From: Aleksa Sarai <cyphar@cyphar.com>
To: Christian Brauner <christian@brauner.io>
Cc: Jann Horn <jannh@google.com>, Al Viro <viro@zeniv.linux.org.uk>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andy Lutomirski <luto@kernel.org>,
jlayton@kernel.org, Bruce Fields <bfields@fieldses.org>,
Arnd Bergmann <arnd@arndb.de>,
shuah@kernel.org, David Howells <dhowells@redhat.com>,
Tycho Andersen <tycho@tycho.ws>,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-kselftest@vger.kernel.org, dev@opencontainers.org,
containers@lists.linux-foundation.org
Subject: Re: [PATCH 1/3] namei: implement O_BENEATH-style AT_* flags
Date: Tue, 2 Oct 2018 02:04:31 +1000 [thread overview]
Message-ID: <20181001160431.emb6b2hf32b754cl@ryuk> (raw)
In-Reply-To: <20181001130038.s5ztphs3pl2zt3ut@brauner.io>
[-- Attachment #1: Type: text/plain, Size: 2409 bytes --]
On 2018-10-01, Christian Brauner <christian@brauner.io> wrote:
> On Mon, Oct 01, 2018 at 02:28:03PM +0200, Jann Horn wrote:
> > On Sat, Sep 29, 2018 at 4:28 PM Aleksa Sarai <cyphar@cyphar.com> wrote:
> > > * AT_BENEATH: Disallow ".." or absolute paths (either in the path or
> > > found during symlink resolution) to escape the starting point of name
> > > resolution, though ".." is permitted in cases like "foo/../bar".
> > > Relative symlinks are still allowed (as long as they don't escape the
> > > starting point).
> >
> > As I said on the other thread, I would strongly prefer an API that
> > behaves along the lines of David Drysdale's old patch
> > https://lore.kernel.org/lkml/1439458366-8223-2-git-send-email-drysdale@google.com/
> > : Forbid any use of "..". This would also be more straightforward to
> > implement safely. If that doesn't work for you, I would like it if you
> > could at least make that an option. I would like it if this API could
> > mitigate straightforward directory traversal bugs such as
> > https://bugs.chromium.org/p/project-zero/issues/detail?id=1583, where
> > a confused deputy attempts to access a path like
> > "/mnt/media_rw/../../data" while intending to access a directory under
> > "/mnt/media_rw".
>
> Oh, the semantics for this changed in this patchset, hah. I was still on
> vacation so didn't get to look at it before it was sent out. From prior
> discussion I remember that the original intention actual was what you
> argue for. And the patchset should be as tight as possible. Having
> special cases where ".." is allowed just sounds like an invitation for
> userspace to get it wrong.
> Aleksa, did you have a specific use-case in mind that made you change
> this or was it already present in an earlier iteration of the patchset
> by someone else?
Al's original patchset allowed "..". A quick survey of my machine shows
that there are 100k symlinks that contain ".." (~37% of all symlinks on
my machine). This indicates to me that you would be restricting a large
amount of reasonable resolutions because of this restriction.
I posted a proposed way to protect against ".." shenanigans. If it's
turns out this is not possible, I'm okay with disallowing ".." (assuming
Al is also okay with that).
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: cyphar at cyphar.com (Aleksa Sarai)
Subject: [PATCH 1/3] namei: implement O_BENEATH-style AT_* flags
Date: Tue, 2 Oct 2018 02:04:31 +1000 [thread overview]
Message-ID: <20181001160431.emb6b2hf32b754cl@ryuk> (raw)
In-Reply-To: <20181001130038.s5ztphs3pl2zt3ut@brauner.io>
On 2018-10-01, Christian Brauner <christian at brauner.io> wrote:
> On Mon, Oct 01, 2018 at 02:28:03PM +0200, Jann Horn wrote:
> > On Sat, Sep 29, 2018 at 4:28 PM Aleksa Sarai <cyphar at cyphar.com> wrote:
> > > * AT_BENEATH: Disallow ".." or absolute paths (either in the path or
> > > found during symlink resolution) to escape the starting point of name
> > > resolution, though ".." is permitted in cases like "foo/../bar".
> > > Relative symlinks are still allowed (as long as they don't escape the
> > > starting point).
