From patchwork Wed Feb 21 21:24:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566378 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 051B685927; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=ksBBUscTtNeHVRKTQ33gs+xmRpnyL0aORIEHsxnRrWU4OmLZ7peDs1c1VTCQI5ZALVKjYui9bdOvmU2460SRa/HOpKLe1HfJCnjeJP5egAQfCAXhEftNil5lrtaT9kkpSyLBst7Kvw9ZKlH7bf/fNsTu80TO+qMWDYS7hKc7hzw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=POA0PrUTN0FKS/Ur9K0S38PgsRMyq3Vpis2kmg0j4iE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=RTJk0VYZUCc1fi2aZSS62mVxQdaFSBKjnvXCglN2MzO1zz0M+NL/83MsZV6jtskgoHdIzvoum19G5kDMMhbauWVdVyX/6HBBZ29ym9453svLME0EdK56POTiLVJ7XDtv+eD+3/0PMkajYbHKrNnSq6DNbu5sUDhcF/X4HMnoIQk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qqKvgODs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qqKvgODs" Received: by smtp.kernel.org (Postfix) with ESMTPS id A553EC43390; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550705; bh=POA0PrUTN0FKS/Ur9K0S38PgsRMyq3Vpis2kmg0j4iE=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=qqKvgODsKJnsTaYg73BSok+1W6QS0nZeWSmY/OoFMRN/Yo2iKo6D60IXChaqGt0wq jQmnQX6sifPQ9jgl5rOuzwWgepvyOLtBnNKJOoPbWl9J63yZGl80o8XheQ9C00pTs7 r8NYLFy7jIuV8FkFcwy9/0jl0+wDbHf7JZoGdUXnwaNl2KDP0QhfJYgQhSenOfNqwS gtqUCdl2HpfLiDCqBXUtodU9lzsHmM/fu1J11vvZJ+8X9ZsF/UEp7XI7TiArFRD5kc /0OyZ9SGhM5UYp9qfKqB0zy3LoY1c4UuL8ne4EpevTlFG68XePgGCMiIibWi9MH+Au P1gK6wgVgmP5g== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89D7CC5478B; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:32 -0600 Subject: [PATCH v2 01/25] mnt_idmapping: split out core vfs[ug]id_t definitions into vfsid.h Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-1-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=5431; i=sforshee@kernel.org; h=from:subject:message-id; bh=POA0PrUTN0FKS/Ur9K0S38PgsRMyq3Vpis2kmg0j4iE=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moYRgftQvnaAhwOC79xM2UkR?= =?utf-8?q?CSDp2SfLboi/uca_yap7limJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqGAAKCRBTA5mu5fQxydMWCA_CHRl2ahpZ1XKaT9DAva+dTXDWZTZpLPKpm7?= =?utf-8?q?33cX3EuV3oihFi32EJQ+Hbq/1ldRB2eErVaDK91yBAd_VYE7/nJsEKc/ba9Ky35Ow?= =?utf-8?q?IschvNvH9KXD5jqpQpkd+kPdAd1T/X46nbVnBjZ0aWzPPeZmct0OAi+wG_Y2Y5ALq?= =?utf-8?q?TlJpHmtT8g2DFxWNYq8K08IvK+3vID7WhxzDmcUTeLKxMWiIqPrybnPekmiscIc5D?= =?utf-8?q?oUrMxz_Hn2Em05Yu8OId/6I1Kz9rtmzWSYPJqM6lFPekAY3jtogoHVIU9dmN9HkZE?= =?utf-8?q?WzCTpB8PPDUCjuGqD5J5?= +VK4khbwbHHVfmKGEE64anWErIPwII X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 The rootid member of cpu_vfs_cap_data is a kuid_t, but it should be a vfsuid_t as the id stored there is mapped into the mount idmapping. It's currently impossible to use vfsuid_t within cred.h though as it is defined in mnt_idmapping.h, which uses definitions from cred.h. Split out the core vfsid type definitions into a separate file which can be included from cred.h. Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- MAINTAINERS | 1 + include/linux/mnt_idmapping.h | 66 +------------------------------------- include/linux/vfsid.h | 74 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+), 65 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 73d898383e51..6286d78a759a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8210,6 +8210,7 @@ S: Maintained F: Documentation/filesystems/idmappings.rst F: fs/mnt_idmapping.c F: include/linux/mnt_idmapping.* +F: include/linux/vfsid.h F: tools/testing/selftests/mount_setattr/ FILESYSTEMS [IOMAP] diff --git a/include/linux/mnt_idmapping.h b/include/linux/mnt_idmapping.h index cd4d5c8781f5..f463b9e1e258 100644 --- a/include/linux/mnt_idmapping.h +++ b/include/linux/mnt_idmapping.h @@ -4,6 +4,7 @@ #include #include +#include struct mnt_idmap; struct user_namespace; @@ -11,61 +12,6 @@ struct user_namespace; extern struct mnt_idmap nop_mnt_idmap; extern struct user_namespace init_user_ns; -typedef struct { - uid_t val; -} vfsuid_t; - -typedef struct { - gid_t val; -} vfsgid_t; - -static_assert(sizeof(vfsuid_t) == sizeof(kuid_t)); -static_assert(sizeof(vfsgid_t) == sizeof(kgid_t)); -static_assert(offsetof(vfsuid_t, val) == offsetof(kuid_t, val)); -static_assert(offsetof(vfsgid_t, val) == offsetof(kgid_t, val)); - -#ifdef CONFIG_MULTIUSER -static inline uid_t __vfsuid_val(vfsuid_t uid) -{ - return uid.val; -} - -static inline gid_t __vfsgid_val(vfsgid_t gid) -{ - return gid.val; -} -#else -static inline uid_t __vfsuid_val(vfsuid_t uid) -{ - return 0; -} - -static inline gid_t __vfsgid_val(vfsgid_t gid) -{ - return 0; -} -#endif - -static inline bool vfsuid_valid(vfsuid_t uid) -{ - return __vfsuid_val(uid) != (uid_t)-1; -} - -static inline bool vfsgid_valid(vfsgid_t gid) -{ - return __vfsgid_val(gid) != (gid_t)-1; -} - -static inline bool vfsuid_eq(vfsuid_t left, vfsuid_t right) -{ - return vfsuid_valid(left) && __vfsuid_val(left) == __vfsuid_val(right); -} - -static inline bool vfsgid_eq(vfsgid_t left, vfsgid_t right) -{ - return vfsgid_valid(left) && __vfsgid_val(left) == __vfsgid_val(right); -} - /** * vfsuid_eq_kuid - check whether kuid and vfsuid have the same value * @vfsuid: the vfsuid to compare @@ -96,16 +42,6 @@ static inline bool vfsgid_eq_kgid(vfsgid_t vfsgid, kgid_t kgid) return vfsgid_valid(vfsgid) && __vfsgid_val(vfsgid) == __kgid_val(kgid); } -/* - * vfs{g,u}ids are created from k{g,u}ids. - * We don't allow them to be created from regular {u,g}id. - */ -#define VFSUIDT_INIT(val) (vfsuid_t){ __kuid_val(val) } -#define VFSGIDT_INIT(val) (vfsgid_t){ __kgid_val(val) } - -#define INVALID_VFSUID VFSUIDT_INIT(INVALID_UID) -#define INVALID_VFSGID VFSGIDT_INIT(INVALID_GID) - /* * Allow a vfs{g,u}id to be used as a k{g,u}id where we want to compare * whether the mapped value is identical to value of a k{g,u}id. diff --git a/include/linux/vfsid.h b/include/linux/vfsid.h new file mode 100644 index 000000000000..90262944b042 --- /dev/null +++ b/include/linux/vfsid.h @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_MNT_VFSID_H +#define _LINUX_MNT_VFSID_H + +#include +#include +#include + +typedef struct { + uid_t val; +} vfsuid_t; + +typedef struct { + gid_t val; +} vfsgid_t; + +static_assert(sizeof(vfsuid_t) == sizeof(kuid_t)); +static_assert(sizeof(vfsgid_t) == sizeof(kgid_t)); +static_assert(offsetof(vfsuid_t, val) == offsetof(kuid_t, val)); +static_assert(offsetof(vfsgid_t, val) == offsetof(kgid_t, val)); + +#ifdef CONFIG_MULTIUSER +static inline uid_t __vfsuid_val(vfsuid_t uid) +{ + return uid.val; +} + +static inline gid_t __vfsgid_val(vfsgid_t gid) +{ + return gid.val; +} +#else +static inline uid_t __vfsuid_val(vfsuid_t uid) +{ + return 0; +} + +static inline gid_t __vfsgid_val(vfsgid_t gid) +{ + return 0; +} +#endif + +static inline bool vfsuid_valid(vfsuid_t uid) +{ + return __vfsuid_val(uid) != (uid_t)-1; +} + +static inline bool vfsgid_valid(vfsgid_t gid) +{ + return __vfsgid_val(gid) != (gid_t)-1; +} + +static inline bool vfsuid_eq(vfsuid_t left, vfsuid_t right) +{ + return vfsuid_valid(left) && __vfsuid_val(left) == __vfsuid_val(right); +} + +static inline bool vfsgid_eq(vfsgid_t left, vfsgid_t right) +{ + return vfsgid_valid(left) && __vfsgid_val(left) == __vfsgid_val(right); +} + +/* + * vfs{g,u}ids are created from k{g,u}ids. + * We don't allow them to be created from regular {u,g}id. + */ +#define VFSUIDT_INIT(val) (vfsuid_t){ __kuid_val(val) } +#define VFSGIDT_INIT(val) (vfsgid_t){ __kgid_val(val) } + +#define INVALID_VFSUID VFSUIDT_INIT(INVALID_UID) +#define INVALID_VFSGID VFSGIDT_INIT(INVALID_GID) + +#endif /* _LINUX_MNT_VFSID_H */ From patchwork Wed Feb 21 21:24:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566380 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1A7EC126F2A; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=joUsvo0W/cyCmTR0gUF0Stldrr5XoHonDBnEkACQM5dAkQZ+9fmC/Skl9GTIJUowi13KL0wuXGsv+YJ5iAdllkGr/OF03CkDae4k51olsaejIS+HiL413pSMxF21Xfa5GzOWtAbufl84JBXjVQveEGGB9XatKavFtmtHLgJIPEQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=s8BhiBRhiwiAP2lDz8YD4FeHbwY0FdRcy4khC2QXOeo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=O0ZOSo3bUG4inu5/QzZDulXaIEk0zkszcoTjQUHgFtXHbLP8ULgEu1Rr2TuxCndOYDZVn4H2IHzip4hChwCHtWXQGnt0iu9nxU1LJbQWhAPnZhAe1S5tple5nIYdmGXNOoNXd23viUmnSTE+48zdfRAWT5s7V/WfYx8ShiNFn+c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=uXPYl07o; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="uXPYl07o" Received: by smtp.kernel.org (Postfix) with ESMTPS id B86F8C43399; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550705; bh=s8BhiBRhiwiAP2lDz8YD4FeHbwY0FdRcy4khC2QXOeo=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=uXPYl07oVJX+lSh2eI/G9ENNQzwWI9Mvd+lPPnS6208khlfYH04meDoyVGSUGw3vD Y5dT61JFbTj9wiNDaIw/OrzWU9sphp7z0rSs4bU2n9aiPNCnvZiq1PgoJc6pv8ZUeK iFQslb7CZGoiI7eahfCmzZiklTbrNC2fa6pYy5Q15bhI84I36YOjG/0nAz3cdtqBvp mVdJlooRtDlj5cx14RgtR2sX1xQ4lRc0gLLmPpMa7YN0j4tLMP8bxmVhYkwg/4UEW3 NQJgDWDfuuWKAoe3A+ehgmX5GcrurfMsCXplT5qOaUjzLxp7o0QQkdgHx2gQ9meX2J ZxY03ei4WaFIQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 987E5C48BEB; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:33 -0600 Subject: [PATCH v2 02/25] mnt_idmapping: include cred.h Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-2-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=615; i=sforshee@kernel.org; h=from:subject:message-id; bh=s8BhiBRhiwiAP2lDz8YD4FeHbwY0FdRcy4khC2QXOeo=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moZWJyTYqEQXXwQLJ5EhCO4I?= =?utf-8?q?sZaODJ1GwzPRkjR_O9Ooj0yJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqGQAKCRBTA5mu5fQxycLAB/_4gilqSDMXmqmW5ACdjlSaK8IVbKVXj692sO?= =?utf-8?q?mAd52ZU7RyDpRMqErfeo+jKA9HZ4jpNMRinnIbv5ZJc_IgyPm1VNoeYHtZ3uI+nzh?= =?utf-8?q?AuZFC6/OM+l+muPeJwJFVYuiRHY0MnqLcJ402ZyYNVL5NCRfHg0HB09x+_p8g4irx?= =?utf-8?q?XYe4CvbNPE7Hj4Nl8+MePzf15MKpUJS1fMu5eW+uEkv0BRqLqbIkXGqoGLyP28E8x?= =?utf-8?q?hjA0HY_Il7EAF6BoAhxoG52+v9loCyzJZjiN4oMZ5A1QRkvhA9MEZRXmz386l+/K1?= =?utf-8?q?dmGAwPxn6EbEOtRlfb55?= qnL3LrPDn/o6PZFFOlK7G26VetuwcU X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 mnt_idmapping.h uses declarations from cred.h, so it should include that file directly. Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- include/linux/mnt_idmapping.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/mnt_idmapping.h b/include/linux/mnt_idmapping.h index f463b9e1e258..6deba8d5481e 100644 --- a/include/linux/mnt_idmapping.h +++ b/include/linux/mnt_idmapping.h @@ -5,6 +5,7 @@ #include #include #include +#include struct mnt_idmap; struct user_namespace; From patchwork Wed Feb 21 21:24:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566381 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1A847126F37; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=s+Tyb/1adFhbgjmvpSOn16ahmo+bvHVa99SDNGqBz+iBTHEUM7SuJeBZzrvScsMEXqhTp1AwJcqmdHkHAz3ot+nZcnH9+Utjcn52sWNa7S5rSghCdG5zQXyaWVuFEqifVBoUQ3+U8MRR0Nms1+bExFY2WHY3mCEp01lGO7CBOXs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=bxTL27ZkILW3Z/PzdK+zkxv1J47CpCEVsrwmLCLu4uQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=QF50VmNq9egvcicmhu7XRlB0hduNG4nQ0xCLssKiu6UcZnp4ennrpCGl32gBGOlpah/RKiM8IJM62IvD3QqL0qX0LMTAmSFOkK3f2ZahGzVwg4/EI2RgMTLJuQDoXiEWUpL7WZrju336yeCB5qaGRYYNA0Wt3WhoN2YcKn/VDYs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AOHOscL/; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AOHOscL/" Received: by smtp.kernel.org (Postfix) with ESMTPS id C711BC43394; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550705; bh=bxTL27ZkILW3Z/PzdK+zkxv1J47CpCEVsrwmLCLu4uQ=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=AOHOscL/gjT4JPVPVXnI5f9pRqdhqa/wBBC75l1WdNJ6VbSJSV31AtM1BKILqsmUA sjYzkl1/isGO7UsLJOsgrnlLXrX05mSEhr1WiSOTZEz7ig2nmpG7W8J6frSzVd9LG+ Z2ybF5x+PHjg1EAllZ3tvUZu2YDU8e7KnFimS2EFFEClLob/yjzuGf7jkU9sfYOZWq /NWaLnD9y4GFIlQalpBw2q6tuQGWIJKUk3cObd/ODZW9JERyRtyJ1E9vKF8QEdwra4 MBeM617WCZQUqFp/utwbyPkujJtwOzKN3tQHgqTX1Gouv3+FIWWEosjryZOgo75+nS pWriqrFtdh4yQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8FDEC5478D; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:34 -0600 Subject: [PATCH v2 03/25] capability: add static asserts for comapatibility of vfs_cap_data and vfs_ns_cap_data Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-3-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=1385; i=sforshee@kernel.org; h=from:subject:message-id; bh=bxTL27ZkILW3Z/PzdK+zkxv1J47CpCEVsrwmLCLu4uQ=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moa/fJIxAg3DN6LOTcQsDvH+?= =?utf-8?q?cZkYg8eiXdC9JTK_9qLOZZKJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqGgAKCRBTA5mu5fQxyYwTB/_0d04ClkP7dmDAlcfihBhhJW2R5p6fTL0P2e?= =?utf-8?q?SnUHdh3EIvIuiO7fUd8A1x3SG34fs+5Dvuh9su7zIEW_EIkSiAN6/ApACZYiaq8hA?= =?utf-8?q?6USOPOYTJoprKB9gxYdSZnwtM0jBsTQJJBWeniB0tmsNqNK5IcG+4zjzf_9T+E79h?= =?utf-8?q?tjMvGDgTfzhPO4Rz4RDUXIp4f743XGZig4ke+wGBits11N8mEtI93rEHrj2RYYHjs?= =?utf-8?q?bFC5wB_spyh4kqE0A8w5lxKuce5v4NGcHPr8rawPMXMe/3gbFJTGSB1biA/M9v2Sa?= =?utf-8?q?lORt97iZEgk3CuwSNFuW?