Re: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2()

From: stsp
Date: Tue May 07 2024 - 08:56:03 EST

Next message: Amelie Delaunay: "[PATCH v2 03/12] MAINTAINERS: Add entry for STM32 DMA controllers drivers and documentation"
Previous message: Vincent Guittot: "Re: [PATCH v2] sched: Consolidate cpufreq updates"
In reply to: Aleksa Sarai: "Re: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

07.05.2024 14:58, Aleksa Sarai пишет:

On 2024-05-07, stsp <stsp2@xxxxxxxxx> wrote:

07.05.2024 10:50, Aleksa Sarai пишет:

If you are a privileged process which plans to change users,

Not privileged at all. But I think what you say is still possible with
userns?

It is possible to configure MOUNT_ATTR_IDMAP in a user namespace but
there are some restrictions that I suspect will make this complicated.
If you try to do something with a regular filesystem you'll probably run
into issues because you won't have CAP_SYS_ADMIN in the super block's
userns. But you could probably do it with tmpfs.

Then its likely not a replacement for
my proposal, as I really don't need that
on tmpfs.
Perhaps right now I can use the helper
process and an rpc as a replacement.
This is much more work and is slower,
but more or less can approximate my
original design decision quite precisely.
Another disadvantage of an rpc approach
is that the fds I get from the helper
process, can not be trusted, as in this
case kernel doesn't guarantee the fd
actually refers to the resource I requested.
I've seen a few OSes where rpc is checked
by a trusted entity to avoid such problem.

A new attack I just thought of while writing this mail is that because
there is no RESOLVE_NO_XDEV requirement, it should be possible for the
process to get an arbitrary write primitive by creating a new
userns+mountns and then bind-mounting / underneath the directory.

Doesn't this need a write perm to a
directory? In his case this is not a threat,
because you are not supposed to have a
write perm to that dir. OA2_CRED_INHERIT
is the only way to write.

No, bind-mounts don't require write permission.

Oh, isn't this a problem by itself?
Yes, in this case my patch needs to
avoid RESOLVE_NO_XDEV, but I find this a harsh restriction. Maybe the bind mount was done before a priv drop? Then it is fully legitimate. Anyway, I don't know if I should work on it or not, as there seem to be no indication of a possible acceptance.

Next message: Amelie Delaunay: "[PATCH v2 03/12] MAINTAINERS: Add entry for STM32 DMA controllers drivers and documentation"
Previous message: Vincent Guittot: "Re: [PATCH v2] sched: Consolidate cpufreq updates"
In reply to: Aleksa Sarai: "Re: [PATCH v6 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]