android_kernel_google_msm/Documentation
Kees Cook ec7215ac09 fs: add link restrictions
This adds symlink and hardlink restrictions to the Linux VFS.

Symlinks:

A long-standing class of security issues is the symlink-based
time-of-check-time-of-use race, most commonly seen in world-writable
directories like /tmp. The common method of exploitation of this flaw
is to cross privilege boundaries when following a given symlink (i.e. a
root process follows a symlink belonging to another user). For a likely
incomplete list of hundreds of examples across the years, please see:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp

The solution is to permit symlinks to only be followed when outside
a sticky world-writable directory, or when the uid of the symlink and
follower match, or when the directory owner matches the symlink's owner.

Some pointers to the history of earlier discussion that I could find:

 1996 Aug, Zygo Blaxell
  http://marc.info/?l=bugtraq&m=87602167419830&w=2
 1996 Oct, Andrew Tridgell
  http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
 1997 Dec, Albert D Cahalan
  http://lkml.org/lkml/1997/12/16/4
 2005 Feb, Lorenzo Hernández García-Hierro
  http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html
 2010 May, Kees Cook
  https://lkml.org/lkml/2010/5/30/144

Past objections and rebuttals could be summarized as:

 - Violates POSIX.
   - POSIX didn't consider this situation and it's not useful to follow
     a broken specification at the cost of security.
 - Might break unknown applications that use this feature.
   - Applications that break because of the change are easy to spot and
     fix. Applications that are vulnerable to symlink ToCToU by not having
     the change aren't. Additionally, no applications have yet been found
     that rely on this behavior.
 - Applications should just use mkstemp() or O_CREATE|O_EXCL.
   - True, but applications are not perfect, and new software is written
     all the time that makes these mistakes; blocking this flaw at the
     kernel is a single solution to the entire class of vulnerability.
 - This should live in the core VFS.
   - This should live in an LSM. (https://lkml.org/lkml/2010/5/31/135)
 - This should live in an LSM.
   - This should live in the core VFS. (https://lkml.org/lkml/2010/8/2/188)

Hardlinks:

On systems that have user-writable directories on the same partition
as system files, a long-standing class of security issues is the
hardlink-based time-of-check-time-of-use race, most commonly seen in
world-writable directories like /tmp. The common method of exploitation
of this flaw is to cross privilege boundaries when following a given
hardlink (i.e. a root process follows a hardlink created by another
user). Additionally, an issue exists where users can "pin" a potentially
vulnerable setuid/setgid file so that an administrator will not actually
upgrade a system fully.

The solution is to permit hardlinks to only be created when the user is
already the existing file's owner, or if they already have read/write
access to the existing file.

Many Linux users are surprised when they learn they can link to files
they have no access to, so this change appears to follow the doctrine
of "least surprise". Additionally, this change does not violate POSIX,
which states "the implementation may require that the calling process
has permission to access the existing file"[1].

This change is known to break some implementations of the "at" daemon,
though the version used by Fedora and Ubuntu has been fixed[2] for
a while. Otherwise, the change has been undisruptive while in use in
Ubuntu for the last 1.5 years.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/linkat.html
[2] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279

This patch is based on the patches in Openwall and grsecurity, along with
suggestions from Al Viro. I have added a sysctl to enable the protected
behavior, and documentation.

