Re: [PATCH v14 2/6] namei: LOOKUP_IN_ROOT: chroot-like path resolution

2019-10-24 Thread Aleksa Sarai
On 2019-10-12, Aleksa Sarai wrote: > On 2019-10-12, Aleksa Sarai wrote: > > On 2019-10-10, Linus Torvalds wrote: > > > On Wed, Oct 9, 2019 at 10:42 PM Aleksa Sarai wrote: > > > > > > > > --- a/fs/namei.c > > > > +++ b/fs/namei.c >

[PATCH RESEND v14 0/6] open: introduce openat2(2) syscall

2019-10-26 Thread Aleksa Sarai
- sions. However, if a userspace program wishes to determine what extensions the running kernel supports, they may conduct a binary search on size (to find the largest value which doesn't produce an error of E2BIG.) SEE ALSO openat(2), path_resolution(7), syml

[PATCH RESEND v14 1/6] namei: O_BENEATH-style resolution restriction flags

2019-10-26 Thread Aleksa Sarai
d-email-drysd...@google.com/ [3]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ [4]: https://lwn.net/Articles/723057/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signe

[PATCH RESEND v14 2/6] namei: LOOKUP_IN_ROOT: chroot-like path resolution

2019-10-26 Thread Aleksa Sarai
iour regarding pathnames -- if the pathname is absolute then the dirfd is still used as the root of resolution if LOOKUP_IN_ROOT is specified (this is to avoid obvious foot-guns, at the cost of a minor API inconsistency). Signed-off-by: Aleksa Sarai --- fs/namei.c| 5 + include/

[PATCH RESEND v14 3/6] namei: permit ".." resolution with LOOKUP_{IN_ROOT, BENEATH}

2019-10-26 Thread Aleksa Sarai
nstruction. [*] It may be acceptable in the future to do a path_is_under() check (as with the alternative solution for "..") for magic-links after they are resolved. However this seems unlikely to be a feature that people *really* need -- it can be added later if it turns o

[PATCH RESEND v14 4/6] open: introduce openat2(2) syscall

2019-10-26 Thread Aleksa Sarai
s://sourceware.org/bugzilla/show_bug.cgi?id=17523 [4]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai --- CREDITS | 4 +- arch/alpha/kernel/syscalls/syscall.tbl | 1 + a

[PATCH RESEND v14 5/6] selftests: add openat2(2) selftests

2019-10-26 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftests/openat2

[PATCH RESEND v14 6/6] Documentation: path-lookup: mention LOOKUP_MAGICLINK_JUMPED

2019-10-26 Thread Aleksa Sarai
Now that we have a special flag to signify magic-link jumps, mention it within the path-lookup docs. And now that "magic link" is the correct term for nd_jump_link()-style symlinks, clean up references to this type of "symlink". Signed-off-by: Aleksa Sarai --- Documentat

Re: [PATCH RESEND v14 2/6] namei: LOOKUP_IN_ROOT: chroot-like path resolution

2019-10-27 Thread Aleksa Sarai
On 2019-10-27, Linus Torvalds wrote: > On Sat, Oct 26, 2019 at 2:58 PM Aleksa Sarai wrote: > > > > + /* LOOKUP_IN_ROOT treats absolute paths as being relative-to-dirfd. > > */ > > + if (flags & LOOKUP_IN_ROOT) > > + while (*s

[PATCH v15 0/9] open: introduce openat2(2) syscall

2019-11-05 Thread Aleksa Sarai
en- sions. However, if a userspace program wishes to determine what extensions the running kernel supports, they may conduct a binary search on size (to find the largest value which doesn't produce an error of E2BIG.) SEE ALSO openat(2), path_resolution(

[PATCH v15 1/9] namei: LOOKUP_NO_SYMLINKS: block symlink resolution

2019-11-05 Thread Aleksa Sarai
l.org/lkml/1415094884-18349-1-git-send-email-drysd...@google.com/ [4]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ Cc: Christian Brauner Suggested-by: Al Viro Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 3 +++ inc

