From: David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
To: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Alexander Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
	Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
	"Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
	Meredydd Luff <meredydd-zPN50pYk8eUaUu29zAJCuw@public.gmane.org>,
	Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
	Jorge Lucangeli Obes <jorgelo-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Ricky Zhou <rickyz-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Lee Campbell <leecam-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Julien Tinnes <jln-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Mike Depinet <mdepinet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	James Morris <james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
	Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
	Paolo Bonzini <pbonzini-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>,
	Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
	Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org>,
	linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-arch-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	fstests-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Subject: [PATCHv4 0/3] fs: add O_BENEATH flag to openat(2)
Date: Thu, 13 Aug 2015 10:32:43 +0100
Message-ID: <1439458366-8223-1-git-send-email-drysdale@google.com>

A couple of questions with this iteration:
 - Should we create a new errno (say ENOTBENEATH) for this policing, to
   make it easier to distinguish this case from other EPERM failures?
   (The FreeBSD implementation is considering this approach.)
 - Al, does the code look OK for (in particular) integrating with the
   shiny new re-worked fs/namei.c code?

Thanks.

This change adds a new O_BENEATH flag for openat(2) which restricts the
provided path, rejecting (with -EPERM) paths that are not beneath the
provided dfd.

This functionality was originally implemented as part of the internals
of the Capsicum security framework, which is available in FreeBSD 10.x
and which has previously had a Linux kernel port proposed [1].

However, as this behaviour is potentially useful as an independent
feature, this change exposes it via an openat(2) flag. (This variant
was not originally exposed in FreeBSD, but is currently being proposed
there too [2].)

Various folks from Chrome[OS] have indicated an interest in having this
functionality -- when combined with a seccomp filter it allows a
directory to be more safely accessed by a sandboxed process. Other folk
have also expressed an interest [3].

[1] https://lkml.org/lkml/2014/7/25/426
[2] https://reviews.freebsd.org/D2808
[3] https://groups.google.com/d/msg/capnproto/sKpzanYNZmQ/T9IbJIB-rqQJ

Changes since v3:
 - Merge up to v4.2-rc6
 - Reinstate local selftests (I'll send xfstest changes separately if
   and when this is merged)
 - Pull in common selftests makefile

Changes since v2:
 - Move tests into xfstests [Dave Chinner, with thanks for feedback on
   initial version]
 - Merge up to v4.0-rc3 & latest man-pages

Changes since v1:
 - Don't needlessly duplicate flags [Al Viro]
 - Use EPERM rather than EACCES as error code [Paolo Bonzini]
 - Disallow nd_jump_link for O_BENEATH [Al Viro/Andy Lutomirski]
 - Add test of a jumped symlink (/proc/self/root)

Changes since the version included in the Capsicum v2 patchset:
 - Add tests of normal symlinks
 - Fix man-page typo
 - Update patch to 3.17

Changes from v1 to v2 of Capsicum patchset:
 - renamed O_BENEATH_ONLY to O_BENEATH [Christoph Hellwig]

David Drysdale (2):
  fs: add O_BENEATH flag to openat(2)
  selftests: Add test of O_BENEATH & openat(2)

 arch/alpha/include/uapi/asm/fcntl.h       |   1 +
 arch/parisc/include/uapi/asm/fcntl.h      |   1 +
 arch/sparc/include/uapi/asm/fcntl.h       |   1 +
 fs/fcntl.c                                |   4 +-
 fs/namei.c                                |  12 +-
 fs/open.c                                 |   4 +-
 fs/proc/base.c                            |   4 +-
 fs/proc/namespaces.c                      |   8 +-
 include/linux/namei.h                     |   3 +-
 include/uapi/asm-generic/fcntl.h          |   4 +
 tools/testing/selftests/Makefile          |   1 +
 tools/testing/selftests/openat/.gitignore |   4 +
 tools/testing/selftests/openat/Makefile   |  29 ++++
 tools/testing/selftests/openat/openat.c   | 258 ++++++++++++++++++++++++++++++
 14 files changed, 326 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/openat/.gitignore
 create mode 100644 tools/testing/selftests/openat/Makefile
 create mode 100644 tools/testing/selftests/openat/openat.c

--
1.9.1