namei: allow restricted O_CREAT of FIFOs and regular files

author Salvatore Mesoraca <s.mesoraca16@gmail.com>

Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)

committer Linus Torvalds <torvalds@linux-foundation.org>

Fri, 24 Aug 2018 01:48:43 +0000 (18:48 -0700)
author Salvatore Mesoraca <s.mesoraca16@gmail.com>
Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)
committer Linus Torvalds <torvalds@linux-foundation.org>
Fri, 24 Aug 2018 01:48:43 +0000 (18:48 -0700)
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt

index 6c00c1e2743fa2048882514d8644a908fff3a475..819caf8ca05f8b4b16226c0f5d6f76068de09131 100644 (file)
--- a/Documentation/sysctl/fs.txt
+++ b/Documentation/sysctl/fs.txt
@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/fs:
  - overflowgid
  - pipe-user-pages-hard
  - pipe-user-pages-soft
+- protected_fifos
  - protected_hardlinks
+- protected_regular
  - protected_symlinks
  - suid_dumpable
  - super-max
@@ -182,6 +184,24 @@ applied.
  
  ==============================================================
  
+protected_fifos:
+
+The intent of this protection is to avoid unintentional writes to
+an attacker-controlled FIFO, where a program expected to create a regular
+file.
+
+When set to "0", writing to FIFOs is unrestricted.
+
+When set to "1" don't allow O_CREAT open on FIFOs that we don't own
+in world writable sticky directories, unless they are owned by the
+owner of the directory.
+
+When set to "2" it also applies to group writable sticky directories.
+
+This protection is based on the restrictions in Openwall.
+
+==============================================================
+
  protected_hardlinks:
  
  A long-standing class of security issues is the hardlink-based
@@ -202,6 +222,22 @@ This protection is based on the restrictions in Openwall and grsecurity.
  
  ==============================================================
  
+protected_regular:
+
+This protection is similar to protected_fifos, but it
+avoids writes to an attacker-controlled regular file, where a program
+expected to create one.
+
+When set to "0", writing to regular files is unrestricted.
+
+When set to "1" don't allow O_CREAT open on regular files that we
+don't own in world writable sticky directories, unless they are
+owned by the owner of the directory.
+
+When set to "2" it also applies to group writable sticky directories.
+
+==============================================================
+
  protected_symlinks:
  
  A long-standing class of security issues is the symlink-based
diff --git a/fs/namei.c b/fs/namei.c

index ae6aa9ae757c559ca1ac35c70a31da319142a5f3..0cab6494978c1295b965f503422bdbeacff6ccc4 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -887,6 +887,8 @@ static inline void put_link(struct nameidata *nd)
  
  int sysctl_protected_symlinks __read_mostly = 0;
  int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_fifos __read_mostly;
+int sysctl_protected_regular __read_mostly;
  
  /**
   * may_follow_link - Check symlink following for unsafe situations
@@ -1003,6 +1005,45 @@ static int may_linkat(struct path *link)
         return -EPERM;
  }
  
+/**
+ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+ *                       should be allowed, or not, on files that already
+ *                       exist.
+ * @dir: the sticky parent directory
+ * @inode: the inode of the file to open
+ *
+ * Block an O_CREAT open of a FIFO (or a regular file) when:
+ *   - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
+ *   - the file already exists
+ *   - we are in a sticky directory
+ *   - we don't own the file
+ *   - the owner of the directory doesn't own the file
+ *   - the directory is world writable
+ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
+ * the directory doesn't have to be world writable: being group writable will
+ * be enough.
+ *
+ * Returns 0 if the open is allowed, -ve on error.
+ */
+static int may_create_in_sticky(struct dentry * const dir,
+                               struct inode * const inode)
+{
+       if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+           (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+           likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+           uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
+           uid_eq(current_fsuid(), inode->i_uid))
+               return 0;
+
+       if (likely(dir->d_inode->i_mode & 0002) ||
+           (dir->d_inode->i_mode & 0020 &&
+            ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+             (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+               return -EACCES;
+       }
+       return 0;
+}
+
  static __always_inline
  const char *get_link(struct nameidata *nd)
  {
@@ -3348,9 +3389,15 @@ finish_open:
         if (error)
                 return error;
         audit_inode(nd->name, nd->path.dentry, 0);
-       error = -EISDIR;
-       if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
-               goto out;
+       if (open_flag & O_CREAT) {
+               error = -EISDIR;
+               if (d_is_dir(nd->path.dentry))
+                       goto out;
+               error = may_create_in_sticky(dir,
+                                            d_backing_inode(nd->path.dentry));
+               if (unlikely(error))
+                       goto out;
+       }
         error = -ENOTDIR;
         if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
                 goto out;
diff --git a/include/linux/fs.h b/include/linux/fs.h

index e5710541183b00cc62ae7f7745bc2d8412f7b86b..33322702c910b9cb879d05a03c070c51487c0d26 100644 (file)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -74,6 +74,8 @@ extern struct inodes_stat_t inodes_stat;
  extern int leases_enable, lease_break_time;
  extern int sysctl_protected_symlinks;
  extern int sysctl_protected_hardlinks;
+extern int sysctl_protected_fifos;
+extern int sysctl_protected_regular;
  
  typedef __kernel_rwf_t rwf_t;
  
diff --git a/kernel/sysctl.c b/kernel/sysctl.c

index 71ceb6c13c1a54030ed23e86e89da1079636d223..cc02050fd0c493378228eb6960e15449754f1387 100644 (file)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1807,6 +1807,24 @@ static struct ctl_table fs_table[] = {
                 .extra1         = &zero,
                 .extra2         = &one,
         },
+       {
+               .procname       = "protected_fifos",
+               .data           = &sysctl_protected_fifos,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &zero,
+               .extra2         = &two,
+       },
+       {
+               .procname       = "protected_regular",
+               .data           = &sysctl_protected_regular,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &zero,
+               .extra2         = &two,
+       },
         {
                 .procname       = "suid_dumpable",
                 .data           = &suid_dumpable,
author	Salvatore Mesoraca <s.mesoraca16@gmail.com>
	Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Fri, 24 Aug 2018 01:48:43 +0000 (18:48 -0700)
Documentation/sysctl/fs.txt		patch \| blob \| history
fs/namei.c		patch \| blob \| history
include/linux/fs.h		patch \| blob \| history
kernel/sysctl.c		patch \| blob \| history