Change-Id: Ic4872c58e8a0672147c73b13175ea143e19915ba
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-12-07 22:28:48 +04:00
ABI netfilter: remove ip_queue support 2018-12-07 22:00:11 +04:00
accounting
acpi
aoe
arm uio: msm_sharedmem: Add new device driver for sharedmemory access 2014-07-15 23:59:19 +00:00
auxdisplay
backlight
blackfin
block block: Add test-iosched scheduler 2013-02-27 18:13:18 -08:00
blockdev UPSTREAM: zram: deprecate zram attrs sysfs nodes 2018-01-01 21:27:12 +03:00
cdrom
cgroups memcg: fix/change behavior of shared anon at moving task 2018-01-01 22:02:04 +03:00
connector
console
cpu-freq
cpuidle
cris
crypto crypto: Add MSM crypto drivers 2013-02-25 11:29:28 -08:00
development-process
device-mapper
devicetree ARM: configs: flo: Go back to 100Hz 2018-03-23 18:43:28 +03:00
DocBook ALSA: Remove transfer_ack_{begin,end} callbacks from struct snd_pcm_runtime 2017-03-07 05:44:05 +00:00
driver-model
dvb Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
early-userspace
EDID
fault-injection
fb
filesystems don't pass nameidata to ->create() 2018-12-07 22:28:00 +04:00
firmware_class firmware loader: document firmware cache mechanism 2017-12-28 12:57:14 +03:00
frv
hid HID: uhid: add documentation 2013-03-04 12:45:09 -08:00
hwmon hwmon: (coretemp) Add support for Atom CE4110/4150/4170 2014-04-14 06:44:31 -07:00
i2c i2c-piix4: Add AMD CZ SMBus device ID 2014-06-07 16:02:14 -07:00
i2o
ia64
ide
infiniband
input
ioctl
isdn
ja_JP Documentation: Update stable address in Chinese and Japanese translations 2014-06-07 16:02:02 -07:00
kbuild
kdump
ko_KR
laptops
leds
m68k
make
mips
misc-devices
mmc mmc: use percentage changed sectors as indication to check BKOPS need 2013-03-15 17:08:16 -07:00
mn10300
mtd mtd: msm_qpic_nand: Initial driver for QPIC based NAND controller 2013-02-27 18:17:42 -08:00
namespaces
netlabel
networking ipv6: add option to drop unsolicited neighbor advertisements 2018-12-07 21:59:38 +04:00
nfc
parisc
PCI
pcmcia
power Documentation: Point to correct header file 2013-02-25 11:36:56 -08:00
powerpc
pps
prctl Documentation: prctl/seccomp_filter 2014-10-31 19:46:17 -07:00
pti
ptp
rapidio
RCU
s390
scheduler
scsi
security KEYS: Add invalidation support 2016-10-29 23:12:12 +08:00
serial
sh
sound Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
sparc
spi
sysctl fs: add link restrictions 2018-12-07 22:28:48 +04:00
target
telephony
thermal
timers time: Remove CONFIG_TIMER_STATS 2017-07-02 13:03:26 +03:00
trace
usb usb: misc: Add kickstart bridge driver 2013-02-27 18:19:01 -08:00
vDSO
video4linux
virtual
vm UPSTREAM: zsmalloc: zsmalloc documentation 2018-01-01 21:27:11 +03:00
w1
watchdog
wimax
x86 x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack 2014-08-07 12:00:10 -07:00
zh_CN Documentation: Update stable address in Chinese and Japanese translations 2014-06-07 16:02:02 -07:00
.gitignore
00-INDEX
android.txt
applying-patches.txt
atomic_ops.txt
bad_memory.txt
basic_profiling.txt
binfmt_misc.txt
braille-console.txt
bt8xxgpio.txt
btmrvl.txt
BUG-HUNTING
bus-virt-phys-mapping.txt
cachetlb.txt
Changes
circular-buffers.txt
clk.txt
coccinelle.txt
CodingStyle
cpu-hotplug.txt
cpu-load.txt
cputopology.txt
crc32.txt
csdio.txt mmc: Char SDIO Device Driver 2013-02-25 11:29:22 -08:00
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
devices.txt
digsig.txt
DMA-API-HOWTO.txt
DMA-API.txt
DMA-attributes.txt common: DMA-mapping: Add strongly ordered memory attribute 2013-03-07 15:23:21 -08:00
dma-buf-sharing.txt
DMA-ISA-LPC.txt
dmaengine.txt
dontdiff
dynamic-debug-howto.txt
edac.txt
eisa.txt
email-clients.txt
feature-removal-schedule.txt netfilter: remove xt_NOTRACK 2018-12-07 22:04:24 +04:00
flexible-arrays.txt
futex-requeue-pi.txt
gcov.txt
genlock.txt base: genlock: allow synchronization with a single gralloc handle 2013-02-25 11:29:17 -08:00
gpio.txt
highuid.txt
HOWTO
hw_random.txt
hwspinlock.txt
init.txt
initrd.txt
Intel-IOMMU.txt
intel_txt.txt
io-mapping.txt
io_ordering.txt
iostats.txt
IPMI.txt
IRQ-affinity.txt
IRQ-domain.txt
IRQ.txt
irqflags-tracing.txt
isapnp.txt
java.txt
kernel-doc-nano-HOWTO.txt
kernel-docs.txt
kernel-parameters.txt Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
kmemcheck.txt
kmemleak.txt
kobject.txt
kprobes.txt
kref.txt
ldm.txt
local_ops.txt
lockdep-design.txt
lockstat.txt
lockup-watchdogs.txt
logo.gif
logo.txt
lzo.txt Documentation: lzo: document part of the encoding 2015-02-02 17:04:43 +08:00
magic-number.txt
Makefile
ManagementStyle
mca.txt
md.txt
media-framework.txt
memory-barriers.txt
memory-hotplug.txt
memory.txt
mono.txt
mutex-design.txt
nommu-mmap.txt
numastat.txt
oops-tracing.txt
padata.txt
parport-lowlevel.txt
parport.txt
pi-futex.txt
pinctrl.txt pinctrl: fix example .get_group_pins implementation signature 2015-09-18 09:20:24 +08:00
pnp.txt
preempt-locking.txt
printk-formats.txt
prio_tree.txt
ramoops.txt
rbtree.txt
remoteproc.txt
rfkill.txt
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rt-mutex-design.txt
rt-mutex.txt
rtc.txt
SAK.txt
SecurityBugs
serial-console.txt
sgi-ioc4.txt
sgi-visws.txt
SM501.txt
sparse.txt
spinlocks.txt
stable_api_nonsense.txt
stable_kernel_rules.txt stable_kernel_rules: Add pointer to netdev-FAQ for network patches 2014-09-25 11:49:09 +08:00
static-keys.txt
SubmitChecklist
SubmittingDrivers
SubmittingPatches
svga.txt
sync.txt sync: add Documentation/sync.txt 2013-03-15 17:13:08 -07:00
sysfs-rules.txt
sysrq.txt
unaligned-memory-access.txt
unicode.txt
unshare.txt
VGA-softcursor.txt
vgaarbiter.txt
video-output.txt
volatile-considered-harmful.txt
workqueue.txt
xz.txt
zorro.txt