From patchwork Fri Sep 16 12:19:21 2016
X-Patchwork-Submitter: Miklos Szeredi
X-Patchwork-Id: 9335635
From: Miklos Szeredi
To: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Al Viro ,
Subject: [PATCH 02/12] vfs: move permission checking into notify_change() for utimes(NULL)
Date: Fri, 16 Sep 2016 14:19:21 +0200
Message-Id: <1474028371-21288-3-git-send-email-mszeredi@redhat.com>
In-Reply-To: <1474028371-21288-1-git-send-email-mszeredi@redhat.com>
References: <1474028371-21288-1-git-send-email-mszeredi@redhat.com>

This fixes a bug where the permission was not properly checked in
overlayfs. The testcase is ltp/utimensat01.

It is also cleaner and safer to do the permission checking in the vfs
helper instead of the caller.

This patch introduces an additional ia_valid flag ATTR_TOUCH (since
touch(1) is the most obvious user of utimes(NULL)) that is passed into
notify_change whenever the conditions for this special permission checking
mode are met.

Reported-by: Aihua Zhang
Signed-off-by: Miklos Szeredi
Tested-by: Aihua Zhang
Cc: # v3.18+
---
 fs/attr.c          | 15 +++++++++++++++
 fs/utimes.c        | 17 +----------------
 include/linux/fs.h |  1 +
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/fs/attr.c b/fs/attr.c index 42bb42bb3c72..3c42cab06b5d 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de return -EPERM; } + /* + * If utimes(2) and friends are called with times == NULL (or both + * times are UTIME_NOW), then we need to check for write permission + */ + if (ia_valid & ATTR_TOUCH) { + if (IS_IMMUTABLE(inode)) + return -EPERM; + + if (!inode_owner_or_capable(inode)) { + error = inode_permission(inode, MAY_WRITE); + if (error) + return error; + } + } + if ((ia_valid & ATTR_MODE)) { umode_t amode = attr->ia_mode; /* Flag setting protected by i_mutex */ diff --git a/fs/utimes.c b/fs/utimes.c index 794f5f5b1fb5..ba54b9e648c9 100644 --- a/fs/utimes.c +++ b/fs/utimes.c @@ -87,21 +87,7 @@ static int utimes_common(struct path *path, struct timespec *times) */ newattrs.ia_valid |= ATTR_TIMES_SET; } else { - /* - * If times is NULL (or both times are UTIME_NOW), - * then we need to check permissions, because - * inode_change_ok() won't do it. - */ - error = -EPERM; - if (IS_IMMUTABLE(inode)) - goto mnt_drop_write_and_out; - - error = -EACCES; - if (!inode_owner_or_capable(inode)) { - error = inode_permission(inode, MAY_WRITE); - if (error) - goto mnt_drop_write_and_out; - } + newattrs.ia_valid |= ATTR_TOUCH; } retry_deleg: inode_lock(inode); @@ -113,7 +99,6 @@ retry_deleg: goto retry_deleg; } -mnt_drop_write_and_out: mnt_drop_write(path->mnt); out: return error; diff --git a/include/linux/fs.h b/include/linux/fs.h index 901e25d495cc..7c391366fb43 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -224,6 +224,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, #define ATTR_KILL_PRIV (1 << 14) #define ATTR_OPEN (1 << 15) /* Truncating from open(O_TRUNC) */ #define ATTR_TIMES_SET (1 << 16) +#define ATTR_TOUCH (1 << 17) /* * Whiteout is represented by a char device. The following constants define the
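
Review bot: In the fs/attr.c hunk, the new comment says only that "we need to check for write permission", but the block does more than that: it returns -EPERM for an immutable inode first, and it skips inode_permission(inode, MAY_WRITE) entirely when inode_owner_or_capable(inode) is true. This check now runs for any notify_change() caller that sets ATTR_TOUCH, not just utimes_common(), so the comment should spell out all three rules (immutable is refused, owner or capable caller is allowed, everyone else needs MAY_WRITE). It would also help to state that ATTR_TOUCH is not expected together with ATTR_TIMES_SET, which fs/utimes.c sets on the other branch.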
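
Review bot: In the first fs/utimes.c hunk, the else branch loses the comment explaining why the times == NULL case needs its own permission check, and what replaces it is a bare "newattrs.ia_valid |= ATTR_TOUCH;". A one-line comment there saying that the flag asks notify_change() to do the immutable and write-permission checks would keep the reason visible at the call site. The checks also used to run before inode_lock(inode) at retry_deleg and now happen in notify_change(); that ordering change deserves a sentence in the commit message. Removing the mnt_drop_write_and_out label in the following hunk matches the two deleted gotos, but confirm no other jump to it remains outside the shown context.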
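
Review bot: In the include/linux/fs.h hunk, "#define ATTR_TOUCH (1 << 17)" is added without a comment, while the neighbouring ATTR_OPEN carries one. This flag selects a permission-checking mode rather than naming an attribute to set, so a short comment (for example: utimes(NULL) or both times UTIME_NOW, notify_change() checks owner or write permission) would stop the next reader from treating it as an ordinary attribute bit.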