From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 248335] O_BENEATH leaks information about parent directories
Date: Tue, 28 Jul 2020 16:50:17 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248335

Bug ID: 248335
Summary: O_BENEATH leaks information about parent directories
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: sunfish@mozilla.com

The behaviour of `O_BENEATH` in code like this:

```c
#include <fcntl.h>
int dirfd = open("/foo", O_RDONLY);
/* an absolute path passed to an O_BENEATH open whose topping directory is /foo */
int bar = openat(dirfd, "/foo/bar", O_RDONLY|O_BENEATH);
```
on FreeBSD-CURRENT, if I read the man page [0] correctly, is to attempt to open the absolute path "/foo/bar", since "/foo" is a prefix that "ends up at the topping directory". `openat` with `O_BENEATH` also resolves ".." paths which temporarily escape the topping directory if the final path is within the topping directory. This means that information about the path above the topping directory leaks through the result of the `openat`. This is undesirable for sandboxing applications which wish to avoid leaking information about the host filesystem outside the sandbox.

One way to avoid this is to enable Capsicum capability mode, however since that affects process-wide state, it isn't suitable for lightweight sandboxing use cases which just want to sandbox paths in selected `openat` calls. And, it appears to have the side effect of disallowing ".." entirely.

Another way to avoid this is for these use cases to check for absolute paths and ".." manually, however this wouldn't protect against symlinks to absolute paths or symlinks containing "..", which can't always be prevented. It may also have the side effect of disallowing ".." entirely--there are techniques for emulating sandboxed ".." resolution [4], however they incur significant overhead.

FreeBSD's `O_BENEATH` was modified to have its current behaviour in D17714 [3]. It's unclear from the discussion what the motivating use cases are. For the use case of sandboxing untrusted paths, it would be desirable to have a way to avoid leaking information about the host filesystem above the topping directory.

FreeBSD's current `O_BENEATH` also appears to differ from Linux's new `openat2`'s `RESOLVE_BENEATH` flag, or any of its other flags [1]. Linux's `openat2` with `RESOLVE_BENEATH` fails with `EACCES` on any absolute path, or any path that escapes even temporarily in an intermediate component. As an additional data point, this is the behaviour of CloudABI's `libemulator` as well [2].
I'm not very familiar with FreeBSD, so corrections if I've misunderstood or missed anything are most welcome!

[0] https://svnweb.freebsd.org/base/head/lib/libc/sys/open.2?revision=340347&view=markup&pathrev=340347
[1] https://man7.org/linux/man-pages/man2/openat2.2.html
[2] https://github.com/NuxiNL/cloudabi-utils/blob/master/src/libemulator/posix.c#L1271
[3] https://reviews.freebsd.org/D17714
[4] https://github.com/NuxiNL/cloudabi-utils/blob/master/src/libemulator/posix.c#L1205
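As an added example (not code from the bug report, FreeBSD or CloudABI), here is the manual check the report mentions as an alternative, done lexically in the spirit of `openat2`'s `RESOLVE_BENEATH`: reject absolute paths and any ".." that climbs above the topping directory even in an intermediate component, then fall through to a plain `openat`. The names `escapes_beneath` and `openat_beneath_lexical` are assumed, and the example shares the report's caveat that it cannot see through symlinks.

```c
/* Added example, not from the bug report: a lexical "beneath" check applied
 * before openat(). It rejects what openat2(RESOLVE_BENEATH) rejects at the
 * string level; symlinks are invisible to it, which is the gap the report
 * describes and only the kernel can close. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>

/* Return 1 if `path` is absolute or any prefix of it climbs above the
 * topping directory, 0 if every intermediate prefix stays beneath it. */
int escapes_beneath(const char *path)
{
    int depth = 0;                 /* components below the topping directory */

    if (path[0] == '/')
        return 1;                  /* "/foo/bar" style absolute path */

    while (*path != '\0') {
        const char *end = strchr(path, '/');
        size_t len = end ? (size_t)(end - path) : strlen(path);

        if (len == 2 && path[0] == '.' && path[1] == '.') {
            if (--depth < 0)
                return 1;          /* "../x" or "a/../../x": left the directory */
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            depth++;               /* ordinary component; "." and "" change nothing */
        }
        if (end == NULL)
            break;
        path = end + 1;
    }
    return 0;                      /* "a/../b" is fine: it never went above the top */
}

/* openat() guarded by the lexical check. O_NOFOLLOW only stops a symlink in
 * the final component; symlinks in intermediate components remain uncovered. */
int openat_beneath_lexical(int dirfd, const char *path, int flags)
{
    if (escapes_beneath(path)) {
        errno = EACCES;            /* same error openat2(RESOLVE_BENEATH) reports */
        return -1;
    }
    return openat(dirfd, path, flags | O_NOFOLLOW);
}
```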