[PATCH v15 2/9] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution

2019-11-05 Thread Aleksa Sarai
y: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 7 ++- include/linux/namei.h | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 4e85d6fa4048..1f0d871199e5 100644 ---

[PATCH v15 3/9] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-05 Thread Aleksa Sarai
inus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 34 ++ include/linux/namei.h | 1 + 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 1f0d871199e5..b73ee1601bd4 100644 --- a/fs/namei.c +++ b/fs

[PATCH v15 4/9] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-05 Thread Aleksa Sarai
mail-drysd...@google.com/ [6]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds

[PATCH v15 5/9] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-05 Thread Aleksa Sarai
if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sar

[PATCH v15 6/9] namei: LOOKUP_{IN_ROOT, BENEATH}: permit limited ".." resolution

2019-11-05 Thread Aleksa Sarai
ns out a lot of people want it. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ [2]: https://lore.kernel.org/lkml/cag48ez30wjhbsro2hoc_dr7v91m+hnfzbp5ogrmzaxbaorv...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: Jann Horn Sugge

[PATCH v15 8/9] selftests: add openat2(2) selftests

2019-11-05 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Cc: Shuah Khan Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftes

[PATCH v15 7/9] open: introduce openat2(2) syscall

2019-11-05 Thread Aleksa Sarai
.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai ---

[PATCH v15 9/9] Documentation: path-lookup: mention LOOKUP_MAGICLINK_JUMPED

2019-11-05 Thread Aleksa Sarai
Now that we have a special flag to signify magic-link jumps, mention it within the path-lookup docs. And now that "magic link" is the correct term for nd_jump_link()-style symlinks, clean up references to this type of "symlink". Signed-off-by: Aleksa Sarai --- Documentat

Re: [PATCH v15 0/9] open: introduce openat2(2) syscall

2019-11-11 Thread Aleksa Sarai
On 2019-11-05, Aleksa Sarai wrote: > This patchset is being developed here: > <https://github.com/cyphar/linux/tree/openat2/master> > > Patch changelog: > v15: > * Fix code style for LOOKUP_IN_ROOT handling in path_init(). [Linus > Torvalds] > * Split o

Re: [PATCH v15 0/9] open: introduce openat2(2) syscall

2019-11-12 Thread Aleksa Sarai
On 2019-11-12, Kees Cook wrote: > On Tue, Nov 12, 2019 at 12:24:04AM +1100, Aleksa Sarai wrote: > > On 2019-11-05, Aleksa Sarai wrote: > > > This patchset is being developed here: > > > <https://github.com/cyphar/linux/tree/openat2/master> > >

Re: [PATCH v15 7/9] open: introduce openat2(2) syscall

2019-11-12 Thread Aleksa Sarai
On 2019-11-13, Al Viro wrote: > On Tue, Nov 05, 2019 at 08:05:51PM +1100, Aleksa Sarai wrote: > > +/* > > + * Arguments for how openat2(2) should open the target path. If @resolve is > > + * zero, then openat2(2) operates very similarly to openat(2). > > + * >

Re: [PATCH v15 5/9] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-12 Thread Aleksa Sarai
On 2019-11-13, Al Viro wrote: > On Tue, Nov 05, 2019 at 08:05:49PM +1100, Aleksa Sarai wrote: > > > @@ -2277,12 +2277,20 @@ static const char *path_init(struct nameidata *nd, > > unsigned flags) > > > > nd->m_seq = read_seqbegin(&mount_lock); > >

Re: [PATCH v15 5/9] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-12 Thread Aleksa Sarai
On 2019-11-13, Al Viro wrote: > On Wed, Nov 13, 2019 at 01:44:14PM +1100, Aleksa Sarai wrote: > > On 2019-11-13, Al Viro wrote: > > > On Tue, Nov 05, 2019 at 08:05:49PM +1100, Aleksa Sarai wrote: > > > > > > > @@ -2277,12 +2277,20 @@ static const char *