= mtlO95lKDpr28Q6/Y6GSGWAay4GQM9 X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Capability code depends on vfs_ns_cap_data being an extension of vfs_cap_data, so verify this at compile time. Suggested-by: Christian Brauner Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- include/uapi/linux/capability.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h index 5bb906098697..0fd75aab9754 100644 --- a/include/uapi/linux/capability.h +++ b/include/uapi/linux/capability.h @@ -16,6 +16,10 @@ #include +#ifdef __KERNEL__ +#include +#endif + /* User-level do most of the mapping between kernel and user capabilities based on the version tag given by the kernel. The kernel might be somewhat backwards compatible, but don't bet on @@ -100,6 +104,15 @@ struct vfs_ns_cap_data { #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 +#else + +static_assert(offsetof(struct vfs_cap_data, magic_etc) == + offsetof(struct vfs_ns_cap_data, magic_etc)); +static_assert(offsetof(struct vfs_cap_data, data) == + offsetof(struct vfs_ns_cap_data, data)); +static_assert(sizeof(struct vfs_cap_data) == + offsetof(struct vfs_ns_cap_data, rootid)); + #endif From patchwork Wed Feb 21 21:24:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566379 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1A4D5126F22; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=epMT59YZR/00MVkLCi3Rns9b/ElM2uRGDgeuwoWWwLSof2Ff5ix5Qur1D3xNBNU9e7/xUwaXWvJ/nPBh0qTtl/cKgLPYCnqzHepPoNFgGJSdcWNsIjzeZP8h3BC7rInaDN9ojzvNoSB5mtZGtV04arp4WgEERMTnaECnndUoYWM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=Y5Y30p4SCfTGfQg8oU5oIf6A+JB4LZOuEG/nIXEuQzs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=XJ91hQbpw/n3pbHyyqa0aZhABKBG0aVG/ge/eva84oQAyAHR/ztMQ3T2i+FWJtoLWy+P1Q1zU9mCJ9NBohjdXLybAqZK1qUhMcf0mjl6+WVeTZHIL5IvDCL9Kg70ZkLluUf/H3Kp//xGE4KzppHRKPVp1Wk/qFJHGbrw8Ppc5u4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Fcm3hib9; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Fcm3hib9" Received: by smtp.kernel.org (Postfix) with ESMTPS id CBABDC43601; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550705; bh=Y5Y30p4SCfTGfQg8oU5oIf6A+JB4LZOuEG/nIXEuQzs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=Fcm3hib9cZ7v6IA4PdMbWds9TcIQjq1Pe0abjXDgnWnXea7U66tAyZEJ9AqU/WzOr k0Ke9qMTzeRQcrCl1ZpoW9YR5mrz/NZxsxXlQiXvhqIsQ3ZwYE9XzF3oG0P9PV4Y+U REMePuXyccPVR9aXWY3Y72WgxLUnON1uU3jbNBAtEZ+Hd6SRJvkYXCyBLN+GWOwHYh g1cIu/yHGW9iwkbs1qFnkRLb9NZXFxQhQmDPgOKHaeigRwEf7TOAJdNJsB5qhIKB7r 2gtYPmo4bvWYmah5ftVUSetfRzgnfUMSIjq+EJHd0t9g8erLoOuByKpelp5tIWm/+B qSAHqbhs6UoCQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8FDBC5478A; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:35 -0600 Subject: [PATCH v2 04/25] capability: rename cpu_vfs_cap_data to vfs_caps Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-4-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3545; i=sforshee@kernel.org; h=from:subject:message-id; bh=Y5Y30p4SCfTGfQg8oU5oIf6A+JB4LZOuEG/nIXEuQzs=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mobLp7u/pdNjeacbXMjbSmEj?= =?utf-8?q?yV6rMwMwivWNU01_Kh0BkwWJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqGwAKCRBTA5mu5fQxyY9qB/_9zUYtdKwx4X8HLo4wnjsbAIGYaWULalOUka?= =?utf-8?q?xXnOKjI5Cs4QTHrFSqLwolWhCcuwuJCqxufBU3HxTnc_mxPuO1+61LNNhi/pCD44c?= =?utf-8?q?/qRrZUVVTkRAtKBczWgUu6i3XXeeqJLm6XeipSXmdG8cXmXYG8Z187Qbq_F5NubGa?= =?utf-8?q?dgplNl+QZZZQxAr5Ejyxm7NmVVnTwEBMdlEobRDFUGTFx2dSAaIon/Yk9iw58upAs?= =?utf-8?q?iDc80O_IxJbm6qPqST7KMcaLpBxCduVum8Kw1Ljhi2YFVnvMFzw1j5/byvyaLLhuW?= =?utf-8?q?5jFhzBU4PIXJo3y89Kng?= MOIi8lpcWkKwus9TggxdTwSRIABNLw X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 vfs_caps is a more generic name which is better suited to the broader use this struct will see in subsequent commits. Reviewed-by: Christian Brauner Acked-by: Paul Moore Signed-off-by: Seth Forshee (DigitalOcean) --- include/linux/capability.h | 4 ++-- kernel/auditsc.c | 4 ++-- security/commoncap.c | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index 0c356a517991..c24477e660fc 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -24,7 +24,7 @@ extern int file_caps_enabled; typedef struct { u64 val; } kernel_cap_t; /* same as vfs_ns_cap_data but in cpu endian and always filled completely */ -struct cpu_vfs_cap_data { +struct vfs_caps { __u32 magic_etc; kuid_t rootid; kernel_cap_t permitted; @@ -211,7 +211,7 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, const struct dentry *dentry, - struct cpu_vfs_cap_data *cpu_caps); + struct vfs_caps *cpu_caps); int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry, const void **ivalue, size_t size); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..783d0bf69ca5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2247,7 +2247,7 @@ void __audit_getname(struct filename *name) static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) { - struct cpu_vfs_cap_data caps; + struct vfs_caps caps; int rc; if (!dentry) @@ -2800,7 +2800,7 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, { struct audit_aux_data_bprm_fcaps *ax; struct audit_context *context = audit_context(); - struct cpu_vfs_cap_data vcaps; + struct vfs_caps vcaps; ax = kmalloc(sizeof(*ax), GFP_KERNEL); if (!ax) diff --git a/security/commoncap.c b/security/commoncap.c index 162d96b3a676..7cda247dc7e9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -584,7 +584,7 @@ int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry, * Calculate the new process capability sets from the capability sets attached * to a file. */ -static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, +static inline int bprm_caps_from_vfs_caps(struct vfs_caps *caps, struct linux_binprm *bprm, bool *effective, bool *has_fcap) @@ -635,7 +635,7 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, */ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, const struct dentry *dentry, - struct cpu_vfs_cap_data *cpu_caps) + struct vfs_caps *cpu_caps) { struct inode *inode = d_backing_inode(dentry); __u32 magic_etc; @@ -646,7 +646,7 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, vfsuid_t rootvfsuid; struct user_namespace *fs_ns; - memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); + memset(cpu_caps, 0, sizeof(struct vfs_caps)); if (!inode) return -ENODATA; @@ -725,7 +725,7 @@ static int get_file_caps(struct linux_binprm *bprm, const struct file *file, bool *effective, bool *has_fcap) { int rc = 0; - struct cpu_vfs_cap_data vcaps; + struct vfs_caps vcaps; cap_clear(bprm->cred->cap_permitted); From patchwork Wed Feb 21 21:24:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566382 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64B73128394; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=Q4q8JKsmPlno6NaoZkrWCcxn1MSitML1Zes745M4k/I2ohzcWTulvSU+Ae+Mw0yovjndjFXDEdggd18tE4VAj/cUGRAn8456kYzcRhRjlkVcPkHjUY62s597aHe7nzqfEJsqXrcTFCk1oS4lyZU6o0JKhn5UIFLbCbSa2633Vt8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=YMHnxXBEI/P1sDB6/aXu4KjyTt4t2HZBNesMC/3zNhs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=DlgR4cYhTE+BjJubSU8YMlbKueXkTuvxL+OqT/ys4zNA0pIowotpo+9642R0bMYVXdkyWmc+ZAxPY+vcKKPdvXujaFJ4CCF+NwxSPBShVo+uTLFoE/e2OJpcSJA0GsKCu5cuDIJluZ0yuBnTXm2fQytvQN2y3kq4um1ZCpLAOWE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=XjwxMbdv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="XjwxMbdv" Received: by smtp.kernel.org (Postfix) with ESMTPS id DA736C43142; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550705; bh=YMHnxXBEI/P1sDB6/aXu4KjyTt4t2HZBNesMC/3zNhs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=XjwxMbdvpIklZ8ZuHRgo1ZSr3vrHNwetBmLgeLQE2/bMuolrgZlbTjx8oPW9vwdgi cLmH0Q2OwPUDxt0zRKR/wdErY+SE0avhim9OvOhNSVr8N1OkjwZFA6YgwD7LElt12Z 5QNuTTmceyB+2/4GW5sZzuzVlJlGSF0xbhruokYGvZYf3iQkr62QmX/uw+8a2XmCVh 9/box8wK3rfkiM0mxilfKZuDCdkYKM/vEn/t/JdMKq8sjN/J8TDYURff8m0KjUKgIL bCu4g1Nv7T5UvRVIbNvsSLgkeF351qz1KsZphPgu4QwgHP+oJvwcSYHFqphnW0jBXy pEYIHqTPQLAAQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C73FCC5478C; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:36 -0600 Subject: [PATCH v2 05/25] capability: use vfsuid_t for vfs_caps rootids Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-5-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=2813; i=sforshee@kernel.org; h=from:subject:message-id; bh=YMHnxXBEI/P1sDB6/aXu4KjyTt4t2HZBNesMC/3zNhs=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moc9PlzOKO/Kyx+lBa/M3xom?= =?utf-8?q?Z3GPJVZxjtiE7L2_DuW0zcKJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqHAAKCRBTA5mu5fQxyWfCB/_43YTrTvfhVuOT0q1B/D6FhejPBxQNkO/BnY?= =?utf-8?q?Q3ZrnKJbTbp44bZUF5mGs5jcP2xDdmAjW4CEnAhSy9M_pSzcb+7UKv6auwA0B0Y6B?= =?utf-8?q?d0Rabx/8z/3pnoUYWlLrgXWJluVZbFhrZmEhI0nSpdP/a3wwqdkBRl7xn_ATu5t0u?= =?utf-8?q?CHGnbdr9CRQvE2DGGQiB0rHgAD6mxoWAPQpW+fKMiBNbPOwu7YKPvaynD5JTZ6Evl?= =?utf-8?q?TiSlrf_whTtvzTnkpe2dGqZVxeEsNQ35AkJQgMEAYwSro7u4f2w9R/b5hO7M8WOg8?= =?utf-8?q?/KkOoZBzahTBqYE+QJg2?= KzNOWFT6FYRXRuHJ01Uf7V739eWk+C X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 The rootid is a kuid_t, but it contains an id which maped into a mount idmapping, so it is really a vfsuid. This is confusing and creates potential for misuse of the value, so change it to vfsuid_t. Acked-by: Paul Moore Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- include/linux/capability.h | 3 ++- kernel/auditsc.c | 5 +++-- security/commoncap.c | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index c24477e660fc..eb46d346bbbc 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -16,6 +16,7 @@ #include #include #include +#include #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 @@ -26,7 +27,7 @@ typedef struct { u64 val; } kernel_cap_t; /* same as vfs_ns_cap_data but in cpu endian and always filled completely */ struct vfs_caps { __u32 magic_etc; - kuid_t rootid; + vfsuid_t rootid; kernel_cap_t permitted; kernel_cap_t inheritable; }; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 783d0bf69ca5..65691450b080 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -65,6 +65,7 @@ #include #include // struct open_how #include +#include #include "audit.h" @@ -2260,7 +2261,7 @@ static inline int audit_copy_fcaps(struct audit_names *name, name->fcap.permitted = caps.permitted; name->fcap.inheritable = caps.inheritable; name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); - name->fcap.rootid = caps.rootid; + name->fcap.rootid = AS_KUIDT(caps.rootid); name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; @@ -2816,7 +2817,7 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, ax->fcap.permitted = vcaps.permitted; ax->fcap.inheritable = vcaps.inheritable; ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); - ax->fcap.rootid = vcaps.rootid; + ax->fcap.rootid = AS_KUIDT(vcaps.rootid); ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; ax->old_pcap.permitted = old->cap_permitted; diff --git a/security/commoncap.c b/security/commoncap.c index 7cda247dc7e9..a0b5c9740759 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -711,7 +711,7 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, cpu_caps->permitted.val &= CAP_VALID_MASK; cpu_caps->inheritable.val &= CAP_VALID_MASK; - cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid); + cpu_caps->rootid = rootvfsuid; return 0; } From patchwork Wed Feb 21 21:24:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566383 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64BC512839A; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=HfzGVwEVeGYAbE/kIbKUkJLg1awgCry22FfH6+EIGW4I0EmAk0DAsbxoBRYnRqaWWsoVNfQ+JXzc5LJTTZh5aAbwo4S0nipMgkTLIgaMUXutxeQVrHZ8kZl6MD1oeo3l8s0MayJyTbNnPoSYNAo/BTe6m2gpa09sergJWEvyomQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=KV67NQ3jY16wtebp+H7T3tkKlXDYN1N/ejbqZKr3l94=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=kTKbvoPZfgk87YyJIoirED3/JXQsaoAaMpWKDWEp0PIz8TyWybe4sbQYL8oba08xnRUJJR0vAALSi2mVsbRBPxdhf+KxBzSHC/jITUEDLBX/9Lb0NlH4RnBFIRymObwpT972xNlG3JFDOejGGzj/TtyFHoRiHQ8arTi05MVJgtA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=tdMpuRoC; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="tdMpuRoC" Received: by smtp.kernel.org (Postfix) with ESMTPS id 062F9C4166D; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=KV67NQ3jY16wtebp+H7T3tkKlXDYN1N/ejbqZKr3l94=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=tdMpuRoC3KRrCsZbyIG1qt+q1GFq3KoiPjqrICz36gS5wz1CP2h0hpSqfJ5U9BbJs nUb5YDHmg5qSfeA9p6Jh8HqXx1uofZAPRUSUwdKOmXAmtk+a7KEUfSK8j1atP2hONS 7QRML7jrkapTT5C12iX+ZUhUg0nxsAL9f7LU3Xl9hQFO1KGnZQSxaWXyXGj8WW6E52 aoRTEBVS9qtuFFIqgWrGHzVuw58kwyf4vszeUlYfX/1xgpMlircLrDeM7hTBwY/1Ld IfLaHPTrxmJMGQIB7uRJ4nnFUrBoWZqhE/o8xBJmMdnbfuSw0pQb2zf4M1aW+hYNrv HxW1NuFvhYEEQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7B54C48BEB; Wed, 21 Feb 2024 21:25:05 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:37 -0600 Subject: [PATCH v2 06/25] capability: provide helpers for converting between xattrs and vfs_caps Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-6-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=11618; i=sforshee@kernel.org; h=from:subject:message-id; bh=KV67NQ3jY16wtebp+H7T3tkKlXDYN1N/ejbqZKr3l94=; =?utf-8?q?b=3DowGbwMvMwMUYzDxz3dMvhicZT6slMaRey5L9sT2C27hXw2e3XWJbx5+YymITz?