| Message ID | 1449070821-73820-15-git-send-email-seth.forshee@canonical.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
Quoting Seth Forshee (seth.forshee@canonical.com): > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> > --- > fs/ioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/ioctl.c b/fs/ioctl.c > index 5d01d2638ca5..45c371bed7ee 100644 > --- a/fs/ioctl.c > +++ b/fs/ioctl.c > @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) > /* do we support this mess? */ > if (!mapping->a_ops->bmap) > return -EINVAL; > - if (!capable(CAP_SYS_RAWIO)) > + if (!ns_capable(filp->f_inode->i_sb->s_user_ns, CAP_SYS_RAWIO)) > return -EPERM; > res = get_user(block, p); > if (res) > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/
The fact that we need CAP_SYS_RAIO for FIBMAP is pretty silly, given that FIEMAP does not require privileges --- and in fact the preferred interface. Why not just simply drop the requirement for privileges for FIBMAP? (Seth, Serge, this isn't a real objection to your patch; but the fact that FIBMAP requires root has always been a bit silly, and this would be a great opportunity to simplify things a bit.) - Ted On Fri, Dec 04, 2015 at 01:11:43PM -0600, Serge E. Hallyn wrote: > Quoting Seth Forshee (seth.forshee@canonical.com): > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > Acked-by: Serge Hallyn <serge.hallyn@canonical.com> > > > --- > > fs/ioctl.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/ioctl.c b/fs/ioctl.c > > index 5d01d2638ca5..45c371bed7ee 100644 > > --- a/fs/ioctl.c > > +++ b/fs/ioctl.c > > @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) > > /* do we support this mess? */ > > if (!mapping->a_ops->bmap) > > return -EINVAL; > > - if (!capable(CAP_SYS_RAWIO)) > > + if (!ns_capable(filp->f_inode->i_sb->s_user_ns, CAP_SYS_RAWIO)) > > return -EPERM; > > res = get_user(block, p); > > if (res) > > -- > > 1.9.1 > > > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > Please read the FAQ at http://www.tux.org/lkml/ > -- > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 a little while ago :) The same question was asked 16 years ago. Apparently the answer then was that it was easier than fixing the code. Quoting Theodore Ts'o (tytso@mit.edu): > The fact that we need CAP_SYS_RAIO for FIBMAP is pretty silly, given > that FIEMAP does not require privileges --- and in fact the preferred > interface. Why not just simply drop the requirement for privileges > for FIBMAP? > > (Seth, Serge, this isn't a real objection to your patch; but the fact > that FIBMAP requires root has always been a bit silly, and this would > be a great opportunity to simplify things a bit.) > > - Ted > > > On Fri, Dec 04, 2015 at 01:11:43PM -0600, Serge E. Hallyn wrote: > > Quoting Seth Forshee (seth.forshee@canonical.com): > > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > > > Acked-by: Serge Hallyn <serge.hallyn@canonical.com> > > > > > --- > > > fs/ioctl.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/fs/ioctl.c b/fs/ioctl.c > > > index 5d01d2638ca5..45c371bed7ee 100644 > > > --- a/fs/ioctl.c > > > +++ b/fs/ioctl.c > > > @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) > > > /* do we support this mess? */ > > > if (!mapping->a_ops->bmap) > > > return -EINVAL; > > > - if (!capable(CAP_SYS_RAWIO)) > > > + if (!ns_capable(filp->f_inode->i_sb->s_user_ns, CAP_SYS_RAWIO)) > > > return -EPERM; > > > res = get_user(block, p); > > > if (res) > > > -- > > > 1.9.1 > > > > > > -- > > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > > > the body of a message to majordomo@vger.kernel.org > > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > Please read the FAQ at http://www.tux.org/lkml/ > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Dec 04, 2015 at 02:07:36PM -0600, Serge E. Hallyn wrote: > Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 > a little while ago :) The same question was asked 16 years ago. Apparently > the answer then was that it was easier than fixing the code. So it seems then that either it still isn't safe and so unprivileged users shouldn't be allowed to do it at all, or else it's safe and we should drop the requirement completely. I can't say which is right, unfortunately. > > Quoting Theodore Ts'o (tytso@mit.edu): > > The fact that we need CAP_SYS_RAIO for FIBMAP is pretty silly, given > > that FIEMAP does not require privileges --- and in fact the preferred > > interface. Why not just simply drop the requirement for privileges > > for FIBMAP? > > > > (Seth, Serge, this isn't a real objection to your patch; but the fact > > that FIBMAP requires root has always been a bit silly, and this would > > be a great opportunity to simplify things a bit.) > > > > - Ted > > > > > > On Fri, Dec 04, 2015 at 01:11:43PM -0600, Serge E. Hallyn wrote: > > > Quoting Seth Forshee (seth.forshee@canonical.com): > > > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > > > > > Acked-by: Serge Hallyn <serge.hallyn@canonical.com> > > > > > > > --- > > > > fs/ioctl.