Re: [PATCH v15 4/9] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-12 Thread Aleksa Sarai
CHILD -- though it's not clear to me how likely a success would be in REF-walk if the parent components didn't already trigger an unlazy_walk() in RCU-walk. I guess that also means LOOKUP_NO_XDEV should trigger -ECHILD in follow_dotdot_rcu()? -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>

Re: [PATCH v15 6/9] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution

2019-11-12 Thread Aleksa Sarai
On 2019-11-13, Al Viro wrote: > On Tue, Nov 05, 2019 at 08:05:50PM +1100, Aleksa Sarai wrote: > > > One other possible alternative (which previous versions of this patch > > used) would be to check with path_is_under() if there was a racing > > rename or mount (afte

Re: [PATCH v15 3/9] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-13 Thread Aleksa Sarai
On 2019-11-13, Al Viro wrote: > On Tue, Nov 05, 2019 at 08:05:47PM +1100, Aleksa Sarai wrote: > > > @@ -862,6 +870,8 @@ static int nd_jump_root(struct nameidata *nd) > > void nd_jump_link(struct path *path) > > { > > struct nameidata *nd = curren

Re: [PATCH v15 4/9] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-13 Thread Aleksa Sarai
On 2019-11-13, Aleksa Sarai wrote: > On 2019-11-13, Al Viro wrote: > > Minor nit here - I'd split "move the conditional call of set_root() > > into nd_jump_root()" into a separate patch before that one. Makes > > for fewer distractions in this one. I

Re: [PATCH v15 3/9] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-14 Thread Aleksa Sarai
On 2019-11-14, Al Viro wrote: > On Thu, Nov 14, 2019 at 03:49:45PM +1100, Aleksa Sarai wrote: > > On 2019-11-13, Al Viro wrote: > > > On Tue, Nov 05, 2019 at 08:05:47PM +1100, Aleksa Sarai wrote: > > > > > > > @@ -862,6 +870,8 @@ static int nd_jump_r

[PATCH v16 00/12] open: introduce openat2(2) syscall

2019-11-15 Thread Aleksa Sarai
ernel supports, they may conduct a binary search on size (to find the largest value which doesn't produce an error of E2BIG.) SEE ALSO openat(2), path_resolution(7), symlink(7) Linux 2019-11-05 OPENAT2(2) --8<---

[PATCH v16 01/12] nsfs: clean-up ns_get_path() signature to return int

2019-11-15 Thread Aleksa Sarai
te fs") Signed-off-by: Aleksa Sarai --- fs/nsfs.c | 29 ++--- fs/proc/namespaces.c| 6 +++--- include/linux/proc_ns.h | 4 ++-- kernel/bpf/offload.c| 12 ++-- kernel/events/core.c| 2 +- 5 files changed, 26 insertions(+), 27 deletions(-)

[PATCH v16 02/12] namei: allow nd_jump_link() to produce errors

2019-11-15 Thread Aleksa Sarai
In preparation for LOOKUP_NO_MAGICLINKS, it's necessary to add the ability for nd_jump_link() to return an error which the corresponding get_link() caller must propagate back up to the VFS. Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 3 ++- fs

[PATCH v16 03/12] namei: allow set_root() to produce errors

2019-11-15 Thread Aleksa Sarai
: Aleksa Sarai --- fs/namei.c | 35 --- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 965a25b2e3df..259652667881 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -798,7 +798,7 @@ static int complete_walk(struct nameidata *nd

[PATCH v16 04/12] namei: LOOKUP_NO_SYMLINKS: block symlink resolution

2019-11-15 Thread Aleksa Sarai
l.org/lkml/1415094884-18349-1-git-send-email-drysd...@google.com/ [4]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ Cc: Christian Brauner Suggested-by: Al Viro Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 3 +++ inc

[PATCH v16 05/12] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution

2019-11-15 Thread Aleksa Sarai
y: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 5 - include/linux/namei.h | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 14d6d3afb9d3..a97facc232af 100644 --- a/fs/name

