namei: allow restricted O_CREAT of FIFOs and regular files

author Salvatore Mesoraca <s.mesoraca16@gmail.com>

Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sat, 1 Dec 2018 08:44:25 +0000 (09:44 +0100)
author Salvatore Mesoraca <s.mesoraca16@gmail.com>
Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Dec 2018 08:44:25 +0000 (09:44 +0100)
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt

index 35e17f748ca78a927df127289ccd20689382aa73..af5859b2d0f91afa751d22de752b807cb1c1a573 100644 (file)
--- a/Documentation/sysctl/fs.txt
+++ b/Documentation/sysctl/fs.txt
@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/fs:
  - overflowgid
  - pipe-user-pages-hard
  - pipe-user-pages-soft
+- protected_fifos
  - protected_hardlinks
+- protected_regular
  - protected_symlinks
  - suid_dumpable
  - super-max
@@ -182,6 +184,24 @@ applied.
  
  ==============================================================
  
+protected_fifos:
+
+The intent of this protection is to avoid unintentional writes to
+an attacker-controlled FIFO, where a program expected to create a regular
+file.
+
+When set to "0", writing to FIFOs is unrestricted.
+
+When set to "1" don't allow O_CREAT open on FIFOs that we don't own
+in world writable sticky directories, unless they are owned by the
+owner of the directory.
+
+When set to "2" it also applies to group writable sticky directories.
+
+This protection is based on the restrictions in Openwall.
+
+==============================================================
+
  protected_hardlinks:
  
  A long-standing class of security issues is the hardlink-based
@@ -202,6 +222,22 @@ This protection is based on the restrictions in Openwall and grsecurity.
  
  ==============================================================
  
+protected_regular:
+
+This protection is similar to protected_fifos, but it
+avoids writes to an attacker-controlled regular file, where a program
+expected to create one.
+
+When set to "0", writing to regular files is unrestricted.
+
+When set to "1" don't allow O_CREAT open on regular files that we
+don't own in world writable sticky directories, unless they are
+owned by the owner of the directory.
+
+When set to "2" it also applies to group writable sticky directories.
+
+==============================================================
+
  protected_symlinks:
  
  A long-standing class of security issues is the symlink-based
diff --git a/fs/namei.c b/fs/namei.c

index 85ac38b99065c6c88537cdbccd49908c0e38430e..eb4626bad88a7c99e7fa30d54628e29787a1c26b 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -892,6 +892,8 @@ static inline void put_link(struct nameidata *nd)
  
  int sysctl_protected_symlinks __read_mostly = 0;
  int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_fifos __read_mostly;
+int sysctl_protected_regular __read_mostly;
  
  /**
   * may_follow_link - Check symlink following for unsafe situations
@@ -1005,6 +1007,45 @@ static int may_linkat(struct path *link)
         return -EPERM;
  }
  
+/**
+ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+ *                       should be allowed, or not, on files that already
+ *                       exist.
+ * @dir: the sticky parent directory
+ * @inode: the inode of the file to open
+ *
+ * Block an O_CREAT open of a FIFO (or a regular file) when:
+ *   - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
+ *   - the file already exists
+ *   - we are in a sticky directory
+ *   - we don't own the file
+ *   - the owner of the directory doesn't own the file
+ *   - the directory is world writable
+ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
+ * the directory doesn't have to be world writable: being group writable will
+ * be enough.
+ *
+ * Returns 0 if the open is allowed, -ve on error.
+ */
+static int may_create_in_sticky(struct dentry * const dir,
+                               struct inode * const inode)
+{
+       if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+           (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+           likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+           uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
+           uid_eq(current_fsuid(), inode->i_uid))
+               return 0;
+
+       if (likely(dir->d_inode->i_mode & 0002) ||
+           (dir->d_inode->i_mode & 0020 &&
+            ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+             (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+               return -EACCES;
+       }
+       return 0;
+}
+
  static __always_inline
  const char *get_link(struct nameidata *nd)
  {
@@ -3356,9 +3397,15 @@ static int do_last(struct nameidata *nd,
         if (error)
                 return error;
         audit_inode(nd->name, nd->path.dentry, 0);
-       error = -EISDIR;
-       if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
-               goto out;
+       if (open_flag & O_CREAT) {
+               error = -EISDIR;
+               if (d_is_dir(nd->path.dentry))
+                       goto out;
+               error = may_create_in_sticky(dir,
+                                            d_backing_inode(nd->path.dentry));
+               if (unlikely(error))
+                       goto out;
+       }
         error = -ENOTDIR;
         if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
                 goto out;
diff --git a/include/linux/fs.h b/include/linux/fs.h

index e9867aff53d8e6cb3713cca6e063d12f8829de6f..bcad2b963296d58d6001ffe9c70fc41212439a7f 100644 (file)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -69,6 +69,8 @@ extern struct inodes_stat_t inodes_stat;
  extern int leases_enable, lease_break_time;
  extern int sysctl_protected_symlinks;
  extern int sysctl_protected_hardlinks;
+extern int sysctl_protected_fifos;
+extern int sysctl_protected_regular;
  
  struct buffer_head;
  typedef int (get_block_t)(struct inode *inode, sector_t iblock,
diff --git a/kernel/sysctl.c b/kernel/sysctl.c

index 7df6be31be3617ed780fa52d24fe7611458011b1..23f658d311c05d40797e3459c7fdfcb2df6c046b 100644 (file)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1794,6 +1794,24 @@ static struct ctl_table fs_table[] = {
                 .extra1         = &zero,
                 .extra2         = &one,
         },
+       {
+               .procname       = "protected_fifos",
+               .data           = &sysctl_protected_fifos,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &zero,
+               .extra2         = &two,
+       },
+       {
+               .procname       = "protected_regular",
+               .data           = &sysctl_protected_regular,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &zero,
+               .extra2         = &two,
+       },
         {
                 .procname       = "suid_dumpable",
                 .data           = &suid_dumpable,
author	Salvatore Mesoraca <s.mesoraca16@gmail.com>
	Fri, 24 Aug 2018 00:00:35 +0000 (17:00 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 1 Dec 2018 08:44:25 +0000 (09:44 +0100)
Documentation/sysctl/fs.txt		patch \| blob \| history
fs/namei.c		patch \| blob \| history
include/linux/fs.h		patch \| blob \| history
kernel/sysctl.c		patch \| blob \| history