1. 21 Dec 2012, 4 commits
  2. 30 Nov 2012, 1 commit
  3. 27 Oct 2012, 1 commit
    • VFS: don't do protected {sym,hard}links by default · 561ec64a
      Linus Torvalds committed
      In commit 800179c9 ("This adds symlink and hardlink restrictions to
      the Linux VFS"), the new link protections were enabled by default, in
      the hope that no actual application would care, despite it being
      technically against legacy UNIX (and documented POSIX) behavior.
      
      However, it does turn out to break some applications.  It's rare, and
      it's unfortunate, but it's unacceptable to break existing systems, so
      we'll have to default to legacy behavior.
      
      In particular, it has broken the way AFD distributes files, see
      
        http://www.dwd.de/AFD/
      
      along with some legacy scripts.
      
      Distributions can end up setting this at initrd time or in system
      scripts: if you have security problems due to link attacks during your
      early boot sequence, you have bigger problems than some kernel sysctl
      setting. Do:
      
      	echo 1 > /proc/sys/fs/protected_symlinks
      	echo 1 > /proc/sys/fs/protected_hardlinks
      
      to re-enable the link protections.
      
      Alternatively, we may at some point introduce a kernel config option
      that sets these kinds of "more secure but not traditional" behavioural
      options automatically.
      Reported-by: Nick Bowler <nbowler@elliptictech.com>
      Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org # v3.6
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  4. 13 Oct 2012, 6 commits
  5. 12 Oct 2012, 6 commits
    • vfs: unexport getname and putname symbols · 8e377d15
      Jeff Layton committed
      I see no callers in module code.
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit: overhaul __audit_inode_child to accommodate retrying · 4fa6b5ec
      Jeff Layton committed
      In order to accommodate retrying path-based syscalls, we need to add a
      new "type" argument to audit_inode_child. This will tell us whether
      we're looking for a child entry that represents a create or a delete.
      
      If we find a parent, don't automatically assume that we need to create a
      new entry. Instead, use the information we have to try to find an
      existing entry first. Update it if one is found and create a new one if
      not.
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit: set the name_len in audit_inode for parent lookups · bfcec708
      Jeff Layton committed
      Currently, this gets set mostly by happenstance when we call into
      audit_inode_child. While that might be a little more efficient, it seems
      wrong. If the syscall ends up failing before audit_inode_child ever gets
      called, then you'll have an audit_names record that shows the full path
      but has the parent inode info attached.
      
      Fix this by passing in a parent flag when we call audit_inode that gets
      set to the value of LOOKUP_PARENT. We can then fix up the pathname for
      the audit entry correctly from the get-go.
      
      While we're at it, clean up the no-op macro for audit_inode in the
      !CONFIG_AUDITSYSCALL case.
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit: reverse arguments to audit_inode_child · c43a25ab
      Jeff Layton committed
      Most of the callers get called with an inode and dentry in the reverse
      order. The compiler then has to reshuffle the arg registers and/or
      stack in order to pass them on to audit_inode_child.
      
      Reverse those arguments for a micro-optimization.
      Reported-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit: remove unnecessary NULL ptr checks from do_path_lookup · f78570dd
      Jeff Layton committed
      As best I can tell, whenever retval == 0, nd->path.dentry and nd->inode
      are also non-NULL. Eliminate those checks and the superfluous
      audit_context check.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • vfs: bogus warnings in fs/namei.c · 98f6ef64
      Arnd Bergmann committed
      The follow_link() function always initializes its *p argument,
      or returns an error, but when building with 'gcc -s', the compiler
      gets confused by the __always_inline attribute to the function
      and can no longer detect where the cookie was initialized.
      
      The solution is to always initialize the pointer from follow_link,
      even in the error path. When building with -O2, this has zero impact
      on generated code and adds a single instruction in the error path
      for a -Os build on ARM.
      
      Without this patch, building with gcc-4.6 through gcc-4.8 and
      CONFIG_CC_OPTIMIZE_FOR_SIZE results in:
      
      fs/namei.c: In function 'link_path_walk':
      fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized]
      fs/namei.c:1544:9: note: 'cookie' was declared here
      fs/namei.c: In function 'path_lookupat':
      fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized]
      fs/namei.c:1934:10: note: 'cookie' was declared here
      fs/namei.c: In function 'path_openat':
      fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized]
      fs/namei.c:2899:9: note: 'cookie' was declared here
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  6. 10 Oct 2012, 1 commit
  7. 27 Sep 2012, 2 commits
  8. 22 Aug 2012, 1 commit
  9. 17 Aug 2012, 1 commit
  10. 15 Aug 2012, 2 commits
  11. 04 Aug 2012, 1 commit
  12. 31 Jul 2012, 2 commits
    • fs: Push mnt_want_write() outside of i_mutex · c30dabfe
      Jan Kara committed
      Currently, mnt_want_write() is sometimes called with i_mutex held and sometimes
      without it. This isn't really a problem because mnt_want_write() is a
      non-blocking operation (essentially has a trylock semantics) but when the
      function starts to handle also frozen filesystems, it will get a full lock
      semantics and thus proper lock ordering has to be established. So move
      all mnt_want_write() calls outside of i_mutex.
      