[PATCH v16 06/12] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-15 Thread Aleksa Sarai
inus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 29 + include/linux/namei.h | 1 + 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index a97facc232af..854a1cbbe7b0 100644 --- a/fs/namei.c +++ b/fs/

[PATCH v16 07/12] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-15 Thread Aleksa Sarai
mail-drysd...@google.com/ [6]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds

[PATCH v16 08/12] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-15 Thread Aleksa Sarai
if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sara

[PATCH v16 09/12] namei: LOOKUP_{IN_ROOT, BENEATH}: permit limited ".." resolution

2019-11-15 Thread Aleksa Sarai
2]: https://lore.kernel.org/lkml/cag48ez30wjhbsro2hoc_dr7v91m+hnfzbp5ogrmzaxbaorv...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: Jann Horn Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c | 38 +- 1 file changed, 25 insertions

[PATCH v16 10/12] open: introduce openat2(2) syscall

2019-11-15 Thread Aleksa Sarai
.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai ---

[PATCH v16 11/12] selftests: add openat2(2) selftests

2019-11-15 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Cc: Shuah Khan Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftes

[PATCH v16 12/12] Documentation: path-lookup: include new LOOKUP flags

2019-11-15 Thread Aleksa Sarai
Now that we have new LOOKUP flags, we should document them in the relevant path-walking documentation. And now that we've settled on a common name for nd_jump_link() style symlinks ("magic links"), use that term where magic-link semantics are described. Signed-off-b

Re: [PATCH v16 09/12] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution

2019-11-16 Thread Aleksa Sarai
On 2019-11-16, Al Viro wrote: > On Sat, Nov 16, 2019 at 11:27:59AM +1100, Aleksa Sarai wrote: > > > + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) { > > + bool m_retry = read_seqretry(&mount_lock, nd->m_seq); > > +

Re: [PATCH v16 06/12] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-16 Thread Aleksa Sarai
On 2019-11-16, Al Viro wrote: > On Sat, Nov 16, 2019 at 11:27:56AM +1100, Aleksa Sarai wrote: > > > @@ -1383,6 +1398,8 @@ static int follow_dotdot_rcu(struct nameidata *nd) > > return -ECHILD; > > if (&

Re: [PATCH v16 02/12] namei: allow nd_jump_link() to produce errors

2019-11-16 Thread Aleksa Sarai
On 2019-11-16, Al Viro wrote: > On Sat, Nov 16, 2019 at 11:27:52AM +1100, Aleksa Sarai wrote: > > + error = nd_jump_link(&path); > > + if (error) > > + path_put(&path); > > > + error = nd_jump_link(&ns_path); > > + if (error) >

[PATCH v17 00/13] open: introduce openat2(2) syscall

2019-11-16 Thread Aleksa Sarai
erefore, most userspace programs will not need to have any special handling of extensions. However, if a userspace program wishes to determine what extensions the running kernel supports, they may conduct a binary search on size (to find the largest value which doesn

[PATCH v17 01/13] namei: only return -ECHILD from follow_dotdot_rcu()

2019-11-16 Thread Aleksa Sarai
reachable from their mnt_root") Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 671c3c1a3425..5a47d9c09581 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1359,7 +1359,7 @@

[PATCH v17 02/13] nsfs: clean-up ns_get_path() signature to return int

2019-11-16 Thread Aleksa Sarai
te fs") Signed-off-by: Aleksa Sarai --- fs/nsfs.c | 29 ++--- fs/proc/namespaces.c| 6 +++--- include/linux/proc_ns.h | 4 ++-- kernel/bpf/offload.c| 12 ++-- kernel/events/core.c| 2 +- 5 files changed, 26 insertions(+), 27 deletions(-)

[PATCH v17 03/13] namei: allow nd_jump_link() to produce errors

2019-11-16 Thread Aleksa Sarai
In preparation for LOOKUP_NO_MAGICLINKS, it's necessary to add the ability for nd_jump_link() to return an error which the corresponding get_link() caller must propagate back up to the VFS. Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 3 ++- fs