= =?utf-8?q?i362vFF8xZty9M/_byHdyWjMwsDIxSArpsgyYd791RrczwVtdsiehxnEygQyhYGLU?= =?utf-8?q?wAm4rad/X+g8zyJNnf7WoOgs5U3n6_18k1ZeYR/J/0d5s+vVDpvbJqbP/6ZdE97vs?= =?utf-8?q?ZWj9udDda0ag+Xn1b3N1TIinUNiM9gKKywLpgn2XlN/_6JEup8NZvseR55rte2ezD?= =?utf-8?q?5Kp2mXf5J7P3cTI8H9mhMC3OcHh+c3zrxr9SJbO2XDZUTZ+4YZg8dk3vC_74ngsrn?= =?utf-8?q?38p5k64YGz434v3WthuH1WK2xqt+ExVlIlnye245wt8jPKjnu3l5C3QkOauPCcp3D?= =?utf-8?q?AhSKR1_57HW8ymHbzqLdG5vvKnD5Xl9441bceXxXn6hgj690/6a3m1+7z1li/sXG7?= =?utf-8?q?4/LmZb7milT+V5mC84LX?= ZWjY5Iinf5y9rD21/cv7O8XVAWAA== X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 To pass around vfs_caps instead of raw xattr data we will need to convert between the two representations near userspace and disk boundaries. We already convert xattrs from disks to vfs_caps, so move that code into a helper, and change get_vfs_caps_from_disk() to use the helper. When converting vfs_caps to xattrs we have different considerations depending on the destination of the xattr data. For xattrs which will be written to disk we need to reject the xattr if the rootid does not map into the filesystem's user namespace, whereas xattrs read by userspace may need to undergo a conversion from v3 to v2 format when the rootid does not map. So this helper is split into an internal and an external interface. The internal interface does not return an error if the rootid has no mapping in the target user namespace and will be used for conversions targeting userspace. The external interface returns EOVERFLOW if the rootid has no mapping and will be used for all other conversions. Signed-off-by: Seth Forshee (DigitalOcean) --- include/linux/capability.h | 10 ++ security/commoncap.c | 228 +++++++++++++++++++++++++++++++++++---------- 2 files changed, 187 insertions(+), 51 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index eb46d346bbbc..a0893ac4664b 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -209,6 +209,16 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) ns_capable(ns, CAP_SYS_ADMIN); } +/* helpers to convert between xattr and in-kernel representations */ +int vfs_caps_from_xattr(struct mnt_idmap *idmap, + struct user_namespace *src_userns, + struct vfs_caps *vfs_caps, + const void *data, size_t size); +ssize_t vfs_caps_to_xattr(struct mnt_idmap *idmap, + struct user_namespace *dest_userns, + const struct vfs_caps *vfs_caps, + void *data, size_t size); + /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, const struct dentry *dentry, diff --git a/security/commoncap.c b/security/commoncap.c index a0b5c9740759..7531c9634997 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -619,54 +619,41 @@ static inline int bprm_caps_from_vfs_caps(struct vfs_caps *caps, } /** - * get_vfs_caps_from_disk - retrieve vfs caps from disk + * vfs_caps_from_xattr - convert raw caps xattr data to vfs_caps * - * @idmap: idmap of the mount the inode was found from - * @dentry: dentry from which @inode is retrieved - * @cpu_caps: vfs capabilities + * @idmap: idmap of the mount the inode was found from + * @src_userns: user namespace for ids in xattr data + * @vfs_caps: destination buffer for vfs_caps data + * @data: rax xattr caps data + * @size: size of xattr data * - * Extract the on-exec-apply capability sets for an executable file. + * Converts a raw security.capability xattr into the kernel-internal + * capabilities format. * - * If the inode has been found through an idmapped mount the idmap of - * the vfsmount must be passed through @idmap. This function will then - * take care to map the inode according to @idmap before checking - * permissions. On non-idmapped mounts or if permission checking is to be - * performed on the raw inode simply pass @nop_mnt_idmap. + * If the xattr is being read or written through an idmapped mount the + * idmap of the vfsmount must be passed through @idmap. This function + * will then take care to map the rootid according to @idmap. + * + * Return: On success, return 0; on error, return < 0. */ -int get_vfs_caps_from_disk(struct mnt_idmap *idmap, - const struct dentry *dentry, - struct vfs_caps *cpu_caps) +int vfs_caps_from_xattr(struct mnt_idmap *idmap, + struct user_namespace *src_userns, + struct vfs_caps *vfs_caps, + const void *data, size_t size) { - struct inode *inode = d_backing_inode(dentry); __u32 magic_etc; - int size; - struct vfs_ns_cap_data data, *nscaps = &data; - struct vfs_cap_data *caps = (struct vfs_cap_data *) &data; + const struct vfs_ns_cap_data *ns_caps = data; + struct vfs_cap_data *caps = (struct vfs_cap_data *)ns_caps; kuid_t rootkuid; - vfsuid_t rootvfsuid; - struct user_namespace *fs_ns; - - memset(cpu_caps, 0, sizeof(struct vfs_caps)); - - if (!inode) - return -ENODATA; - fs_ns = inode->i_sb->s_user_ns; - size = __vfs_getxattr((struct dentry *)dentry, inode, - XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); - if (size == -ENODATA || size == -EOPNOTSUPP) - /* no data, that's ok */ - return -ENODATA; - - if (size < 0) - return size; + memset(vfs_caps, 0, sizeof(*vfs_caps)); if (size < sizeof(magic_etc)) return -EINVAL; - cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc); + vfs_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc); - rootkuid = make_kuid(fs_ns, 0); + rootkuid = make_kuid(src_userns, 0); switch (magic_etc & VFS_CAP_REVISION_MASK) { case VFS_CAP_REVISION_1: if (size != XATTR_CAPS_SZ_1) @@ -679,39 +666,178 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, case VFS_CAP_REVISION_3: if (size != XATTR_CAPS_SZ_3) return -EINVAL; - rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid)); + rootkuid = make_kuid(src_userns, le32_to_cpu(ns_caps->rootid)); break; default: return -EINVAL; } - rootvfsuid = make_vfsuid(idmap, fs_ns, rootkuid); - if (!vfsuid_valid(rootvfsuid)) - return -ENODATA; + vfs_caps->rootid = make_vfsuid(idmap, src_userns, rootkuid); + if (!vfsuid_valid(vfs_caps->rootid)) + return -EOVERFLOW; - /* Limit the caps to the mounter of the filesystem - * or the more limited uid specified in the xattr. + vfs_caps->permitted.val = le32_to_cpu(caps->data[0].permitted); + vfs_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable); + + /* + * Rev1 had just a single 32-bit word, later expanded + * to a second one for the high bits */ - if (!rootid_owns_currentns(rootvfsuid)) - return -ENODATA; + if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) { + vfs_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32; + vfs_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32; + } + + vfs_caps->permitted.val &= CAP_VALID_MASK; + vfs_caps->inheritable.val &= CAP_VALID_MASK; + + return 0; +} + +/* + * Inner implementation of vfs_caps_to_xattr() which does not return an + * error if the rootid does not map into @dest_userns. + */ +static ssize_t __vfs_caps_to_xattr(struct mnt_idmap *idmap, + struct user_namespace *dest_userns, + const struct vfs_caps *vfs_caps, + void *data, size_t size) +{ + struct vfs_ns_cap_data *ns_caps = data; + struct vfs_cap_data *caps = (struct vfs_cap_data *)ns_caps; + kuid_t rootkuid; + uid_t rootid; + + memset(ns_caps, 0, size); + + rootid = 0; + switch (vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) { + case VFS_CAP_REVISION_1: + if (size < XATTR_CAPS_SZ_1) + return -EINVAL; + size = XATTR_CAPS_SZ_1; + break; + case VFS_CAP_REVISION_2: + if (size < XATTR_CAPS_SZ_2) + return -EINVAL; + size = XATTR_CAPS_SZ_2; + break; + case VFS_CAP_REVISION_3: + if (size < XATTR_CAPS_SZ_3) + return -EINVAL; + size = XATTR_CAPS_SZ_3; + rootkuid = from_vfsuid(idmap, dest_userns, vfs_caps->rootid); + rootid = from_kuid(dest_userns, rootkuid); + ns_caps->rootid = cpu_to_le32(rootid); + break; - cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted); - cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable); + default: + return -EINVAL; + } + + caps->magic_etc = cpu_to_le32(vfs_caps->magic_etc); + + caps->data[0].permitted = cpu_to_le32(lower_32_bits(vfs_caps->permitted.val)); + caps->data[0].inheritable = cpu_to_le32(lower_32_bits(vfs_caps->inheritable.val)); /* * Rev1 had just a single 32-bit word, later expanded * to a second one for the high bits */ - if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) { - cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32; - cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32; + if ((vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) { + caps->data[1].permitted = + cpu_to_le32(upper_32_bits(vfs_caps->permitted.val)); + caps->data[1].inheritable = + cpu_to_le32(upper_32_bits(vfs_caps->inheritable.val)); } - cpu_caps->permitted.val &= CAP_VALID_MASK; - cpu_caps->inheritable.val &= CAP_VALID_MASK; + return size; +} + + +/** + * vfs_caps_to_xattr - convert vfs_caps to raw caps xattr data + * + * @idmap: idmap of the mount the inode was found from + * @dest_userns: user namespace for ids in xattr data + * @vfs_caps: source vfs_caps data + * @data: destination buffer for rax xattr caps data + * @size: size of the @data buffer + * + * Converts a kernel-internal capability into the raw security.capability + * xattr format. + * + * If the xattr is being read or written through an idmapped mount the + * idmap of the vfsmount must be passed through @idmap. This function + * will then take care to map the rootid according to @idmap. + * + * Return: On success, return the size of the xattr data. On error, + * return < 0. + */ +ssize_t vfs_caps_to_xattr(struct mnt_idmap *idmap, + struct user_namespace *dest_userns, + const struct vfs_caps *vfs_caps, + void *data, size_t size) +{ + struct vfs_ns_cap_data *caps = data; + int ret; + + ret = __vfs_caps_to_xattr(idmap, dest_userns, vfs_caps, data, size); + if (ret > 0 && + (vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3 && + le32_to_cpu(caps->rootid) == (uid_t)-1) + return -EOVERFLOW; + return ret; +} + +/** + * get_vfs_caps_from_disk - retrieve vfs caps from disk + * + * @idmap: idmap of the mount the inode was found from + * @dentry: dentry from which @inode is retrieved + * @cpu_caps: vfs capabilities + * + * Extract the on-exec-apply capability sets for an executable file. + * + * If the inode has been found through an idmapped mount the idmap of + * the vfsmount must be passed through @idmap. This function will then + * take care to map the inode according to @idmap before checking + * permissions. On non-idmapped mounts or if permission checking is to be + * performed on the raw inode simply pass @nop_mnt_idmap. + */ +int get_vfs_caps_from_disk(struct mnt_idmap *idmap, + const struct dentry *dentry, + struct vfs_caps *cpu_caps) +{ + struct inode *inode = d_backing_inode(dentry); + int size, ret; + struct vfs_ns_cap_data data, *nscaps = &data; + + if (!inode) + return -ENODATA; - cpu_caps->rootid = rootvfsuid; + size = __vfs_getxattr((struct dentry *)dentry, inode, + XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); + if (size == -ENODATA || size == -EOPNOTSUPP) + /* no data, that's ok */ + return -ENODATA; + + if (size < 0) + return size; + + ret = vfs_caps_from_xattr(idmap, inode->i_sb->s_user_ns, + cpu_caps, nscaps, size); + if (ret == -EOVERFLOW) + return -ENODATA; + if (ret) + return ret; + + /* Limit the caps to the mounter of the filesystem + * or the more limited uid specified in the xattr. + */ + if (!rootid_owns_currentns(cpu_caps->rootid)) + return -ENODATA; return 0; } From patchwork Wed Feb 21 21:24:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566384 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 74082128819; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=XmFZyYXmXVX50b8ufSxdjg3F1sN8kGvjB3m9VTxOLmBydO851FkizF7fp7Wp7xTu94KBDaTVFsRj5rjy1PI+PIHNuPCA05uWhhF8rBMeItvhD+Hc1vRbzqtAyZxUahaqDOcyAjnd6pnWDpH8ozBpr+E2hP6APVtw5/nR0FheoTE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=OhFFK2aqwLPE1WOUvtrX8svKCrxfnUe+iJ8IlWQVyNc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=tYB1YnHxIwzGatyRWOScTdI0L3OG9DXzJCi+ZQRK9OLaN+ftkwTAeoGXlwL5g7ucUtuMLqmcbJkJg/C0fjbkD/WC3KgAfiQyaz0TH2/LiyHMhRRbZaPDdefoHN3jl8cqfULtEEY7ZG/jwFOYrg/2CRwO0dyutrBdcRH91H6xiTE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=RZlkCZR8; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="RZlkCZR8" Received: by smtp.kernel.org (Postfix) with ESMTPS id 39E73C41679; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=OhFFK2aqwLPE1WOUvtrX8svKCrxfnUe+iJ8IlWQVyNc=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=RZlkCZR8EhACEKs533voXeKxdPegitqhuX3z+DURsKNsWzw1nUSRXg2qO1/O6bxVa hD7SyJbDNexmwxY61JfdIwdNgEW6W7AFebONEMq3JprI4reQniICejGasqx21vLFe8 dz/LgdGWyvQxSaMlRaqObz2+vDyr5myLud3DDlJs38QPVyyPnLD+RDini2/Yrpswhz W0l9eQB0jsOGpSmO6FLVQxpfGYwxztqIwdmwpEfvMJjJFLLERzKZHmKXYZGQ3vVtco 9mCq8U5hUgfCLcx/54VhcMsDn70tRVjAUfrxbSYtg6L1PV3X0t3uVI7zjwzETq+Ojj 3eh/MiuqF1P+A== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04FC0C54791; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:38 -0600 Subject: [PATCH v2 07/25] capability: provide a helper for converting vfs_caps to xattr for userspace Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-7-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=4882; i=sforshee@kernel.org; h=from:subject:message-id; bh=OhFFK2aqwLPE1WOUvtrX8svKCrxfnUe+iJ8IlWQVyNc=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moe+AhIBa2iFKus4HKFQ2il7?