Path traversal attacks remain a common security vulnerability (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=%22path+traversal%22) and many are due to either failing to filter out ".." when validating a path or incorrectly collapsing other sequences of "."s into ".." . Evidence suggests that improving education isn't fixing the problem. The majority of internet-facing applications are unlikely to require the ability to handle ".." in a path after startup, and many are unlikely to require it at all. This patch adds a prctl() to simply request that the VFS path resolution code return -EPERM if it hits a ".." in the process. Applications can either call this themselves, or a service manager can do this on their behalf before execing them. Note that this does break resolution of symlinks with ".." in them, which means it breaks the common case of /etc/whatever/sites-available.d containing site-specific configuration, with /etc/whatever/sites-enabled.d containing a set of relative symlinks to ../sites-available.d/ entries. In this case either configuration would need to be updated before deployment, or the process would call prctl() itself after parsing configuration (and then disable and re-enable the feature whenever re-reading configuration). Getting this right for all scenarios involving symlinks seems awkward and I'm not sure it's worth it, but also I don't even play a VFS expert on TV so if someone has clever ideas here we can extend this to support that case. Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxxxxx> --- fs/namei.c | 7 +++++++ include/linux/sched.h | 1 + include/uapi/linux/prctl.h | 3 +++ kernel/sys.c | 5 +++++ 4 files changed, 16 insertions(+) diff --git a/fs/namei.c b/fs/namei.c index 9d30c7aa9aa6..01d0fa415b64 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2431,6 +2431,13 @@ static int link_path_walk(const char *name, struct nameidata *nd) switch(lastword) { case LAST_WORD_IS_DOTDOT: + /* + * Deny .. in resolution if the process has indicated + * it wants to protect against path traversal + * vulnerabilities + */ + if (unlikely(current->deny_path_traversal)) + return -EPERM; nd->last_type = LAST_DOTDOT; nd->state |= ND_JUMPED; break; diff --git a/include/linux/sched.h b/include/linux/sched.h index d380bffee2ef..9fc7f4c11645 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1008,6 +1008,7 @@ struct task_struct { /* delay due to memory thrashing */ unsigned in_thrashing:1; #endif + unsigned deny_path_traversal:1; #ifdef CONFIG_PREEMPT_RT struct netdev_xmit net_xmit; #endif diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index 5c6080680cb2..d289acecef6c 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -353,4 +353,7 @@ struct prctl_mm_map { */ #define PR_LOCK_SHADOW_STACK_STATUS 76 +/* Block resolution of "../" in paths, returning -EPERM instead */ +#define PR_SET_PATH_TRAVERSAL_BLOCK 77 + #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index c4c701c6f0b4..204ea88d5597 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2809,6 +2809,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, return -EINVAL; error = arch_lock_shadow_stack_status(me, arg2); break; + case PR_SET_PATH_TRAVERSAL_BLOCK: + if ((arg2 > 1) || arg3 || arg4 || arg5) + return -EINVAL; + current->deny_path_traversal = !!arg2; + break; default: error = -EINVAL; break; -- 2.47.0