[PATCH v17 04/13] namei: allow set_root() to produce errors

2019-11-16 Thread Aleksa Sarai
: Aleksa Sarai --- fs/namei.c | 35 --- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 1024a641f075..74574a69a614 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -798,7 +798,7 @@ static int complete_walk(struct nameidata *nd

[PATCH v17 05/13] namei: LOOKUP_NO_SYMLINKS: block symlink resolution

2019-11-16 Thread Aleksa Sarai
l.org/lkml/1415094884-18349-1-git-send-email-drysd...@google.com/ [4]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ Cc: Christian Brauner Suggested-by: Al Viro Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 3 +++ inc

[PATCH v17 06/13] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution

2019-11-16 Thread Aleksa Sarai
y: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 10 +- include/linux/namei.h | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 303731935eb2..415a897729c8 100644 ---

[PATCH v17 07/13] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-16 Thread Aleksa Sarai
inus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 31 +++ include/linux/namei.h | 1 + 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 415a897729c8..321c8ad5d6b3 100644 --- a/fs/namei.c +++ b/fs/

[PATCH v17 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-16 Thread Aleksa Sarai
mail-drysd...@google.com/ [6]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds

[PATCH v17 09/13] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-16 Thread Aleksa Sarai
if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sara

[PATCH v17 10/13] namei: LOOKUP_{IN_ROOT, BENEATH}: permit limited ".." resolution

2019-11-16 Thread Aleksa Sarai
2]: https://lore.kernel.org/lkml/cag48ez30wjhbsro2hoc_dr7v91m+hnfzbp5ogrmzaxbaorv...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: Jann Horn Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c | 37 - 1 file changed, 24 insertions

[PATCH v17 11/13] open: introduce openat2(2) syscall

2019-11-16 Thread Aleksa Sarai
.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai ---

[PATCH v17 12/13] selftests: add openat2(2) selftests

2019-11-16 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Cc: Shuah Khan Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftes

[PATCH v17 13/13] Documentation: path-lookup: include new LOOKUP flags

2019-11-16 Thread Aleksa Sarai
Now that we have new LOOKUP flags, we should document them in the relevant path-walking documentation. And now that we've settled on a common name for nd_jump_link() style symlinks ("magic links"), use that term where magic-link semantics are described. Signed-off-b

[PATCH RESEND v17 00/13] open: introduce openat2(2) syscall

2019-11-19 Thread Aleksa Sarai
special handling of extensions. However, if a userspace program wishes to determine what extensions the running kernel supports, they may conduct a binary search on size (to find the largest value which doesn't produce an error of E2BIG.) SEE ALSO openat(2)

[PATCH RESEND v17 01/13] namei: only return -ECHILD from follow_dotdot_rcu()

2019-11-19 Thread Aleksa Sarai
reachable from their mnt_root") Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 671c3c1a3425..5a47d9c09581 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1359,7 +1359,7 @@

[PATCH RESEND v17 02/13] nsfs: clean-up ns_get_path() signature to return int

2019-11-19 Thread Aleksa Sarai
te fs") Signed-off-by: Aleksa Sarai --- fs/nsfs.c | 29 ++--- fs/proc/namespaces.c| 6 +++--- include/linux/proc_ns.h | 4 ++-- kernel/bpf/offload.c| 12 ++-- kernel/events/core.c| 2 +- 5 files changed, 26 insertions(+), 27 deletions(-)

[PATCH RESEND v17 03/13] namei: allow nd_jump_link() to produce errors

2019-11-19 Thread Aleksa Sarai
In preparation for LOOKUP_NO_MAGICLINKS, it's necessary to add the ability for nd_jump_link() to return an error which the corresponding get_link() caller must propagate back up to the VFS. Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 3 ++- fs

[PATCH RESEND v17 04/13] namei: allow set_root() to produce errors

2019-11-19 Thread Aleksa Sarai
: Aleksa Sarai --- fs/namei.c | 35 --- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 1024a641f075..74574a69a614 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -798,7 +798,7 @@ static int complete_walk(struct nameidata *nd