= =?utf-8?q?yas4jPP3dyS1+Ne_5Mxo69eJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqHgAKCRBTA5mu5fQxybNwB/_0Q84CMY/0WnJZlUjjtKZuKkVW2vuFaN8zeS?= =?utf-8?q?2QYvI/A8cu38Pd7o4lvanR9S9hXj4vl4S6oG1Mty8l9_rvg72P/DOk5fedO0P0xte?= =?utf-8?q?tekIGcH2ISDFUwuzWZV6bEEezmJxftYAfqlz43NxT/FQmhxVP0HxL/T7C_6axOrX9?= =?utf-8?q?+LATljuFCYBTlmEJxQYbvp8gb/zhITu0gcFUULQFVRJRLB6qe+6k4BQbXc9MO5E5Y?= =?utf-8?q?Q8d0NA_k+rEqS6CmssspC20ypVSjz2/p2jiq8s2SQRQOicbBpeL5eObtE35O2Aa2h?= =?utf-8?q?gGTIjwO9eFWGTjh3O3Ca?= xgnvBlVxCegczqxtnWEXgMFeBGeNVF X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 cap_inode_getsecurity() implements a handful of policies for capability xattrs read by userspace: - It returns EINVAL if the on-disk capability is in v1 format. - It masks off all bits in magic_etc except for the version and VFS_CAP_FLAGS_EFFECTIVE. - v3 capabilities are converted to v2 format if the rootid returned to userspace would be 0 or if the rootid corresponds to root in an ancestor user namespace. - It returns EOVERFLOW for a v3 capability whose rootid does not map to a valid id in current_user_ns() or to root in an ancestor namespace. These policies must be maintained when converting vfs_caps to an xattr for userspace. Provide a vfs_caps_to_user_xattr() helper which will enforce these policies. Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- include/linux/capability.h | 4 +++ security/commoncap.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) diff --git a/include/linux/capability.h b/include/linux/capability.h index a0893ac4664b..eb06d7c6224b 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -218,6 +218,10 @@ ssize_t vfs_caps_to_xattr(struct mnt_idmap *idmap, struct user_namespace *dest_userns, const struct vfs_caps *vfs_caps, void *data, size_t size); +ssize_t vfs_caps_to_user_xattr(struct mnt_idmap *idmap, + struct user_namespace *dest_userns, + const struct vfs_caps *vfs_caps, + void *data, size_t size); /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, diff --git a/security/commoncap.c b/security/commoncap.c index 7531c9634997..289530e58c37 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -791,6 +791,84 @@ ssize_t vfs_caps_to_xattr(struct mnt_idmap *idmap, return ret; } +/** + * vfs_caps_to_user_xattr - convert vfs_caps to caps xattr for userspace + * + * @idmap: idmap of the mount the inode was found from + * @dest_userns: user namespace for ids in xattr data + * @vfs_caps: source vfs_caps data + * @data: destination buffer for rax xattr caps data + * @size: size of the @data buffer + * + * Converts a kernel-internal capability into the raw security.capability + * xattr format. Implements the following policies required for fscaps + * returned to userspace: + * + * - Returns -EINVAL if the on-disk capability is in v1 format. + * - Masks off all bits in magic_etc except for the version and + * VFS_CAP_FLAGS_EFFECTIVE. + * - Converts v3 capabilities to v2 format if the rootid returned to + * userspace would be 0 or if the rootid corresponds to root in an + * ancestor user namespace. + * - Returns EOVERFLOW for a v3 capability whose rootid does not map to a + * valid id in current_user_ns() or to root in an ancestor namespace. + * + * If the xattr is being read or written through an idmapped mount the + * idmap of the vfsmount must be passed through @idmap. This function + * will then take care to map the rootid according to @idmap. + * + * Return: On success, return the size of the xattr data. On error, + * return < 0. + */ +ssize_t vfs_caps_to_user_xattr(struct mnt_idmap *idmap, + struct user_namespace *dest_userns, + const struct vfs_caps *vfs_caps, + void *data, size_t size) +{ + struct vfs_ns_cap_data *ns_caps = data; + bool is_v3; + u32 magic; + + /* Preserve previous behavior of returning EINVAL for v1 caps */ + if ((vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_1) + return -EINVAL; + + size = __vfs_caps_to_xattr(idmap, dest_userns, vfs_caps, data, size); + if (size < 0) + return size; + + magic = vfs_caps->magic_etc & + (VFS_CAP_REVISION_MASK | VFS_CAP_FLAGS_EFFECTIVE); + ns_caps->magic_etc = cpu_to_le32(magic); + + /* + * If this is a v3 capability with a valid, non-zero rootid, return + * the v3 capability to userspace. A v3 capability with a rootid of + * 0 will be converted to a v2 capability below for compatibility + * with old userspace. + */ + is_v3 = (vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3; + if (is_v3) { + uid_t rootid = le32_to_cpu(ns_caps->rootid); + if (rootid != (uid_t)-1 && rootid != (uid_t)0) + return size; + } + + if (!rootid_owns_currentns(vfs_caps->rootid)) + return -EOVERFLOW; + + /* This comes from a parent namespace. Return as a v2 capability. */ + if (is_v3) { + magic = VFS_CAP_REVISION_2 | + (vfs_caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE); + ns_caps->magic_etc = cpu_to_le32(magic); + ns_caps->rootid = cpu_to_le32(0); + size = XATTR_CAPS_SZ_2; + } + + return size; +} + /** * get_vfs_caps_from_disk - retrieve vfs caps from disk * From patchwork Wed Feb 21 21:24:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566385 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 95A761292F2; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=OUhjUqUp9GAagDE/p+8QTS7s6gMyuGFOZT58Kp08OSIDhHok3xTJPp07e0nedtkrVzyCp6V7Fh5U1P9Ekq8CaD7XetOwP2knhK3aVundWbkH/KRGrF4JvnjmEs7KwRbW+FtGa+qwQN0lKS7GgRi+wGMDM48l+HWKYfVenduRtOI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=MjPDmuGYxTwVV3XD9s9x96VSdlRd13Fx8UY16afoWLI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=dHBnN2FQAk/IZKQ+qavkZvjRz2BAu24srcaL3wQqWxH5JT0sxHYWSrkndUr/TFV9BK4d83pUBHACMm6VNHLi36D1l7oLePl+Uo8UrgvM4IvEs0Y5QeYjxTjCJbr47vlXPiBCke8XZl3kjBTE3yX1poXeih9vfVbyFRMkGAyNUEo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=G+32nzQs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="G+32nzQs" Received: by smtp.kernel.org (Postfix) with ESMTPS id 4790EC43390; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=MjPDmuGYxTwVV3XD9s9x96VSdlRd13Fx8UY16afoWLI=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=G+32nzQsv2yA6coHTy2HUa1t9RBiDR2AasBhQofnI4QyW/IVAwvXXtib5syKL9VI1 XYeuJazXkEnUDWxhHFfB30px/QQ4SZ/lM2CQjtlruAVC7gHMI5V339a0r19mU3WKr7 pxQFGREc7DUro23NFpTz4WpsaaqIhWsbSeSqXDix962HqnmSMg38nn8fZcH+cp4GpR y8cRFE8J63EdITcOIkUI6OFpmlgs0znPBuyzPWB2OFW4RKCYY32zWkqnziQ+o0/LDA mFAYc2ntRvNmb8wPKZXXv+G9IziYus6/LQ1MFu9rb5vtZr1bAxNPAGvKYyTt3yocWG RUyg3VTXWCdwA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36F87C5478B; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:39 -0600 Subject: [PATCH v2 08/25] xattr: add is_fscaps_xattr() helper Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-8-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=898; i=sforshee@kernel.org; h=from:subject:message-id; bh=MjPDmuGYxTwVV3XD9s9x96VSdlRd13Fx8UY16afoWLI=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mofpeDW0VRFpT+qzsFdS/fHW?= =?utf-8?q?j5IKuhck4JZotJG_3ni+RRWJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqHwAKCRBTA5mu5fQxyRAAB/_9E0ZBYKot+MRKSR27p0Kv0vDG4b1T8VUYNX?= =?utf-8?q?dxn7GTVrucCBGVtpVtqSyN8mJcxmFFj6dgjcjWE/8Fq_5ZjeTdXL+YyPRBKcf0KBr?= =?utf-8?q?bLryipvjsqSujzheGkbqC8maXAS3ScS4R+vuzpQuiMRBhwd432RWhFkRu_ALGbz9F?= =?utf-8?q?zAX6BGGK/+JaabY7XD/jynxRjg5i8POSN19q0OJlsOqUpYJrmjTusaT4lCzgC+6ix?= =?utf-8?q?XcwFzw_+z6fBZXxwGNAJ/G0yohMDqfv4/nS298M7iKZhieHyKr5Hz/dZ+rOFIiwoG?= =?utf-8?q?WzyRw8ccnmGTkNSWT3Dq?= Yxtsflp7R+yVNxyPqIPgRpugwoXtdA X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Add a helper to determine if an xattr time is XATTR_NAME_CAPS instead of open-coding a string comparision. Suggested-by: Amir Goldstein Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- include/linux/xattr.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/linux/xattr.h b/include/linux/xattr.h index d20051865800..cbacfb4d74fa 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -28,6 +28,11 @@ static inline bool is_posix_acl_xattr(const char *name) (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0); } +static inline bool is_fscaps_xattr(const char *name) +{ + return strcmp(name, XATTR_NAME_CAPS) == 0; +} + /* * struct xattr_handler: When @name is set, match attributes with exactly that * name. When @prefix is set instead, match attributes with that prefix and From patchwork Wed Feb 21 21:24:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566388 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BDC9129A66; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=PW9yPz5xZBz4e/8ZDHG/QhwWbmae9CMKl7ZJgv+I227ztFV24o4Gs3V7kWX7qepelMoaf7QobYEIiykOPw0EHbEBZLDvnl6LirdejzZUipxatoMkoUUd4pz/zFV7MqAH3ESgDW5AXovfUl19RviveDOeJ4HHw5oWF1GiG6Q83kY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=4t7VYe2pfzhO0kZ+94iPfJDYCD1vDaacDt9TOtFcBjg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZiN6/S4x5rCfz5ZDSdocvpHcrRS8Utix04RHxBfIV8QF5e1b1/48XanMunTdHIiUXYqmRh6aCQLsCPLZbrYXkKm2LYa+YTB1NXSs6qD53ABOPobqvqQiExl5x0sjoJBptMPadRvPl9xzm1dBwtSNIy0WFuUfr0qAl0ZoIQiJSXE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=H4NDZ9Yn; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="H4NDZ9Yn" Received: by smtp.kernel.org (Postfix) with ESMTPS id 56CF4C32781; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=4t7VYe2pfzhO0kZ+94iPfJDYCD1vDaacDt9TOtFcBjg=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=H4NDZ9Yn8LguadXM61Cv/+vC8MjNfXRmyxgNTVcyElmxvP+ZVw35iZ9BJ7IdwcyOr klDsbyltojrU0OZIrg8apY3dBD2mSdC9xU4iNyYTVOU+M7zy9hRPndMTn9IsdtNmGd +NGF0WBfpQ/oslQMoZB282va2ZI//vz8DD+t6UG5UTpaoI7rIHvvb7jfcDYEcaa+Mb giTO54jW/xYtFV4hilLZPOJpxEgkHYGZnrNk0IHVgTmsWiPXt0ryuHgHBoBoVoQ3bT oqSiQ+KhKGX5vi4s7hXECA+uIRFLqgZfgsuBoIokLmn0KsVR1p8kXZYZqesP1XLXpj NjPpJnOPGKXBg== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45A39C48BEB; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:40 -0600 Subject: [PATCH v2 09/25] commoncap: use is_fscaps_xattr() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-9-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=972; i=sforshee@kernel.org; h=from:subject:message-id; bh=4t7VYe2pfzhO0kZ+94iPfJDYCD1vDaacDt9TOtFcBjg=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mogZOFLFrTJHOsqMGqEXCfSc?= =?utf-8?q?BiIf9AXwC8KoSVV_frhhLcCJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqIAAKCRBTA5mu5fQxyQbxCA_CB/noEJJlpI9g151/fViGjdeWOgiQrNeYPr?= =?utf-8?q?agty6p9bGZUks5yPjNApObB+aefC+H5tKHvGXzIrbEB_n9MzhIumjZYNHrsibS1d5?= =?utf-8?q?sAG1Bwqgggfi9Sx3VOvIsDip4pg6NtDhmVtW5+Yt20+5GnTd/jGezJryP_a1EhXCI?= =?utf-8?q?xhToqhCm8BjKwufrx88FED6FORWo9DmD92IwhJWEvf6SQrnn5DKY/aXw9kF7Fzdce?= =?utf-8?q?VCDrAw_kxY/MZXXVqwEedLkAlP4Q3sx8JCqZPzpoVZj2Q7z9g1oNDJDGWXr/KWOlB?= =?utf-8?q?YRxWFr5V1dFQ0WXy9iP4?= Ig0HUzkQv1L68QjY8iH4SVVE9ldej/ X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- security/commoncap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 289530e58c37..19affcfa3126 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1205,7 +1205,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, * For XATTR_NAME_CAPS the check will be done in * cap_convert_nscap(), called by setxattr() */ - if (strcmp(name, XATTR_NAME_CAPS) == 0) + if (is_fscaps_xattr(name)) return 0; if (!ns_capable(user_ns, CAP_SYS_ADMIN)) @@ -1242,7 +1242,7 @@ int cap_inode_removexattr(struct mnt_idmap *idmap, XATTR_SECURITY_PREFIX_LEN) != 0) return 0; - if (strcmp(name, XATTR_NAME_CAPS) == 0) { + if (is_fscaps_xattr(name)) { /* security.capability gets namespaced */ struct inode *inode = d_backing_inode(dentry); if (!inode) From patchwork Wed Feb 21 21:24:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566387 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BD851292FF; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=E3HFdt8o9s0cxvn/tY9H5AjLk0foBJB39WHHBnVIkgItBL4aMFO4gxsC0v7gOF0XUJrQp0Fq9fSxX6VWjBzPPlxYaP3QEwRfYsO6JJvL/llPPTQyw+tu1/jNHGX33ZDYAKrcMOPDJuAozHwjuD/Fncl4PQxI6ZZKQmDey3jJn+0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=lEHQXdLzM8XZmLEljh/ycw/4aa43YTvfIWETR64S7L4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Mq6PcSOuxWw2NQO20b2/ULW/n/9jdn0BsA82pLQdmuYptzVcDf8RMeBfOK65tR3jUeHL1SRHHCaLIfIj8WZ9IH7zFRL7Fv7qBhnMFdwzo3lLXXhOj6SsXIYdnffy1ZxsjXfCSeKowAxC6Hb8LPjbbGcDjAyVJYWzj+ookU6xsZY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=UC2BZrnh; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="UC2BZrnh" Received: by smtp.kernel.org (Postfix) with ESMTPS id 662C0C32784; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=lEHQXdLzM8XZmLEljh/ycw/4aa43YTvfIWETR64S7L4=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=UC2BZrnh4lZXsjpnjx7aANMXeCVkZvoQtXOjOZOT8xxnq7bJsb0arNGCdzXPhB79M CRZgleKWNdeC+ZerEGDq2Q9NZr4JJau/CRBGKV0m/lNO/MgnJPlkC236U8Q1VUvwcE gekbp89+TKBF2TDd5vAbzCjWkLtYJE9MTac2VPDPKxvptO0t/JWF6u9r3k/XUCz/zU y9barmElKlj5vGlpuHAjm00yLb/7UoUvR3J0vRzDdrfJgiIw1WSmfltoAdvPvep33w BV2cIqgqZD2xLGRoYHm1KMpuySNQNViUrDL/TlyKPSYs655oBmI+NgnQJSxLLPR5/1 65LN77kcX4EuA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51D3BC54793; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:41 -0600 Subject: [PATCH v2 10/25] xattr: use is_fscaps_xattr() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-10-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=597; i=sforshee@kernel.org; h=from:subject:message-id; bh=lEHQXdLzM8XZmLEljh/ycw/4aa43YTvfIWETR64S7L4=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mohq2XZVoBy8FgqIjMltMFNu?