[5/9] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC

Message ID	20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org (mailing list archive)
State	New
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77BF0233D91; Mon, 7 Apr 2025 09:54:50 +0000 (UTC) From: Christian Brauner <brauner@kernel.org> Date: Mon, 07 Apr 2025 11:54:19 +0200 Subject: [PATCH 5/9] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org> References: <20250407-work-anon_inode-v1-0-53a44c20d44e@kernel.org> In-Reply-To: <20250407-work-anon_inode-v1-0-53a44c20d44e@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Christoph Hellwig <hch@infradead.org>, Mateusz Guzik <mjguzik@gmail.com>, Penglei Jiang <superman.xpt@gmail.com>, Al Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>, Jeff Layton <jlayton@kernel.org>, Josef Bacik <josef@toxicpanda.com>, syzbot+5d8e79d323a13aa0b248@syzkaller.appspotmail.com, Christian Brauner <brauner@kernel.org>, stable@vger.kernel.org
Series	fs: harden anon inodes \| expand [0/9] fs: harden anon inodes [1/9] anon_inode: use a proper mode internally [2/9] pidfs: use anon_inode_getattr() [3/9] anon_inode: explicitly block ->setattr() [4/9] pidfs: use anon_inode_setattr() [5/9] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC [6/9] selftests/filesystems: add first test for anonymous inodes [7/9] selftests/filesystems: add second test for anonymous inodes [8/9] selftests/filesystems: add third test for anonymous inodes [9/9] selftests/filesystems: add fourth test for anonymous inodes

Message ID

20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org (mailing list archive)

State

New

Headers

From: Christian Brauner <brauner@kernel.org>
Date: Mon, 07 Apr 2025 11:54:19 +0200
Subject: [PATCH 5/9] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org>
References: <20250407-work-anon_inode-v1-0-53a44c20d44e@kernel.org>
In-Reply-To: <20250407-work-anon_inode-v1-0-53a44c20d44e@kernel.org>
To: linux-fsdevel@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>,
 Mateusz Guzik <mjguzik@gmail.com>, Penglei Jiang <superman.xpt@gmail.com>,
 Al Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>,
 Jeff Layton <jlayton@kernel.org>, Josef Bacik <josef@toxicpanda.com>,
 syzbot+5d8e79d323a13aa0b248@syzkaller.appspotmail.com,
 Christian Brauner <brauner@kernel.org>, stable@vger.kernel.org

Series

fs: harden anon inodes | expand

Commit Message

Christian Brauner April 7, 2025, 9:54 a.m. UTC

It isn't possible to execute anoymous inodes because they cannot be
opened in any way after they have been created. This includes execution:

execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)

Anonymous inodes have inode->f_op set to no_open_fops which sets
no_open() which returns ENXIO. That means any call to do_dentry_open()
which is the endpoint of the do_open_execat() will fail. There's no
chance to execute an anonymous inode. Unless a given subsystem overrides
it ofc.

Howerver, we should still harden this and raise SB_I_NODEV and
SB_I_NOEXEC on the superblock itself so that no one gets any creative
ideas.

Cc: <stable@vger.kernel.org> # all LTS kernels
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/anon_inodes.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jan Kara April 7, 2025, 2:07 p.m. UTC | #1

On Mon 07-04-25 11:54:19, Christian Brauner wrote:
> It isn't possible to execute anoymous inodes because they cannot be
				^^ anonymous

> opened in any way after they have been created. This includes execution:
> 
> execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)
> 
> Anonymous inodes have inode->f_op set to no_open_fops which sets
> no_open() which returns ENXIO. That means any call to do_dentry_open()
> which is the endpoint of the do_open_execat() will fail. There's no
> chance to execute an anonymous inode. Unless a given subsystem overrides
> it ofc.
> 
> Howerver, we should still harden this and raise SB_I_NODEV and
  ^^^ However

> SB_I_NOEXEC on the superblock itself so that no one gets any creative
> ideas.

;)

Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> 
> Cc: <stable@vger.kernel.org> # all LTS kernels
> Signed-off-by: Christian Brauner <brauner@kernel.org>
> ---
>  fs/anon_inodes.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> index cb51a90bece0..e51e7d88980a 100644
> --- a/fs/anon_inodes.c
> +++ b/fs/anon_inodes.c
> @@ -86,6 +86,8 @@ static int anon_inodefs_init_fs_context(struct fs_context *fc)
>  	struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC);
>  	if (!ctx)
>  		return -ENOMEM;
> +	fc->s_iflags |= SB_I_NOEXEC;
> +	fc->s_iflags |= SB_I_NODEV;
>  	ctx->dops = &anon_inodefs_dentry_operations;
>  	return 0;
>  }
> 
> -- 
> 2.47.2
>

Christian Brauner April 7, 2025, 2:18 p.m. UTC | #2

On Mon, Apr 07, 2025 at 04:07:47PM +0200, Jan Kara wrote:
> On Mon 07-04-25 11:54:19, Christian Brauner wrote:
> > It isn't possible to execute anoymous inodes because they cannot be
> 				^^ anonymous
> 
> > opened in any way after they have been created. This includes execution:
> > 
> > execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)
> > 
> > Anonymous inodes have inode->f_op set to no_open_fops which sets
> > no_open() which returns ENXIO. That means any call to do_dentry_open()
> > which is the endpoint of the do_open_execat() will fail. There's no
> > chance to execute an anonymous inode. Unless a given subsystem overrides
> > it ofc.
> > 
> > Howerver, we should still harden this and raise SB_I_NODEV and
>   ^^^ However
> 
> > SB_I_NOEXEC on the superblock itself so that no one gets any creative
> > ideas.
> 
> ;)

I've told our new AI overloards to sprinkle-in some typos so no one
realizes I've been mostly replaced by a bot.

Or I'm just generally tired so I fat-finger a lot more than usual. :D

> 
> Feel free to add:
> 
> Reviewed-by: Jan Kara <jack@suse.cz>
> 
> 								Honza
> 
> > 
> > Cc: <stable@vger.kernel.org> # all LTS kernels
> > Signed-off-by: Christian Brauner <brauner@kernel.org>
> > ---
> >  fs/anon_inodes.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> > index cb51a90bece0..e51e7d88980a 100644
> > --- a/fs/anon_inodes.c
> > +++ b/fs/anon_inodes.c
> > @@ -86,6 +86,8 @@ static int anon_inodefs_init_fs_context(struct fs_context *fc)
> >  	struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC);
> >  	if (!ctx)
> >  		return -ENOMEM;
> > +	fc->s_iflags |= SB_I_NOEXEC;
> > +	fc->s_iflags |= SB_I_NODEV;
> >  	ctx->dops = &anon_inodefs_dentry_operations;
> >  	return 0;
> >  }
> > 
> > -- 
> > 2.47.2
> > 
> -- 
> Jan Kara <jack@suse.com>
> SUSE Labs, CR

diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index cb51a90bece0..e51e7d88980a 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -86,6 +86,8 @@  static int anon_inodefs_init_fs_context(struct fs_context *fc)
 	struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC);
 	if (!ctx)
 		return -ENOMEM;
+	fc->s_iflags |= SB_I_NOEXEC;
+	fc->s_iflags |= SB_I_NODEV;
 	ctx->dops = &anon_inodefs_dentry_operations;
 	return 0;
 }

[5/9] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC

Commit Message

Comments

Patch