[5.10,CANDIDATE,12/15] attr: add setattr_should_drop_sgid()

Message ID	20230317110817.1226324-13-amir73il@gmail.com (mailing list archive)
State	Superseded, archived
Headers	show Return-Path: <linux-xfs-owner@vger.kernel.org> From: Amir Goldstein <amir73il@gmail.com> To: "Darrick J . Wong" <djwong@kernel.org> Cc: Leah Rumancik <leah.rumancik@gmail.com>, Chandan Babu R <chandan.babu@oracle.com>, Christian Brauner <brauner@kernel.org>, linux-xfs@vger.kernel.org Subject: [PATCH 5.10 CANDIDATE 12/15] attr: add setattr_should_drop_sgid() Date: Fri, 17 Mar 2023 13:08:14 +0200 Message-Id: <20230317110817.1226324-13-amir73il@gmail.com> In-Reply-To: <20230317110817.1226324-1-amir73il@gmail.com> References: <20230317110817.1226324-1-amir73il@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	xfs backports for 5.10.y (from v5.15.103) \| expand [5.10,CANDIDATE,00/15] xfs backports for 5.10.y (from v5.15.103) [5.10,CANDIDATE,01/15] xfs: don't assert fail on perag references on teardown [5.10,CANDIDATE,02/15] xfs: purge dquots after inode walk fails during quotacheck [5.10,CANDIDATE,03/15] xfs: don't leak btree cursor when insrec fails after a split [5.10,CANDIDATE,04/15] xfs: remove XFS_PREALLOC_SYNC [5.10,CANDIDATE,05/15] xfs: fallocate() should call file_modified() [5.10,CANDIDATE,06/15] xfs: set prealloc flag in xfs_alloc_file_space() [5.10,CANDIDATE,07/15] xfs: use setattr_copy to set vfs inode attributes [5.10,CANDIDATE,08/15] fs: add mode_strip_sgid() helper [5.10,CANDIDATE,09/15] fs: move S_ISGID stripping into the vfs_*() helpers [5.10,CANDIDATE,10/15] attr: add in_group_or_capable() [5.10,CANDIDATE,11/15] fs: move should_remove_suid() [5.10,CANDIDATE,12/15] attr: add setattr_should_drop_sgid() [5.10,CANDIDATE,13/15] attr: use consistent sgid stripping checks [5.10,CANDIDATE,14/15] fs: use consistent setgid checks in is_sxid() [5.10,CANDIDATE,15/15] xfs: remove xfs_setattr_time() declaration

Message ID

20230317110817.1226324-13-amir73il@gmail.com (mailing list archive)

State

Superseded, archived

Headers

From: Amir Goldstein <amir73il@gmail.com>
To: "Darrick J . Wong" <djwong@kernel.org>
Cc: Leah Rumancik <leah.rumancik@gmail.com>,
        Chandan Babu R <chandan.babu@oracle.com>,
        Christian Brauner <brauner@kernel.org>,
        linux-xfs@vger.kernel.org
Subject: [PATCH 5.10 CANDIDATE 12/15] attr: add setattr_should_drop_sgid()
Date: Fri, 17 Mar 2023 13:08:14 +0200
Message-Id: <20230317110817.1226324-13-amir73il@gmail.com>
In-Reply-To: <20230317110817.1226324-1-amir73il@gmail.com>
References: <20230317110817.1226324-1-amir73il@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

xfs backports for 5.10.y (from v5.15.103) | expand

Commit Message

Amir Goldstein March 17, 2023, 11:08 a.m. UTC

commit 72ae017c5451860443a16fb2a8c243bff3e396b8 upstream.

[backported to 5.10.y, prior to idmapped mounts]

The current setgid stripping logic during write and ownership change
operations is inconsistent and strewn over multiple places. In order to
consolidate it and make more consistent we'll add a new helper
setattr_should_drop_sgid(). The function retains the old behavior where
we remove the S_ISGID bit unconditionally when S_IXGRP is set but also
when it isn't set and the caller is neither in the group of the inode
nor privileged over the inode.

We will use this helper both in write operation permission removal such
as file_remove_privs() as well as in ownership change operations.

Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
---
 fs/attr.c     | 25 +++++++++++++++++++++++++
 fs/internal.h |  5 +++++
 2 files changed, 30 insertions(+)

diff --git a/fs/attr.c b/fs/attr.c
index 666489157978..c8049ae34a2e 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -20,6 +20,31 @@ 
 
 #include "internal.h"
 
+/**
+ * setattr_should_drop_sgid - determine whether the setgid bit needs to be
+ *                            removed
+ * @inode:	inode to check
+ *
+ * This function determines whether the setgid bit needs to be removed.
+ * We retain backwards compatibility and require setgid bit to be removed
+ * unconditionally if S_IXGRP is set. Otherwise we have the exact same
+ * requirements as setattr_prepare() and setattr_copy().
+ *
+ * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
+ */
+int setattr_should_drop_sgid(const struct inode *inode)
+{
+	umode_t mode = inode->i_mode;
+
+	if (!(mode & S_ISGID))
+		return 0;
+	if (mode & S_IXGRP)
+		return ATTR_KILL_SGID;
+	if (!in_group_or_capable(inode, inode->i_gid))
+		return ATTR_KILL_SGID;
+	return 0;
+}
+
 /*
  * The logic we want is
  *
diff --git a/fs/internal.h b/fs/internal.h
index 0fe920d9f393..d5d9fcdae10c 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -197,3 +197,8 @@  int sb_init_dio_done_wq(struct super_block *sb);
  */
 int do_statx(int dfd, const char __user *filename, unsigned flags,
 	     unsigned int mask, struct statx __user *buffer);
+
+/*
+ * fs/attr.c
+ */
+int setattr_should_drop_sgid(const struct inode *inode);

[5.10,CANDIDATE,12/15] attr: add setattr_should_drop_sgid()

Commit Message

Patch