From: Linus Torvalds
Date: Sun, 29 Dec 2019 23:34:48 -0800
Subject: Re: [PATCH RFC 1/1] mount: universally disallow mounting over symlinks
To: Aleksa Sarai
Cc: Al Viro, David Howells, Eric Biederman, stable, Christian Brauner, Serge Hallyn, dev@opencontainers.org, Linux Containers, Linux API, linux-fsdevel, Linux Kernel Mailing List

On Sun, Dec 29, 2019 at 9:21 PM Aleksa Sarai wrote:
>
> + if (d_is_symlink(mp->m_dentry) ||
> + d_is_symlink(mnt->mnt.mnt_root))
> + return -EINVAL;

So I don't hate this kind of check in general - overmounting a symlink
sounds odd, but at the same time I get the feeling that the real issue
is that something went wrong earlier.

Yeah, the mount target kind of _is_ a path, but at the same time, we
most definitely want to have the permission to really open the
directory in question, don't we, and I don't see that we should accept
an O_PATH file descriptor.

I feel like the only valid use of "O_PATH" files is to then use them
as the base for an openat() and friends (ie fchmodat/execveat() etc).

But maybe I'm completely wrong, and people really do want O_PATH
handling exactly for mounting too. It does sound a bit odd. By
definition, mounting wants permissions to the mount-point, so what's
the point of using O_PATH?

So instead of saying "don't overmount symlinks", I would feel like
it's the mount system call that should use a proper file descriptor
that isn't FMODE_PATH. Is it really the symlink that is the issue?
Because if it's the symlink that is the issue then I feel like
O_NOFOLLOW should have triggered it, but your other email seems to say
that you really need O_PATH | O_SYMLINK.

So I'm not saying that this patch is wrong, but it really smells a bit
like it's papering over the more fundamental issue.

For example, is the problem that when you do a proper

  fd = open("somepath", O_PATH);

in one process, and then another thread does

  fd = open("/proc//fd/", O_RDWR);

then we get confused and do bad things on that *second* open? Because
now the second open doesn't have O_PATH, and doesn't get marked
FMODE_PATH, but the underlying file descriptor is one of those limited
"is really only useful for openat() and friends".

I dunno. I haven't thought through the whole thing.
But the oopses you quote seem like we're really doing something wrong,
and it really does feel like your patch in no way _fixes_ the wrong
thing we're doing, it's just hiding the symptoms.

   Linus
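
Review bot: the condition returns one bare -EINVAL for two different cases, d_is_symlink(mp->m_dentry) (the mount point) and d_is_symlink(mnt->mnt.mnt_root) (the root of the mount being attached), and nothing in the hunk says why either is refused. A short comment above the if naming both cases would help, and since the subject says "universally" and stable is on Cc, the changelog should spell out which existing callers will start seeing this error.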
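
The O_PATH behaviour the message asks about can be observed from userspace. The following is an added example, not part of the original mail or of the patch under review. It assumes Linux with /proc mounted, and the struct, function and file names are its own; it does not touch mount(2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Probe results; struct and field names are this example's own. */
struct opath_probe {
    int nofollow_errno;     /* errno from open(link, O_RDONLY | O_NOFOLLOW) */
    int path_fd_is_symlink; /* O_PATH | O_NOFOLLOW fd refers to the link itself */
    int path_read_errno;    /* errno from read() on an O_PATH fd */
    int reopened_has_opath; /* O_PATH still set after the /proc reopen? */
    long reopened_read;     /* bytes read through the reopened fd */
};
/* Works on constructed files under /tmp; returns 0, or -1 if setup fails. */
int probe_opath(struct opath_probe *r)
{
    char dir[] = "/tmp/opath-demo-XXXXXX", file[64], link[64], proc[64], buf[8];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || close(fd) || symlink(file, link)) return -1;
    /* 1. O_NOFOLLOW without O_PATH refuses a trailing symlink: ELOOP. */
    r->nofollow_errno = open(link, O_RDONLY | O_NOFOLLOW) < 0 ? errno : 0;
    /* 2. With O_PATH added the open succeeds and the fd is the symlink itself. */
    int lfd = open(link, O_PATH | O_NOFOLLOW), pfd = open(file, O_PATH);
    if (lfd < 0 || pfd < 0 || fstat(lfd, &st)) return -1;
    r->path_fd_is_symlink = S_ISLNK(st.st_mode) != 0;
    /* 3. An O_PATH fd on a regular file (pfd) permits no I/O: EBADF. */
    r->path_read_errno = read(pfd, buf, sizeof buf) < 0 ? errno : 0;
    /* 4. Re-opening pfd through procfs gives an ordinary fd without O_PATH. */
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", pfd);
    int rfd = open(proc, O_RDONLY);
    if (rfd < 0) return -1;
    r->reopened_has_opath = (fcntl(rfd, F_GETFL) & O_PATH) != 0;
    r->reopened_read = (long)read(rfd, buf, sizeof buf);
    close(lfd); close(pfd); close(rfd); unlink(link); unlink(file); rmdir(dir);
    return 0;
}
int main(void)
{
    struct opath_probe r;
    if (probe_opath(&r)) return 1;
    printf("%d %d %d %d %ld\n", r.nofollow_errno, r.path_fd_is_symlink,
           r.path_read_errno, r.reopened_has_opath, r.reopened_read);
    return 0;
}
```

Steps 1 and 2 show why O_NOFOLLOW alone never produces a symlink file descriptor while O_PATH | O_NOFOLLOW does; steps 3 and 4 show the re-open through /proc yielding a descriptor that no longer carries O_PATH.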