On Fri, May 21, 2021 at 12:22 PM Matthew Bobrowski <repnop@xxxxxxxxxx> wrote:
>
> Hey Amir/Christian,
>
> On Thu, May 20, 2021 at 04:43:48PM +0300, Amir Goldstein wrote:
> > On Thu, May 20, 2021 at 11:17 AM Christian Brauner
> > <christian.brauner@xxxxxxxxxx> wrote:
> > > > +#define FANOTIFY_PIDFD_INFO_HDR_LEN \
> > > > + sizeof(struct fanotify_event_info_pidfd)
> > > >
> > > > static int fanotify_fid_info_len(int fh_len, int name_len)
> > > > {
> > > > @@ -141,6 +143,9 @@ static int fanotify_event_info_len(unsigned int info_mode,
> > > > if (fh_len)
> > > > info_len += fanotify_fid_info_len(fh_len, dot_len);
> > > >
> > > > + if (info_mode & FAN_REPORT_PIDFD)
> > > > + info_len += FANOTIFY_PIDFD_INFO_HDR_LEN;
> > > > +
> > > > return info_len;
> > > > }
> > > >
> > > > @@ -401,6 +406,29 @@ static int copy_fid_info_to_user(__kernel_fsid_t *fsid,
> > > > return info_len;
> > > > }
> > > >
> > > > +static int copy_pidfd_info_to_user(struct pid *pid,
> > > > + char __user *buf,
> > > > + size_t count)
> > > > +{
> > > > + struct fanotify_event_info_pidfd info = { };
> > > > + size_t info_len = FANOTIFY_PIDFD_INFO_HDR_LEN;
> > > > +
> > > > + if (WARN_ON_ONCE(info_len > count))
> > > > + return -EFAULT;
> > > > +
> > > > + info.hdr.info_type = FAN_EVENT_INFO_TYPE_PIDFD;
> > > > + info.hdr.len = info_len;
> > > > +
> > > > + info.pidfd = pidfd_create(pid, 0);
> > > > + if (info.pidfd < 0)
> > > > + info.pidfd = FAN_NOPIDFD;
> > > > +
> > > > + if (copy_to_user(buf, &info, info_len))
> > > > + return -EFAULT;
> > >
> > > Hm, well this kinda sucks. The caller can end up with a pidfd in their
> > > fd table and when the copy_to_user() failed they won't know what fd it
> >
> > Good catch!
>
> Super awesome catch Christian, thanks pulling this up!
>
> > But I prefer to solve it differently, because moving fd_install() to the
> > end of this function does not guarantee that copy_event_to_user()
> > won't return an error one day with dangling pidfd in fd table.
>
> I can see the angle you're approaching this from...
>
> > It might be simpler to do pidfd_create() next to create_fd() in
> > copy_event_to_user() and pass pidfd to copy_pidfd_info_to_user().
> > pidfd can be closed on error along with fd on out_close_fd label.
> >
> > You also forgot to add CAP_SYS_ADMIN check before pidfd_create()
> > (even though fanotify_init() does check for that).
>
> I didn't really understand the need for this check here given that the
> administrative bits are already being checked for in fanotify_init()
> i.e. FAN_REPORT_PIDFD can never be set for an unprivileged listener;
> thus never walking any of the pidfd_mode paths. Is this just a defense
> in depth approach here, or is it something else that I'm missing?
>
We want to be extra careful not to create privilege escalations,
so even if the fanotify fd is leaked or intentionally passed to a less
privileged user, it cannot get an open pidfd.
IOW, it is *much* easier to be defensive in this case than to prove
that the change cannot introduce any privilege escalations.
Thanks,
Amir.
