lookup: in capability mode, silently strengthen BENEATH to RBENEATH
AbandonedPublic
Actions

Authored by kib on Feb 16 2021, 5:27 AM.

Details

Reviewers

emaste
markj
arichardson

Group Reviewers

capsicum

Summary

Otherwise O_BENEATH allowed to temporary escape the capability sandbox and worked as oracle for checks of existence of directories outside it. This was found by the capsicum-test test checking O_BENEATH behavior in capability mode.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

kib requested review of this revision.Feb 16 2021, 5:27 AM

kib created this revision.

kib mentioned this in D28687: WIP: Update capsicum-test after O_BENEATH changes..Feb 16 2021, 5:30 AM

I would change the commit message to use something like strengthen instead of downgrade since RBENEATH is a stricter version of BENEATH.

sys/kern/vfs_lookup.c
333	Does this need to be cleared? Shouldn't RBENEATH have priority if both are set?

kib marked an inline comment as done.Feb 16 2021, 11:04 AM

kib added inline comments.

sys/kern/vfs_lookup.c
333	Internally they work differently. For BENEATH, there is a concept of 'latch' when path descends below the topping directory. The latch is cleared when we leave the hierarchy. It must not be tracked or checked for RBENEATH, so flags are used in different code paths. As such it is too problematic to keep them both.

kib retitled this revision from lookup: in capability mode, silently downgrade BENEATH to RBENEATH to lookup: in capability mode, silently strenghen BENEATH to RBENEATH.Feb 16 2021, 11:04 AM

arichardson added inline comments.Feb 16 2021, 11:09 AM

sys/kern/vfs_lookup.c
312–315	This might be needed if we shouldn't be setting both?
333	Thanks for the explanation. In that case maybe there should be a KASSERT() that we never set both?

kib marked 3 inline comments as done.Feb 16 2021, 1:10 PM

kib added inline comments.

sys/kern/vfs_lookup.c
312–315	'else' is not strictly needed but would be a good change for clarity.

Set only one of OPER_{R,}BENEATH flags.

arichardson added inline comments.Feb 16 2021, 1:34 PM

sys/kern/vfs_lookup.c
312–315	It seems that adding the else fixed my test case using `O_BENEATH\|O_RESOLVE_BENEATH`, so it does seem to make a functional difference.
440	I guess we never set both now, but maybe this should also come first and be an else if?

kib marked 2 inline comments as done.Feb 16 2021, 1:54 PM

kib added inline comments.

sys/kern/vfs_lookup.c
440	I do not think that this change would add anything. IMO the current structure is even cleaner than going to if else.

LGTM with the typo in the commit message fixed (strenghen -> strengthen)

This revision is now accepted and ready to land.Feb 16 2021, 2:13 PM

And maybe mention something like "this was found by the capsicum-test test checking O_BENEATH behaviour in capability mode" in the commit message.

kib retitled this revision from lookup: in capability mode, silently strenghen BENEATH to RBENEATH to lookup: in capability mode, silently strengthen BENEATH to RBENEATH.Feb 16 2021, 2:43 PM

kib edited the summary of this revision. (Show Details)

oshogbo added a subscriber: oshogbo.Feb 16 2021, 6:34 PM

oshogbo added inline comments.