Date: Thu, 15 Nov 2018 13:26:20 -0500
From: Sasha Levin
To: Loic
Cc: stable@vger.kernel.org, s.mesoraca16@gmail.com, keescook@chromium.org, solar@openwall.com, viro@zeniv.linux.org.uk, dan.carpenter@oracle.com, akpm@linux-foundation.org, torvalds@linux-foundation.org
Subject: Re: [PATCH] namei: allow restricted O_CREAT of FIFOs and regular files
Message-ID: <20181115182620.GM95254@sasha-vm>
References: <20181023203739.c43434428c1886d87e5e86e1@opensec.fr> <20181115170549.GD95254@sasha-vm>
In-Reply-To: <20181115170549.GD95254@sasha-vm>

On Thu, Nov 15, 2018 at 12:05:49PM -0500, Sasha Levin wrote:
>On Tue, Oct 23, 2018 at 08:37:39PM +0200, Loic wrote:
>>Hello,
>>
>>Please pick up this patch for linux 4.9 and 4.14 (linux 4.4 needs a small modification).
>>Indeed, this code will be beneficial to the GNU/Linux distributions that use a longterm kernel.
>>
>>Compiled/tested without problem.
>>
>>Thanks.
>>
>>[ Upstream commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 ]
>>
>>From: Salvatore Mesoraca
>>Date: Thu, 23 Aug 2018 17:00:35 -0700
>>Subject: namei: allow restricted O_CREAT of FIFOs and regular files
>>
>>Disallows open of FIFOs or regular files not owned by the user in world
>>writable sticky directories, unless the owner is the same as that of the
>>directory or the file is opened without the O_CREAT flag. The purpose
>>is to make data spoofing attacks harder. This protection can be turned
>>on and off separately for FIFOs and regular files via sysctl, just like
>>the symlinks/hardlinks protection. This patch is based on Openwall's
>>"HARDEN_FIFO" feature by Solar Designer.
>>
>>This is a brief list of old vulnerabilities that could have been prevented
>>by this feature, some of them even allow for privilege escalation:
>>
>>CVE-2000-1134
>>CVE-2007-3852
>>CVE-2008-0525
>>CVE-2009-0416
>>CVE-2011-4834
>>CVE-2015-1838
>>CVE-2015-7442
>>CVE-2016-7489
>>
>>This list is not meant to be complete. It's difficult to track down all
>>vulnerabilities of this kind because they were often reported without any
>>mention of this particular attack vector. In fact, before
>>hardlinks/symlinks restrictions, fifos/regular files weren't the favorite
>>vehicle to exploit them.
>>
>>[s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter]
>>  Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda
>>  Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com
>>[keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future]
>>[keescook@chromium.org: adjust commit subject]
>>Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast
>>Signed-off-by: Salvatore Mesoraca
>>Signed-off-by: Kees Cook
>>Suggested-by: Solar Designer
>>Suggested-by: Kees Cook
>>Cc: Al Viro
>>Cc: Dan Carpenter
>>Signed-off-by: Andrew Morton
>>Signed-off-by: Linus Torvalds
>
>Loic, could you please sign off on this one? You did so for the other
>but not this.

Actually, you only Cc'ed yourself on the other one, you'd need to sign
off on both of them. It's fine doing it as a reply for each commit, no
need to respin the patch.

--
Thanks,
Sasha
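
The rule described in the quoted commit message, modelled in user space as an added example (not part of the original mail, the patch, or the kernel source). `sticky_policy`, `sticky_open_check` and `check_case` are hypothetical names, the two booleans stand in for the sysctl switches the message mentions, and the uids and modes are constructed sample values.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for S_ISVTX and S_IFIFO under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical switches standing in for the two sysctl toggles the commit mentions. */
struct sticky_policy { bool protect_fifos, protect_regular; };

/* User-space model of the described rule, not the kernel's code.
 * Returns 0 when the open is allowed and -EACCES when the rule refuses it. */
int sticky_open_check(const struct sticky_policy *p, const struct stat *dir,
                      const struct stat *file, uid_t opener, int flags)
{
    bool covered = (S_ISFIFO(file->st_mode) && p->protect_fifos) ||
                   (S_ISREG(file->st_mode) && p->protect_regular);

    if (!(flags & O_CREAT) || !covered)
        return 0;   /* opened without O_CREAT, or file type not protected */
    if (!(dir->st_mode & S_ISVTX) || !(dir->st_mode & S_IWOTH))
        return 0;   /* not a world-writable sticky directory */
    if (file->st_uid == opener || file->st_uid == dir->st_uid)
        return 0;   /* opener owns the file, or file owner == directory owner */
    return -EACCES;
}

/* Constructed sample input: both protections on, metadata supplied by hand. */
int check_case(mode_t dir_mode, uid_t dir_uid, mode_t file_mode,
               uid_t file_uid, uid_t opener, int flags)
{
    struct sticky_policy on = { true, true };
    struct stat dir = { 0 }, file = { 0 };

    dir.st_mode = S_IFDIR | dir_mode;  dir.st_uid = dir_uid;
    file.st_mode = file_mode;          file.st_uid = file_uid;
    return sticky_open_check(&on, &dir, &file, opener, flags);
}

int main(void)
{
    /* /tmp-like dir (uid 0, mode 1777); uid 1001 pre-created the file, uid 1000 opens it. */
    printf("O_CREAT on foreign file: %d\n",
           check_case(01777, 0, S_IFREG | 0666, 1001, 1000, O_WRONLY | O_CREAT));
    printf("same file, no O_CREAT:   %d\n",
           check_case(01777, 0, S_IFREG | 0666, 1001, 1000, O_WRONLY));
    return 0;
}
```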