= =?utf-8?q?zAWaj/Pn1Cc2fiJ_PO+HZrOJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqIQAKCRBTA5mu5fQxyQ77B/_9KzJ+i0X5eDYLpwTJQmYMCRqYN6k0Iuk1pw?= =?utf-8?q?bpwXjF9ph8I+iLw/R/XYDD3yf025kbMHTCQC+Z0TYiw_Wh64DvoVlVS+FkNp+7sCJ?= =?utf-8?q?ETr3Lmx3gEs2vJNh+zIRRm9awNuEhnAezPVeOC9vXAOEB4vxQMJwWjjNG_apBxkgO?= =?utf-8?q?4CvmpusSXAZOJhK6Uo5XqCiEgjcl0DXRtnMbTph6y2KmqFVanvM1qba2HEXNFpL87?= =?utf-8?q?fAwpST_UDykJ5pSN8a964iteXDvWw/PLqFS33BKI9sLHcykFsgV4nTYUWM+hpTJJV?= =?utf-8?q?1rOFRiE2YRaSB35mPMvF?= 52ifUub/2VOnPAqvb376YvVerDPSZW X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- fs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xattr.c b/fs/xattr.c index 09d927603433..06290e4ebc03 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -310,7 +310,7 @@ vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const void *orig_value = value; int error; - if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { + if (size && is_fscaps_xattr(name)) { error = cap_convert_nscap(idmap, dentry, &value, size); if (error < 0) return error; From patchwork Wed Feb 21 21:24:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566389 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B53DB12A159; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=Hhr/StRxHc3WsK2BxTkX0KRd+v3FRga5bJuGpWPjuU/aldbaUUz7WrcHeLO5+IHS1QkwzSz/ues9CHEKj8Kiwyz9h8hRy6GeGqphwY4qvDZ+kjdjKTC3XAqoRGlXEAArTy0Tv/IZWsydkqSEKRXXoBe3eo/PhI7g1WydDLRDx7w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=bU1CcTjoAErUmCcImLT8MBeG6twr7o4CKTQE5qVrAgQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=R98W8t02rueguCO9l1ED1Zjm15qEUJfB5zTXEQztggDkyLx9HjvMHiT/cH/tMSZkJzJrHfPhDSaUDdHO12F7sN9d2brJhL1kC83EYAW7lE7CHXMdxnu6MNYaWYiT73M5oQQpm2kK6mCmQcMaYpY4JQzHKH+VlgZx0r1DFF6+W90= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FcGjqVa6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FcGjqVa6" Received: by smtp.kernel.org (Postfix) with ESMTPS id 787C8C32785; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=bU1CcTjoAErUmCcImLT8MBeG6twr7o4CKTQE5qVrAgQ=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=FcGjqVa6LFtv3wIisQX3ULDicQYa/7JUNgjsOxVOxVbBN2XRKtt4vccq6xj9Gg/UL 5W+QHPa31Tm++/4yeexKz1kIqJWieCefTCFEudO9BXLtaxfQ56UTNPEKKXwFOECfG0 zaxRPGXu6muDcX8/b2TWgdd++UA+Jv8tMmcuP7dZUhlshRqWZWnxUUceHir+xqAXNL /4Z/kBljMAkI3uBcjW2ihJRj0Z3WARjJKDXjYVmtXOC8oje28yVXhxoAoAEtkIumOt PkCru4mDI9qYc3RH/TkC/DUCv/G5BSkUKupMfd8XJszSZMRYhatK4ijIx3sWYNSG/1 rXQxNtC4NzCyA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64819C5478B; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:42 -0600 Subject: [PATCH v2 11/25] security: add hooks for set/get/remove of fscaps Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-11-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=6068; i=sforshee@kernel.org; h=from:subject:message-id; bh=bU1CcTjoAErUmCcImLT8MBeG6twr7o4CKTQE5qVrAgQ=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moiOmBWOkW3C2D6watYerA1n?= =?utf-8?q?6u6GpH/leMlBqw7_WLNKqEiJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqIgAKCRBTA5mu5fQxyX4hB/_4gHtUbOV115lPuC//xfy9D4S1XJ5dcZzKpX?= =?utf-8?q?27IoQgRAB8iadS9qTPZMY9JzN+fEAEJjKFFAFM94cF0_rLytBPDiTKSoKBhm83DGI?= =?utf-8?q?fLJyy9gdXXFGXFzmy5MzY4VkuLjCzBltyOieqCT8M64K49wiTDIWCrTku_mf3oZbj?= =?utf-8?q?kX8CKEyWzC5OjK08smBtBMLPrNQbDTlb5J2i75XOVmI2yrPuZMCJojB8IN39jKaJ8?= =?utf-8?q?UX3Hjc_HElICYbTk+WAYh9ZuZUpzzyo7IEH0c3YjbR8PLFH7Xg0ZTT5jPH6Ccksrf?= =?utf-8?q?7oNmjUcAAUf7e/S7Xd7K?= vW7wHQVxNqrw0G7gjCWEoB0nJW9wrt X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 In preparation for moving fscaps out of the xattr code paths, add new security hooks. These hooks are largely needed because common kernel code will pass around struct vfs_caps pointers, which EVM will need to convert to raw xattr data for verification and updates of its hashes. Signed-off-by: Seth Forshee (DigitalOcean) Acked-by: Paul Moore Reviewed-by: Christian Brauner --- include/linux/lsm_hook_defs.h | 7 +++++ include/linux/security.h | 33 +++++++++++++++++++++ security/security.c | 69 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 76458b6d53da..7b3c23f9e4a5 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -152,6 +152,13 @@ LSM_HOOK(int, 0, inode_get_acl, struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name) LSM_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name) +LSM_HOOK(int, 0, inode_set_fscaps, struct mnt_idmap *idmap, + struct dentry *dentry, const struct vfs_caps *caps, int flags); +LSM_HOOK(void, LSM_RET_VOID, inode_post_set_fscaps, struct mnt_idmap *idmap, + struct dentry *dentry, const struct vfs_caps *caps, int flags); +LSM_HOOK(int, 0, inode_get_fscaps, struct mnt_idmap *idmap, struct dentry *dentry); +LSM_HOOK(int, 0, inode_remove_fscaps, struct mnt_idmap *idmap, + struct dentry *dentry); LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry) LSM_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap, struct dentry *dentry) diff --git a/include/linux/security.h b/include/linux/security.h index d0eb20f90b26..40be548e5e12 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -378,6 +378,13 @@ int security_inode_getxattr(struct dentry *dentry, const char *name); int security_inode_listxattr(struct dentry *dentry); int security_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name); +int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int flags); +void security_inode_post_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags); +int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry); +int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry); int security_inode_need_killpriv(struct dentry *dentry); int security_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry); int security_inode_getsecurity(struct mnt_idmap *idmap, @@ -935,6 +942,32 @@ static inline int security_inode_removexattr(struct mnt_idmap *idmap, return cap_inode_removexattr(idmap, dentry, name); } +static inline int security_inode_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, + int flags) +{ + return 0; +} +static void security_inode_post_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, + int flags) +{ +} + +static int security_inode_get_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + return 0; +} + +static int security_inode_remove_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + return 0; +} + static inline int security_inode_need_killpriv(struct dentry *dentry) { return cap_inode_need_killpriv(dentry); diff --git a/security/security.c b/security/security.c index 3aaad75c9ce8..0d210da9862c 100644 --- a/security/security.c +++ b/security/security.c @@ -2351,6 +2351,75 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, return evm_inode_remove_acl(idmap, dentry, acl_name); } +/** + * security_inode_set_fscaps() - Check if setting fscaps is allowed + * @idmap: idmap of the mount + * @dentry: file + * @caps: fscaps to be written + * @flags: flags for setxattr + * + * Check permission before setting the file capabilities given in @vfs_caps. + * + * Return: Returns 0 if permission is granted. + */ +int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return 0; + return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); +} + +/** + * security_inode_post_set_fscaps() - Update the inode after setting fscaps + * @idmap: idmap of the mount + * @dentry: file + * @caps: fscaps to be written + * @flags: flags for setxattr + * + * Update inode security field after successfully setting fscaps. + * + */ +void security_inode_post_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return; + call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); +} + +/** + * security_inode_get_fscaps() - Check if reading fscaps is allowed + * @dentry: file + * + * Check permission before getting fscaps. + * + * Return: Returns 0 if permission is granted. + */ +int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return 0; + return call_int_hook(inode_get_fscaps, 0, idmap, dentry); +} + +/** + * security_inode_remove_fscaps() - Check if removing fscaps is allowed + * @idmap: idmap of the mount + * @dentry: file + * + * Check permission before removing fscaps. + * + * Return: Returns 0 if permission is granted. + */ +int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return 0; + return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); +} + /** * security_inode_post_setxattr() - Update the inode after a setxattr operation * @dentry: file From patchwork Wed Feb 21 21:24:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566386 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9BA1129A8D; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=hlK3VS9pe3vS8yvfj6p1JgKAw1i++EvxUKM9r2uLCFfTawzXh1aUUYaxcEPaZtN8NDRjnFibz2GGFQ2bXtodeT4ciDAqwiKcCqdT+e/ffwwnZxNaGirOogw/ACLF/zusf48N+svsZwe6IbRVA9tEvFvTxfnVK/EudO6j+r1yjlc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=pUWNt9mRsWKZJ1yXibvTabhp6NyYRplMYf4ol2PV1qs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=myVhcc/Iz1ClZYr66H2sFLie8UTmCTDeYLHO1hr/dkFtGfOEcZS/XNdx+mdZrgR70f8Lrk8tG+fa9H9PIwC0fHG3aafF0Ju/vNWwx/GV9M9nfBIgOpp6TlJ/0Vua29DjZbxlKQ4m0WwL+As7HkdlNUY4K33S/feof2s/W/SHS40= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OE5GYKrN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OE5GYKrN" Received: by smtp.kernel.org (Postfix) with ESMTPS id 88E21C3278A; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=pUWNt9mRsWKZJ1yXibvTabhp6NyYRplMYf4ol2PV1qs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=OE5GYKrNXbhCRoyzeq1Uxwh+7AvoyiVU4RFHWWAkBoyH2PSfR8louMEYypCkFSBHp /QK88SLmFCXh8vrQRwW+V2vYmQew9jhciIYuZIwtD6xTZjSIyY1SE3xc655mOeYw1K fw6eKTosn8jH4AMfW10Lsbdwxj/xat0kDSqrBjrzfKG+wqDiStz/Dt/Wvp0ddA9006 TWwXHU7e+0tqwxbmUtQi3P2onMllhLHQvTIIMzq1bttKhrawupE4GXNXfGp+rOVXV9 kheVg+z1IPObzaqroVcFaD9glXefaelF990s79FRkFSxhQabeAsHZZj5NNSuc2QG4P QLQVMHn9/W5BA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76D09C5478C; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:43 -0600 Subject: [PATCH v2 12/25] selinux: add hooks for fscaps operations Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-12-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=2028; i=sforshee@kernel.org; h=from:subject:message-id; bh=pUWNt9mRsWKZJ1yXibvTabhp6NyYRplMYf4ol2PV1qs=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mojvJhyZw9emud3TEu0eTTg0?= =?utf-8?q?ZvRpxQbx/wYTlv3_1foWLWqJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqIwAKCRBTA5mu5fQxyUwiB/_94Hwww+Nvwr2i0mm92V1m/muLDxNZ3ichSg?= =?utf-8?q?SbVTXRmFnGLWiqqjMZl3IjV8bIU9kY0uE4x7zfEpBpX_rTcdD3t9JeMPtm8WcBoFc?= =?utf-8?q?lqIlyRYkgBIkPLFiY2Vb+GmlW/HPp0p7gXrkdXLnqRb2JLOEGjY3ReRrm_gx2B15b?= =?utf-8?q?lpH1tEHAitlNwTMg6Wlt+MkUqvPIXsiYP4hseEFG3GRmrmtLK8VDfPFmy0HO4Mkay?= =?utf-8?q?GhMzDS_piT9CYjbYEIlnSpJFWwC7agQMDtzoUNqlU4zRIOSjOTGd+/O8lHnI0mqol?= =?utf-8?q?xe+jhCS0DXiQ3StnEUTj?= AJXJqyr0z/OYbUCf//HFYSGghhbxur X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Add hooks for set/get/remove fscaps operations which perform the same checks as the xattr hooks would have done for XATTR_NAME_CAPS. Signed-off-by: Seth Forshee (DigitalOcean) --- security/selinux/hooks.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..da129a387b34 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3367,6 +3367,29 @@ static int selinux_inode_removexattr(struct mnt_idmap *idmap, return -EACCES; } +static int selinux_inode_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + +static int selinux_inode_get_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); +} + +static int selinux_inode_remove_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + int rc = cap_inode_removexattr(idmap, dentry, XATTR_NAME_CAPS); + if (rc) + return rc; + + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + static int selinux_path_notify(const struct path *path, u64 mask, unsigned int obj_type) { @@ -7165,6 +7188,9 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), + LSM_HOOK_INIT(inode_set_fscaps, selinux_inode_set_fscaps), + LSM_HOOK_INIT(inode_get_fscaps, selinux_inode_get_fscaps), + LSM_HOOK_INIT(inode_remove_fscaps, selinux_inode_remove_fscaps), LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), From patchwork Wed Feb 21 21:24:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566390 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C577212AACD; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; cv=none; b=IHNZD6d39L87TCy94cWelc33WtjygsZ0xr1PBrYKxK7if0yUx4JyzPKrinCJd4vh1l8IAw50RWqvPAb4L5wtGGLojCpv/g8881Qts1rXwR01C84mKsVJsJ+wCAdUXGKB+RQu3gNzokSxI7NIXSBTFKWkDvTTBzw+LfLaS6tlO6E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550706; c=relaxed/simple; bh=YiCWnmvB8338QqWiqSd4eJ/jOoBDPxjCWf8ETipJD0I=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=akAcypcQxT6ZiaFrOTP/g/cWCqiY7eFXCr5a5oNEHRT8HM99wRgr66l/vsepBhDAN+NtIAOROtw0RDx/l9IAPgBIz0R0ms5PzrXzMqRz0Wciw0QmaOBgBIxn+KRvTbzdZqyvqyzfVBcsblmDRsKBlsD69oHKKSOM0VI7leJTdg8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PDKdLcLA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PDKdLcLA" Received: by smtp.kernel.org (Postfix) with ESMTPS id 9CD28C3278C; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=YiCWnmvB8338QqWiqSd4eJ/jOoBDPxjCWf8ETipJD0I=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=PDKdLcLANpifEiadIoWlJMyghRFtRhfHhPnLCDlmoF9CpDfb3TjWhrTzGIU/Wpz9U lIrdLZr+Zm1PHC17yDX79paaM5tsJ7NiwiBNfLdHj1o94zBqB4JBXHMVMqPZagmkRE X5T5YIA58J1NPm32Q19UguByGYvoS31Pif76BDl/jJgbUKjljzVqzDwEWuGIj7z0JE Q0uYK7UhKkAuFddDuuBrsjjZ+xRqcN+64ggZh8XRl7Fk/Nxuu0foiy8jn8w/+M89CX Uc+8vcTLrl7Ws+2GJAyH9cgg4J2tFXM0JkhaJAQ97zLf495Cb/p2ioXvFr8VjIocKu DE4eLm26q/HyA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89496C48BEB; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:44 -0600 Subject: [PATCH v2 13/25] smack: add hooks for fscaps operations Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-13-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3419; i=sforshee@kernel.org; h=from:subject:message-id; bh=YiCWnmvB8338QqWiqSd4eJ/jOoBDPxjCWf8ETipJD0I=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mokwpT6Wd5LYVT0NdW4vUmGJ?