There have long been two ways to ask the kernel to create a new hardlink to the inode represented by an fd: linkat(..., AT_EMPTY_PATH) and AT_SYMLINK_FOLLOW on /proc/self/fd/N. The latter has no particular security restrictions, but the former required privilege until: commit bb2314b47996491bbc5add73633905c3120b6268 Author: Andy Lutomirski <luto@xxxxxxxxxxxxxx> Date: Thu Aug 1 21:44:31 2013 -0700 fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink Spender pointed out that there could be code that passes an fd to an untrusted, chrooted process, and allowing that process to flink the fd could be dangerous. (I'm not aware of any actual known attack.) So let's be careful for now: only allow linkat(..., AT_EMPTY_PATH) if the target is I_LINKABLE. I_LINKABLE is only set for inodes created by O_TMPFILE without O_EXCL, which is an explicit request for flinkability. Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> --- fs/namei.c | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 89a612e..44ffd3d 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3652,6 +3652,32 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de } /* + * flink is dangerous. For now, only allow it when specifically requested + * or when the caller is privileged. + * + * NB: This is not currently enforced for AT_SYMLINK_FOLLOW on procfs. + * Fixing that would be intrusive and could break something. + */ +static bool may_flink(const struct path *path) +{ + bool ret; + struct inode *inode = path->dentry->d_inode; + + /* + * This is racy: I_LINKABLE could be cleared between this check + * and the actual link operation. This is odd but not a security + * problem: the caller could get the same effect by flinking once + * and then using normal link(2) to create a second link. + */ + + spin_lock(&inode->i_lock); + ret = !!(inode->i_state & I_LINKABLE); + spin_unlock(&inode->i_lock); + + return ret || capable(CAP_DAC_READ_SEARCH); +} + +/* * Hardlinks are often used in delicate situations. We avoid * security-related surprises by not following symlinks on the * newname. --KAB @@ -3670,10 +3696,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0) return -EINVAL; - /* - * Using empty names is equivalent to using AT_SYMLINK_FOLLOW - * on /proc/self/fd/<fd>. - */ + if (flags & AT_EMPTY_PATH) how = LOOKUP_EMPTY; @@ -3684,6 +3707,11 @@ retry: if (error) return error; + if ((flags & AT_EMPTY_PATH) && !may_flink(&old_path)) { + error = -EPERM; + goto out; + } + new_dentry = user_path_create(newdfd, newname, &new_path, (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html