From: Joel Becker <Joel.Becker@oracle.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Andy Lutomirski <luto@mit.edu>, jim owens <jowens@hp.com>,
jmorris@namei.org, ocfs2-devel@oss.oracle.com,
viro@zeniv.linux.org.uk, mtk.manpages@gmail.com,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [RFC] The reflink(2) system call v4.
Date: Thu, 14 May 2009 15:00:29 -0700 [thread overview]
Message-ID: <20090514220029.GB30410@mail.oracle.com> (raw)
In-Reply-To: <1242324765.21772.95.camel@localhost.localdomain>
On Thu, May 14, 2009 at 02:12:45PM -0400, Stephen Smalley wrote:
> On Wed, 2009-05-13 at 23:57 -0400, Andy Lutomirski wrote:
> > Joel Becker wrote:
> > > +
> > > +Preserving the security context of the source file obviously requires
> > > +the privilege to do so. Callers that do not own the source file and do
> > > +not have CAP_CHOWN will get a new reflink with all non-security
> > > +attributes preserved; the security context of the new reflink will be
> > > +as a newly created file by that user.
> > > +
> >
> > There are plenty of syscalls that require some privilege and fail if the
> > caller doesn't have it. But I can think of only one syscall that does
> > *something different* depending on who called it: setuid.
> >
> > Please search the web and marvel at the disasters caused by setuid's
> > magical caller-dependent behavior (the sendmail bug is probably the most
> > famous [1]). This proposal for reflink is just asking for bugs where an
> > attacker gets some otherwise privileged program to call reflink but to
> > somehow lack the privileges (CAP_CHOWN, selinux rights, or whatever) to
> > copy security attributes, thus exposing a link with the wrong permissions.
> >
> > Would it really be that hard to have two syscalls, or a flag, or
> > whatever, where one of them preserves all security attributes and
> > *fails* if the caller isn't allowed to do that and the other one makes
> > the caller own the new link?
> >
> >
> > [1] http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
>
> Yes, I agree - the selection of whether or not to preserve the security
> attributes should be an explicit part of the kernel interface. Then the
> application still has the freedom to fall back on the non-preserving
> form of the call if that is truly what it wants.
Here's my problem. Every single shell script now has to do:
ln -r source target
[ $? != 0 ] && ln -r --no-perms source target
Every single program now has to do:
if (reflink(source, target) && errno == EPERM)
reflinkat(AT_FDCWD, source, AT_FDCWD, target, 0, REFLINK_NOPERMS);
Because the 99% user wants a real snapshot, and doesn't want to have to
think about it. The could, of course, code up their own permission
checks to see which variant of reflink to call, but it's still useless
(to them) boilerplate.
Also, if the 'common' user has to use the reflinkat() call?
We've lost.
Finally, how is this safer? Don't get me wrong, I do respect
the concern - that's why I originally went with your proposal of
is_owner_or_cap(). But the fact is that if you've hijacked a process
with enough privileges, you *can* make the full reflink, and if your
hijacked process doesn't but does have read access, you *can* make the
NOPERMS reflink. So doing it with the userspace code above is identical
to the kernel code, except that every userspace program has to handle it
themselves.
Joel
--
"Vote early and vote often."