= =?utf-8?q?H9U+1d+cLjm5vxy_ILld6IGJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqJAAKCRBTA5mu5fQxyRbFB/_99rEgJl1COtBpH35uJRkwXLKAW2bI3ehYcq?= =?utf-8?q?wDZaWHYMV9allq0ZPBy2JON08GqXpiydvLVO/Ln9mCh_rrBTyNabTPZ5+6inOHWHz?= =?utf-8?q?Yen+5m4e//T+aD3C35Iu+fYOp1VWDMreKV9CBPDc+o7smjDrcwTT5U3HU_T+MiwUE?= =?utf-8?q?lmV0hrCl9mx1x6ZQ+OZDxR0wxJWjByWHuSobI8LpfwHLfOtNvETMAFmzDNRcoKxdH?= =?utf-8?q?lFIdgb_mLUONM0sKkjjuohgodnMIV64F6StQ4LkZuRqT/sMkNOSOPTPg69udW4Cj0?= =?utf-8?q?fS+JLVxodaQqo5+IAO07?= HkN+gK7eFDKtfF0Q+djswLOfkjsTiZ X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Add hooks for set/get/remove fscaps operations which perform the same checks as the xattr hooks would have done for XATTR_NAME_CAPS. Signed-off-by: Seth Forshee (DigitalOcean) --- security/smack/smack_lsm.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0fdbf04cc258..1eaa89dede6b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1530,6 +1530,74 @@ static int smack_inode_remove_acl(struct mnt_idmap *idmap, return rc; } +/** + * smack_inode_set_fscaps - Smack check for setting file capabilities + * @mnt_userns: the userns attached to the source mnt for this request + * @detry: the object + * @caps: the file capabilities + * @flags: unused + * + * Returns 0 if the access is permitted, or an error code otherwise. + */ +static int smack_inode_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + struct smk_audit_info ad; + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); + return rc; +} + +/** + * smack_inode_get_fscaps - Smack check for getting file capabilities + * @dentry: the object + * + * Returns 0 if access is permitted, an error code otherwise + */ +static int smack_inode_get_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + struct smk_audit_info ad; + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); + return rc; +} + +/** + * smack_inode_remove_acl - Smack check for removing file capabilities + * @idmap: idmap of the mnt this request came from + * @dentry: the object + * + * Returns 0 if access is permitted, an error code otherwise + */ +static int smack_inode_remove_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry) +{ + struct smk_audit_info ad; + int rc; + + rc = cap_inode_removexattr(idmap, dentry, XATTR_NAME_CAPS); + if (rc != 0) + return rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); + return rc; +} + /** * smack_inode_getsecurity - get smack xattrs * @idmap: idmap of the mount @@ -5045,6 +5113,9 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), + LSM_HOOK_INIT(inode_set_fscaps, smack_inode_set_fscaps), + LSM_HOOK_INIT(inode_get_fscaps, smack_inode_get_fscaps), + LSM_HOOK_INIT(inode_remove_fscaps, smack_inode_remove_fscaps), LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), From patchwork Wed Feb 21 21:24:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566391 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D598712AAE2; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=bxM94GCzQ6Qi8Oqgyl3TXv3uJYZ9iMhg/RGGlvSPa+TAp14XczAA2Ous2lD0nBlkzGMnR497dyekF3NdkT/FhSNMTs6NzHzN9r8izkAS/bWt3W0IPYYHdjlUCecZV/BorsvcGPMMLAXfAPTxnRi9GDSowapVC60YNn9Y/qDM0V4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=Yr3ph0XCYOXrp9CXWdQMd7IWQbhJjbtCnaMZrcY53gY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bw/i2eZcirMgisYTFexaGG9ezqUkiUYSYFEU+WtPovHo4VU8V3IqA05fTFXLS+DN4TvL2cEnJLSvjX0TOWdEzpSuz5fHhCvBZaJx7MfK8b9lM00FIad3Jy99EUTXQrsRps9bBdoc4YQaaye80Lw9V9zYqnj0ga/oJN3aFUq5ljw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lzqK00wH; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lzqK00wH" Received: by smtp.kernel.org (Postfix) with ESMTPS id B5D8FC32790; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=Yr3ph0XCYOXrp9CXWdQMd7IWQbhJjbtCnaMZrcY53gY=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=lzqK00wHaspxkj8s4YixHYBHO5uRXAEZjNOy9Tt0Z+zVFhBNoRvYu/G86zief0nKx DOC8vrh8C8IjEHbdu7wwreh1NNB3LwwbqMH0XaZWH+IykU6H5BTj1w/GUbwEY07O5Z pvwC+B2b6olS/XcTYKLHEbL6kmg/L1ovWhiGt+wN7z3/EUgIDJm5CNvALRd0UvLCPr YN7WDcK0FDtDVAfriM9B0F3WsZlZvlWdTcQPII7bNMfNd41fGQdq/VjOUrAZzeTnvH ZJaeZRN5maBuF9hI2NOJ5ijYh2cBqpS/xIahdqiP82EiiWzznvttVF2LXIWeD/RRi7 EhxIDDDI3G5bw== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E1A0C54791; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:45 -0600 Subject: [PATCH v2 14/25] evm: add support for fscaps security hooks Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-14-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=4327; i=sforshee@kernel.org; h=from:subject:message-id; bh=Yr3ph0XCYOXrp9CXWdQMd7IWQbhJjbtCnaMZrcY53gY=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mol25TRgD1iHEn0O+Lzt/PUv?= =?utf-8?q?oaNtWltRiGhhXzf_m3QV75SJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqJQAKCRBTA5mu5fQxyS9CB/_9kSIwlWp/cTH5n9oXEiY7IRY7QctvMWegFy?= =?utf-8?q?imx7di5G0HHXG0GkFzYw+GCyZNDCVL5R5AuZIagZMKH_cytRQKwJZdn+UxoBt7VxR?= =?utf-8?q?cVA0NXxcM5vRXXYDzuNpVQNmbfH5HvHaFvaIDzOEYFmJqsIW/jaxzfWVB_RjglGLz?= =?utf-8?q?pDryq2M/ZCsQx9KBTGmEwTBnxzalQNyrtvXgG4UHhg2ZBqBAWhD3SNXDCf7Ii95JG?= =?utf-8?q?mya1vE_xyBqVMzbjM3/l+t7NBgQWvLHaHz7A3od4uGdwyYRfroyU95TFJcCTgcv4b?= =?utf-8?q?gK682Ja2e9Zo3X4dw5Wp?= Ka5r0Q2dpUgYDHMm+pijpjRjRaNrcP X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Support the new fscaps security hooks by converting the vfs_caps to raw xattr data and then handling them the same as other xattrs. Signed-off-by: Seth Forshee (DigitalOcean) --- include/linux/evm.h | 39 +++++++++++++++++++++++++ security/integrity/evm/evm_main.c | 60 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) diff --git a/include/linux/evm.h b/include/linux/evm.h index 36ec884320d9..aeb9ff52ad22 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -57,6 +57,20 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, { return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); } +extern int evm_inode_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags); +static inline int evm_inode_remove_fscaps(struct dentry *dentry) +{ + return evm_inode_set_fscaps(&nop_mnt_idmap, dentry, NULL, XATTR_REPLACE); +} +extern void evm_inode_post_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags); +static inline void evm_inode_post_remove_fscaps(struct dentry *dentry) +{ + return evm_inode_post_set_fscaps(&nop_mnt_idmap, dentry, NULL, 0); +} int evm_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, @@ -164,6 +178,31 @@ static inline void evm_inode_post_set_acl(struct dentry *dentry, return; } +static inline int evm_inode_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + return 0; +} + +static inline int evm_inode_remove_fscaps(struct dentry *dentry) +{ + return 0; +} + +static inline void evm_inode_post_set_fscaps(struct mnt_idmap *idmap, + struct dentry *dentry, + const struct vfs_caps *caps, + int flags) +{ + return; +} + +static inline void evm_inode_post_remove_fscaps(struct dentry *dentry) +{ + return; +} + static inline int evm_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index cc7956d7878b..ecf4634a921a 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -805,6 +805,66 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) evm_update_evmxattr(dentry, xattr_name, NULL, 0); } +int evm_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + struct inode *inode = d_inode(dentry); + struct vfs_ns_cap_data nscaps; + const void *xattr_data = NULL; + int size = 0; + + /* Policy permits modification of the protected xattrs even though + * there's no HMAC key loaded + */ + if (evm_initialized & EVM_ALLOW_METADATA_WRITES) + return 0; + + if (caps) { + size = vfs_caps_to_xattr(idmap, i_user_ns(inode), caps, &nscaps, + sizeof(nscaps)); + if (size < 0) + return size; + xattr_data = &nscaps; + } + + return evm_protect_xattr(idmap, dentry, XATTR_NAME_CAPS, xattr_data, size); +} + +void evm_inode_post_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int flags) +{ + struct inode *inode = d_inode(dentry); + struct vfs_ns_cap_data nscaps; + const void *xattr_data = NULL; + int size = 0; + + if (!evm_revalidate_status(XATTR_NAME_CAPS)) + return; + + evm_reset_status(dentry->d_inode); + + if (!(evm_initialized & EVM_INIT_HMAC)) + return; + + if (is_unsupported_fs(dentry)) + return; + + if (caps) { + size = vfs_caps_to_xattr(idmap, i_user_ns(inode), caps, &nscaps, + sizeof(nscaps)); + /* + * The fscaps here should have been converted to an xattr by + * evm_inode_set_fscaps() already, so a failure to convert + * here is a bug. + */ + if (WARN_ON_ONCE(size < 0)) + return; + xattr_data = &nscaps; + } + + evm_update_evmxattr(dentry, XATTR_NAME_CAPS, xattr_data, size); +} + static int evm_attr_change(struct mnt_idmap *idmap, struct dentry *dentry, struct iattr *attr) { From patchwork Wed Feb 21 21:24:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566398 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EEBFF12B176; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=nvK7NW0t3P35Ozc+byRM6qG0k1I5fm0Mx+SAORJbtZu31DwFeafs+K0A3k5hf3825pWO0QKtLMuwGqP/EU+sLopTb7FncyGKPcSdNUDhdB/KC5KKA1ygK7Wf7lh0Wx3uSQFPFzS8NuybOHRChlGlcFB38LLSSMIJsjJglr1BZC0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=CJx4jVGIRqQ1qdmTj2y9zLMKH38BdGpPQGSp5yBCQqY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=RsSjfPSZE4aHzTEE1oVRx7CuTu3dE7UH05dTc66Nh9j45hHpH8G3mnn3MC0dnM1hDJnxQhgR0IsJcCDjD2vVyAGXoUZK/zbVpptTfPypISd4uoVcayc5zsIu8xRSJ+DdI4QGc2wUWoEPgYrZktaZD8ZaX122lO8gwihHQJ1NUJM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ScFEMz6F; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ScFEMz6F" Received: by smtp.kernel.org (Postfix) with ESMTPS id CB04AC32795; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=CJx4jVGIRqQ1qdmTj2y9zLMKH38BdGpPQGSp5yBCQqY=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ScFEMz6FlokZomeuAvsLqnXQTflRHEh6BIQBe96Ib9pULn8Wj4+DpC7Xfs8aTexs7 qTiVdQUGtX+RU3zggTNkWmIrVpcMUO6N+cwr43fGo9nWV/a5PLS4ItLlRmU9FbrqIB 5Fqw36ofvD0sLbq9fFeIkUSaRu2bFetOjiQk+SpXaVH/bo3+jCjulvqWK0vKRULblx 2LRZiCwub+3/tki2vXE72U2ySzZt7yQa0Fh+FnnVf6+9pIJpgArXMkOTlvYnR1Yx2p pMyEmo3Yf/KuwhCrM2ulibMDJ6mZDj1XgQCNFQHu4B3b7bRKxg/Rx4wNmsitGS/MvI AzKnC3SypEVcw== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7938C48BEB; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:46 -0600 Subject: [PATCH v2 15/25] security: call evm fscaps hooks from generic security hooks Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-15-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=1658; i=sforshee@kernel.org; h=from:subject:message-id; bh=CJx4jVGIRqQ1qdmTj2y9zLMKH38BdGpPQGSp5yBCQqY=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1molI6sVtDD31t+ZdHf1WoPke?= =?utf-8?q?0imykwNoYOzlcEa_MLxxYsqJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqJQAKCRBTA5mu5fQxyUmKB/_sG1SON2b9GiN9agwuQ8lNxw2IHmhmbxgz33?= =?utf-8?q?hhQ2tViUIItDAJSIkNy5i0HyqiJgPzP/w1VR+NSBYZ3_rze6gn/V7wNsI6T4BHcLg?= =?utf-8?q?Xfr/PP7enV45rcBxOGWDoeBgrvhVY2RIIRwv0+5nKw+ZUUoxMJyIXsguH_AQe19vJ?= =?utf-8?q?zujrIFbKdZ5VySsugJ5uN9keqsl3z8Qth5BpJ4cml1+ab/U3rPxAwFa/t2OH6DxBK?= =?utf-8?q?RvYF0c_GVb+YvhlZ+LDNcy1vbiuUqcuEeEatxNwdefLfn1dBPKNGW6/nY86XhjMB6?= =?utf-8?q?6KBqJqPp/VEC20A/hPcB?= ne6Sf/61X39xbpD+uZnRFwaVm9Ag8L X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Signed-off-by: Seth Forshee (DigitalOcean) --- security/security.