Commit dab741e0 authored by Mattias Nissler's avatar Mattias Nissler Committed by Al Viro
Browse files

Add a "nosymfollow" mount option. 

For mounts that have the new "nosymfollow" option, don't follow symlinks
when resolving paths. The new option is similar in spirit to the
existing "nodev", "noexec", and "nosuid" options, as well as to the
LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD
variants have been supporting the "nosymfollow" mount option for a long
time with equivalent implementations.

Note that symlinks may still be created on file systems mounted with
the "nosymfollow" option present. readlink() remains functional, so
user space code that is aware of symlinks can still choose to follow
them explicitly.

Setting the "nosymfollow" mount option helps prevent privileged
writers from modifying files unintentionally in case there is an
unexpected link along the accessed path. The "nosymfollow" option is
thus useful as a defensive measure for systems that need to deal with
untrusted file systems in privileged contexts.

More information on the history and motivation for this patch can be
found here:

https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal



Signed-off-by: default avatarMattias Nissler <mnissler@chromium.org>
Signed-off-by: default avatarRoss Zwisler <zwisler@google.com>
Reviewed-by: default avatarAleksa Sarai <cyphar@cyphar.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 9123e3a7

fs/namei.c

+2 −1
Original line number Diff line number Diff line
@@ -1626,7 +1626,8 @@ static const char *pick_link(struct nameidata *nd, struct path *link, 
			return ERR_PTR(error);

	}



	if (unlikely(nd->flags & LOOKUP_NO_SYMLINKS))

	if (unlikely(nd->flags & LOOKUP_NO_SYMLINKS) ||

			unlikely(link->mnt->mnt_flags & MNT_NOSYMFOLLOW))

		return ERR_PTR(-ELOOP);



	if (!(nd->flags & LOOKUP_RCU)) {

fs/namespace.c

+2 −0
Original line number Diff line number Diff line
@@ -3160,6 +3160,8 @@ int path_mount(const char *dev_name, struct path *path, 
		mnt_flags &= ~(MNT_RELATIME | MNT_NOATIME);

	if (flags & MS_RDONLY)

		mnt_flags |= MNT_READONLY;

	if (flags & MS_NOSYMFOLLOW)

		mnt_flags |= MNT_NOSYMFOLLOW;



	/* The default atime for remount is preservation */

	if ((flags & MS_REMOUNT) &&

fs/proc_namespace.c

+1 −0
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ static void show_mnt_opts(struct seq_file *m, struct vfsmount *mnt) 
		{ MNT_NOATIME, ",noatime" },

		{ MNT_NODIRATIME, ",nodiratime" },

		{ MNT_RELATIME, ",relatime" },

		{ MNT_NOSYMFOLLOW, ",nosymfollow" },

		{ 0, NULL }

	};

	const struct proc_fs_opts *fs_infop;

fs/statfs.c

+2 −0
Original line number Diff line number Diff line
@@ -29,6 +29,8 @@ static int flags_by_mnt(int mnt_flags) 
		flags |= ST_NODIRATIME;

	if (mnt_flags & MNT_RELATIME)

		flags |= ST_RELATIME;

	if (mnt_flags & MNT_NOSYMFOLLOW)

		flags |= ST_NOSYMFOLLOW;

	return flags;

}

include/linux/mount.h

+2 −1
Original line number Diff line number Diff line
@@ -30,6 +30,7 @@ struct fs_context; 
#define MNT_NODIRATIME	0x10

#define MNT_RELATIME	0x20

#define MNT_READONLY	0x40	/* does the user want this to be r/o? */

#define MNT_NOSYMFOLLOW	0x80



#define MNT_SHRINKABLE	0x100

#define MNT_WRITE_HOLD	0x200
@@ -46,7 +47,7 @@ struct fs_context; 
#define MNT_SHARED_MASK	(MNT_UNBINDABLE)

#define MNT_USER_SETTABLE_MASK  (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \

				 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \

				 | MNT_READONLY)

				 | MNT_READONLY | MNT_NOSYMFOLLOW)

#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )



#define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \

CRA Git | Maintained and supported by SUSTech CRA and CCSE