- Al Capone
Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker@oracle.com
Phone: (650) 506-8127
next prev parent reply other threads:[~2009-05-14 22:00 UTC|newest]
Thread overview: 151+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-03 6:15 [RFC] The reflink(2) system call Joel Becker
2009-05-03 6:15 ` [PATCH 1/3] fs: Document the " Joel Becker
2009-05-03 8:01 ` Christoph Hellwig
2009-05-04 2:46 ` Joel Becker
2009-05-04 6:36 ` Michael Kerrisk
2009-05-04 7:12 ` Joel Becker
2009-05-03 13:08 ` Boaz Harrosh
2009-05-03 23:08 ` Al Viro
2009-05-04 2:49 ` Joel Becker
2009-05-03 23:45 ` Theodore Tso
2009-05-04 1:44 ` Tao Ma
2009-05-04 18:25 ` Joel Becker
2009-05-04 21:18 ` [Ocfs2-devel] " Joel Becker
2009-05-04 22:23 ` Theodore Tso
2009-05-05 6:55 ` Joel Becker
2009-05-05 1:07 ` Jamie Lokier
2009-05-05 7:16 ` Joel Becker
2009-05-05 8:09 ` Andreas Dilger
2009-05-05 16:56 ` Joel Becker
2009-05-05 21:24 ` Andreas Dilger
2009-05-05 21:32 ` Joel Becker
2009-05-06 7:15 ` [Ocfs2-devel] " Theodore Tso
2009-05-06 14:24 ` jim owens
2009-05-06 14:30 ` jim owens
2009-05-06 17:50 ` jim owens
2009-05-12 19:20 ` Jamie Lokier
2009-05-12 19:30 ` Jamie Lokier
2009-05-12 19:11 ` Jamie Lokier
2009-05-12 19:37 ` jim owens
2009-05-12 20:11 ` Jamie Lokier
2009-05-05 13:01 ` Theodore Tso
2009-05-05 13:19 ` Jamie Lokier
2009-05-05 13:39 ` Chris Mason
2009-05-05 15:36 ` Jamie Lokier
2009-05-05 15:41 ` Chris Mason
2009-05-05 16:03 ` Jamie Lokier
2009-05-05 16:18 ` Chris Mason
2009-05-05 20:48 ` jim owens
2009-05-05 21:57 ` Jamie Lokier
2009-05-05 22:04 ` Joel Becker
2009-05-05 22:11 ` Jamie Lokier
2009-05-05 22:24 ` Joel Becker
2009-05-05 23:14 ` Jamie Lokier
2009-05-05 22:12 ` Jamie Lokier
2009-05-05 22:21 ` Joel Becker
2009-05-05 22:32 ` James Morris
2009-05-05 22:39 ` Joel Becker
2009-05-12 19:40 ` Jamie Lokier
2009-05-05 22:28 ` jim owens
2009-05-05 23:12 ` Jamie Lokier
2009-05-05 16:46 ` Jörn Engel
2009-05-05 16:54 ` Jörn Engel
2009-05-05 22:03 ` Jamie Lokier
2009-05-05 21:44 ` copyfile semantics Andreas Dilger
2009-05-05 21:48 ` Matthew Wilcox
2009-05-05 22:25 ` Trond Myklebust
2009-05-05 22:06 ` Jamie Lokier
2009-05-06 5:57 ` Jörn Engel
2009-05-05 14:21 ` [PATCH 1/3] fs: Document the reflink(2) system call Theodore Tso
2009-05-05 15:32 ` Jamie Lokier
2009-05-05 22:49 ` James Morris
2009-05-05 17:05 ` Joel Becker
2009-05-05 17:00 ` Joel Becker
2009-05-05 17:29 ` Theodore Tso
2009-05-05 22:36 ` Jamie Lokier
2009-05-05 22:30 ` Jamie Lokier
2009-05-05 22:37 ` Joel Becker
2009-05-05 23:08 ` jim owens
2009-05-05 13:01 ` Jamie Lokier
2009-05-05 17:09 ` Joel Becker
2009-05-03 6:15 ` [PATCH 2/3] fs: Add vfs_reflink() and the ->reflink() inode operation Joel Becker
2009-05-03 8:03 ` Christoph Hellwig
2009-05-04 2:51 ` Joel Becker
2009-05-03 6:15 ` [PATCH 3/3] fs: Add the reflink(2) system call Joel Becker
2009-05-03 6:27 ` Matthew Wilcox
2009-05-03 6:39 ` Al Viro
2009-05-03 7:48 ` Christoph Hellwig
2009-05-03 11:16 ` Al Viro
