From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FSL_HELO_FAKE,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 220CFC35247 for ; Mon, 3 Feb 2020 22:16:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E364520720 for ; Mon, 3 Feb 2020 22:16:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="UT/YLhMN" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727150AbgBCWQB (ORCPT ); Mon, 3 Feb 2020 17:16:01 -0500 Received: from mail-il1-f193.google.com ([209.85.166.193]:33193 "EHLO mail-il1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726278AbgBCWQA (ORCPT ); Mon, 3 Feb 2020 17:16:00 -0500 Received: by mail-il1-f193.google.com with SMTP id s18so14089375iln.0 for ; Mon, 03 Feb 2020 14:15:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=N18s231yY+8bRBxz6jlhKscwOcWQ7ObAnQtkJ/vjaq8=; b=UT/YLhMNgCkg6m8MJUbzv2/FNS9NWOl8g+UoRsZlKp8VgBY9m8zq+rvatIR9qXvJsA 784jnT/62MmfoSkYBxWo8Kcm4imJwmk12n7gWzmkKfe4+f0cezZTgPiVZ+ni9glcjJi/ 6pXl0NAwRHduY2KI6cXBzvPE6llyBVYk5dGgofKcIA2HvZhQ5OBlxjPs4zdlYJ9uLLBB t8mw+8K1b10SDE2zkOD0sq81zKMKO5GUApEpT4lZ6OzdFFpfhQK67amA62oDy2ty6vVr IYS6Hg69b3FUHJpSe+o+khHl4JucLZvOK067pZZC6/p/Orcmyqj3htAzwVE9cUsYkrFG PL9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=N18s231yY+8bRBxz6jlhKscwOcWQ7ObAnQtkJ/vjaq8=; b=JFSurcea4FXaAMgnX1ohskAF9CGa0hTBAHf3+ybhQOxQOkKNOqoRm9KviRsejwdZc4 RKVV/cXldeuZGKyeN/DBu2dmufx/K9TtKWaqGd/za5mtJrnecCE7SEil3DXoftUG0Ei/ hBJHVeiYegGTh4xzwE/JxLAE7lUgHtqTkWIkIH+Li4aLjUE/VrbGWt3i26o4HZXlLXgM TRYfiOnKsQ9At1wzpJURTwABpBhR49z9CQBn3JbGagcvPIjNlZ5WlSjqvSxxYsDaXFrr vHt+CgNsFB8+kq5A4A0+7SocCnuQ/ogc5sFv+ooqZFHxKh5QIhhrrXyFDehWply6NYqf X3IQ== X-Gm-Message-State: APjAAAWdJLWmcWLwtU08+bG8lcgM8Z7xSsX1jl3Yg4xmqv+SRj02WVfr rF0Y1CeuqDdQ9qU751FygZuOQA== X-Google-Smtp-Source: APXvYqyj2dne19ab1rjfalZGoyo95xeVJVbOUcISZLU0CPvZuSl4lzRIXlRCEKqGWYzuYS/FRUGnUA== X-Received: by 2002:a92:4a0a:: with SMTP id m10mr17469494ilf.84.1580768159049; Mon, 03 Feb 2020 14:15:59 -0800 (PST) Received: from google.com ([2620:15c:183:200:855f:8919:84a7:4794]) by smtp.gmail.com with ESMTPSA id a21sm6017650ioh.29.2020.02.03.14.15.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Feb 2020 14:15:58 -0800 (PST) Date: Mon, 3 Feb 2020 15:15:56 -0700 From: Ross Zwisler To: Aleksa Sarai Cc: Matthew Wilcox , Ross Zwisler , linux-kernel@vger.kernel.org, Mattias Nissler , Benjamin Gordon , Raul Rangel , Micah Morton , Dmitry Torokhov , Jan Kara , David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v4] Add a "nosymfollow" mount option. Message-ID: <20200203221556.GA210383@google.com> References: <20200131002750.257358-1-zwisler@google.com> <20200131004558.GA6699@bombadil.infradead.org> <20200131015134.5ovxakcavk2x4diz@yavin.dot.cyphar.com> <20200131212021.GA108613@google.com> <20200201062744.fehlhq3jtetfcxuw@yavin.dot.cyphar.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200201062744.fehlhq3jtetfcxuw@yavin.dot.cyphar.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Feb 01, 2020 at 05:27:44PM +1100, Aleksa Sarai wrote: > On 2020-01-31, Ross Zwisler wrote: <> > > On Fri, Jan 31, 2020 at 12:51:34PM +1100, Aleksa Sarai wrote: > > If noxdev would involve a pathname traversal to make sure you don't ever leave > > mounts with noxdev set, I think this could potentially cover the use cases I'm > > worried about. This would restrict symlink traversal to files within the same > > filesystem, and would restrict traversal to both normal and bind mounts from > > within the restricted filesystem, correct? > > Yes, but it would have to block all mountpoint crossings including > bind-mounts, because the obvious way of checking for mountpoint > crossings (vfsmount comparisons) results in bind-mounts being seen as > different mounts. This is how LOOKUP_NO_XDEV works. Would this be a > show-stopped for ChromeOS? > > I personally find "noxdev" to be a semantically clearer statement of > intention ("I don't want any lookup that reaches this mount-point to > leave") than "nosymfollow" (though to be fair, this is closer in > semantics to the other "no*" mount flags). But after looking at [1] and > thinking about it for a bit, I don't really have a problem with either > solution. For ChromeOS we want to protect data both on user-provided filesystems (i.e. USB attached drives and the like) as well as on our "stateful" partition. The noxdev mount option would resolve our concerns for user-provided filesystems, but I don't think that we would be able to use it for stateful because symlinks on stateful that point elsewhere within stable are still a security risk. There is more explanation on why this is the case in [1]. Thank you for linking to that, by the way. I think our security concerns around both use cases, user-provided filesystems and the stateful partition, can be resolved in ChromeOS with the nosymfollow mount flag. Based on that, my current preference is for the 'nosymfollow' mount flag. > The only problem is that "noxdev" would probably need to be settable on > bind-mounts, and from [2] it looks like the new mount API struggles with > configuring bind-mounts. > > > > However, the underlying argument for "noxdev" was that you could use it > > > to constrain something like "tar -xf" inside a mountpoint (which could > > > -- in principle -- be a bind-mount). I'm not so sure that "nosymfollow" > > > has similar "obviously useful" applications (though I'd be happy to be > > > proven wrong). > > > > In ChromeOS we use the LSM referenced in my patch to provide a blanket > > enforcement that symlinks aren't traversed at all on user-supplied > > filesystems, which are considered untrusted. I'd essentially like to build on > > the protections offered by LOOKUP_NO_SYMLINKS and extend that protection to > > all accesses to user-supplied filesystems. > > Yeah, after writing my mail I took a look at [1] and I agree that having > a solution which helps older programs would be helpful. With openat2 and > libpathrs[3] I'm hoping to lead the charge on a "rewrite userspace" > effort, but waiting around for that to be complete probably isn't a > workable solution. ;) Sounds great. Here, I'll merge the nosymfollow patch forward with the current ToT which includes your openat2(2) changes, and we can go from there. Thanks for all the feedback. > [1]: https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal > [2]: https://lwn.net/Articles/809125/ > [3]: https://github.com/openSUSE/libpathrs