From patchwork Mon Dec 7 16:32:46 2020
X-Patchwork-Submitter: Miklos Szeredi
X-Patchwork-Id: 11956313
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 01/10] vfs: move cap_convert_nscap() call into vfs_setxattr()
Date: Mon, 7 Dec 2020 17:32:46 +0100
Message-Id: <20201207163255.564116-2-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>
References: <20201207163255.564116-1-mszeredi@redhat.com>

cap_convert_nscap() does permission checking as well as conversion of the xattr value conditionally based on fs's user-ns.

This is needed by overlayfs and probably other layered fs (ecryptfs) and is what vfs_foo() is supposed to do anyway.

Signed-off-by: Miklos Szeredi
Acked-by: James Morris
---
 fs/xattr.c                 | 17 +++++++++++------
 include/linux/capability.h |  2 +-
 security/commoncap.c       |  3 +--
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c index cd7a563e8bcd..fd57153b1f61 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -276,8 +276,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, { struct inode *inode = dentry->d_inode; struct inode *delegated_inode = NULL; + const void *orig_value = value; int error; + if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { + error = cap_convert_nscap(dentry, &value, size); + if (error < 0) + return error; + size = error; + } + retry_deleg: inode_lock(inode); error = __vfs_setxattr_locked(dentry, name, value, size, flags, @@ -289,6 +297,9 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, if (!error) goto retry_deleg; } + if (value != orig_value) + kfree(value); + return error; } EXPORT_SYMBOL_GPL(vfs_setxattr); 
@@ -537,12 +548,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value, if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) posix_acl_fix_xattr_from_user(kvalue, size); - else if (strcmp(kname, XATTR_NAME_CAPS) == 0) { - error = cap_convert_nscap(d, &kvalue, size); - if (error < 0) - goto out; - size = error; - } } error = vfs_setxattr(d, kname, kvalue, size, flags); diff --git a/include/linux/capability.h b/include/linux/capability.h index 1e7fe311cabe..b2f698915c0f 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -270,6 +270,6 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) /* audit system wants to get cap info from files as well */ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); -extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size); +extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size); #endif /* !_LINUX_CAPABILITY_H */ diff --git a/security/commoncap.c b/security/commoncap.c index 59bf3c1674c8..bacc1111d871 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -473,7 +473,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap) * * If all is ok, we return the new size, on error return < 0. */ -int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) +int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size) { struct vfs_ns_cap_data *nscap; uid_t nsrootid; 
@@ -516,7 +516,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) nscap->magic_etc = cpu_to_le32(nsmagic); memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); - kvfree(*ivalue); *ivalue = nscap; return newsize; }
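Review bot: In [PATCH v2 01/10], the `kfree(value)` added at the end of vfs_setxattr() in fs/xattr.c frees the buffer that cap_convert_nscap() stored through `&value`, which relies on `nscap` being a kmalloc-family allocation; the visible context of the security/commoncap.c hunk does not show where `nscap` is allocated, so please confirm that. A short comment next to `if (value != orig_value)` saying that a changed pointer means cap_convert_nscap() handed back a new buffer now owned by vfs_setxattr() would make the ownership rule readable without opening commoncap.c.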
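Review bot: In [PATCH v2 01/10], the security/commoncap.c hunks change the ownership contract of cap_convert_nscap() (the parameter becomes `const void **ivalue` and `kvfree(*ivalue)` is dropped), but the function comment ending in "If all is ok, we return the new size, on error return < 0." is left unchanged. Suggest extending that comment to say that the input buffer is never freed by this function and that, when `*ivalue` is replaced, the caller must free the new buffer, so that a future direct caller does not leak it.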
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 02/10] vfs: verify source area in vfs_dedupe_file_range_one()
Date: Mon, 7 Dec 2020 17:32:47 +0100
Message-Id: <20201207163255.564116-3-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>
References: <20201207163255.564116-1-mszeredi@redhat.com>

Call remap_verify_area() on the source file as well as the destination.

When called from vfs_dedupe_file_range() the check has already been performed, but not so if called from layered fs (overlayfs, etc...)

Could omit the redundant check in vfs_dedupe_file_range(), but leave for now to get error early (for fear of breaking backward compatibility).

This call shouldn't be performance sensitive.

Signed-off-by: Miklos Szeredi
---
 fs/remap_range.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/remap_range.c b/fs/remap_range.c index e6099beefa97..77dba3a49e65 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c 
@@ -456,8 +456,16 @@ loff_t vfs_dedupe_file_range_one(struct file *src_file, loff_t src_pos, if (ret) return ret; + /* + * This is redundant if called from vfs_dedupe_file_range(), but other + * callers need it and it's not performance sesitive... + */ + ret = remap_verify_area(src_file, src_pos, len, false); + if (ret) + goto out_drop_write; + ret = remap_verify_area(dst_file, dst_pos, len, true); - if (ret < 0) + if (ret) goto out_drop_write; ret = -EPERM;
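Review bot: In [PATCH v2 02/10], the fs/remap_range.c hunk also changes the destination check from `if (ret < 0)` to `if (ret)`, which the commit message does not mention. Either say so in the message or split it into its own change, and confirm that remap_verify_area() never returns a positive value, because a positive return would now take the `goto out_drop_write` path. The new comment also has a typo, "sesitive" for "sensitive".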
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 03/10] ovl: check privs before decoding file handle
Date: Mon, 7 Dec 2020 17:32:48 +0100
Message-Id: <20201207163255.564116-4-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>
References: <20201207163255.564116-1-mszeredi@redhat.com>

CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in ovl_decode_real_fh() as well to prevent privilege escalation for unprivileged overlay mounts.

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/namei.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c index a6162c4076db..82a55fdb1e7a 100644 --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c 
@@ -156,6 +156,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, struct dentry *real; int bytes; + if (!capable(CAP_DAC_READ_SEARCH)) + return NULL; + /* * Make sure that the stored uuid matches the uuid of the lower * layer where file handle will be decoded.
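Review bot: In [PATCH v2 03/10], the new `if (!capable(CAP_DAC_READ_SEARCH)) return NULL;` at the top of ovl_decode_real_fh() carries no comment, and returning NULL rather than an error pointer means the caller cannot see that the decode was refused for lack of privilege. Suggest a one-line comment tying the check to open_by_handle_at(2), as the commit message does, and either returning something like ERR_PTR(-EPERM) or documenting why NULL is the intended result for unprivileged overlay mounts.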
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Vyukov
Subject: [PATCH v2 04/10] ovl: make ioctl() safe
Date: Mon, 7 Dec 2020 17:32:49 +0100
Message-Id: <20201207163255.564116-5-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>
References: <20201207163255.564116-1-mszeredi@redhat.com>

ovl_ioctl_set_flags() does a capability check using flags, but then the real ioctl double-fetches flags and uses a potentially different value.

The "Check the capability before cred override" comment is misleading: user can skip this check by presenting benign flags first and then overwriting them to non-benign flags.

Just remove the cred override for now, hoping this doesn't cause a regression.

The proper solution is to create a new setxflags i_op (patches are in the works).

Xfstests don't show a regression.

Reported-by: Dmitry Vyukov
Signed-off-by: Miklos Szeredi
Reviewed-by: Amir Goldstein
---
 fs/overlayfs/file.c | 75 ++-------------------------------------------
 1 file changed, 3 insertions(+), 72 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index efccb7c1f9bc..3cd1590f2030 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c 
@@ -541,46 +541,26 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct fd real; - const struct cred *old_cred; long ret; ret = ovl_real_fdget(file, &real); if (ret) return ret; - old_cred = ovl_override_creds(file_inode(file)->i_sb); ret = security_file_ioctl(real.file, cmd, arg); if (!ret) ret = vfs_ioctl(real.file, cmd, arg); - revert_creds(old_cred); fdput(real); return ret; } -static unsigned int ovl_iflags_to_fsflags(unsigned int iflags) -{ - unsigned int flags = 0; - - if (iflags & S_SYNC) - flags |= FS_SYNC_FL; - if (iflags & S_APPEND) - flags |= FS_APPEND_FL; - if (iflags & S_IMMUTABLE) - flags |= FS_IMMUTABLE_FL; - if (iflags & S_NOATIME) - flags |= FS_NOATIME_FL; - - return flags; -} - static long ovl_ioctl_set_flags(struct file *file, unsigned int cmd, - unsigned long arg, unsigned int flags) + unsigned long arg) { long ret; struct inode *inode = file_inode(file); - unsigned int oldflags; if (!inode_owner_or_capable(inode)) return -EACCES; @@ -591,12 +571,6 @@ static long ovl_ioctl_set_flags(struct file *file, unsigned int cmd, inode_lock(inode); - /* Check the capability before cred override */ - oldflags = ovl_iflags_to_fsflags(READ_ONCE(inode->i_flags)); - ret = vfs_ioc_setflags_prepare(inode, oldflags, flags); - if (ret) - goto unlock; - ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY); if (ret) goto unlock; 
@@ -613,46 +587,6 @@ static long ovl_ioctl_set_flags(struct file *file, unsigned int cmd, } -static long ovl_ioctl_set_fsflags(struct file *file, unsigned int cmd, - unsigned long arg) -{ - unsigned int flags; - - if (get_user(flags, (int __user *) arg)) - return -EFAULT; - - return ovl_ioctl_set_flags(file, cmd, arg, flags); -} - -static unsigned int ovl_fsxflags_to_fsflags(unsigned int xflags) -{ - unsigned int flags = 0; - - if (xflags & FS_XFLAG_SYNC) - flags |= FS_SYNC_FL; - if (xflags & FS_XFLAG_APPEND) - flags |= FS_APPEND_FL; - if (xflags & FS_XFLAG_IMMUTABLE) - flags |= FS_IMMUTABLE_FL; - if (xflags & FS_XFLAG_NOATIME) - flags |= FS_NOATIME_FL; - - return flags; -} - -static long ovl_ioctl_set_fsxflags(struct file *file, unsigned int cmd, - unsigned long arg) -{ - struct fsxattr fa; - - memset(&fa, 0, sizeof(fa)); - if (copy_from_user(&fa, (void __user *) arg, sizeof(fa))) - return -EFAULT; - - return ovl_ioctl_set_flags(file, cmd, arg, - ovl_fsxflags_to_fsflags(fa.fsx_xflags)); -} - long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { long ret; 
@@ -663,12 +597,9 @@ long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ret = ovl_real_ioctl(file, cmd, arg); break; - case FS_IOC_SETFLAGS: - ret = ovl_ioctl_set_fsflags(file, cmd, arg); - break; - case FS_IOC_FSSETXATTR: - ret = ovl_ioctl_set_fsxflags(file, cmd, arg); + case FS_IOC_SETFLAGS: + ret = ovl_ioctl_set_flags(file, cmd, arg); break; default:
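Review bot: In [PATCH v2 04/10], ovl_real_ioctl() loses its `ovl_override_creds()` / `revert_creds()` pair with nothing left in the code to say why. The reason (the real ioctl fetches its argument from user memory again, so a check made on an earlier fetch proves nothing) lives only in the commit message; suggest a comment above `ret = security_file_ioctl(real.file, cmd, arg);` stating that the real ioctl must run with the caller's credentials, so the override is not reintroduced later.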
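Review bot: In [PATCH v2 04/10], once `vfs_ioc_setflags_prepare(inode, oldflags, flags)` is removed from ovl_ioctl_set_flags(), the only permission check left in the visible part of that function is `inode_owner_or_capable(inode)`, and both FS_IOC_FSSETXATTR and FS_IOC_SETFLAGS now route to it. The commit message says only that xfstests show no regression; please state which check now rejects an unprivileged attempt to set the immutable or append-only flags, and confirm that each lower filesystem's handler performs it under the caller's credentials.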
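A userspace model of the double fetch described in the [PATCH v2 04/10] commit message, added here as an example; it is not part of the patch or of overlayfs. Every `demo_` name and flag value is hypothetical, and a racing writer is modelled as a user word that yields a different value on each fetch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical flag bits for the model (not the kernel's FS_*_FL values). */
#define DEMO_NOATIME_FL   0x1u  /* benign: the file owner may set it */
#define DEMO_IMMUTABLE_FL 0x2u  /* privileged: needs a capability */

struct demo_cred  { bool may_set_immutable; };
struct demo_inode { unsigned int flags; };

/*
 * "User memory" as a list of values, one per fetch. A second thread
 * rewriting the word is represented by the value changing between fetches.
 */
struct demo_user_word {
    const unsigned int *values;
    size_t nvalues;
    size_t fetches;
};

/* Constructed inputs: a racing caller and a caller that does not race. */
static const unsigned int DEMO_RACE[]   = { DEMO_NOATIME_FL, DEMO_IMMUTABLE_FL };
static const unsigned int DEMO_STEADY[] = { DEMO_IMMUTABLE_FL };

static unsigned int demo_get_user(struct demo_user_word *u)
{
    size_t i;

    if (u->nvalues == 0)
        return 0;
    i = u->fetches < u->nvalues ? u->fetches : u->nvalues - 1;
    u->fetches++;
    return u->values[i];
}

static int demo_flags_permitted(const struct demo_cred *cred, unsigned int flags)
{
    if ((flags & DEMO_IMMUTABLE_FL) && !cred->may_set_immutable)
        return -EPERM;
    return 0;
}

/* Lower filesystem handler: fetches the argument itself and checks it
 * against whatever credentials are current when it runs. */
static int demo_real_setflags(struct demo_inode *inode,
                              const struct demo_cred *current_cred,
                              struct demo_user_word *arg)
{
    unsigned int flags = demo_get_user(arg);
    int ret = demo_flags_permitted(current_cred, flags);

    if (ret)
        return ret;
    inode->flags = flags;
    return 0;
}

/* Before: the wrapper checks its own fetch, then calls the real handler
 * under the mounter's credentials, where the value is fetched again. */
static int demo_wrapper_before(struct demo_inode *inode,
                               const struct demo_cred *caller,
                               const struct demo_cred *mounter,
                               struct demo_user_word *arg)
{
    unsigned int flags = demo_get_user(arg);            /* fetch 1 */
    int ret = demo_flags_permitted(caller, flags);

    if (ret)
        return ret;
    return demo_real_setflags(inode, mounter, arg);     /* fetch 2 */
}

/* After: no credential override, so the only check that matters is made
 * by the real handler on the same value it applies. */
static int demo_wrapper_after(struct demo_inode *inode,
                              const struct demo_cred *caller,
                              struct demo_user_word *arg)
{
    return demo_real_setflags(inode, caller, arg);
}

/* Returns the flags that ended up on the inode, or a negative errno. */
int demo_outcome(int patched, const unsigned int *values, size_t nvalues)
{
    const struct demo_cred caller  = { .may_set_immutable = false };
    const struct demo_cred mounter = { .may_set_immutable = true };
    struct demo_user_word arg = { values, nvalues, 0 };
    struct demo_inode inode = { 0 };
    int ret = patched ? demo_wrapper_after(&inode, &caller, &arg)
                      : demo_wrapper_before(&inode, &caller, &mounter, &arg);

    return ret ? ret : (int)inode.flags;
}

int main(void)
{
    printf("before, racing caller: %d\n", demo_outcome(0, DEMO_RACE, 2));
    printf("after,  racing caller: %d\n", demo_outcome(1, DEMO_RACE, 2));
    printf("after,  steady caller: %d\n", demo_outcome(1, DEMO_STEADY, 1));
    return 0;
}
```

In the "before" wrapper the unprivileged caller ends up with the privileged flag set; in the "after" wrapper the value that is checked is the value that is applied.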
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 05/10] ovl: simplify file splice
Date: Mon, 7 Dec 2020 17:32:50 +0100
Message-Id: <20201207163255.564116-6-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>
References: <20201207163255.564116-1-mszeredi@redhat.com>

generic_file_splice_read() and iter_file_splice_write() will call back into f_op->iter_read() and f_op->iter_write() respectively. These already do the real file lookup and cred override. So the code in ovl_splice_read() and ovl_splice_write() is redundant.

In addition the ovl_file_accessed() call in ovl_splice_write() is incorrect, though probably harmless.

Fix by calling generic_file_splice_read() and iter_file_splice_write() directly.

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/file.c | 46 ++-------------------------------------------
 1 file changed, 2 insertions(+), 44 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index 3cd1590f2030..dc767034d37b 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c 
@@ -397,48 +397,6 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) return ret; } -static ssize_t ovl_splice_read(struct file *in, loff_t *ppos, - struct pipe_inode_info *pipe, size_t len, - unsigned int flags) -{ - ssize_t ret; - struct fd real; - const struct cred *old_cred; - - ret = ovl_real_fdget(in, &real); - if (ret) - return ret; - - old_cred = ovl_override_creds(file_inode(in)->i_sb); - ret = generic_file_splice_read(real.file, ppos, pipe, len, flags); - revert_creds(old_cred); - - ovl_file_accessed(in); - fdput(real); - return ret; -} - -static ssize_t -ovl_splice_write(struct pipe_inode_info *pipe, struct file *out, - loff_t *ppos, size_t len, unsigned int flags) -{ - struct fd real; - const struct cred *old_cred; - ssize_t ret; - - ret = ovl_real_fdget(out, &real); - if (ret) - return ret; - - old_cred = ovl_override_creds(file_inode(out)->i_sb); - ret = iter_file_splice_write(pipe, real.file, ppos, len, flags); - revert_creds(old_cred); - - ovl_file_accessed(out); - fdput(real); - return ret; -} - static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync) { struct fd real; 
@@ -732,8 +690,8 @@ const struct file_operations ovl_file_operations = { #ifdef CONFIG_COMPAT .compat_ioctl = ovl_compat_ioctl, #endif - .splice_read = ovl_splice_read, - .splice_write = ovl_splice_write, + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, .copy_file_range = ovl_copy_file_range, .remap_file_range = ovl_remap_file_range,
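Review bot: The changelog justifies removing the ovl_real_fdget() lookup and the ovl_override_creds()/revert_creds() pair from ovl_splice_read() and ovl_splice_write() by pointing at f_op->iter_read() and f_op->iter_write(), but those are not the member names of struct file_operations; the handler visible as context above the removed code is ovl_write_iter(), i.e. ->write_iter(). Please name ->read_iter()/->write_iter() in the message. It would also help to state which callee now performs the access-time update that the removed ovl_file_accessed(in) did on the read side, since only the write-side call is described as incorrect.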
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 06/10] ovl: user xattr
Date: Mon, 7 Dec 2020 17:32:51 +0100
Message-Id: <20201207163255.564116-7-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>

Optionally allow using "user.overlay." namespace instead of "trusted.overlay."

This is necessary for overlayfs to be able to be mounted in an unprivileged namespace.

Make the option explicit, since it makes the filesystem format be incompatible.

Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the "user.overlay.redirect" or "user.overlay.metacopy" xattrs.

Signed-off-by: Miklos Szeredi
Reviewed-by: Amir Goldstein
---
 fs/overlayfs/inode.c | 10 ++++++--
 fs/overlayfs/overlayfs.h | 8 +++---
 fs/overlayfs/ovl_entry.h | 1 +
 fs/overlayfs/super.c | 55 ++++++++++++++++++++++++++++++++++++----
 fs/overlayfs/util.c | 5 ++--
 5 files changed, 67 insertions(+), 12 deletions(-)

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index b584dca845ba..8ec3062999a9 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c
@@ -329,8 +329,14 @@ static const char *ovl_get_link(struct dentry *dentry, bool ovl_is_private_xattr(struct super_block *sb, const char *name) { - return strncmp(name, OVL_XATTR_PREFIX, - sizeof(OVL_XATTR_PREFIX) - 1) == 0; + struct ovl_fs *ofs = sb->s_fs_info; + + if (ofs->config.userxattr) + return strncmp(name, OVL_XATTR_USER_PREFIX, + sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0; + else + return strncmp(name, OVL_XATTR_TRUSTED_PREFIX, + sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0; } int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index f8880aa2ba0e..46282111d6e6 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -22,7 +22,9 @@ enum ovl_path_type { #define OVL_TYPE_MERGE(type) ((type) & __OVL_PATH_MERGE) #define OVL_TYPE_ORIGIN(type) ((type) & __OVL_PATH_ORIGIN) -#define OVL_XATTR_PREFIX XATTR_TRUSTED_PREFIX "overlay." +#define OVL_XATTR_NAMESPACE "overlay." +#define OVL_XATTR_TRUSTED_PREFIX XATTR_TRUSTED_PREFIX OVL_XATTR_NAMESPACE +#define OVL_XATTR_USER_PREFIX XATTR_USER_PREFIX OVL_XATTR_NAMESPACE enum ovl_xattr { OVL_XATTR_OPAQUE, @@ -113,10 +115,10 @@ struct ovl_fh { #define OVL_FH_FID_OFFSET (OVL_FH_WIRE_OFFSET + \ offsetof(struct ovl_fb, fid)) -extern const char *ovl_xattr_table[]; +extern const char *ovl_xattr_table[][2]; static inline const char *ovl_xattr(struct ovl_fs *ofs, enum ovl_xattr ox) { - return ovl_xattr_table[ox]; + return ovl_xattr_table[ox][ofs->config.userxattr]; } static inline int ovl_do_rmdir(struct inode *dir, struct dentry *dentry) diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h index 1b5a2094df8e..d634c7ba3b9c 100644 --- a/fs/overlayfs/ovl_entry.h +++ b/fs/overlayfs/ovl_entry.h @@ -17,6 +17,7 @@ struct ovl_config { bool nfs_export; int xino; bool metacopy; + bool userxattr; bool ovl_volatile; }; diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index 290983bcfbb3..189380b946be 100644 
--- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -411,6 +411,7 @@ enum { OPT_INDEX_ON, OPT_INDEX_OFF, OPT_NFS_EXPORT_ON, + OPT_USERXATTR, OPT_NFS_EXPORT_OFF, OPT_XINO_ON, OPT_XINO_OFF, @@ -429,6 +430,7 @@ static const match_table_t ovl_tokens = { {OPT_REDIRECT_DIR, "redirect_dir=%s"}, {OPT_INDEX_ON, "index=on"}, {OPT_INDEX_OFF, "index=off"}, + {OPT_USERXATTR, "userxattr"}, {OPT_NFS_EXPORT_ON, "nfs_export=on"}, {OPT_NFS_EXPORT_OFF, "nfs_export=off"}, {OPT_XINO_ON, "xino=on"}, @@ -585,6 +587,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) config->ovl_volatile = true; break; + case OPT_USERXATTR: + config->userxattr = true; + break; + default: pr_err("unrecognized mount option \"%s\" or missing value\n", p); @@ -688,6 +694,28 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) } } + + /* Resolve userxattr -> !redirect && !metacopy dependency */ + if (config->userxattr) { + if (config->redirect_follow && redirect_opt) { + pr_err("conflicting options: userxattr,redirect_dir=%s\n", + config->redirect_mode); + return -EINVAL; + } + if (config->metacopy && metacopy_opt) { + pr_err("conflicting options: userxattr,metacopy=on\n"); + return -EINVAL; + } + /* + * Silently disable default setting of redirect and metacopy. + * This shall be the default in the future as well: these + * options must be explicitly enabled if used together with + * userxattr. + */ + config->redirect_dir = config->redirect_follow = false; + config->metacopy = false; + } + return 0; } 
@@ -1037,8 +1065,14 @@ ovl_posix_acl_default_xattr_handler = { .set = ovl_posix_acl_xattr_set, }; -static const struct xattr_handler ovl_own_xattr_handler = { - .prefix = OVL_XATTR_PREFIX, +static const struct xattr_handler ovl_own_trusted_xattr_handler = { + .prefix = OVL_XATTR_TRUSTED_PREFIX, + .get = ovl_own_xattr_get, + .set = ovl_own_xattr_set, +}; + +static const struct xattr_handler ovl_own_user_xattr_handler = { + .prefix = OVL_XATTR_USER_PREFIX, .get = ovl_own_xattr_get, .set = ovl_own_xattr_set, }; @@ -1049,12 +1083,22 @@ static const struct xattr_handler ovl_other_xattr_handler = { .set = ovl_other_xattr_set, }; -static const struct xattr_handler *ovl_xattr_handlers[] = { +static const struct xattr_handler *ovl_trusted_xattr_handlers[] = { +#ifdef CONFIG_FS_POSIX_ACL + &ovl_posix_acl_access_xattr_handler, + &ovl_posix_acl_default_xattr_handler, +#endif + &ovl_own_trusted_xattr_handler, + &ovl_other_xattr_handler, + NULL +}; + +static const struct xattr_handler *ovl_user_xattr_handlers[] = { #ifdef CONFIG_FS_POSIX_ACL &ovl_posix_acl_access_xattr_handler, &ovl_posix_acl_default_xattr_handler, #endif - &ovl_own_xattr_handler, + &ovl_own_user_xattr_handler, &ovl_other_xattr_handler, NULL }; @@ -1991,7 +2035,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) cap_lower(cred->cap_effective, CAP_SYS_RESOURCE); sb->s_magic = OVERLAYFS_SUPER_MAGIC; - sb->s_xattr = ovl_xattr_handlers; + sb->s_xattr = ofs->config.userxattr ? ovl_user_xattr_handlers : + ovl_trusted_xattr_handlers; sb->s_fs_info = ofs; sb->s_flags |= SB_POSIXACL; sb->s_iflags |= SB_I_SKIP_SYNC; diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c index 23f475627d07..66eaf4db027f 100644 --- a/fs/overlayfs/util.c +++ b/fs/overlayfs/util.c 
@@ -582,9 +582,10 @@ bool ovl_check_dir_xattr(struct super_block *sb, struct dentry *dentry, #define OVL_XATTR_METACOPY_POSTFIX "metacopy" #define OVL_XATTR_TAB_ENTRY(x) \ - [x] = OVL_XATTR_PREFIX x ## _POSTFIX + [x] = { [false] = OVL_XATTR_TRUSTED_PREFIX x ## _POSTFIX, \ + [true] = OVL_XATTR_USER_PREFIX x ## _POSTFIX } -const char *ovl_xattr_table[] = { +const char *ovl_xattr_table[][2] = { OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE), OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT), OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN),
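Review bot: In the ovl_parse_opt() hunk of fs/overlayfs/super.c, the new comment says redirect and metacopy "must be explicitly enabled if used together with userxattr", yet the code directly above it returns -EINVAL for exactly that explicit combination (redirect_opt or metacopy_opt set). The changelog gives privilege escalation through "user.overlay.redirect" and "user.overlay.metacopy" as the reason for disabling them, so the comment should say the combination is rejected; as written it reads like an invitation to relax the check later.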
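Review bot: The userxattr option is parsed into config->userxattr and selects the xattr handler table in ovl_fill_super(), but none of the super.c hunks touches the code that reports mount options and the diffstat contains no Documentation change, so as far as this patch shows a mount using the incompatible "user.overlay." format is neither reported back as such nor documented. Suggest reporting userxattr when it is set and documenting it together with the forced-off redirect_dir and metacopy. Minor style point: OPT_USERXATTR sits between OPT_NFS_EXPORT_ON and OPT_NFS_EXPORT_OFF in the enum but before "nfs_export=on" in ovl_tokens; keep both in the same order and do not split the on/off pair.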
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 07/10] ovl: do not fail when setting origin xattr
Date: Mon, 7 Dec 2020 17:32:52 +0100
Message-Id: <20201207163255.564116-8-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>

Comment above call already says this, but only EOPNOTSUPP is ignored, other failures are not. For example setting "user.*" will fail with EPERM on symlink/special. Ignore this error as well.

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/copy_up.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 955ecd4030f0..8a7ef40d98f8 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c
@@ -352,7 +352,8 @@ int ovl_set_origin(struct dentry *dentry, struct dentry *lower, fh ? fh->fb.len : 0, 0); kfree(fh); - return err; + /* Ignore -EPERM from setting "user.*" on symlink/special */ + return err == -EPERM ? 0 : err; } /* Store file handle of @upper dir in @index dir entry */
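Review bot: The new return at the end of ovl_set_origin(), "return err == -EPERM ? 0 : err;", swallows -EPERM for every mount and every inode type, while both the comment and the changelog justify it only for "user.*" xattrs on symlinks and special files. On a "trusted.overlay." mount this would also hide a genuine permission failure when writing the origin xattr. Consider limiting the exemption to the userxattr configuration, or extend the comment to explain why ignoring -EPERM unconditionally is safe.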
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 08/10] ovl: do not fail because of O_NOATIME
Date: Mon, 7 Dec 2020 17:32:53 +0100
Message-Id: <20201207163255.564116-9-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>

In case the file cannot be opened with O_NOATIME because of lack of capabilities, then clear O_NOATIME instead of failing.

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/file.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index dc767034d37b..d6ac7ac66410 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c
@@ -53,9 +53,10 @@ static struct file *ovl_open_realfile(const struct file *file, err = inode_permission(realinode, MAY_OPEN | acc_mode); if (err) { realfile = ERR_PTR(err); - } else if (!inode_owner_or_capable(realinode)) { - realfile = ERR_PTR(-EPERM); } else { + if (!inode_owner_or_capable(realinode)) + flags &= ~O_NOATIME; + realfile = open_with_fake_path(&file->f_path, flags, realinode, current_cred()); }
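Review bot: The new branch in ovl_open_realfile() clears O_NOATIME whenever !inode_owner_or_capable(realinode) and has no comment, although the same condition used to end the open with -EPERM. Please add a comment stating that the open now proceeds without O_NOATIME, so access times on the real inode get updated for such callers, and that this is the intended trade-off; without it the silent downgrade is easy to mistake for a dropped permission check. The inode_permission() call above it still gates the open itself, which is worth mentioning in the same comment.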
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 09/10] ovl: do not get metacopy for userxattr
Date: Mon, 7 Dec 2020 17:32:54 +0100
Message-Id: <20201207163255.564116-10-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>

When looking up an inode on the lower layer for which the mounter lacks read permission, the metacopy check will fail. This causes the lookup to fail as well, even though the directory is readable.

So ignore EACCES for the "userxattr" case and assume no metacopy for the unreadable file.

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/util.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c index 66eaf4db027f..703c6e529f39 100644 --- a/fs/overlayfs/util.c +++ b/fs/overlayfs/util.c
@@ -880,6 +880,13 @@ int ovl_check_metacopy_xattr(struct ovl_fs *ofs, struct dentry *dentry) if (res < 0) { if (res == -ENODATA || res == -EOPNOTSUPP) return 0; + /* + * getxattr on user.* may fail with EACCES in case there's no + * read permission on the inode. Not much we can do, other than + * tell the caller that this is not a metacopy inode. + */ + if (ofs->config.userxattr && res == -EACCES) + return 0; goto out; }
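Review bot: Returning 0 for -EACCES in ovl_check_metacopy_xattr() makes this check fail open: an inode whose metacopy xattr could not be read is reported to the caller as not being a metacopy inode. That looks acceptable only because userxattr mounts have metacopy forced off in ovl_parse_opt() by patch 06 of this series. Please say so in the new comment, so the EACCES exemption is revisited if metacopy is ever allowed together with userxattr.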
From: Miklos Szeredi
To: "Eric W . Biederman"
Cc: linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 10/10] ovl: unprivieged mounts
Date: Mon, 7 Dec 2020 17:32:55 +0100
Message-Id: <20201207163255.564116-11-mszeredi@redhat.com>
In-Reply-To: <20201207163255.564116-1-mszeredi@redhat.com>

Enable unprivileged user namespace mounts of overlayfs. Overlayfs's permission model (*) ensures that the mounter itself cannot gain additional privileges by the act of creating an overlayfs mount.

This feature request is coming from the "rootless" container crowd.

(*) Documentation/filesystems/overlayfs.txt#Permission model

Signed-off-by: Miklos Szeredi
---
 fs/overlayfs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index 189380b946be..019e6f1834b0 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -2073,6 +2073,7 @@ static struct dentry *ovl_mount(struct file_system_type *fs_type, int flags, static struct file_system_type ovl_fs_type = { .owner = THIS_MODULE, .name = "overlay", + .fs_flags = FS_USERNS_MOUNT, .mount = ovl_mount, .kill_sb = kill_anon_super, };
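Review bot: The added ".fs_flags = FS_USERNS_MOUNT" makes overlay mountable from a user namespace unconditionally, and nothing in this hunk ties that to the userxattr option that patch 06 introduces as optional. The changelog rests the safety argument on the permission model in Documentation/filesystems/overlayfs.txt, but the diffstat touches only fs/overlayfs/super.c. Please document, in that file or at least in the changelog, what an unprivileged mounter has to pass (userxattr) and which features are then unavailable (redirect_dir, metacopy), so the conditions under which the permission-model argument holds are written down next to the switch that depends on them.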