| Message ID | 20190706145737.5299-5-cyphar@cyphar.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | namei: openat2(2) path resolution restrictions | expand |
On Sun, Jul 07, 2019 at 12:57:31AM +1000, Aleksa Sarai wrote: > Previously, path_init's handling of *at(dfd, ...) was only done once, > but with LOOKUP_BENEATH (and LOOKUP_IN_ROOT) we have to parse the > initial nd->path at different times (before or after absolute path > handling) depending on whether we have been asked to scope resolution > within a root. > if (*s == '/') { > - set_root(nd); > - if (likely(!nd_jump_root(nd))) > - return s; > - return ERR_PTR(-ECHILD); > + if (likely(!nd->root.mnt)) > + set_root(nd); How can we get there with non-NULL nd->root.mnt, when LOOKUP_ROOT case has been already handled by that point? > + error = nd_jump_root(nd); > + if (unlikely(error)) > + s = ERR_PTR(error);
On 2019-07-12, Al Viro <viro@zeniv.linux.org.uk> wrote: > On Sun, Jul 07, 2019 at 12:57:31AM +1000, Aleksa Sarai wrote: > > Previously, path_init's handling of *at(dfd, ...) was only done once, > > but with LOOKUP_BENEATH (and LOOKUP_IN_ROOT) we have to parse the > > initial nd->path at different times (before or after absolute path > > handling) depending on whether we have been asked to scope resolution > > within a root. > > > if (*s == '/') { > > - set_root(nd); > > - if (likely(!nd_jump_root(nd))) > > - return s; > > - return ERR_PTR(-ECHILD); > > > + if (likely(!nd->root.mnt)) > > + set_root(nd); > > How can we get there with non-NULL nd->root.mnt, when LOOKUP_ROOT case > has been already handled by that point? Yup, you're completely right. I will remove the if (!nd->root.mnt) in the next version.
On 2019-07-12, Aleksa Sarai <cyphar@cyphar.com> wrote: > On 2019-07-12, Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Sun, Jul 07, 2019 at 12:57:31AM +1000, Aleksa Sarai wrote: > > > Previously, path_init's handling of *at(dfd, ...) was only done once, > > > but with LOOKUP_BENEATH (and LOOKUP_IN_ROOT) we have to parse the > > > initial nd->path at different times (before or after absolute path > > > handling) depending on whether we have been asked to scope resolution > > > within a root. > > > > > if (*s == '/') { > > > - set_root(nd); > > > - if (likely(!nd_jump_root(nd))) > > > - return s; > > > - return ERR_PTR(-ECHILD); > > > > > + if (likely(!nd->root.mnt)) > > > + set_root(nd); > > > > How can we get there with non-NULL nd->root.mnt, when LOOKUP_ROOT case > > has been already handled by that point? > > Yup, you're completely right. I will remove the > if (!nd->root.mnt) > in the next version. Ah sorry, there is a reason for it -- later in the series the LOOKUP_BENEATH case means that you might end up with a non-NULL nd->root.mnt. If you want, I can move the addition of the conditional to later in the series (it was easier to split the patch by-hunk back when you originally asked me to split out dirfd_path_init()).
diff --git a/fs/namei.c b/fs/namei.c index 4895717d2760..b490bcf855f8 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2257,9 +2257,59 @@ static int link_path_walk(const char *name, struct nameidata *nd) } } +/* + * Configure nd->path based on the nd->dfd. This is only used as part of + * path_init(). + */ +static inline int dirfd_path_init(struct nameidata *nd) +{ + if (nd->dfd == AT_FDCWD) { + if (nd->flags & LOOKUP_RCU) { + struct fs_struct *fs = current->fs; + unsigned seq; + + do { + seq = read_seqcount_begin(&fs->seq); + nd->path = fs->pwd; + nd->inode = nd->path.dentry->d_inode; + nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq); + } while (read_seqcount_retry(&fs->seq, seq)); + } else { + get_fs_pwd(current->fs, &nd->path); + nd->inode = nd->path.dentry->d_inode; + } + } else { + /* Caller must check execute permissions on the starting path component */ + struct fd f = fdget_raw(nd->dfd); + struct dentry *dentry; + + if (!f.file) + return -EBADF; + + dentry = f.file->f_path.dentry; + + if (*nd->name->name && unlikely(!d_can_lookup(dentry))) { + fdput(f); + return -ENOTDIR; + } + + nd->path = f.file->f_path; + if (nd->flags & LOOKUP_RCU) { + nd->inode = nd->path.dentry->d_inode; + nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); + } else { + path_get(&nd->path); + nd->inode = nd->path.dentry->d_inode; + } + fdput(f); + } + return 0; +} + /* must be paired with terminate_walk() */ static const char *path_init(struct nameidata *nd, unsigned flags) { + int error; const char *s = nd->name->name; if (!*s) @@ -2293,52 +2343,17 @@ static const char *path_init(struct nameidata *nd, unsigned flags) nd->m_seq = read_seqbegin(&mount_lock); if (*s == '/') { - set_root(nd); - if (likely(!nd_jump_root(nd))) - return s; - return ERR_PTR(-ECHILD); - } else if (nd->dfd == AT_FDCWD) { - if (flags & LOOKUP_RCU) { - struct fs_struct *fs = current->fs; - unsigned seq; - - do { - seq = read_seqcount_begin(&fs->seq); - nd->path = fs->pwd; - nd->inode = nd->path.dentry->d_inode; - nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq); - } while (read_seqcount_retry(&fs->seq, seq)); - } else { - get_fs_pwd(current->fs, &nd->path); - nd->inode = nd->path.dentry->d_inode; - } - return s; - } else { - /* Caller must check execute permissions on the starting path component */ - struct fd f = fdget_raw(nd->dfd); - struct dentry *dentry; - - if (!f.file) - return ERR_PTR(-EBADF); - - dentry = f.file->f_path.dentry; - - if (*s && unlikely(!d_can_lookup(dentry))) { - fdput(f); - return ERR_PTR(-ENOTDIR); - } - - nd->path = f.file->f_path; - if (flags & LOOKUP_RCU) { - nd->inode = nd->path.dentry->d_inode; - nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); - } else { - path_get(&nd->path); - nd->inode = nd->path.dentry->d_inode; - } - fdput(f); + if (likely(!nd->root.mnt)) + set_root(nd); + error = nd_jump_root(nd); + if (unlikely(error)) + s = ERR_PTR(error); return s; } + error = dirfd_path_init(nd); + if (unlikely(error)) + return ERR_PTR(error); + return s; } static const char *trailing_symlink(struct nameidata *nd)
Previously, path_init's handling of *at(dfd, ...) was only done once, but with LOOKUP_BENEATH (and LOOKUP_IN_ROOT) we have to parse the initial nd->path at different times (before or after absolute path handling) depending on whether we have been asked to scope resolution within a root. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> --- fs/namei.c | 103 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 59 insertions(+), 44 deletions(-)