      One non-trivial case needing conversion is kern_path_create() /
      user_path_create() which didn't include mnt_want_write() but now needs to
      because it acquires i_mutex.  Because there are virtual file systems which
      don't bother with freeze / remount-ro protection we actually provide both
      versions of the function - one which calls mnt_want_write() and one which does
      not.
      
      [AV: scratch the previous, mnt_want_write() has been moved to kern_path_create()
      by now]
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • simplify lookup_open()/atomic_open() - do the temporary mnt_want_write() early · 64894cf8
      Al Viro committed
      The write ref to vfsmount taken in lookup_open()/atomic_open() is going to
      be dropped; we take the one to stay in dentry_open().  Just grab the temporary
      in caller if it looks like we are going to need it (create/truncate/writable open)
      and pass (by value) "has it succeeded" flag.  Instead of doing mnt_want_write()
      inside, check that flag and treat "false" as "mnt_want_write() has just failed".
      mnt_want_write() is cheap and the things get considerably simpler and more robust
      that way - we get it and drop it in the same function, to start with, rather
      than passing a "has something in the guts of really scary functions taken it"
      back to caller.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  13. 30 Jul 2012, 7 commits
    • fix O_EXCL handling for devices · f8310c59
      Al Viro committed
      O_EXCL without O_CREAT has different semantics; it's "fail if already opened",
      not "fail if already exists".  commit 71574865 broke that...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • fs: add link restriction audit reporting · a51d9eaa
      Kees Cook committed
      Adds audit messages for unexpected link restriction violations so that
      system owners will have some sort of potentially actionable information
      about misbehaving processes.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • fs: add link restrictions · 800179c9
      Kees Cook committed
      This adds symlink and hardlink restrictions to the Linux VFS.
      
      Symlinks:
      
      A long-standing class of security issues is the symlink-based
      time-of-check-time-of-use race, most commonly seen in world-writable
      directories like /tmp. The common method of exploitation of this flaw
      is to cross privilege boundaries when following a given symlink (i.e. a
      root process follows a symlink belonging to another user). For a likely
      incomplete list of hundreds of examples across the years, please see:
      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
      
      The solution is to permit symlinks to only be followed when outside
      a sticky world-writable directory, or when the uid of the symlink and
      follower match, or when the directory owner matches the symlink's owner.
      
      Some pointers to the history of earlier discussion that I could find:
      
       1996 Aug, Zygo Blaxell
        http://marc.info/?l=bugtraq&m=87602167419830&w=2
       1996 Oct, Andrew Tridgell
        http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
       1997 Dec, Albert D Cahalan
        http://lkml.org/lkml/1997/12/16/4
       2005 Feb, Lorenzo Hernández García-Hierro
        http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html
       2010 May, Kees Cook
        https://lkml.org/lkml/2010/5/30/144
      
      Past objections and rebuttals could be summarized as:
      
       - Violates POSIX.
         - POSIX didn't consider this situation and it's not useful to follow
           a broken specification at the cost of security.
       - Might break unknown applications that use this feature.
         - Applications that break because of the change are easy to spot and
           fix. Applications that are vulnerable to symlink ToCToU by not having
           the change aren't. Additionally, no applications have yet been found
           that rely on this behavior.
       - Applications should just use mkstemp() or O_CREATE|O_EXCL.
         - True, but applications are not perfect, and new software is written
           all the time that makes these mistakes; blocking this flaw at the
           kernel is a single solution to the entire class of vulnerability.
       - This should live in the core VFS.
         - This should live in an LSM. (https://lkml.org/lkml/2010/5/31/135)
       - This should live in an LSM.
         - This should live in the core VFS. (https://lkml.org/lkml/2010/8/2/188)
      
      Hardlinks:
      
      On systems that have user-writable directories on the same partition
      as system files, a long-standing class of security issues is the
      hardlink-based time-of-check-time-of-use race, most commonly seen in
      world-writable directories like /tmp. The common method of exploitation
      of this flaw is to cross privilege boundaries when following a given
      hardlink (i.e. a root process follows a hardlink created by another
      user). Additionally, an issue exists where users can "pin" a potentially
      vulnerable setuid/setgid file so that an administrator will not actually
      upgrade a system fully.
      
      The solution is to permit hardlinks to only be created when the user is
      already the existing file's owner, or if they already have read/write
      access to the existing file.
      
      Many Linux users are surprised when they learn they can link to files
      they have no access to, so this change appears to follow the doctrine
      of "least surprise". Additionally, this change does not violate POSIX,
      which states "the implementation may require that the calling process
      has permission to access the existing file"[1].
      
      This change is known to break some implementations of the "at" daemon,
      though the version used by Fedora and Ubuntu has been fixed[2] for
      a while. Otherwise, the change has been undisruptive while in use in
      Ubuntu for the last 1.5 years.
      