[PATCH RESEND v17 05/13] namei: LOOKUP_NO_SYMLINKS: block symlink resolution

2019-11-19 Thread Aleksa Sarai
l.org/lkml/1415094884-18349-1-git-send-email-drysd...@google.com/ [4]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ Cc: Christian Brauner Suggested-by: Al Viro Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 3 +++ inc

[PATCH RESEND v17 06/13] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution

2019-11-19 Thread Aleksa Sarai
y: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 10 +- include/linux/namei.h | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 303731935eb2..415a897729c8 100644 ---

[PATCH RESEND v17 07/13] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-11-19 Thread Aleksa Sarai
inus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 31 +++ include/linux/namei.h | 1 + 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 415a897729c8..321c8ad5d6b3 100644 --- a/fs/namei.c +++ b/fs/

[PATCH RESEND v17 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-19 Thread Aleksa Sarai
mail-drysd...@google.com/ [6]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds

[PATCH RESEND v17 09/13] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-11-19 Thread Aleksa Sarai
if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sara

[PATCH RESEND v17 10/13] namei: LOOKUP_{IN_ROOT, BENEATH}: permit limited ".." resolution

2019-11-19 Thread Aleksa Sarai
2]: https://lore.kernel.org/lkml/cag48ez30wjhbsro2hoc_dr7v91m+hnfzbp5ogrmzaxbaorv...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: Jann Horn Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c | 37 - 1 file changed, 24 insertions

[PATCH RESEND v17 11/13] open: introduce openat2(2) syscall

2019-11-19 Thread Aleksa Sarai
.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai ---

[PATCH RESEND v17 12/13] selftests: add openat2(2) selftests

2019-11-19 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Cc: Shuah Khan Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftes

[PATCH RESEND v17 13/13] Documentation: path-lookup: include new LOOKUP flags

2019-11-19 Thread Aleksa Sarai
Now that we have new LOOKUP flags, we should document them in the relevant path-walking documentation. And now that we've settled on a common name for nd_jump_link() style symlinks ("magic links"), use that term where magic-link semantics are described. Signed-off-b

Re: [PATCH v17 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-11-24 Thread Aleksa Sarai
On 2019-11-25, Al Viro wrote: > On Sun, Nov 17, 2019 at 12:17:08PM +1100, Aleksa Sarai wrote: > > > + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) { > > + /* > > +* Do a final check to ensure that the path didn't escape. Note > >

Re: [PATCH v17 10/13] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution

2019-11-25 Thread Aleksa Sarai
On 2019-11-25, Al Viro wrote: > On Sun, Nov 17, 2019 at 12:17:10PM +1100, Aleksa Sarai wrote: > > + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) { > > + /* > > +* If there was a racing rename or mount along our > >

Re: [PATCH v17 10/13] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution

2019-11-28 Thread Aleksa Sarai
On 2019-11-26, Aleksa Sarai wrote: > On 2019-11-25, Al Viro wrote: > > On Sun, Nov 17, 2019 at 12:17:10PM +1100, Aleksa Sarai wrote: > > > + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) { > > > + /* > > > + * If t

[PATCH v18 00/13] open: introduce openat2(2) syscall

2019-12-06 Thread Aleksa Sarai
al handling of extensions. However, if a userspace program wishes to determine what extensions the running kernel supports, they may conduct a binary search on size (to find the largest value which doesn't produce an error of E2BIG.) SEE ALSO openat(2), path_resolutio

[PATCH v18 01/13] namei: only return -ECHILD from follow_dotdot_rcu()

2019-12-06 Thread Aleksa Sarai
reachable from their mnt_root") Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 671c3c1a3425..5a47d9c09581 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1359,7 +1359,7 @@

[PATCH v18 02/13] nsfs: clean-up ns_get_path() signature to return int

2019-12-06 Thread Aleksa Sarai
te fs") Signed-off-by: Aleksa Sarai --- fs/nsfs.c | 29 ++--- fs/proc/namespaces.c| 6 +++--- include/linux/proc_ns.h | 4 ++-- kernel/bpf/offload.c| 12 ++-- kernel/events/core.c| 2 +- 5 files changed, 26 insertions(+), 27 deletions(-)

