From: Greg Kurz <groug@kaod.org>
To: Akihiko Odaki <akihiko.odaki@gmail.com>
Cc: Michael Roitzsch <reactorcontrol@icloud.com>,
Christian Schoenebeck <qemu_oss@crudebyte.com>,
qemu-devel@nongnu.org, qemu-stable@nongnu.org,
Keno Fischer <keno@juliacomputing.com>,
Will Cohen <wwcohen@gmail.com>
Subject: Re: [PATCH v2 2/5] 9pfs: fix qemu_mknodat(S_IFSOCK) on macOS
Date: Wed, 27 Apr 2022 12:18:10 +0200 [thread overview]
Message-ID: <20220427121810.15783101@bahia> (raw)
In-Reply-To: <26d489bd-90c5-5b92-309b-4e07c83ec778@gmail.com>
On Wed, 27 Apr 2022 11:27:28 +0900
Akihiko Odaki <akihiko.odaki@gmail.com> wrote:
> On 2022/04/26 21:38, Greg Kurz wrote:
[..skip..]
> >
> > I think Christian's explanation is clear enough. We don't guarantee
> > that v9fs_co_foo() calls run atomically. As a consequence, the client
> > might see transient states or be able to interact with an ongoing
> > request. And to answer your question, we have no specific rationale
> > on security with that.
> >
> > I'm not sure what the concerns are but unless you come up with a
> > valid scenario [*] I don't see any reason to prevent this patch
> > to go forward.
> >
> > [*] things like:
> > - client escaping the shared directory
> > - QEMU crashing
> > - QEMU hogging host resources
> > - client-side unprivileged user gaining elevated privleges
> > in the guest
>
> I was just not sure if such transient states are safe. The past
> discussion was about the length of the non-atomic time window where a
> path name is used to identify a particular file, but if such states are
> not considered problematic, the length does not matter all and we can
> confidently say the sequence of bind() and chmod() is safe.
>
> Considering the transient states are tolerated in 9pfs, we need to
> design this function to be tolerant with transient states as well. The
> use of chmod() is not safe when we consider about transient states. A
> malicious actor may replace the file at the path with a symlink which
> may escape the shared directory and chmod() will naively follow it.
You get a point here. Thanks for your tenacity ! :-)
> chmod() should be replaced with fchmodat_nofollow() or something similar.
>
On a GNU/Linux system, this could be achieved by calling fchmod() on
the socket fd *before* calling bind() but I'm afraid this hack might
not work with a BSDish OS.
Replacing chmod() with fchmodat_nofollow(dirfd, addr.sun_path, mode)
won't make things atomic as above but at least it won't follow a
malicious symbolic link : mknod() on the client will fail with
ELOOP, which is fine when it comes to not breaking out of the shared
directory.
This brings up a new problem I hadn't realized before : the
fchmodat_nofollow() implementation in 9p-local.c is really
a linux only thing to cope with AT_SYMLINK_NOFOLLOW not being
supported with fchmodat(). It looks that this should move to
9p-util-linux.c and a proper version should be added for macOS
in 9p-util-darwin.c
Cheers,
--
Greg
> Regards,
> Akihiko Odaki
>
> >
> > Cheers,
> >
> > --
> > Greg
> >
> >> Regards,
> >> Akihiko Odaki
> >
>
next prev parent reply other threads:[~2022-04-27 10:38 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-21 15:08 [PATCH v2 0/5] 9pfs: macOS host fixes Christian Schoenebeck
2022-04-21 15:07 ` [PATCH v2 1/5] 9pfs: fix qemu_mknodat(S_IFREG) on macOS Christian Schoenebeck
2022-04-21 16:32 ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 2/5] 9pfs: fix qemu_mknodat(S_IFSOCK) " Christian Schoenebeck
2022-04-21 16:36 ` Greg Kurz
2022-04-21 17:29 ` Christian Schoenebeck
2022-04-22 2:43 ` Akihiko Odaki
2022-04-22 14:06 ` Christian Schoenebeck
2022-04-23 4:33 ` Akihiko Odaki
2022-04-24 18:45 ` Christian Schoenebeck
2022-04-26 3:57 ` Akihiko Odaki
2022-04-26 12:38 ` Greg Kurz
2022-04-27 2:27 ` Akihiko Odaki
2022-04-27 10:18 ` Greg Kurz [this message]
2022-04-27 12:32 ` Christian Schoenebeck
2022-04-27 13:31 ` Greg Kurz
2022-04-27 16:18 ` Christian Schoenebeck
2022-04-27 17:12 ` Will Cohen
2022-04-27 18:16 ` Christian Schoenebeck
2022-04-27 17:37 ` Greg Kurz
2022-04-27 18:36 ` Christian Schoenebeck
2022-04-21 15:07 ` [PATCH v2 3/5] 9pfs: fix wrong encoding of rdev field in Rgetattr " Christian Schoenebeck
2022-04-21 16:39 ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 4/5] 9pfs: fix wrong errno being sent to Linux client on macOS host Christian Schoenebeck
2022-04-21 16:39 ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 5/5] 9pfs: fix removing non-existent POSIX ACL xattr " Christian Schoenebeck
2022-04-21 16:40 ` Greg Kurz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220427121810.15783101@bahia \
--to=groug@kaod.org \
--cc=akihiko.odaki@gmail.com \
--cc=keno@juliacomputing.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=qemu_oss@crudebyte.com \
--cc=reactorcontrol@icloud.com \
--cc=wwcohen@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).