linux

mirror of https://github.com/torvalds/linux synced 2024-09-06 09:51:23 +00:00

Find a file

Aleksa Sarai ab87f9a56c namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution Allow LOOKUP_BENEATH and LOOKUP_IN_ROOT to safely permit ".." resolution (in the case of LOOKUP_BENEATH the resolution will still fail if ".." resolution would resolve a path outside of the root -- while LOOKUP_IN_ROOT will chroot(2)-style scope it). Magic-link jumps are still disallowed entirely[]. As Jann explains[1,2], the need for this patch (and the original no-".." restriction) is explained by observing there is a fairly easy-to-exploit race condition with chroot(2) (and thus by extension LOOKUP_IN_ROOT and LOOKUP_BENEATH if ".." is allowed) where a rename(2) of a path can be used to "skip over" nd->root and thus escape to the filesystem above nd->root. thread1 [attacker]: for (;;) renameat2(AT_FDCWD, "/a/b/c", AT_FDCWD, "/a/d", RENAME_EXCHANGE); thread2 [victim]: for (;;) openat2(dirb, "b/c/../../etc/shadow", { .flags = O_PATH, .resolve = RESOLVE_IN_ROOT } ); With fairly significant regularity, thread2 will resolve to "/etc/shadow" rather than "/a/b/etc/shadow". There is also a similar (though somewhat more privileged) attack using MS_MOVE. With this patch, such cases will be detected during* ".." resolution and will return -EAGAIN for userspace to decide to either retry or abort the lookup. It should be noted that ".." is the weak point of chroot(2) -- walking into a subdirectory tautologically cannot result in you walking outside nd->root (except through a bind-mount or magic-link). There is also no other way for a directory's parent to change (which is the primary worry with ".." resolution here) other than a rename or MS_MOVE. The primary reason for deferring to userspace with -EAGAIN is that an in-kernel retry loop (or doing a path_is_under() check after re-taking the relevant seqlocks) can become unreasonably expensive on machines with lots of VFS activity (nfsd can cause lots of rename_lock updates). Thus it should be up to userspace how many times they wish to retry the lookup -- the selftests for this attack indicate that there is a ~35% chance of the lookup succeeding on the first try even with an attacker thrashing rename_lock. A variant of the above attack is included in the selftests for openat2(2) later in this patch series. I've run this test on several machines for several days and no instances of a breakout were detected. While this is not concrete proof that this is safe, when combined with the above argument it should lend some trustworthiness to this construction. [] It may be acceptable in the future to do a path_is_under() check for magic-links after they are resolved. However this seems unlikely to be a feature that people really* need -- it can be added later if it turns out a lot of people want it. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=oMM0vHWuLD6EULmne3R6xa53w@mail.gmail.com/ [2]: https://lore.kernel.org/lkml/CAG48ez30WJhbsro2HOc_DR7V91M+hNFzBP5ogRMZaxbAORvqzg@mail.gmail.com/ Cc: Christian Brauner <christian.brauner@ubuntu.com> Suggested-by: Jann Horn <jannh@google.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>		2019-12-08 19:09:44 -05:00
arch	ARM fixes for 5.5-rc:	2019-12-06 16:12:39 -08:00
block	block: fix memleak of bio integrity data	2019-12-05 11:38:36 -07:00
certs
crypto
Documentation	powerpc updates for 5.5 #2	2019-12-06 13:36:31 -08:00
drivers	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-08 13:28:11 -08:00
fs	namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution	2019-12-08 19:09:44 -05:00
include	namei: LOOKUP_IN_ROOT: chroot-like scoped resolution	2019-12-08 19:09:43 -05:00
init	init/Kconfig: fix indentation	2019-12-04 19:44:13 -08:00
ipc
kernel	nsfs: clean-up ns_get_path() signature to return int	2019-12-08 19:09:37 -05:00
lib	lib/: fix Kconfig indentation	2019-12-07 11:00:19 -08:00
LICENSES
mm	Merge branch 'akpm' (patches from Andrew)	2019-12-05 09:46:26 -08:00
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-08 13:28:11 -08:00
samples	samples/bpf: Fix broken xdp_rxq_info due to map order assumptions	2019-12-04 17:54:15 -08:00
scripts	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-08 13:28:11 -08:00
security	namei: allow nd_jump_link() to produce errors	2019-12-08 19:09:38 -05:00
sound	sound updates #2 for 5.5-rc1	2019-12-06 13:06:14 -08:00
tools	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-08 13:28:11 -08:00
usr	arch: sembuf.h: make uapi asm/sembuf.h self-contained	2019-12-04 19:44:14 -08:00
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore
.mailmap	Merge mainline/master into arm/fixes	2019-12-05 13:18:54 -08:00
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-08 13:28:11 -08:00
Makefile	Linux 5.5-rc1	2019-12-08 14:57:55 -08:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.