[PATCH v18 03/13] namei: allow nd_jump_link() to produce errors

2019-12-06 Thread Aleksa Sarai
In preparation for LOOKUP_NO_MAGICLINKS, it's necessary to add the ability for nd_jump_link() to return an error which the corresponding get_link() caller must propagate back up to the VFS. Suggested-by: Al Viro Signed-off-by: Aleksa Sarai --- fs/namei.c | 3 ++- fs

[PATCH v18 04/13] namei: allow set_root() to produce errors

2019-12-06 Thread Aleksa Sarai
: Aleksa Sarai --- fs/namei.c | 35 --- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 1024a641f075..74574a69a614 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -798,7 +798,7 @@ static int complete_walk(struct nameidata *nd

[PATCH v18 05/13] namei: LOOKUP_NO_SYMLINKS: block symlink resolution

2019-12-06 Thread Aleksa Sarai
l.org/lkml/1415094884-18349-1-git-send-email-drysd...@google.com/ [4]: https://lore.kernel.org/lkml/1404124096-21445-1-git-send-email-drysd...@google.com/ Cc: Christian Brauner Suggested-by: Al Viro Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 3 +++ inc

[PATCH v18 06/13] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution

2019-12-06 Thread Aleksa Sarai
y: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 10 +- include/linux/namei.h | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 303731935eb2..415a897729c8 100644 ---

[PATCH v18 07/13] namei: LOOKUP_NO_XDEV: block mountpoint crossing

2019-12-06 Thread Aleksa Sarai
inus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c| 31 +++ include/linux/namei.h | 1 + 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 415a897729c8..321c8ad5d6b3 100644 --- a/fs/namei.c +++ b/fs/

[PATCH v18 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution

2019-12-06 Thread Aleksa Sarai
mail-drysd...@google.com/ [6]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: David Drysdale Suggested-by: Al Viro Suggested-by: Andy Lutomirski Suggested-by: Linus Torvalds

[PATCH v18 09/13] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution

2019-12-06 Thread Aleksa Sarai
if they want to ensure that magic-link crossing is entirely disabled. /* Testing. */ LOOKUP_IN_ROOT is tested as part of the openat2(2) selftests. [1]: https://lore.kernel.org/lkml/CAG48ez1jzNvxB+bfOBnERFGp=omm0vhwuld6eulmne3r6xa...@mail.gmail.com/ Cc: Christian Brauner Signed-off-by: Aleksa Sara

[PATCH v18 10/13] namei: LOOKUP_{IN_ROOT, BENEATH}: permit limited ".." resolution

2019-12-06 Thread Aleksa Sarai
2]: https://lore.kernel.org/lkml/cag48ez30wjhbsro2hoc_dr7v91m+hnfzbp5ogrmzaxbaorv...@mail.gmail.com/ Cc: Christian Brauner Suggested-by: Jann Horn Suggested-by: Linus Torvalds Signed-off-by: Aleksa Sarai --- fs/namei.c | 43 +++ 1 file changed, 27 ins

[PATCH v18 11/13] open: introduce openat2(2) syscall

2019-12-06 Thread Aleksa Sarai
.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyp...@cyphar.com/ Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai ---

[PATCH v18 12/13] selftests: add openat2(2) selftests

2019-12-06 Thread Aleksa Sarai
veral CVEs (and likely will be responsible for several more). Cc: Shuah Khan Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/openat2/.gitignore| 1 + tools/testing/selftests/openat2/Makefile | 8 + tools/testing/selftes

[PATCH v18 13/13] Documentation: path-lookup: include new LOOKUP flags

2019-12-06 Thread Aleksa Sarai
Now that we have new LOOKUP flags, we should document them in the relevant path-walking documentation. And now that we've settled on a common name for nd_jump_link() style symlinks ("magic links"), use that term where magic-link semantics are described. Signed-off-b

