Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements

Christian Brauner <brauner@xxxxxxxxxx> · Thu, 11 Apr 2024 11:04:59 +0200

On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > +                       if (f.file->f_cred != current_cred() &&
> > +                           !capable(CAP_DAC_READ_SEARCH)) {
> > +                               fdput(f);
> > +                               return ERR_PTR(-ENOENT);
> > +                       }
> > +               }
> 
> Side note: I suspect that this could possibly be relaxed further, by
> making the rule be that if something has been explicitly opened to be
> used as a path (ie O_PATH was used at open time), we can link to it
> even across different credentials.

I had a similar discussion a while back someone requested that we relax
permissions so linkat can be used in containers. And I drafted the
following patch back then:

https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner

IOW, I had intended to make this work with containers so that we check
CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
thinking had been that this can serve as a way to say "Hey, I could've
opened this file in the openers namespace therefore let me make a path
to it.". I didn't actually send it because I thought the original author
would but imho, that would be a worthwhile addition to your patch if
this makes sense...

> 
> IOW, the above could perhaps even be
> 
> +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> +                       if (!(f.file->f_mode & FMODE_PATH) &&
> +                           f.file->f_cred != current_cred() &&
> +                           !capable(CAP_DAC_READ_SEARCH)) {
> +                               fdput(f);
> +                               return ERR_PTR(-ENOENT);
> +                       }
> +               }
> 
> which would _allow_ people to pass in paths as file descriptors if
> they actually wanted to.
> 
> After all, the only thing you can do with an O_PATH file descriptor is
> to use it as a path - there would be no other reason to use O_PATH in
> the first place. So if you now pass it to somebody else, clearly you
> are intentionally trying to make it available *as* a path.
> 
> So you could imagine doing something like this:
> 
>          // Open path as root
>          int fd = open('filename", O_PATH);
> 
>         // drop privileges
>         // setresuid(..) or chmod() or enter new namespace or whatever
> 
>         linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
> 
> and it would open the path with one set of privileges, but then
> intentionally go into a more restricted mode and create a link to the
> source within that restricted environment.
> 
> Sensible? Who knows. I'm just throwing this out as another "this may
> be the solution to our historical flink() issues".
> 
>            Linus