> >
> > As I said on the other thread, I would strongly prefer an API that
> > behaves along the lines of David Drysdale's old patch
> > https://lore.kernel.org/lkml/1439458366-8223-2-git-send-email-drysdale at google.com/
> > : Forbid any use of "..". This would also be more straightforward to
> > implement safely. If that doesn't work for you, I would like it if you
> > could at least make that an option. I would like it if this API could
> > mitigate straightforward directory traversal bugs such as
> > https://bugs.chromium.org/p/project-zero/issues/detail?id=1583, where
> > a confused deputy attempts to access a path like
> > "/mnt/media_rw/../../data" while intending to access a directory under
> > "/mnt/media_rw".
>
> Oh, the semantics for this changed in this patchset, hah. I was still on
> vacation so didn't get to look at it before it was sent out. From prior
> discussion I remember that the original intention actual was what you
> argue for. And the patchset should be as tight as possible. Having
> special cases where ".." is allowed just sounds like an invitation for
> userspace to get it wrong.
> Aleksa, did you have a specific use-case in mind that made you change
> this or was it already present in an earlier iteration of the patchset
> by someone else?
Al's original patchset allowed "..". A quick survey of my machine shows
that there are 100k symlinks that contain ".." (~37% of all symlinks on
my machine). This indicates to me that you would be restricting a large
amount of reasonable resolutions because of this restriction.
I posted a proposed way to protect against ".." shenanigans. If it's
turns out this is not possible, I'm okay with disallowing ".." (assuming
Al is also okay with that).
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linaro.org/pipermail/linux-kselftest-mirror/attachments/20181002/3234394a/attachment.sig>
WARNING: multiple messages have this Message-ID (diff)
From: cyphar@cyphar.com (Aleksa Sarai)
Subject: [PATCH 1/3] namei: implement O_BENEATH-style AT_* flags
Date: Tue, 2 Oct 2018 02:04:31 +1000 [thread overview]
Message-ID: <20181001160431.emb6b2hf32b754cl@ryuk> (raw)
Message-ID: <20181001160431.oPuQ-pOdIHuyWiQRf9HhZtccYmxK7iR_4LFdkDfALvc@z> (raw)
In-Reply-To: <20181001130038.s5ztphs3pl2zt3ut@brauner.io>
On 2018-10-01, Christian Brauner <christian@brauner.io> wrote:
> On Mon, Oct 01, 2018@02:28:03PM +0200, Jann Horn wrote:
> > On Sat, Sep 29, 2018@4:28 PM Aleksa Sarai <cyphar@cyphar.com> wrote:
> > > * AT_BENEATH: Disallow ".." or absolute paths (either in the path or
> > > found during symlink resolution) to escape the starting point of name
> > > resolution, though ".." is permitted in cases like "foo/../bar".
> > > Relative symlinks are still allowed (as long as they don't escape the
> > > starting point).
> >
> > As I said on the other thread, I would strongly prefer an API that
> > behaves along the lines of David Drysdale's old patch
> > https://lore.kernel.org/lkml/1439458366-8223-2-git-send-email-drysdale at google.com/
> > : Forbid any use of "..". This would also be more straightforward to
> > implement safely. If that doesn't work for you, I would like it if you
> > could at least make that an option. I would like it if this API could
> > mitigate straightforward directory traversal bugs such as
> > https://bugs.chromium.org/p/project-zero/issues/detail?id=1583, where
> > a confused deputy attempts to access a path like
> > "/mnt/media_rw/../../data" while intending to access a directory under
> > "/mnt/media_rw".
>
> Oh, the semantics for this changed in this patchset, hah. I was still on
> vacation so didn't get to look at it before it was sent out. From prior
> discussion I remember that the original intention actual was what you
> argue for. And the patchset should be as tight as possible. Having
> special cases where ".." is allowed just sounds like an invitation for
> userspace to get it wrong.
> Aleksa, did you have a specific use-case in mind that made you change
> this or was it already present in an earlier iteration of the patchset
> by someone else?
Al's original patchset allowed "..". A quick survey of my machine shows
that there are 100k symlinks that contain ".." (~37% of all symlinks on
my machine). This indicates to me that you would be restricting a large
amount of reasonable resolutions because of this restriction.
I posted a proposed way to protect against ".." shenanigans. If it's
turns out this is not possible, I'm okay with disallowing ".." (assuming
Al is also okay with that).
