21.05.2024 22:01, Jann Horn пишет:
On Sat, Apr 27, 2024 at 1:24 PM Stas Sergeev <stsp2@xxxxxxxxx> wrote:
This patch-set implements the OA2_CRED_INHERIT flag for openat2() syscall.
It is needed to perform an open operation with the creds that were in
effect when the dir_fd was opened, if the dir was opened with O_CRED_ALLOW
flag. This allows the process to pre-open some dirs and switch eUID
(and other UIDs/GIDs) to the less-privileged user, while still retaining
the possibility to open/create files within the pre-opened directory set.
As Andy Lutomirski mentioned before, Linux already has Landlock
(https://docs.kernel.org/userspace-api/landlock.html) for unprivileged
filesystem sandboxing. What benefits does OA2_CRED_INHERIT have
compared to Landlock?
The idea is different.
OA2_CRED_INHERIT was supposed to give you an additional access (to what
you can't access otherwise, after a priv drop), while landlock allows
you to explicitly restrict an access. OA2_CRED_INHERIT more answered
with idmapped mounts rather than the landlock, but idmapped mounts are
not fully unpriv'd.