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/fs/ioctl.c b/fs/ioctl.c > > > > index 5d01d2638ca5..45c371bed7ee 100644 > > > > --- a/fs/ioctl.c > > > > +++ b/fs/ioctl.c > > > > @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) > > > > /* do we support this mess? */ > > > > if (!mapping->a_ops->bmap) > > > > return -EINVAL; > > > > - if (!capable(CAP_SYS_RAWIO)) > > > > + if (!ns_capable(filp->f_inode->i_sb->s_user_ns, CAP_SYS_RAWIO)) > > > > return -EPERM; > > > > res = get_user(block, p); > > > > if (res) > > > > -- > > > > 1.9.1 > > > > > > > > -- > > > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > > > > the body of a message to majordomo@vger.kernel.org > > > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > > Please read the FAQ at http://www.tux.org/lkml/ > > > -- > > > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > > > the body of a message to majordomo@vger.kernel.org > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Dec 04, 2015 at 02:45:32PM -0600, Seth Forshee wrote: > On Fri, Dec 04, 2015 at 02:07:36PM -0600, Serge E. Hallyn wrote: > > Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 > > a little while ago :) The same question was asked 16 years ago. Apparently > > the answer then was that it was easier than fixing the code. > > So it seems then that either it still isn't safe and so unprivileged > users shouldn't be allowed to do it at all, or else it's safe and we > should drop the requirement completely. I can't say which is right, > unfortunately. It may not have been safe 16 years agoo, but giving invalid arguments to FIBMAP is safe for ext4 and ext2. This is the sort of thing that tools like trinity should and does test for, so I think it should be fine to remove the root check for FIBMAP. - Ted
On Fri, Dec 04, 2015 at 06:11:52PM -0500, Theodore Ts'o wrote: > On Fri, Dec 04, 2015 at 02:45:32PM -0600, Seth Forshee wrote: > > On Fri, Dec 04, 2015 at 02:07:36PM -0600, Serge E. Hallyn wrote: > > > Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 > > > a little while ago :) The same question was asked 16 years ago. Apparently > > > the answer then was that it was easier than fixing the code. > > > > So it seems then that either it still isn't safe and so unprivileged > > users shouldn't be allowed to do it at all, or else it's safe and we > > should drop the requirement completely. I can't say which is right, > > unfortunately. > > It may not have been safe 16 years agoo, but giving invalid arguments > to FIBMAP is safe for ext4 and ext2. This is the sort of thing that > tools like trinity should and does test for, so I think it should be > fine to remove the root check for FIBMAP. Seth, can I tempt you into sending a standalone patch to remove that? :) -serge
> On Dec 4, 2015, at 4:11 PM, Theodore Ts'o <tytso@mit.edu> wrote: > > On Fri, Dec 04, 2015 at 02:45:32PM -0600, Seth Forshee wrote: >> On Fri, Dec 04, 2015 at 02:07:36PM -0600, Serge E. Hallyn wrote: >>> Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 >>> a little while ago :) The same question was asked 16 years ago. Apparently >>> the answer then was that it was easier than fixing the code. >> >> So it seems then that either it still isn't safe and so unprivileged >> users shouldn't be allowed to do it at all, or else it's safe and we >> should drop the requirement completely. I can't say which is right, >> unfortunately. > > It may not have been safe 16 years agoo, but giving invalid arguments > to FIBMAP is safe for ext4 and ext2. This is the sort of thing that > tools like trinity should and does test for, so I think it should be > fine to remove the root check for FIBMAP. You can use FIEMAP on regular files and directories without special permission: $ filefrag -v /etc Filesystem type is: ef53 File size of /etc is 12288 (3 blocks of 4096 bytes) ext: logical_offset: physical_offset: length: expected: flags: 0: 0.. 0: 8396832.. 8396832: 1: 1: 1.. 2: 8397051.. 8397052: 2: 8396833: last,eof /etc: 2 extents found FIEMAP also has the benefit that you don't need to call it millions of times for large files, like is needed for FIBMAP. Cheers, Andreas
On Fri, Dec 04, 2015 at 05:43:49PM -0600, Serge E. Hallyn wrote: > On Fri, Dec 04, 2015 at 06:11:52PM -0500, Theodore Ts'o wrote: > > On Fri, Dec 04, 2015 at 02:45:32PM -0600, Seth Forshee wrote: > > > On Fri, Dec 04, 2015 at 02:07:36PM -0600, Serge E. Hallyn wrote: > > > > Heh, I was looking over http://www.gossamer-threads.com/lists/linux/kernel/103611 > > > > a little while ago :) The same question was asked 16 years ago. Apparently > > > > the answer then was that it was easier than fixing the code. > > > > > > So it seems then that either it still isn't safe and so unprivileged > > > users shouldn't be allowed to do it at all, or else it's safe and we > > > should drop the requirement completely. I can't say which is right, > > > unfortunately. > > > > It may not have been safe 16 years agoo, but giving invalid arguments > > to FIBMAP is safe for ext4 and ext2. This is the sort of thing that > > tools like trinity should and does test for, so I think it should be > > fine to remove the root check for FIBMAP. > > Seth, can I tempt you into sending a standalone patch to remove that? :) Patch sent. I'll drop this patch in v2.
diff --git a/fs/ioctl.c b/fs/ioctl.c index 5d01d2638ca5..45c371bed7ee 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) /* do we support this mess? */ if (!mapping->a_ops->bmap) return -EINVAL; - if (!capable(CAP_SYS_RAWIO)) + if (!ns_capable(filp->f_inode->i_sb->s_user_ns, CAP_SYS_RAWIO)) return -EPERM; res = get_user(block, p); if (res)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> --- fs/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)