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linaro.org/pipermail/linux-kselftest-mirror/attachments/20181002/3234394a/attachment.sig>
next prev parent reply other threads:[~2018-10-01 16:04 UTC|newest]
Thread overview: 161+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-29 10:34 [PATCH 0/3] namei: implement various scoping AT_* flags Aleksa Sarai
2018-09-29 10:34 ` Aleksa Sarai
2018-09-29 10:34 ` cyphar
2018-09-29 10:34 ` [PATCH 1/3] namei: implement O_BENEATH-style " Aleksa Sarai
2018-09-29 10:34 ` Aleksa Sarai
2018-09-29 10:34 ` cyphar
2018-09-29 14:48 ` Christian Brauner
2018-09-29 14:48 ` Christian Brauner
2018-09-29 14:48 ` christian
2018-09-29 15:34 ` Aleksa Sarai
2018-09-29 15:34 ` Aleksa Sarai
2018-09-29 15:34 ` cyphar
2018-09-30 4:38 ` Aleksa Sarai
2018-09-30 4:38 ` Aleksa Sarai
2018-09-30 4:38 ` cyphar
2018-10-01 12:28 ` Jann Horn
2018-10-01 12:28 ` Jann Horn
2018-10-01 12:28 ` jannh
2018-10-01 13:00 ` Christian Brauner
2018-10-01 13:00 ` Christian Brauner
2018-10-01 13:00 ` christian
2018-10-01 16:04 ` Aleksa Sarai [this message]
2018-10-01 16:04 ` Aleksa Sarai
2018-10-01 16:04 ` cyphar
2018-10-04 17:20 ` Christian Brauner
2018-10-04 17:20 ` Christian Brauner
2018-10-04 17:20 ` christian
2018-09-29 13:15 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Aleksa Sarai
2018-09-29 13:15 ` Aleksa Sarai
2018-09-29 13:15 ` cyphar
2018-09-29 13:15 ` [PATCH 3/3] selftests: vfs: add AT_* path resolution tests Aleksa Sarai
2018-09-29 13:15 ` Aleksa Sarai
2018-09-29 13:15 ` cyphar
2018-09-29 16:35 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Jann Horn
2018-09-29 16:35 ` Jann Horn
2018-09-29 16:35 ` jannh
2018-09-29 17:25 ` Andy Lutomirski
2018-09-29 17:25 ` Andy Lutomirski
2018-09-29 17:25 ` luto
2018-10-01 9:46 ` Aleksa Sarai
2018-10-01 9:46 ` Aleksa Sarai
2018-10-01 9:46 ` cyphar
2018-10-01 5:44 ` Aleksa Sarai
2018-10-01 5:44 ` Aleksa Sarai
2018-10-01 5:44 ` cyphar
2018-10-01 10:13 ` Jann Horn
2018-10-01 10:13 ` Jann Horn
2018-10-01 10:13 ` jannh
2018-10-01 16:18 ` Aleksa Sarai
2018-10-01 16:18 ` Aleksa Sarai
2018-10-01 16:18 ` cyphar
2018-10-04 17:27 ` Christian Brauner
2018-10-04 17:27 ` Christian Brauner
2018-10-04 17:27 ` christian
2018-10-01 10:42 ` Christian Brauner
2018-10-01 10:42 ` Christian Brauner
2018-10-01 10:42 ` christian
2018-10-01 11:29 ` Jann Horn
2018-10-01 11:29 ` Jann Horn
2018-10-01 11:29 ` jannh
2018-10-01 12:35 ` Christian Brauner
2018-10-01 12:35 ` Christian Brauner
2018-10-01 12:35 ` christian
2018-10-01 13:55 ` Bruce Fields
2018-10-01 13:55 ` Bruce Fields
2018-10-01 13:55 ` bfields
2018-10-01 14:28 ` Andy Lutomirski
2018-10-01 14:28 ` Andy Lutomirski
2018-10-01 14:28 ` luto
2018-10-02 7:32 ` Aleksa Sarai
2018-10-02 7:32 ` Aleksa Sarai
2018-10-02 7:32 ` cyphar
2018-10-03 22:09 ` Andy Lutomirski
2018-10-03 22:09 ` Andy Lutomirski
2018-10-03 22:09 ` luto
2018-10-06 20:56 ` Florian Weimer
2018-10-06 20:56 ` Florian Weimer
2018-10-06 20:56 ` fw
