From patchwork Fri Dec 22 14:32:33 2017
X-Patchwork-Submitter: Dongsu Park
X-Patchwork-Id: 10130565
From: Dongsu Park
To: linux-kernel@vger.kernel.org
Cc: containers@lists.linux-foundation.org, Alban Crequy, "Eric W. Biederman", Miklos Szeredi, Seth Forshee, Sargun Dhillon, Dongsu Park, linux-fsdevel@vger.kernel.org, Serge Hallyn
Subject: [PATCH 09/11] fuse: Restrict allow_other to the superblock's namespace or a descendant
Date: Fri, 22 Dec 2017 15:32:33 +0100
X-Mailing-List: linux-fsdevel@vger.kernel.org

From: Seth Forshee Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the unprivileged user the ability to manipulate processes it would otherwise be unable to manipulate. Restrict allow_other to apply to users in the same userns used at mount or a descendant of that namespace. Also export current_in_userns() for use by fuse when built as a module. Patch v4 is available: https://patchwork.kernel.org/patch/8944671/ Cc: linux-fsdevel@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Miklos Szeredi Signed-off-by: Seth Forshee Signed-off-by: Dongsu Park Reviewed-by: Serge Hallyn Reviewed-by: "Eric W. Biederman" --- fs/fuse/dir.c | 2 +- kernel/user_namespace.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index ad1cfac1..d41559a0 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1030,7 +1030,7 @@ int fuse_allow_current_process(struct fuse_conn *fc) const struct cred *cred; if (fc->allow_other) - return 1; + return current_in_userns(fc->user_ns); cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) && diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 246d4d4c..492c255e 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -1235,6 +1235,7 @@ bool current_in_userns(const struct user_namespace *target_ns) { return in_userns(target_ns, current_user_ns()); } +EXPORT_SYMBOL(current_in_userns); static inline struct user_namespace *to_user_ns(struct ns_common *ns) {
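
Review bot: In the fs/fuse/dir.c hunk, the new return in the `if (fc->allow_other)` branch of fuse_allow_current_process() exits before the credential comparison that follows it, so with allow_other set a task outside fc->user_ns is refused even when its credentials would pass the `uid_eq(cred->euid, fc->user_id)` checks below. Without allow_other the same task would reach those checks, which makes allow_other more restrictive than the default for that one case. If that is intended, a short comment above the branch should say that allow_other is bounded by the mount's user namespace and its descendants and that the mount owner outside the namespace is deliberately excluded; if it is not intended, fall through to the credential checks when current_in_userns(fc->user_ns) is false instead of returning. The function is declared int while current_in_userns() returns bool; the conversion is harmless, but it is worth confirming callers only test the result for zero or non-zero.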
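
Review bot: In the kernel/user_namespace.c hunk, the added line uses EXPORT_SYMBOL although the commit message names fuse built as a module as the only reason for the export; consider EXPORT_SYMBOL_GPL unless the helper is meant to be callable from non-GPL modules, and state the choice in the commit message. Now that module code can call current_in_userns(), its definition should also carry a comment, if it does not already have one above the lines shown here, saying that it returns true when the current task's user namespace is target_ns itself or a descendant of it, since the fuse change relies on exactly that meaning.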