From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F19BC4741F for ; Fri, 30 Oct 2020 15:07:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EE8E62075E for ; Fri, 30 Oct 2020 15:07:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726928AbgJ3PH6 (ORCPT ); Fri, 30 Oct 2020 11:07:58 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:44516 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726239AbgJ3PH5 (ORCPT ); Fri, 30 Oct 2020 11:07:57 -0400 Received: from mail-oo1-f72.google.com ([209.85.161.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kYW0P-0001sP-IQ for linux-security-module@vger.kernel.org; Fri, 30 Oct 2020 15:07:53 +0000 Received: by mail-oo1-f72.google.com with SMTP id w3so2945684oov.6 for ; Fri, 30 Oct 2020 08:07:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=xa7Ya7WFCD66IO3n4EspVdAVBWL69bn4xyiCQC0MCNc=; b=QfhG6CPexnY5m687x9nwnU2SHd6h5jOve2vw/vHkwiwwi83IawDIpU7AV0SpES40Am zEkHezqalSTtqr7HDGZ6rDJ0lVYjdbEWpnwHIZtehYkxM19o8aeIicrTbu1k4UJ9gokt neYxcCOcpnUQHUMYeZsFEEW/yfRr/VYfThbPW+nsc8D0sLq5DnxMqdF5sJfwFGIlpTe8 hRMK+a/AMZSZ9qzDW/1ZhluhUWNk2xK5AbKW+v5+8SSHsUzidTjuGFnQnVxEtLANH9DR PFQxn+eVlUFJoxixDS7wbsiT1OwRisDBiD9t8cdGA9PeQy+HQ1lYbyHnbrtfuGGFFtSE oB9g== X-Gm-Message-State: AOAM532dXgULNMk/oUo+TK2nlez3XtHY/VYV7dSPh37PIlnNMeVs3ySQ QpIQtPpGa/XbyUhJC4flpSSyWUQYoPUbpazdgIFwM6tH+wPBJVpgLXzdDq7WAiPcMieaLMSuaXR I57Ugl6LjyZb9Pezr12QazawBGRcjB6mbUMaqpXZIb07HzMYOSj1LOw== X-Received: by 2002:a9d:7f90:: with SMTP id t16mr2120449otp.231.1604070472479; Fri, 30 Oct 2020 08:07:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxrwanxbYDDJUUK4/p/rI4RmYyrOvYEAiYYd5ZsrwMuhegPWsvTXQZPd/YkhjdWXy2r86N00Q== X-Received: by 2002:a9d:7f90:: with SMTP id t16mr2120406otp.231.1604070472204; Fri, 30 Oct 2020 08:07:52 -0700 (PDT) Received: from localhost ([2605:a601:ac0f:820:f03a:863:709:f18c]) by smtp.gmail.com with ESMTPSA id d22sm1412368oij.53.2020.10.30.08.07.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Oct 2020 08:07:49 -0700 (PDT) Date: Fri, 30 Oct 2020 10:07:48 -0500 From: Seth Forshee To: "Eric W. Biederman" Cc: Aleksa Sarai , Christian Brauner , Alexander Viro , Christoph Hellwig , linux-fsdevel@vger.kernel.org, John Johansen , James Morris , Mimi Zohar , Dmitry Kasatkin , Stephen Smalley , Casey Schaufler , Arnd Bergmann , Andreas Dilger , OGAWA Hirofumi , Geoffrey Thomas , Mrunal Patel , Josh Triplett , Andy Lutomirski , Amir Goldstein , Miklos Szeredi , Theodore Tso , Alban Crequy , Tycho Andersen , David Howells , James Bottomley , Jann Horn , =?utf-8?B?U3TDqXBoYW5l?= Graber , Lennart Poettering , smbarber@chromium.org, Phil Estes , Serge Hallyn , Kees Cook , Todd Kjos , Jonathan Corbet , containers@lists.linux-foundation.org, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org, linux-ext4@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-audit@redhat.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org Subject: Re: [PATCH 00/34] fs: idmapped mounts Message-ID: <20201030150748.GA176340@ubuntu-x1> References: <20201029003252.2128653-1-christian.brauner@ubuntu.com> <87pn51ghju.fsf@x220.int.ebiederm.org> <20201029155148.5odu4j2kt62ahcxq@yavin.dot.cyphar.com> <87361xdm4c.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87361xdm4c.fsf@x220.int.ebiederm.org> Precedence: bulk List-ID: On Thu, Oct 29, 2020 at 11:37:23AM -0500, Eric W. Biederman wrote: > First and foremost: A uid shift on write to a filesystem is a security > bug waiting to happen. This is especially in the context of facilities > like iouring, that play very agressive games with how process context > makes it to system calls. > > The only reason containers were not immediately exploitable when iouring > was introduced is because the mechanisms are built so that even if > something escapes containment the security properties still apply. > Changes to the uid when writing to the filesystem does not have that > property. The tiniest slip in containment will be a security issue. > > This is not even the least bit theoretical. I have seem reports of how > shitfs+overlayfs created a situation where anyone could read > /etc/shadow. This bug was the result of a complex interaction with several contributing factors. It's fair to say that one component was overlayfs writing through an id-shifted mount, but the primary cause was related to how copy-up was done coupled with allowing unprivileged overlayfs mounts in a user ns. Checks that the mounter had access to the lower fs file were not done before copying data up, and so the file was copied up temporarily to the id shifted upperdir. Even though it was immediately removed, other factors made it possible for the user to get the file contents from the upperdir. Regardless, I do think you raise a good point. We need to be wary of any place the kernel could open files through a shifted mount, especially when the open could be influenced by userspace. Perhaps kernel file opens through shifted mounts should to be opt-in. I.e. unless a flag is passed, or a different open interface used, the open will fail if the dentry being opened is subject to id shifting. This way any kernel writes which would be subject to id shifting will only happen through code which as been written to take it into account. Seth