      [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/linkat.html
      [2] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279
      
      This patch is based on the patches in Openwall and grsecurity, along with
      suggestions from Al Viro. I have added a sysctl to enable the protected
      behavior, and documentation.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Acked-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • vfs: don't let do_last pass negative dentry to audit_inode · 3134f37e
      Jeff Layton committed
      I can reliably reproduce the following panic by simply setting an audit
      rule on a recent 3.5.0+ kernel:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
       IP: [<ffffffff810d1250>] audit_copy_inode+0x10/0x90
       PGD 7acd9067 PUD 7b8fb067 PMD 0
       Oops: 0000 [#86] SMP
       Modules linked in: nfs nfs_acl auth_rpcgss fscache lockd sunrpc tpm_bios btrfs zlib_deflate libcrc32c kvm_amd kvm joydev virtio_net pcspkr i2c_piix4 floppy virtio_balloon microcode virtio_blk cirrus drm_kms_helper ttm drm i2c_core [last unloaded: scsi_wait_scan]
       CPU 0
       Pid: 1286, comm: abrt-dump-oops Tainted: G      D      3.5.0+ #1 Bochs Bochs
       RIP: 0010:[<ffffffff810d1250>]  [<ffffffff810d1250>] audit_copy_inode+0x10/0x90
       RSP: 0018:ffff88007aebfc38  EFLAGS: 00010282
       RAX: 0000000000000000 RBX: ffff88003692d860 RCX: 00000000000038c4
       RDX: 0000000000000000 RSI: ffff88006baf5d80 RDI: ffff88003692d860
       RBP: ffff88007aebfc68 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
       R13: ffff880036d30f00 R14: ffff88006baf5d80 R15: ffff88003692d800
       FS:  00007f7562634740(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000040 CR3: 000000003643d000 CR4: 00000000000006f0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
       Process abrt-dump-oops (pid: 1286, threadinfo ffff88007aebe000, task ffff880079614530)
       Stack:
        ffff88007aebfdf8 ffff88007aebff28 ffff88007aebfc98 ffffffff81211358
        ffff88003692d860 0000000000000000 ffff88007aebfcc8 ffffffff810d4968
        ffff88007aebfcc8 ffff8800000038c4 0000000000000000 0000000000000000
       Call Trace:
        [<ffffffff81211358>] ? ext4_lookup+0xe8/0x160
        [<ffffffff810d4968>] __audit_inode+0x118/0x2d0
        [<ffffffff811955a9>] do_last+0x999/0xe80
        [<ffffffff81191fe8>] ? inode_permission+0x18/0x50
        [<ffffffff81171efa>] ? kmem_cache_alloc_trace+0x11a/0x130
        [<ffffffff81195b4a>] path_openat+0xba/0x420
        [<ffffffff81196111>] do_filp_open+0x41/0xa0
        [<ffffffff811a24bd>] ? alloc_fd+0x4d/0x120
        [<ffffffff811855cd>] do_sys_open+0xed/0x1c0
        [<ffffffff810d40cc>] ? __audit_syscall_entry+0xcc/0x300
        [<ffffffff811856c1>] sys_open+0x21/0x30
        [<ffffffff81611ca9>] system_call_fastpath+0x16/0x1b
        RSP <ffff88007aebfc38>
       CR2: 0000000000000040
      
      The problem is that do_last is passing a negative dentry to audit_inode.
      The comments on lookup_open note that it can pass back a negative dentry
      if O_CREAT is not set.
      
      This patch fixes the oops, but I'm not clear on whether there's a better
      approach.
      
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • pull mnt_want_write()/mnt_drop_write() into kern_path_create()/done_path_create() resp. · a8104a9f
      Al Viro committed
      One side effect - attempt to create a cross-device link on a read-only fs fails
      with EROFS instead of EXDEV now.  Makes more sense, POSIX allows, etc.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • mknod: take sanity checks on mode into the very beginning · 8e4bfca1
      Al Viro committed
      Note that applying umask can't affect their results.  While
      that affects errno in cases like
      	mknod("/no_such_directory/a", 030000)
      yielding -EINVAL (due to impossible mode_t) instead of
      -ENOENT (due to nonexistent directory), IMO that makes a lot
      more sense, POSIX allows to return either and any software
      that relies on getting -ENOENT instead of -EINVAL in that
      case deserves everything it gets.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • new helper: done_path_create() · 921a1650
      Al Viro committed
      releases what needs to be released after {kern,user}_path_create()
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  14. 23 Jul 2012, 3 commits
  15. 14 Jul 2012, 2 commits
    • VFS: Split inode_permission() · 0bdaea90
      David Howells committed
      Split inode_permission() into inode- and superblock-dependent parts.
      
      This is aimed at unionmounts where the superblock from the upper layer has to
      be checked rather than the superblock from the lower layer as the upper layer
      may be writable, thus allowing an unwritable file from the lower layer to be
      copied up and modified.
      
      Original-author: Valerie Aurora <vaurora@redhat.com>
      Signed-off-by: David Howells <dhowells@redhat.com> (Further development)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • VFS: Comment mount following code · f015f126
      David Howells committed
      Add comments describing what the directions "up" and "down" mean and ref count
      handling to the VFS mount following family of functions.
      
      Signed-off-by: Valerie Aurora <vaurora@redhat.com> (Original author)
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>