup modes are used. Namely, RESOLVE_BENEATH or RESOLVE_IN_ROOT. - Magic /proc symlinks are discarded, as suggested by Andy Lutomirski - O_CRED_ALLOW fds cannot be passed via unix socket and are always closed on exec() to prevent "unsuspecting userspace" from not being able to fully drop privs. Use cases: Virtual machines that deal with untrusted code, can use that instead of a more heavy-weighted approaches. Currently the approach is being tested on a dosemu2 VM. Signed-off-by: Stas Sergeev CC: Stefan Metzmacher CC: Eric Biederman CC: Alexander Viro CC: Andy Lutomirski CC: Christian Brauner CC: Jan Kara CC: Jeff Layton CC: Chuck Lever CC: Alexander Aring CC: linux-fsdevel@vger.kernel.org CC: linux-kernel@vger.kernel.org CC: Paolo Bonzini CC: Christian Göttsche --- fs/fcntl.c | 2 ++ fs/namei.c | 56 ++++++++++++++++++++++++++++++++++-- fs/open.c | 10 ++++++- include/linux/fcntl.h | 2 ++ include/uapi/linux/openat2.h | 2 ++ 5 files changed, 69 insertions(+), 3 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index 78c96b1293c2..283c2e65fc2c 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -1043,6 +1043,8 @@ static int __init fcntl_init(void) HWEIGHT32( (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) | __FMODE_EXEC | __FMODE_NONOTIFY)); + BUILD_BUG_ON(HWEIGHT32(VALID_OPENAT2_FLAGS) != + HWEIGHT32(VALID_OPEN_FLAGS) + 1); fasync_cache = kmem_cache_create("fasync_cache", sizeof(struct fasync_struct), 0, diff --git a/fs/namei.c b/fs/namei.c index dd50345f7260..aa5dcf57851b 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3776,6 +3776,43 @@ static int do_o_path(struct nameidata *nd, unsigned flags, struct file *file) return error; } +static const struct cred *openat2_init_creds(int dfd) +{ + struct cred *cred; + struct fd f; + + if (dfd == AT_FDCWD) + return ERR_PTR(-EINVAL); + + f = fdget_raw(dfd); + if (!f.file) + return ERR_PTR(-EBADF); + + cred = ERR_PTR(-EPERM); + if (!(f.file->f_flags & O_CRED_ALLOW)) + goto done; + + cred = prepare_creds(); + if (!cred) { + cred = ERR_PTR(-ENOMEM); + goto done; + } + + cred->fsuid = f.file->f_cred->fsuid; + cred->fsgid = f.file->f_cred->fsgid; + cred->group_info = get_group_info(f.file->f_cred->group_info); + +done: + fdput(f); + return cred; +} + +static void openat2_done_creds(const struct cred *cred) +{ + put_group_info(cred->group_info); + put_cred(cred); +} + static struct file *path_openat(struct nameidata *nd, const struct open_flags *op, unsigned flags) { @@ -3793,18 +3830,33 @@ static struct file *path_openat(struct nameidata *nd, error = do_o_path(nd, flags, file); } else { const char *s; + const struct cred *old_cred = NULL, *cred = NULL; - file = alloc_empty_file(open_flags, current_cred()); - if (IS_ERR(file)) + if (open_flags & OA2_CRED_INHERIT) { + cred = openat2_init_creds(nd->dfd); + if (IS_ERR(cred)) + return ERR_CAST(cred); + } + file = alloc_empty_file(open_flags, cred ?: current_cred()); + if (IS_ERR(file)) { + if (cred) + openat2_done_creds(cred); return file; + } s = path_init(nd, flags); + if (cred) + old_cred = override_creds(cred); while (!(error = link_path_walk(s, nd)) && (s = open_last_lookups(nd, file, op)) != NULL) ; if (!error) error = do_open(nd, file, op); + if (old_cred) + revert_creds(old_cred); terminate_walk(nd); + if (cred) + openat2_done_creds(cred); } if (likely(!error)) { if (likely(file->f_mode & FMODE_OPENED)) diff --git a/fs/open.c b/fs/open.c index ee8460c83c77..dd4fab536135 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1225,7 +1225,7 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op) * values before calling build_open_flags(), but openat2(2) checks all * of its arguments. */ - if (flags & ~VALID_OPEN_FLAGS) + if (flags & ~VALID_OPENAT2_FLAGS) return -EINVAL; if (how->resolve & ~VALID_RESOLVE_FLAGS) return -EINVAL; @@ -1326,6 +1326,14 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op) lookup_flags |= LOOKUP_CACHED; } + if (flags & OA2_CRED_INHERIT) { + /* Inherit creds only with scoped look-up modes. */ + if (!(lookup_flags & LOOKUP_IS_SCOPED)) + return -EPERM; + /* Reject /proc "magic" links if inheriting creds. */ + lookup_flags |= LOOKUP_NO_MAGICLINKS; + } + op->lookup_flags = lookup_flags; return 0; } diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h index e074ee9c1e36..33b9c7ad056b 100644 --- a/include/linux/fcntl.h +++ b/include/linux/fcntl.h @@ -12,6 +12,8 @@ FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \ O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE | O_CRED_ALLOW) +#define VALID_OPENAT2_FLAGS (VALID_OPEN_FLAGS | OA2_CRED_INHERIT) + /* List of all valid flags for the how->resolve argument: */ #define VALID_RESOLVE_FLAGS \ (RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS | \ diff --git a/include/uapi/linux/openat2.h b/include/uapi/linux/openat2.h index a5feb7604948..f803558ad62f 100644 --- a/include/uapi/linux/openat2.h +++ b/include/uapi/linux/openat2.h @@ -40,4 +40,6 @@ struct open_how { return -EAGAIN if that's not possible. */ +#define OA2_CRED_INHERIT (1UL << 28) + #endif /* _UAPI_LINUX_OPENAT2_H */