2009-05-04 2:53 ` Joel Becker
2009-05-04 2:53 ` Joel Becker
2009-05-03 8:04 ` Christoph Hellwig
2009-05-07 22:15 ` [RFC] The reflink(2) system call v2 Joel Becker
2009-05-08 1:39 ` James Morris
2009-05-08 1:49 ` Joel Becker
2009-05-08 13:01 ` Tetsuo Handa
2009-05-08 2:59 ` jim owens
2009-05-08 3:10 ` Joel Becker
2009-05-08 11:53 ` jim owens
2009-05-08 12:16 ` jim owens
2009-05-08 14:11 ` jim owens
2009-05-11 20:40 ` [RFC] The reflink(2) system call v4 Joel Becker
2009-05-11 22:27 ` James Morris
2009-05-11 22:34 ` Joel Becker
2009-05-12 1:12 ` James Morris
2009-05-12 12:18 ` Stephen Smalley
2009-05-12 17:22 ` Joel Becker
2009-05-12 17:32 ` Stephen Smalley
2009-05-12 18:03 ` Joel Becker
2009-05-12 18:04 ` Stephen Smalley
2009-05-12 18:28 ` Joel Becker
2009-05-12 18:37 ` Stephen Smalley
2009-05-14 18:06 ` Stephen Smalley
2009-05-14 18:25 ` Stephen Smalley
2009-05-14 23:25 ` James Morris
2009-05-15 11:54 ` Stephen Smalley
2009-05-15 13:35 ` James Morris
2009-05-15 15:44 ` Stephen Smalley
2009-05-13 1:47 ` Casey Schaufler
2009-05-13 16:43 ` Joel Becker
2009-05-13 17:23 ` Stephen Smalley
2009-05-13 18:27 ` Joel Becker
2009-05-12 12:01 ` Stephen Smalley
2009-05-11 23:11 ` jim owens
2009-05-11 23:42 ` Joel Becker
2009-05-12 11:31 ` Jörn Engel
2009-05-12 13:12 ` jim owens
2009-05-12 20:24 ` Jamie Lokier
2009-05-14 18:43 ` Jörn Engel
2009-05-12 15:04 ` Sage Weil
2009-05-12 15:23 ` jim owens
2009-05-12 16:16 ` Sage Weil
2009-05-12 17:45 ` jim owens
2009-05-12 20:29 ` Jamie Lokier
2009-05-12 17:28 ` Joel Becker
2009-05-13 4:30 ` Sage Weil
2009-05-14 3:57 ` Andy Lutomirski
2009-05-14 18:12 ` Stephen Smalley
2009-05-14 22:00 ` Joel Becker [this message]
2009-05-15 1:20 ` Jamie Lokier
2009-05-15 12:01 ` Stephen Smalley
2009-05-15 15:22 ` Joel Becker
2009-05-15 15:55 ` Stephen Smalley
2009-05-15 16:42 ` Joel Becker
2009-05-15 17:01 ` Shaya Potter
2009-05-15 20:53 ` [Ocfs2-devel] " Joel Becker
2009-05-18 9:17 ` Jörn Engel
2009-05-18 13:02 ` Stephen Smalley
2009-05-18 14:33 ` Stephen Smalley
2009-05-18 17:15 ` Stephen Smalley
2009-05-18 18:26 ` Joel Becker
2009-05-19 16:32 ` [Ocfs2-devel] " Sage Weil
2009-05-19 19:33 ` Jonathan Corbet
2009-05-19 20:15 ` Jamie Lokier
[not found] ` <20090519132057.419b9de0@bike.lwn.net>
[not found] ` <20090519193244.GB25521@mail.oracle.com>
2009-05-19 19:41 ` Jonathan Corbet
2009-05-28 0:24 ` [RFC] The reflink(2) system call v5 Joel Becker
2009-09-14 22:24 ` Joel Becker
2009-05-11 20:49 ` [RFC] The reflink(2) system call v2 Joel Becker
2009-05-11 22:49 ` jim owens
2009-05-11 23:46 ` Joel Becker
2009-05-12 0:54 ` Chris Mason
2009-05-12 20:36 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090514220029.GB30410@mail.oracle.com \
--to=joel.becker@oracle.com \
--cc=jmorris@namei.org \
--cc=jowens@hp.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mtk.manpages@gmail.com \
--cc=ocfs2-devel@oss.oracle.com \
--cc=sds@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).