2018-10-06 21:49 ` Christian Brauner
2018-10-06 21:49 ` Christian Brauner
2018-10-06 21:49 ` christian
2018-10-01 14:00 ` Christian Brauner
2018-10-01 14:00 ` Christian Brauner
2018-10-01 14:00 ` christian
2018-10-04 16:26 ` Aleksa Sarai
2018-10-04 16:26 ` Aleksa Sarai
2018-10-04 16:26 ` cyphar
2018-10-04 17:31 ` Christian Brauner
2018-10-04 17:31 ` Christian Brauner
2018-10-04 17:31 ` christian
2018-10-04 18:26 ` Jann Horn
2018-10-04 18:26 ` Jann Horn
2018-10-04 18:26 ` jannh
2018-10-05 15:07 ` Aleksa Sarai
2018-10-05 15:07 ` Aleksa Sarai
2018-10-05 15:07 ` cyphar
2018-10-05 15:55 ` Jann Horn
2018-10-05 15:55 ` Jann Horn
2018-10-05 15:55 ` jannh
2018-10-06 2:10 ` Aleksa Sarai
2018-10-06 2:10 ` Aleksa Sarai
2018-10-06 2:10 ` cyphar
2018-10-08 10:50 ` Jann Horn
2018-10-08 10:50 ` Jann Horn
2018-10-08 10:50 ` jannh
2018-09-29 14:25 ` [PATCH 0/3] namei: implement various scoping AT_* flags Andy Lutomirski
2018-09-29 14:25 ` Andy Lutomirski
2018-09-29 14:25 ` luto
2018-09-29 15:45 ` Aleksa Sarai
2018-09-29 15:45 ` Aleksa Sarai
2018-09-29 15:45 ` cyphar
2018-09-29 16:34 ` Andy Lutomirski
2018-09-29 16:34 ` Andy Lutomirski
2018-09-29 16:34 ` luto
2018-09-29 19:44 ` Matthew Wilcox
2018-09-29 19:44 ` Matthew Wilcox
2018-09-29 19:44 ` willy
2018-09-29 14:38 ` Christian Brauner
2018-09-29 14:38 ` Christian Brauner
2018-09-29 14:38 ` christian
2018-09-30 4:44 ` Aleksa Sarai
2018-09-30 4:44 ` Aleksa Sarai
2018-09-30 4:44 ` cyphar
2018-09-30 13:54 ` Alban Crequy
2018-09-30 13:54 ` Alban Crequy
2018-09-30 13:54 ` alban
2018-09-30 14:02 ` Christian Brauner
2018-09-30 14:02 ` Christian Brauner
2018-09-30 14:02 ` christian
2018-09-30 19:45 ` Mickaël Salaün
2018-09-30 19:45 ` Mickaël Salaün
2018-09-30 19:45 ` Mickaël Salaün
2018-09-30 19:45 `
2018-09-30 21:46 ` Jann Horn
2018-09-30 21:46 ` Jann Horn
2018-09-30 21:46 ` Jann Horn
2018-09-30 21:46 ` jannh
2018-09-30 22:37 ` Mickaël Salaün
2018-09-30 22:37 ` Mickaël Salaün
2018-09-30 22:37 `
2018-10-01 20:14 ` James Morris
2018-10-01 20:14 ` James Morris
2018-10-01 20:14 ` jmorris
2018-10-01 4:08 ` Dave Chinner
2018-10-01 4:08 ` Dave Chinner
2018-10-01 4:08 ` david
2018-10-01 5:47 ` Aleksa Sarai
2018-10-01 5:47 ` Aleksa Sarai
2018-10-01 5:47 ` cyphar
2018-10-01 6:14 ` Dave Chinner
2018-10-01 6:14 ` Dave Chinner
2018-10-01 6:14 ` david
2018-10-01 13:28 ` David Laight
2018-10-01 13:28 ` David Laight
2018-10-01 13:28 ` David.Laight
2018-10-01 16:15 ` Aleksa Sarai
2018-10-01 16:15 ` Aleksa Sarai
2018-10-01 16:15 ` cyphar
2018-10-03 13:21 ` David Laight
2018-10-03 13:21 ` David Laight
2018-10-03 13:21 ` David.Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181001160431.emb6b2hf32b754cl@ryuk \
--to=cyphar@cyphar.com \
--cc=arnd@arndb.de \
--cc=bfields@fieldses.org \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=dev@opencontainers.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@kernel.org \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.