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/security/security.c b/security/security.c index 0d210da9862c..f515d8430318 100644 --- a/security/security.c +++ b/security/security.c @@ -2365,9 +2365,14 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, const struct vfs_caps *caps, int flags) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); + ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); + if (ret) + return ret; + return evm_inode_set_fscaps(idmap, dentry, caps, flags); } /** @@ -2387,6 +2392,7 @@ void security_inode_post_set_fscaps(struct mnt_idmap *idmap, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return; call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); + evm_inode_post_set_fscaps(idmap, dentry, caps, flags); } /** @@ -2415,9 +2421,14 @@ int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) */ int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); + ret = call_int_hook(inode_remove_fscaps, 0, idmap, dentry); + if (ret) + return ret; + return evm_inode_remove_fscaps(dentry); } /** From patchwork Wed Feb 21 21:24:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566399 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D3AD12BF0F; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=pdajl6wYkBzPyiMzyffaAdo2a2g4HoGH4SggB5dArf1PsR5hnZvRwNkMLBMYOV55ZMMSx4C+q3X2qMRMxcT6Ww/32YCpZczYGKDIhjXYl7evJb2IWhlgnaSUuorSzEjvBGlXO2MN2LNTBMk1orMmf7B2gCf48hYsx9qLueksybk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=yjTkC6GQSOdkd/yofwHxTRqqG6BMoKBOmSs9mRH3lD0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=XTpGiLNixfm/+/KN9pL+Qc6kLBPkX7Ro9C22ZGcFlN+FuPBr2G6xm7SNzTlu6l6t7BalBmU4Je9ZVnEezJR8QUUyjyKDQdNqAFeOPC8H2V7pDjZOT9zDaYaUP45YrGEkT6lwdm04uHT/W246SLhO/VGgq3PqKyuBOAPWfM8h3LU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=P7RtPOwF; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="P7RtPOwF" Received: by smtp.kernel.org (Postfix) with ESMTPS id DF4CFC32794; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550706; bh=yjTkC6GQSOdkd/yofwHxTRqqG6BMoKBOmSs9mRH3lD0=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=P7RtPOwFXQfE4KiawGw7UD+AwPubpqVY0iIJcNPerSUBJL36yOifCmQi+HqGF16Cp A8ZpZ/BFTcBqXIpcRIh7IFE+n9k72v3i2I00Un+TNBvYxin8X7EwdZJogNd0QQqMed WOMMpToeKNHRSt6dAAHWUWllAjzc9dEGVP2P3TzYw+HIps3qPMPCs7VJ6MQ+Fb3Moi OBtqAV/6HFxUjipd3IewCctX792BSLaICcJijN/K3cYuNOSR8rJekeaofXqNh+qrJI B6f8RWwZX+YIXmYzLi0QFAkgzTE44Wji71wP7ulDPF6PXLzGKTTrJkLnWJlQSLwaTn au2a08gbKlnPQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C9FD7C5478C; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:47 -0600 Subject: [PATCH v2 16/25] fs: add inode operations to get/set/remove fscaps Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-16-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3842; i=sforshee@kernel.org; h=from:subject:message-id; bh=yjTkC6GQSOdkd/yofwHxTRqqG6BMoKBOmSs9mRH3lD0=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1momcOrJrmhhvfSlvseUc5Zkz?= =?utf-8?q?jX47oXe/xbCoMiA_8Fhev46JATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqJgAKCRBTA5mu5fQxyTg8B/_4pdFVXDzplj+s5uQiNwRqie7BpHWe3tIOvD?= =?utf-8?q?iVGDv576tfzBZUMOtKIm4/hiistj+rni3+bxxxwy1bZ_h2v2QzDZVJACen4oBtiHh?= =?utf-8?q?n0ushKMMxAvjSU7gdjX2S93lwm7Zohpkq/zf/lVpj4tqQyk0Y8m+qcThW_YSWAFw6?= =?utf-8?q?66PemdoaOc3QKfeORxCuCimtGEScFebmaQXGK/fwUz6wQxVfIG+BzsMs4ZMK32RRt?= =?utf-8?q?T8y+cI_uKeQCrUVe1DzsTGff5EIdRfwgo5m+3LEV/8lmR4ZceA2pKeEJfJ0OuFbvh?= =?utf-8?q?f3JV0P3lbi/mcCDdcZdT?= SZkQ1U89qyGJRlXpcGom2dKvclDCVV X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Add inode operations for getting, setting and removing filesystem capabilities rather than passing around raw xattr data. This provides better type safety for ids contained within xattrs. Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- Documentation/filesystems/locking.rst | 4 ++++ Documentation/filesystems/vfs.rst | 17 +++++++++++++++++ include/linux/fs.h | 4 ++++ 3 files changed, 25 insertions(+) diff --git a/Documentation/filesystems/locking.rst b/Documentation/filesystems/locking.rst index d5bf4b6b7509..d208dd9f75ae 100644 --- a/Documentation/filesystems/locking.rst +++ b/Documentation/filesystems/locking.rst @@ -81,6 +81,8 @@ prototypes:: umode_t create_mode); int (*tmpfile) (struct mnt_idmap *, struct inode *, struct file *, umode_t); + int (*get_fscaps)(struct mnt_idmap *, struct dentry *, struct vfs_caps *); + int (*set_fscaps)(struct mnt_idmap *, struct dentry *, const struct vfs_caps *, int setxattr_flags); int (*fileattr_set)(struct mnt_idmap *idmap, struct dentry *dentry, struct fileattr *fa); int (*fileattr_get)(struct dentry *dentry, struct fileattr *fa); @@ -114,6 +116,8 @@ fiemap: no update_time: no atomic_open: shared (exclusive if O_CREAT is set in open flags) tmpfile: no +get_fscaps: no +set_fscaps: exclusive fileattr_get: no or exclusive fileattr_set: exclusive get_offset_ctx no diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst index eebcc0f9e2bc..ed1cb03f271e 100644 --- a/Documentation/filesystems/vfs.rst +++ b/Documentation/filesystems/vfs.rst @@ -514,6 +514,8 @@ As of kernel 2.6.22, the following members are defined: int (*tmpfile) (struct mnt_idmap *, struct inode *, struct file *, umode_t); struct posix_acl * (*get_acl)(struct mnt_idmap *, struct dentry *, int); int (*set_acl)(struct mnt_idmap *, struct dentry *, struct posix_acl *, int); + int (*get_fscaps)(struct mnt_idmap *, struct dentry *, struct vfs_caps *); + int (*set_fscaps)(struct mnt_idmap *, struct dentry *, const struct vfs_caps *, int setxattr_flags); int (*fileattr_set)(struct mnt_idmap *idmap, struct dentry *dentry, struct fileattr *fa); int (*fileattr_get)(struct dentry *dentry, struct fileattr *fa); @@ -667,6 +669,21 @@ otherwise noted. open; this can be done by calling finish_open_simple() right at the end. +``get_fscaps`` + + called to get filesystem capabilites of an inode. If unset, + xattr handlers will be used to get the raw xattr data. Most + filesystems can rely on the generic handler. + +``set_fscaps`` + + called to set filesystem capabilites of an inode. If unset, + xattr handlers will be used to set the raw xattr data. Most + filesystems can rely on the generic handler. + + If the new fscaps value is NULL the filesystem must remove any + fscaps from the inode. + ``fileattr_get`` called on ioctl(FS_IOC_GETFLAGS) and ioctl(FS_IOC_FSGETXATTR) to retrieve miscellaneous file flags and attributes. Also called diff --git a/include/linux/fs.h b/include/linux/fs.h index ed5966a70495..89163e0f7aad 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2067,6 +2067,10 @@ struct inode_operations { int); int (*set_acl)(struct mnt_idmap *, struct dentry *, struct posix_acl *, int); + int (*get_fscaps)(struct mnt_idmap *, struct dentry *, + struct vfs_caps *); + int (*set_fscaps)(struct mnt_idmap *, struct dentry *, + const struct vfs_caps *, int setxattr_flags); int (*fileattr_set)(struct mnt_idmap *idmap, struct dentry *dentry, struct fileattr *fa); int (*fileattr_get)(struct dentry *dentry, struct fileattr *fa); From patchwork Wed Feb 21 21:24:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566400 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 282F812D74B; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=p8SP/J9uTz7ZS2ZIDmXjYEOb3R9d38Ibf2WmNxkTE/bRM4ntO5SL8uDvdpospfqJAWIJwFIHFXrBBM/REuf3xOcvUkqROF4yvNBtSm9JRmdy96IhuYF6GYWAwEtmJxXO1DgZJFDQ61eonGRyjc3iEg4yVn8CE+7ntDe2e759vsA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=DaMtiOZBeQDVEion4ZN4zKQprvyExzuJ8doVlQBSc+c=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=RjSNYF8NpgIB/xDj6rEN5phSVtjRwUI1lgnDI8Z91JgtnFDStDoHrcfrYh7lNmMUdYWUqozlvq8aMp8N/g93ZEGp2jsFQo+LTyQ6xhRQM7cDdmZ33wDp3OmPu+7C9ioM9BkwY1JEvksImR36q93D1O5n3YEgPRMhyHwudT1hJgk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=DvVoVQef; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="DvVoVQef" Received: by smtp.kernel.org (Postfix) with ESMTPS id EF0F6C3279A; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=DaMtiOZBeQDVEion4ZN4zKQprvyExzuJ8doVlQBSc+c=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=DvVoVQefCHkO2csohbS3+DfA7v+LfDjn3ihNeo+F5RWTo/d+i+POCZfKnpVl/aq2+ EFlacb9HtfXWmP2h8D8rTfy8DhkMQ0l/b+lImzLz2lC7FDWdgCYnEjxIqIlVIViRJ6 EL2T3qf+BkYg0yboVvr8ooXGcvyAPGpgWHa3rPGYSxypgLadkoUgY0Pa2F10wqPip9 uAKFzt8IhkOFxlo7jHWzeydHasZEdd/inkcYudHEDGW8QI6pZK9FK6eO8unzGvpL9A 5YIAbQU/4f52rFo4iwf2/O4khZjPzsjNcxw2AdJwMLs2eRhEtG27fEWXe3Kc8bGHTA g43F4co1z154Q== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB15EC54793; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:48 -0600 Subject: [PATCH v2 17/25] fs: add vfs_get_fscaps() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-17-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3594; i=sforshee@kernel.org; h=from:subject:message-id; bh=DaMtiOZBeQDVEion4ZN4zKQprvyExzuJ8doVlQBSc+c=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1monpM9wsGSZSvppxhKtdjKe8?= =?utf-8?q?E/VR1Wssga6IW1B_2+E5+u6JATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqJwAKCRBTA5mu5fQxyb00B/_9W4Ogzb7YrK4uooki+F6O5V/u8cnm14dQIt?= =?utf-8?q?C1D1/LcKAxqObtAO+ncDERx5iTwUlrSxVUYHuaHFboa_4Inr3IZy5FL7oDPg9k1hg?= =?utf-8?q?Nlxs/lpczEboUlQdrR0avbXapmFGjvnjVS6aC6M8QKTxhnoUliZVEwjyI_QwyQzL4?= =?utf-8?q?T+7xdZm5xpYnuqlhLTZe0Ir54jV5FO08fcbevSq0ccjxzGD6QUD9sn9Px3PbQrbCI?= =?utf-8?q?Ai8J/V_9BQ9D5Hmqt4o/K33RmONq0GUG2E/pgbLJynIiMrPtQsaMRx/J4gtt89H8G?= =?utf-8?q?j9HULnOCsoy8UvVzJw6r?= kKjfHaJw+PgLCgqMO8rXVQNmIrkzhG X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Provide a type-safe interface for retrieving filesystem capabilities and a generic implementation suitable for most filesystems. Also add an internal interface, vfs_get_fscaps_nosec(), which skips security checks for later use from the capability code. Signed-off-by: Seth Forshee (DigitalOcean) Reviewed-by: Christian Brauner --- fs/xattr.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/fs.h | 4 ++++ 2 files changed, 68 insertions(+) diff --git a/fs/xattr.c b/fs/xattr.c index 06290e4ebc03..10d1b1f78fc2 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -181,6 +181,70 @@ xattr_supports_user_prefix(struct inode *inode) } EXPORT_SYMBOL(xattr_supports_user_prefix); +static int generic_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps) +{ + struct inode *inode = d_inode(dentry); + struct vfs_ns_cap_data nscaps; + int ret; + + ret = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, &nscaps, sizeof(nscaps)); + + if (ret >= 0) + ret = vfs_caps_from_xattr(idmap, i_user_ns(inode), caps, &nscaps, ret); + + return ret; +} + +/** + * vfs_get_fscaps_nosec - get filesystem capabilities without security checks + * @idmap: idmap of the mount the inode was found from + * @dentry: the dentry from which to get filesystem capabilities + * @caps: storage in which to return the filesystem capabilities + * + * This function gets the filesystem capabilities for the dentry and returns + * them in @caps. It does not perform security checks. + * + * Return: 0 on success, a negative errno on error. + */ +int vfs_get_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps) +{ + struct inode *inode = d_inode(dentry); + + if (inode->i_op->get_fscaps) + return inode->i_op->get_fscaps(idmap, dentry, caps); + return generic_get_fscaps(idmap, dentry, caps); +} + +/** + * vfs_get_fscaps - get filesystem capabilities + * @idmap: idmap of the mount the inode was found from + * @dentry: the dentry from which to get filesystem capabilities + * @caps: storage in which to return the filesystem capabilities + * + * This function gets the filesystem capabilities for the dentry and returns + * them in @caps. + * + * Return: 0 on success, a negative errno on error. + */ +int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps) +{ + int error; + + /* + * The VFS has no restrictions on reading security.* xattrs, so + * xattr_permission() isn't needed. Only LSMs get a say. + */ + error = security_inode_get_fscaps(idmap, dentry); + if (error) + return error; + + return vfs_get_fscaps_nosec(idmap, dentry, caps); +} +EXPORT_SYMBOL(vfs_get_fscaps); + int __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, struct inode *inode, const char *name, const void *value, diff --git a/include/linux/fs.h b/include/linux/fs.h index 89163e0f7aad..d7cd2467e1ea 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2116,6 +2116,10 @@ extern int vfs_dedupe_file_range(struct file *file, extern loff_t vfs_dedupe_file_range_one(struct file *src_file, loff_t src_pos, struct file *dst_file, loff_t dst_pos, loff_t len, unsigned int remap_flags); +extern int vfs_get_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps); +extern int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps); /** * enum freeze_holder - holder of the freeze From patchwork Wed Feb 21 21:24:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566393 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3628B12D76A; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=fYBu4JDuTHzs7IVZa9hmYI/sybpJSLPG1hgkWgsUB1dw/XqqR4YiNDlIyhdrpG7Ndz61wEY/Y0AIdl+ZaOvoefkGOt2CZqtzRVqgCYxYwGKeYHDwDBjSS6k2dtJJKcGP4Q4b+R6pLZD/KVfQVqjbLkQLZ9oQ9a3lG/eNQnQS41w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=+wh5MLx6qw22a4Y5hCQZNo83AwcQ+EWK6GdCRZ0V+nQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=KRIZAaYoNEo2S9kCPhZWLMj0yXE75go2vwP28dMuNv+ElH4/9QI5x34+I7AqRDSHrJykGpLhDCJvslEOja4Kwtq8OGfCyVGSwS3fY3UuU13w72ArLrvPTMi6KlNaisGmaKYiyTJBhFzXC77EbFOMJJkFn+uUCDLyNoYonszVDp4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AK2yECFZ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AK2yECFZ" Received: by smtp.kernel.org (Postfix) with ESMTPS id 0B327C341C0; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=+wh5MLx6qw22a4Y5hCQZNo83AwcQ+EWK6GdCRZ0V+nQ=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=AK2yECFZ23ei6Bxl7F8aU4RQFm0YNyCmD5DcPDYqym9xF7gaxYzUJ2X5OzxtyZ0Hw jPUD9OW85WtWmTmE6K2tld1wGbO2HH6O5MD688xPMXAjBVi4ya8mKxsVHOo779FDGV lRw2fvbhrPwugd44qEaOW8vEtMXx58eIHpkKUSZOaTRPoc58KcCScAZVwfupFGcWlX nkizFJHHKDqDwA4QMrPvtj0C1d55a4KCB/ohfrVyv7j5lzaDxLUoDXeFAtXCNDtgeN Nq7ynBMpMFENnCjJi7IdAuahdWZMWMT2NqQLBvoemxpz+mdl2HFCa007AGoS6/7zSY ziChLdNXv1sOQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ECE24C54791; Wed, 21 Feb 2024 21:25:06 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:49 -0600 Subject: [PATCH v2 18/25] fs: add vfs_set_fscaps() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-18-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3582; i=sforshee@kernel.org; h=from:subject:message-id; bh=+wh5MLx6qw22a4Y5hCQZNo83AwcQ+EWK6GdCRZ0V+nQ=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mooRK6GQBMSPSNeq9TIC5Eyp?