[PATCH v9 01/10] namei: obey trailing magic-link DAC permissions

2019-07-06 Thread Aleksa Sarai
ckage[1]) gracefully handle the permission error and do not cause any user-visible problems. In order to give users a heads-up, a warning is given whenever may_open_magiclink() refuses access. [1]: http://git.altlinux.org/people/legion/packages/kbd.git Co-developed-by: Andy Lutomirski Co-develo

[PATCH v9 00/10] namei: openat2(2) path resolution restrictions

2019-07-06 Thread Aleksa Sarai
https://lwn.net/Articles/603929/ [5]: https://lwn.net/Articles/723057/ [6]: https://github.com/cyphar/filepath-securejoin [7]: https://github.com/openSUSE/libpathrs Aleksa Sarai (10): namei: obey trailing magic-link DAC permissions procfs: switch magic-link modes to be more sane open: O_EMPT

[PATCH v9 03/10] open: O_EMPTYPATH: procfs-less file descriptor re-opening

2019-07-06 Thread Aleksa Sarai
expense of further complicating O_PATH makes little sense. Ultimately, if users ask for this we can always add RESOLVE_EMPTY_PATH to resolveat(2) in the future. Signed-off-by: Aleksa Sarai --- fs/fcntl.c | 2 +- fs/namei.c | 27 +++

[PATCH v9 02/10] procfs: switch magic-link modes to be more sane

2019-07-06 Thread Aleksa Sarai
for writing (because it is the current->mm of a live process). With the new O_PATH restrictions, changing the default mode of these magic-links allows us to avoid delayed-access attacks such as we saw in CVE-2019-5736. Signed-off-by: Aleksa Sarai --- fs/proc/base.c |

[PATCH v9 08/10] open: openat2(2) syscall

2019-07-06 Thread Aleksa Sarai
, openat2(2) has the ability for users to disallow certain re-opening modes through @how->upgrade_mask. At the moment, there is no UPGRADE_NOEXEC. Co-developed-by: Christian Brauner Signed-off-by: Aleksa Sarai --- arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools

[PATCH v9 06/10] namei: LOOKUP_IN_ROOT: chroot-like path resolution

2019-07-06 Thread Aleksa Sarai
ath seems to be the most consistent behaviour (and also avoids foot-gunning users who want to scope paths that are absolute). [1]: https://github.com/cyphar/filepath-securejoin Co-developed-by: Christian Brauner Signed-off-by: Aleksa Sarai --- fs/namei.c| 6 +++--- include/linux

[PATCH v9 04/10] namei: split out nd->dfd handling to dirfd_path_init

2019-07-06 Thread Aleksa Sarai
Signed-off-by: Aleksa Sarai --- fs/namei.c | 103 ++--- 1 file changed, 59 insertions(+), 44 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 4895717d2760..b490bcf855f8 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2257,9 +2257,59 @@ st

[PATCH v9 10/10] selftests: add openat2(2) selftests

2019-07-06 Thread Aleksa Sarai
on the now-disallowed functionality of upgrading an O_RDONLY descriptor to O_RDWR. Signed-off-by: Aleksa Sarai --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/memfd/memfd_test.c| 7 +- tools/testing/selftests/openat2/.gitignore| 1 + tools/testing

[PATCH v9 09/10] kselftest: save-and-restore errno to allow for %m formatting

2019-07-06 Thread Aleksa Sarai
Previously, using "%m" in a ksft_* format string can result in strange output because the errno value wasn't saved before calling other libc functions. The solution is to simply save and restore the errno before we format the user-supplied format string. Signed-off-by: Aleksa Sa

[PATCH v9 07/10] namei: aggressively check for nd->root escape on ".." resolution

2019-07-06 Thread Aleksa Sarai
have run a variant of the above attack in a loop on several machines with this patch, and no instances of a breakout were detected. While this is not concrete proof that this is safe, when combined with the above argument it should lend some trustworthiness to this construction. Cc: Al Viro Cc: J
