From patchwork Tue Aug 1 16:17:04 2023
X-Patchwork-Submitter: Christian Brauner
X-Patchwork-Id: 13336989
From: Christian Brauner
Date: Tue, 01 Aug 2023 18:17:04 +0200
Subject: [PATCH] tmpfs: verify {g,u}id mount options correctly
Message-Id: <20230801-vfs-fs_context-uidgid-v1-1-daf46a050bbf@kernel.org>
To: Seth Forshee, Hugh Dickins
Cc: Seth Jenkins, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Christian Brauner
X-Mailer: b4 0.13-dev-099c9
X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624
Sender: owner-linux-mm@kvack.org
List-ID:

A while ago we received the following report:

"The other outstanding issue I noticed comes from the fact that fsconfig syscalls may occur in a different userns
than that which called fsopen. That means that resolving the uid/gid via current_user_ns() can save a kuid that isn't mapped in the associated namespace when the filesystem is finally mounted. This means that it is possible for an unprivileged user to create files owned by any group in a tmpfs mount (since we can set the SUID bit on the tmpfs directory), or a tmpfs that is owned by any user, including the root group/user."

The contract for {g,u}id mount options and {g,u}id values in general set from userspace has always been that they are translated according to the caller's idmapping. In so far, tmpfs has been doing the correct thing. But since tmpfs is mountable in unprivileged contexts it is also necessary to verify that the resulting k{u,g}id is representable in the namespace of the superblock to avoid such bugs as above.

The new mount api's cross-namespace delegation abilities are already widely used. After having talked to a bunch of userspace this is the most faithful solution with minimal regression risks. I know of one user - systemd - that makes use of the new mount api in this way and they don't set unresolvable {g,u}ids. So the regression risk is minimal.

Link: https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com
Fixes: f32356261d44 ("vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new mount API")
Reported-by: Seth Jenkins
Signed-off-by: Christian Brauner
Reviewed-by: Seth Forshee (DigitalOcean)
---
 mm/shmem.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
---
base-commit: 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5
change-id: 20230801-vfs-fs_context-uidgid-7756c8dcb1c0

diff --git a/mm/shmem.c b/mm/shmem.c
index 2f2e0e618072..1c0b2dafafe5 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -3636,6 +3636,8 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) unsigned long long size; char *rest; int opt; + kuid_t kuid; + kgid_t kgid; opt = fs_parse(fc, shmem_fs_parameters, param, &result); if (opt < 0) @@ -3671,14 +3673,32 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) ctx->mode = result.uint_32 & 07777; break; case Opt_uid: - ctx->uid = make_kuid(current_user_ns(), result.uint_32); - if (!uid_valid(ctx->uid)) + kuid = make_kuid(current_user_ns(), result.uint_32); + if (!uid_valid(kuid)) goto bad_value; + + /* + * The requested uid must be representable in the + * filesystem's idmapping. + */ + if (!kuid_has_mapping(fc->user_ns, kuid)) + goto bad_value; + + ctx->uid = kuid; break; case Opt_gid: - ctx->gid = make_kgid(current_user_ns(), result.uint_32); - if (!gid_valid(ctx->gid)) + kgid = make_kgid(current_user_ns(), result.uint_32); + if (!gid_valid(kgid)) goto bad_value; + + /* + * The requested gid must be representable in the + * filesystem's idmapping. + */ + if (!kgid_has_mapping(fc->user_ns, kgid)) + goto bad_value; + + ctx->gid = kgid; break; case Opt_huge: ctx->huge = result.uint_32;
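Review bot: in the Opt_uid and Opt_gid arms of the second hunk, the new kuid_has_mapping(fc->user_ns, kuid) / kgid_has_mapping(fc->user_ns, kgid) failures jump to the same bad_value label as the !uid_valid() / !gid_valid() case, so a caller who passes an id that is valid in its own namespace but not representable in the superblock's user namespace gets the same error as a malformed value; a distinct invalfc() message naming the missing mapping would make this much easier to diagnose, and after this change it is the case most likely to surprise a caller that delegates fsconfig() across namespaces. A smaller wording point on the two added comments: "the filesystem's idmapping" is easy to confuse with idmapped mounts, whereas what is actually checked is fc->user_ns, the fs_context's user namespace that becomes the superblock's; "representable in fc->user_ns" would be more precise. Resolving into the kuid/kgid locals first and assigning ctx->uid/ctx->gid only after both checks pass is the right shape, since ctx can no longer hold an id that later fails validation.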
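To show the check this patch adds, here is an added userspace model, not kernel code and not part of the patch: it reimplements the uid_map range lookup behind make_kuid() and kuid_has_mapping() and applies the patched Opt_uid logic to a constructed pair of namespaces (an initial namespace with the identity map, and an unprivileged namespace mapping only host uid 1000 to 0). Function and constant names mirror the kernel API but are local reimplementations, and the scenario is constructed from the report quoted above.

```c
/* Userspace model of the kernel's uid mapping checks; not kernel code.
 * A user namespace's uid_map is a list of (inside, outside, count) ranges, as
 * shown in /proc/<pid>/uid_map. make_kuid() maps "down" (ns uid -> kuid);
 * kuid_has_mapping() asks whether the kuid maps "up" into the namespace. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define INVALID_UID UINT32_MAX /* stands in for the kernel's INVALID_UID ((uid_t)-1) */

struct uid_extent { uint32_t first, lower_first, count; }; /* inside, outside, count */
struct user_ns { const struct uid_extent *map; size_t nr; };

/* ns-local uid -> kernel uid; INVALID_UID if the uid is not mapped in ns */
static uint32_t make_kuid(const struct user_ns *ns, uint32_t uid)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (uid >= e->first && uid - e->first < e->count)
            return e->lower_first + (uid - e->first);
    }
    return INVALID_UID;
}

/* true if the kernel uid has some representation inside ns */
static bool kuid_has_mapping(const struct user_ns *ns, uint32_t kuid)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (kuid >= e->lower_first && kuid - e->lower_first < e->count)
            return true;
    }
    return false;
}

/* Patched Opt_uid logic: resolve in the fsconfig() caller's namespace, then
 * require the result to be representable in fc->user_ns (fixed at fsopen()).
 * Returns the kuid to store in ctx->uid, or INVALID_UID for "bad_value". */
static uint32_t parse_uid_option(const struct user_ns *current_ns,
                                 const struct user_ns *fc_user_ns, uint32_t uid)
{
    uint32_t kuid = make_kuid(current_ns, uid);
    if (kuid == INVALID_UID)                 /* !uid_valid(kuid) */
        return INVALID_UID;
    if (!kuid_has_mapping(fc_user_ns, kuid)) /* the check this patch adds */
        return INVALID_UID;
    return kuid;
}

/* Constructed namespaces: initial ns "0 0 4294967295", unprivileged ns "0 1000 1". */
static const struct uid_extent init_map[] = {{0, 0, UINT32_MAX}};
static const struct uid_extent unpriv_map[] = {{0, 1000, 1}};
static const struct user_ns init_ns = {init_map, 1};
static const struct user_ns unpriv_ns = {unpriv_map, 1};
```

With fsopen() done in unpriv_ns and fsconfig("uid=0") issued from init_ns, the old code would have stored kuid 0 on a superblock owned by unpriv_ns; the added mapping check rejects it, while uid=1000 (kuid 1000, i.e. uid 0 inside unpriv_ns) is still accepted.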