From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D35DC00A89 for ; Fri, 30 Oct 2020 15:09:26 +0000 (UTC) Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 870D82151B for ; Fri, 30 Oct 2020 15:09:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 870D82151B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=canonical.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=containers-bounces@lists.linux-foundation.org Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id D55F687505; Fri, 30 Oct 2020 15:09:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qc1d3AKxbB1O; Fri, 30 Oct 2020 15:09:23 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by hemlock.osuosl.org (Postfix) with ESMTP id A43EA87502; Fri, 30 Oct 2020 15:09:23 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 952F9C0859; Fri, 30 Oct 2020 15:09:23 +0000 (UTC) Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id BFD28C0051 for ; Fri, 30 Oct 2020 15:09:21 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id A634887505 for ; Fri, 30 Oct 2020 15:09:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id npCYInRX+eSk for ; Fri, 30 Oct 2020 15:09:20 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by hemlock.osuosl.org (Postfix) with ESMTPS id 0402487502 for ; Fri, 30 Oct 2020 15:09:19 +0000 (UTC) Received: from mail-ua1-f69.google.com ([209.85.222.69]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kYW0Q-0001tS-UC for containers@lists.linux-foundation.org; Fri, 30 Oct 2020 15:07:55 +0000 Received: by mail-ua1-f69.google.com with SMTP id z9so817890uao.20 for ; Fri, 30 Oct 2020 08:07:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=xa7Ya7WFCD66IO3n4EspVdAVBWL69bn4xyiCQC0MCNc=; b=s7KNbKVxjYV1d0OwT6MLi6TLYYfVj664eySHaP4g1LIMmWzSnf1Cq2VlG9RQl2NW9h 1yEe0h6pRoNCMj4HB/DjTUS4rT9DEQi++wUl11rD0mn5dHJ6v9Lh2TnJ7ubet246Uhfr U2iOTUXX4m1b3G6hSaIMGOfKzmavPy7g68//picI4P7/2CQnavV6QlQ5oATHww9KfKV7 zmd6eR6tYwqDNvl2M3VTti2R0C1FAX6SweExCrqISlzvnAk5xIvNhr4VfAi5PKrAI6Th b7HU7i57HJwXxaDMV6xzbm/PbB4rg3kIiac30YreawREwIILrLrr9k2s5zXfKcYyboPH rfEw== X-Gm-Message-State: AOAM531O7ZIeJeI5I4cjtuT8NIzBykEN7w2G17AjXBHKg1Td9XgAPiAC IqhICfE4SX6r9FmN7CHNrf7YWLEab8GPYTZXVGmAFYjiVYTuUEBvR9egxwIpRuEztcLCMoY/Ww6 y8HdVryAsOKicQyOV5s4fDpeN1tSzI4ItKzZHbQrgq6vb2CepRQkPlQ== X-Received: by 2002:a9d:7f90:: with SMTP id t16mr2120457otp.231.1604070472481; Fri, 30 Oct 2020 08:07:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxrwanxbYDDJUUK4/p/rI4RmYyrOvYEAiYYd5ZsrwMuhegPWsvTXQZPd/YkhjdWXy2r86N00Q== X-Received: by 2002:a9d:7f90:: with SMTP id t16mr2120406otp.231.1604070472204; Fri, 30 Oct 2020 08:07:52 -0700 (PDT) Received: from localhost ([2605:a601:ac0f:820:f03a:863:709:f18c]) by smtp.gmail.com with ESMTPSA id d22sm1412368oij.53.2020.10.30.08.07.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Oct 2020 08:07:49 -0700 (PDT) Date: Fri, 30 Oct 2020 10:07:48 -0500 From: Seth Forshee To: "Eric W. Biederman" Subject: Re: [PATCH 00/34] fs: idmapped mounts Message-ID: <20201030150748.GA176340@ubuntu-x1> References: <20201029003252.2128653-1-christian.brauner@ubuntu.com> <87pn51ghju.fsf@x220.int.ebiederm.org> <20201029155148.5odu4j2kt62ahcxq@yavin.dot.cyphar.com> <87361xdm4c.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <87361xdm4c.fsf@x220.int.ebiederm.org> Cc: Lennart Poettering , Mimi Zohar , David Howells , Andreas Dilger , containers@lists.linux-foundation.org, Tycho Andersen , Miklos Szeredi , smbarber@chromium.org, Christoph Hellwig , linux-ext4@vger.kernel.org, Mrunal Patel , Kees Cook , Arnd Bergmann , Jann Horn , selinux@vger.kernel.org, Josh Triplett , linux-fsdevel@vger.kernel.org, Alexander Viro , Andy Lutomirski , OGAWA Hirofumi , Geoffrey Thomas , James Bottomley , John Johansen , Theodore Tso , Dmitry Kasatkin , Stephen Smalley , Jonathan Corbet , linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-api@vger.kernel.org, Casey Schaufler , Alban Crequy , linux-integrity@vger.kernel.org, Todd Kjos X-BeenThere: containers@lists.linux-foundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux Containers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: containers-bounces@lists.linux-foundation.org Sender: "Containers" On Thu, Oct 29, 2020 at 11:37:23AM -0500, Eric W. Biederman wrote: > First and foremost: A uid shift on write to a filesystem is a security > bug waiting to happen. This is especially in the context of facilities > like iouring, that play very agressive games with how process context > makes it to system calls. > > The only reason containers were not immediately exploitable when iouring > was introduced is because the mechanisms are built so that even if > something escapes containment the security properties still apply. > Changes to the uid when writing to the filesystem does not have that > property. The tiniest slip in containment will be a security issue. > > This is not even the least bit theoretical. I have seem reports of how > shitfs+overlayfs created a situation where anyone could read > /etc/shadow. This bug was the result of a complex interaction with several contributing factors. It's fair to say that one component was overlayfs writing through an id-shifted mount, but the primary cause was related to how copy-up was done coupled with allowing unprivileged overlayfs mounts in a user ns. Checks that the mounter had access to the lower fs file were not done before copying data up, and so the file was copied up temporarily to the id shifted upperdir. Even though it was immediately removed, other factors made it possible for the user to get the file contents from the upperdir. Regardless, I do think you raise a good point. We need to be wary of any place the kernel could open files through a shifted mount, especially when the open could be influenced by userspace. Perhaps kernel file opens through shifted mounts should to be opt-in. I.e. unless a flag is passed, or a different open interface used, the open will fail if the dentry being opened is subject to id shifting. This way any kernel writes which would be subject to id shifting will only happen through code which as been written to take it into account. Seth _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers