From patchwork Mon Jul 31 17:53:29 2017
X-Patchwork-Submitter: Sumit Semwal
X-Patchwork-Id: 109039
From: Sumit Semwal
To: stable@vger.kernel.org
Cc: Linus Torvalds, Sumit Semwal
Subject: [PATCH for-4.4 1/3] Make file credentials available to the seqfile interfaces
Date: Mon, 31 Jul 2017 23:23:29 +0530
Message-Id: <1501523611-18222-2-git-send-email-sumit.semwal@linaro.org>
In-Reply-To: <1501523611-18222-1-git-send-email-sumit.semwal@linaro.org>
References: <1501523611-18222-1-git-send-email-sumit.semwal@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Linus Torvalds

Commit 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 upstream.

A lot of seqfile users seem to be using things like %pK that uses the credentials of the current process, but that is actually completely wrong for filesystem interfaces. The unix semantics for permission checking files is to check permissions at _open_ time, not at read or write time, and that is not just a small detail: passing off stdin/stdout/stderr to a suid application and making the actual IO happen in privileged context is a classic exploit technique.

So if we want to be able to look at permissions at read time, we need to use the file open credentials, not the current ones. Normal file accesses can just use "f_cred" (or any of the helper functions that do that, like file_ns_capable()), but the seqfile interfaces do not have any such options.

It turns out that seq_file _does_ save away the user_ns information of the file, though. Since user_ns is just part of the full credential information, replace that special case with saving off the cred pointer instead, and suddenly seq_file has all the permission information it needs.

[sumits: this is used in Ubuntu as a fix for CVE-2015-8944]

Signed-off-by: Linus Torvalds
Signed-off-by: Sumit Semwal
---
 fs/seq_file.c | 7 ++++---
 include/linux/seq_file.h | 13 ++++---------
 2 files changed, 8 insertions(+), 12 deletions(-)

--
2.7.4

diff --git a/fs/seq_file.c b/fs/seq_file.c index d672e2fec459..6dc4296eed62 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -72,9 +72,10 @@ int seq_open(struct file *file, const struct seq_operations *op) mutex_init(&p->lock); p->op = op; -#ifdef CONFIG_USER_NS - p->user_ns = file->f_cred->user_ns; -#endif + + // No refcounting: the lifetime of 'p' is constrained + // to the lifetime of the file. + p->file = file; /* * Wrappers around seq_open(e.g. swaps_open) need to be diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h index dde00defbaa5..f3d45dd42695 100644 --- a/include/linux/seq_file.h
+++ b/include/linux/seq_file.h @@ -7,13 +7,10 @@ #include #include #include +#include +#include struct seq_operations; -struct file; -struct path; -struct inode; -struct dentry; -struct user_namespace; struct seq_file { char *buf; @@ -27,9 +24,7 @@ struct seq_file { struct mutex lock; const struct seq_operations *op; int poll_event; -#ifdef CONFIG_USER_NS - struct user_namespace *user_ns; -#endif + const struct file *file; void *private; }; @@ -147,7 +142,7 @@ int seq_release_private(struct inode *, struct file *); static inline struct user_namespace *seq_user_ns(struct seq_file *seq) { #ifdef CONFIG_USER_NS - return seq->user_ns; + return seq->file->f_cred->user_ns; #else extern struct user_namespace init_user_ns; return &init_user_ns;
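
Review bot: in the seq_open() hunk of fs/seq_file.c, the value stored is the struct file pointer ("p->file = file;"), while the commit message describes "saving off the cred pointer"; the wording should match the code so that someone checking the backport is not looking for a cred member in struct seq_file. The two added comment lines use "//" where the unchanged context right below uses "/* */"; the block form would match the rest of the file.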
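
Review bot: in the struct seq_file hunk of include/linux/seq_file.h, the user_ns member is removed outright, so any code in the 4.4 tree that reads seq->user_ns directly instead of going through seq_user_ns() stops compiling; the submission should say that such users were checked for this stable branch. The new member "const struct file *file;" also carries no comment saying it is the file the seq_file was opened through and that read-time permission decisions are meant to use its f_cred, which is the whole point of the change per the commit message.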
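
Review bot: in the seq_user_ns() hunk, "return seq->file->f_cred->user_ns;" dereferences seq->file unconditionally, and the only assignment to that member visible in this patch is the one in seq_open(). A struct seq_file that is set up by a caller without going through seq_open() would reach this helper with file == NULL, where the old code only returned the stored pointer without dereferencing anything; either confirm that no such user exists in 4.4 or have the helper cope with a NULL file.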