From patchwork Wed Nov 21 19:58:59 2018
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 10693145
Date: Wed, 21 Nov 2018 20:58:59 +0100
Message-Id: <20181121195859.10894-1-jannh@google.com>
Subject: [PATCH] fs: add a comment explaining how MNT_NS_INTERNAL affects mnt_may_suid()
From: Jann Horn
To: Alexander Viro, jannh@google.com
Cc: Andy Lutomirski, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org

commit 380cf5ba6b0a ("fs: Treat foreign mounts as nosuid"), in addition to the intended effect, also prevented suid execution of memfd files. (And I think that's a good change.)

Signed-off-by: Jann Horn
--- fs/namespace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index a7f91265ea67..e68488426e42 100644
--- a/fs/namespace.c +++ b/fs/namespace.c @@ -3400,6 +3400,9 @@ bool mnt_may_suid(struct vfsmount *mnt) * prevents namespaces from trusting potentially unsafe * suid/sgid bits, file caps, or security labels that originate * in other namespaces. + * + * check_mnt() rejects MNT_NS_INTERNAL mounts; this means that suid + * execution is blocked for files on internal mounts, e.g. memfds. */ return !(mnt->mnt_flags & MNT_NOSUID) && check_mnt(real_mount(mnt)) && current_in_userns(mnt->mnt_sb->s_user_ns);
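
Review bot: The new sentence at the end of the comment in mnt_may_suid() records the effect on internal mounts but not that it is relied upon, and it names only "suid execution" while the paragraph it extends lists suid/sgid bits, file caps and security labels. The commit message says the memfd behaviour is considered a good change; the comment should say so too (for example "this is intentional"), so that anyone later changing how check_mnt() treats MNT_NS_INTERNAL sees that the rejection is security-relevant. If file caps and security labels are ignored for internal mounts in the same way, widen the wording to match the preceding paragraph rather than mentioning suid alone.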