| Message ID | 1449070821-73820-8-git-send-email-seth.forshee@canonical.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
On Wed, Dec 02, 2015 at 09:40:07AM -0600, Seth Forshee wrote: > Filesystem uids which don't map into a user namespace may result > in inode->i_uid being INVALID_UID. A symlink and its parent > could have different owners in the filesystem can both get > mapped to INVALID_UID, which may result in following a symlink > when this would not have otherwise been permitted when protected > symlinks are enabled. > > Add a new helper function, uid_valid_eq(), and use this to > validate that the ids in may_follow_link() are both equal and > valid. Also add an equivalent helper for gids, which is > currently unused. > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> > --- > fs/namei.c | 2 +- > include/linux/uidgid.h | 10 ++++++++++ > 2 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/fs/namei.c b/fs/namei.c > index 288e8a74bf88..4ccafd391697 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -902,7 +902,7 @@ static inline int may_follow_link(struct nameidata *nd) > return 0; > > /* Allowed if parent directory and link owner match. */ > - if (uid_eq(parent->i_uid, inode->i_uid)) > + if (uid_valid_eq(parent->i_uid, inode->i_uid)) > return 0; > > if (nd->flags & LOOKUP_RCU) > diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h > index 03835522dfcb..e09529fe2668 100644 > --- a/include/linux/uidgid.h > +++ b/include/linux/uidgid.h > @@ -117,6 +117,16 @@ static inline bool gid_valid(kgid_t gid) > return __kgid_val(gid) != (gid_t) -1; > } > > +static inline bool uid_valid_eq(kuid_t left, kuid_t right) > +{ > + return uid_eq(left, right) && uid_valid(left); > +} > + > +static inline bool gid_valid_eq(kgid_t left, kgid_t right) > +{ > + return gid_eq(left, right) && gid_valid(left); > +} > + > #ifdef CONFIG_USER_NS > > extern kuid_t make_kuid(struct user_namespace *from, uid_t uid); > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/
diff --git a/fs/namei.c b/fs/namei.c index 288e8a74bf88..4ccafd391697 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -902,7 +902,7 @@ static inline int may_follow_link(struct nameidata *nd) return 0; /* Allowed if parent directory and link owner match. */ - if (uid_eq(parent->i_uid, inode->i_uid)) + if (uid_valid_eq(parent->i_uid, inode->i_uid)) return 0; if (nd->flags & LOOKUP_RCU) diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h index 03835522dfcb..e09529fe2668 100644 --- a/include/linux/uidgid.h +++ b/include/linux/uidgid.h @@ -117,6 +117,16 @@ static inline bool gid_valid(kgid_t gid) return __kgid_val(gid) != (gid_t) -1; } +static inline bool uid_valid_eq(kuid_t left, kuid_t right) +{ + return uid_eq(left, right) && uid_valid(left); +} + +static inline bool gid_valid_eq(kgid_t left, kgid_t right) +{ + return gid_eq(left, right) && gid_valid(left); +} + #ifdef CONFIG_USER_NS extern kuid_t make_kuid(struct user_namespace *from, uid_t uid);
Filesystem uids which don't map into a user namespace may result in inode->i_uid being INVALID_UID. A symlink and its parent could have different owners in the filesystem can both get mapped to INVALID_UID, which may result in following a symlink when this would not have otherwise been permitted when protected symlinks are enabled. Add a new helper function, uid_valid_eq(), and use this to validate that the ids in may_follow_link() are both equal and valid. Also add an equivalent helper for gids, which is currently unused. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> --- fs/namei.c | 2 +- include/linux/uidgid.h | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-)