Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
	Shuah Khan <shuahkh@osg.samsung.com>, Greg KH <greg@kroah.com>,
	Naresh Kamboju <naresh.kamboju@linaro.org>,
	"open list\:KERNEL SELFTEST FRAMEWORK" 
	<linux-kselftest@vger.kernel.org>,
	"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Shuah Khan <shuah@kernel.org>
Subject: Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+
Date: Thu, 29 Jun 2017 11:26:47 -0500	[thread overview]
Message-ID: <87tw2y4v5k.fsf@xmission.com> (raw)
In-Reply-To: <CALCETrWqR2omk-mXLZ425Mp-XpRVRcGwX1CNAexBiPxzKO87vQ@mail.gmail.com> (Andy Lutomirski's message of "Thu, 29 Jun 2017 08:39:59 -0700")

Andy Lutomirski <luto@kernel.org> writes:

> On Thu, Jun 29, 2017 at 7:23 AM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>> ebiederm@xmission.com (Eric W. Biederman) writes:
>>
>>> Andy Lutomirski <luto@kernel.org> writes:
>>>>
>>>> Hi Eric-
>>>>
>>>> This is rather odd.  The selftest
>>>> (tools/testing/selftests/capabilities/test_execve), run as root, fails
>>>> on current kernels.  The failure is worked around by this:
>>>>
>>>> diff --git a/tools/testing/selftests/capabilities/test_execve.c
>>>> b/tools/testing/selftests/capabilities/test_execve.c
>>>> index 10a21a958aaf..6db60889b211 100644
>>>> --- a/tools/testing/selftests/capabilities/test_execve.c
>>>> +++ b/tools/testing/selftests/capabilities/test_execve.c
>>>> @@ -139,8 +139,8 @@ static void chdir_to_tmpfs(void)
>>>>         if (chdir(cwd) != 0)
>>>>                 err(1, "chdir to private tmpfs");
>>>>
>>>> -       if (umount2(".", MNT_DETACH) != 0)
>>>> -               err(1, "detach private tmpfs");
>>>> +//     if (umount2(".", MNT_DETACH) != 0)
>>>> +//             err(1, "detach private tmpfs");
>>>>  }
>>>>
>>>>  static void copy_fromat_to(int fromfd, const char *fromname, const
>>>> char *toname)
>>>>
>>>> I think this is due to the line:
>>>>
>>>> p->mnt_ns = NULL;
>>>>
>>>> in umount_tree().  The test is putting us into a situation in which
>>>> our cwd has ->mnt_ns = NULL, which is making it act as if it's nosuid.
>>>> I can imagine this breaking some weird user code (like my test!).  Is
>>>> it a real problem, though?
>>
>> I just wanted to follow up and say this the mnt_may_suid test appears
>> to be doing exactly what it was designed to do.
>>
>> It's goal is not to allow a suid exec from another mount namespace and
>> in this test the umount2(".", MNT_DETACH) creates a poor man's mount
>> namespace.
>>
>> So assuming that we want to not allow execing executables from other
>> mount namespaces the behavior appears to be exactly correct in this
>> case.
>
> Fair enough.  Given that the only known failure is my really wonky
> test case, I'll just fix my test.
>
> That being said, I do know of production code that uses MNT_DETACH:
> Sandstorm.  It mounts a tmpfs, opens an fd to it, and MNT_DETACHes it.
> That gives it a directory that can't be seen by its children.  Using
> mount namespaces for this would be awkward.  Admittedly, MNT_DETACH is
> a bit of an awful way to do this -- what it really wants is the
> ability to set up a mount tree that logically belongs to its mount
> namespace but isn't bound anywhere.  A couple years ago, we talked
> about adding an API for more or less that: first create a filesystem
> (i.e. superblock) and then bind it in if you want it bound.
>
> But Sandstorm still works, so this isn't a big deal.

If it proved desirable I think we could remove the check_mnt test in
mnt_may_suid.  I believe the current_in_userns check actually handles
the namespace confusion case.

At the same time using check_mnt does make it easier to think about
these things.  Which if it doesn't limit us in the real world is a plus.

Eric

next prev parent reply	other threads:[~2017-06-29 16:34 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-27  8:40 selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+ Naresh Kamboju
2017-06-27 15:13 ` Greg KH
2017-06-27 15:16   ` Greg KH
2017-06-27 15:48     ` Paul Elder
2017-06-27 23:16     ` Shuah Khan
2017-06-28  4:35       ` Kees Cook
2017-06-28 21:21         ` Andy Lutomirski
2017-06-29 14:02           ` Eric W. Biederman
2017-06-29 14:23             ` Eric W. Biederman
2017-06-29 15:39               ` Andy Lutomirski
2017-06-29 16:26                 ` Eric W. Biederman [this message]
2017-06-27 15:32 ` Shuah Khan
2017-06-27 15:40   ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tw2y4v5k.fsf@xmission.com \
    --to=ebiederm@xmission.com \
    --cc=greg@kroah.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=naresh.kamboju@linaro.org \
    --cc=shuah@kernel.org \
    --cc=shuahkh@osg.samsung.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.