On Thu, Jul 12, 2018 at 7:54 AM David Howells <dhowells@xxxxxxxxxx> wrote: > > I think we *have* to open the source files/devices with the creds of whoever > called fsopen() or fspick() - that way you can't upgrade your privs by passing > your context fd to a suid program. To enforce this, I think it's simplest for > fscontext_write() to call override_creds() right after taking the uapi_mutex > and then call revert_creds() right before dropping the mutex. No. Don't play games with override_creds. It's wrong. You have to use file->f_creds - no games, no garbage. But "write()" simply is *NOT* a good "command" interface. If you want to send a command, use an ioctl or a system call. Because it's not just about credentials. It's not just about fooling a suid app into writing an error message to a descriptor you wrote. It's also about things like "splice()", which can write to your target using a kernel buffer, and thus trick you into doing a command while we have the context set to kernel addresses. Are we trying to get away from that issue? Yes. But it's just another example of why "write()" IS NOT TO BE USED FOR COMMANDS. Only use write() for data. That's final. We're not adding yet another clueless fuck-up of an interface just because people cannot understand this very simple rule: "write()" is for data, not for commands. No more excuses. Linus