= =?utf-8?q?s87cR1e+jRyO5IO_L9tbqdiJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqKAAKCRBTA5mu5fQxybD1B/_9c/EK+CWeOAxlDfTdwJDnyY4A/3nNMB6EGt?= =?utf-8?q?r5LZ4F2yneQa64m4QIo+ZrLzxwRuKvGPtIkZCsgv3Wb_6VqtJ33/oxBPXedXR/8tZ?= =?utf-8?q?F8LC3tHmVHZfMcJiWkgNH1vM/2hjC3leSEQ3Srb60sYUy2gPEfXPlhWpe_h/pci4h?= =?utf-8?q?nVsUsdxdKrZxVZVwxFBuorxCAFi/1o0mLPD9pAPePer6DS5+YEVd3E+OgW7bBhAyD?= =?utf-8?q?biQacI_Rs7+v+o8JqU+YEueRgm1Wmn00s+iF4/Rr+LY78hTjMrqWSXqxGiaZhctJh?= =?utf-8?q?fft1eTDgbM1jEEsoYH6B?= N1daNdaH5CVnSWpjKxBb1/q+bBht8s X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Provide a type-safe interface for setting filesystem capabilities and a generic implementation suitable for most filesystems. Signed-off-by: Seth Forshee (DigitalOcean) --- fs/xattr.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/fs.h | 2 ++ 2 files changed, 81 insertions(+) diff --git a/fs/xattr.c b/fs/xattr.c index 10d1b1f78fc2..96de43928a51 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -245,6 +245,85 @@ int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, } EXPORT_SYMBOL(vfs_get_fscaps); +static int generic_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int setxattr_flags) +{ + struct inode *inode = d_inode(dentry); + struct vfs_ns_cap_data nscaps; + int size; + + size = vfs_caps_to_xattr(idmap, i_user_ns(inode), caps, + &nscaps, sizeof(nscaps)); + if (size < 0) + return size; + + return __vfs_setxattr_noperm(idmap, dentry, XATTR_NAME_CAPS, + &nscaps, size, setxattr_flags); +} + +/** + * vfs_set_fscaps - set filesystem capabilities + * @idmap: idmap of the mount the inode was found from + * @dentry: the dentry on which to set filesystem capabilities + * @caps: the filesystem capabilities to be written + * @setxattr_flags: setxattr flags to use when writing the capabilities xattr + * + * This function writes the supplied filesystem capabilities to the dentry. + * + * Return: 0 on success, a negative errno on error. + */ +int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int setxattr_flags) +{ + struct inode *inode = d_inode(dentry); + struct inode *delegated_inode = NULL; + int error; + +retry_deleg: + inode_lock(inode); + + error = xattr_permission(idmap, inode, XATTR_NAME_CAPS, MAY_WRITE); + if (error) + goto out_inode_unlock; + error = security_inode_set_fscaps(idmap, dentry, caps, setxattr_flags); + if (error) + goto out_inode_unlock; + + error = try_break_deleg(inode, &delegated_inode); + if (error) + goto out_inode_unlock; + + if (inode->i_opflags & IOP_XATTR) { + if (inode->i_op->set_fscaps) + error = inode->i_op->set_fscaps(idmap, dentry, caps, + setxattr_flags); + else + error = generic_set_fscaps(idmap, dentry, caps, + setxattr_flags); + if (!error) { + fsnotify_xattr(dentry); + security_inode_post_set_fscaps(idmap, dentry, caps, + setxattr_flags); + } + } else if (unlikely(is_bad_inode(inode))) { + error = -EIO; + } else { + error = -EOPNOTSUPP; + } + +out_inode_unlock: + inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } + + return error; +} +EXPORT_SYMBOL(vfs_set_fscaps); + int __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, struct inode *inode, const char *name, const void *value, diff --git a/include/linux/fs.h b/include/linux/fs.h index d7cd2467e1ea..4f5d7ed44644 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2120,6 +2120,8 @@ extern int vfs_get_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry, struct vfs_caps *caps); extern int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, struct vfs_caps *caps); +extern int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int setxattr_flags); /** * enum freeze_holder - holder of the freeze From patchwork Wed Feb 21 21:24:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566394 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4256612D76C; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=B/CsYQYNHbSOJiInIRVP223U1MWPXzeclsZpg+n9bDkFeCKPW/odObBMo1dyIM5ei6QTPJTrCKoEDHa7u7MxdyPWz0Vy9E28LCgQaHrsza1LRW8HntHnyw7Sz/+wpZeQx1FKXQ8nod9fIxl4x8Ezwkj2AZkr3O6SLwHlkY+UsJ8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=a3ugvMhATksPxV+a7Wcb3fojtkXnejQOJKEmfG2Au6A=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fVZbFFSKr9s7lQxC0+6OGi+CmzxMkIp8ql6XcMui2hcGRToosIR+EsDA10Yg0U00waGtVw8hfzGwKO4a6Fg1mXaR4RI9f6FPv4/nzKC1OoqeKYWv1AH1Vr4N2M82k/ZKr7JgjULAryw8/fcDqsG3OuRzo/svc9VFUv9/puQJ8/E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fyOX9ubk; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fyOX9ubk" Received: by smtp.kernel.org (Postfix) with ESMTPS id 1873CC43141; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=a3ugvMhATksPxV+a7Wcb3fojtkXnejQOJKEmfG2Au6A=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=fyOX9ubkNP7PgYk94oDhtYGquf+vSSCFPMucQ0Dq2rCZQXUB/iZqjXl8cMzOrCk81 80q9tpt7qDd2z033II1TkZorVEAtmK0acy7UCkqNZjpwQo5rZOvnLyQRhHwCSFky1v 1jFcJfZggb8rW0E+8V/yJk/JwS3iFdRQaCXJ6iiVKM7PfETwcKRcQyTcumymYdfA9w oLL4R5CZ9n0TaZTpjw22Tf0CGQBQK69IAh6Zaa681oK6Uh5Dn7qu8EzdsqcH1dFUKE gAT9G4DKCvPMTrv2Id/QAPjwz/fbRyzcOPsTzafuZ+DQKzK7P9rdfqZ76hK4MxMJAe KtZ7d8bEGLS1w== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0511CC48BEB; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:50 -0600 Subject: [PATCH v2 19/25] fs: add vfs_remove_fscaps() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-19-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=3779; i=sforshee@kernel.org; h=from:subject:message-id; bh=a3ugvMhATksPxV+a7Wcb3fojtkXnejQOJKEmfG2Au6A=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mopgDVenhi3VLPaPvFwxM95t?= =?utf-8?q?qNAaxCLXvBKa+2y_76GFlFmJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqKQAKCRBTA5mu5fQxyQftB/_0eV/oZCodcvmT2NzrSTKkvLIWCpVU5YGKGF?= =?utf-8?q?ugW3HG3lJRUuGtO+t+A3RwZKzOSWbtk1CkbGAetJWXa_aqqprqjsUstKaAApbpfZo?= =?utf-8?q?Z+eK6TN/rCUWHcGfXJrwsSbxogu7GRc2n0qYaSlu+qA3xEzF8z6c/Ddpr_k/Dc7FV?= =?utf-8?q?T0eukTELGcPFhqthrQZQwUPUa27SB4BCSgNW5nS3MQFGNmL3komWpIDaUw1t7zzje?= =?utf-8?q?PB3Q8p_Sd6mViD54RmlcUD/RuxaNacNOjFHyQ0gXUwF/iAQuoi0uwi4vkFeECAIEt?= =?utf-8?q?6niPSkeZ/0OqmUxINUBZ?= jM1eqVetaMefnRdsKXRtEreKVXPamw X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Provide a type-safe interface for removing filesystem capabilities and a generic implementation suitable for most filesystems. Also add an internal interface, vfs_remove_fscaps_nosec(), which is called with the inode lock held and skips security checks for later use from the capability code. Signed-off-by: Seth Forshee (DigitalOcean) --- fs/xattr.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/fs.h | 2 ++ 2 files changed, 83 insertions(+) diff --git a/fs/xattr.c b/fs/xattr.c index 96de43928a51..8b0f7384cbc9 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -324,6 +324,87 @@ int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, } EXPORT_SYMBOL(vfs_set_fscaps); +static int generic_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) +{ + return __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS); +} + +/** + * vfs_remove_fscaps_nosec - remove filesystem capabilities without + * security checks + * @idmap: idmap of the mount the inode was found from + * @dentry: the dentry from which to remove filesystem capabilities + * + * This function removes any filesystem capabilities from the specified + * dentry. Does not perform any security checks, and callers must hold the + * inode lock. + * + * Return: 0 on success, a negative errno on error. + */ +int vfs_remove_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry) +{ + struct inode *inode = dentry->d_inode; + int error; + + if (inode->i_op->set_fscaps) + error = inode->i_op->set_fscaps(idmap, dentry, NULL, + XATTR_REPLACE); + else + error = generic_remove_fscaps(idmap, dentry); + + return error; +} + +/** + * vfs_remove_fscaps - remove filesystem capabilities + * @idmap: idmap of the mount the inode was found from + * @dentry: the dentry from which to remove filesystem capabilities + * + * This function removes any filesystem capabilities from the specified + * dentry. + * + * Return: 0 on success, a negative errno on error. + */ +int vfs_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) +{ + struct inode *inode = dentry->d_inode; + struct inode *delegated_inode = NULL; + int error; + +retry_deleg: + inode_lock(inode); + + error = xattr_permission(idmap, inode, XATTR_NAME_CAPS, MAY_WRITE); + if (error) + goto out_inode_unlock; + + error = security_inode_remove_fscaps(idmap, dentry); + if (error) + goto out_inode_unlock; + + error = try_break_deleg(inode, &delegated_inode); + if (error) + goto out_inode_unlock; + + error = vfs_remove_fscaps_nosec(idmap, dentry); + if (!error) { + fsnotify_xattr(dentry); + evm_inode_post_remove_fscaps(dentry); + } + +out_inode_unlock: + inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } + + return error; +} +EXPORT_SYMBOL(vfs_remove_fscaps); + int __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, struct inode *inode, const char *name, const void *value, diff --git a/include/linux/fs.h b/include/linux/fs.h index 4f5d7ed44644..c07427d2fc71 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2122,6 +2122,8 @@ extern int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, struct vfs_caps *caps); extern int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, const struct vfs_caps *caps, int setxattr_flags); +extern int vfs_remove_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry); +extern int vfs_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry); /** * enum freeze_holder - holder of the freeze From patchwork Wed Feb 21 21:24:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566392 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54C3112DD91; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=KBrQYCzsHdOYqYU4eWLWaZOFrqcy/Pk5s92zfKWQ/36X3QtA2ruGu6RJxaaHn4e4kEmBTnJ8adhdY2e7RrIMbjTirsvME/vE95WR3n4lCBqr5DLMA1IFuOwnVJ1GWEJCs6TLJAo5EiO/JSFnZrhsgUHH1T0m+sfRJ6polOxLZjA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=ttWdljGV2VOOVlmLs8ch4F+B9OPu/3AJrV4l738gSBE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=pw2v80WMhiGpLtqu9x5KB0I6HV5bC3+f6CIL7sKWUZlOQcY5EHaoPXuUx4Rfl/QvAjXVPuWSFB3OTZleUDoj0s/14Ah5RACKokbSzY7tKF2hWDnVrOQbokj+/lxK51PURSP0Ji+YSMGOTNuBX8bEmzbvxmh2dbT3oRjwJUyp9Z0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=uqHKBP3J; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="uqHKBP3J" Received: by smtp.kernel.org (Postfix) with ESMTPS id 2E595C36AEE; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=ttWdljGV2VOOVlmLs8ch4F+B9OPu/3AJrV4l738gSBE=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=uqHKBP3J4IPMX2ack7XXoakPLKGIQWPInhHuqQcEsbokp77sYp+0fBwH7WFmzz1X2 ero9AJeBQJrkHPwe/FaDYck/ACfEJoZgUAzc+Op7aBaIdJVi+6Lzw4u8juhNq9HlAI d5uFcA29Z3Co9rw30F5W2vCC/31QIThKoHnAnPAm6qF/9vI23uOeyQzIUwbAy5b9yS 8ED4KrNbstsfd3mEjSxKkKHw8kexLcNnGqaCFJr0SLSHC5JmdRu8KmLnpjcEU9XLIB nLmaJqBWTTb8vtExN0sZ3E47+JhPHp+5Y064Qlix3nBNp+LkLqh5ccHEWk5KuYwf5V wGjCyip2arhWg== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17B9FC5478C; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:51 -0600 Subject: [PATCH v2 20/25] ovl: add fscaps handlers Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-20-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=4817; i=sforshee@kernel.org; h=from:subject:message-id; bh=ttWdljGV2VOOVlmLs8ch4F+B9OPu/3AJrV4l738gSBE=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moqr1C0o66vju1JEhWEhxdjP?= =?utf-8?q?9MjLsg75RZLdJMz_EGbaqxmJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqKgAKCRBTA5mu5fQxyasXB/_0ck2MmFB/6xo9OUk9n0uU1WV1hFMVoAQcMt?= =?utf-8?q?qmhIQz/2o92A+LSQK3qhijWqisOM+8FwP0mq2qJxzMN_vIR8aLOcS0thGDP0hfR39?= =?utf-8?q?KgwnIBaHRd/nB/r7IdYiRO+hJmxzhiWNUp1IIYYbAlGvxeD7YKcQaPI6w_ujDpQ/1?= =?utf-8?q?BRMFLG/aUZlWxGKGWcvTaun5znDQgPzJy2O4WmnYgB0YdN+3H+qKej3XIqL5cxd9t?= =?utf-8?q?pymr8a_HVtkrcMynShyHq7SIhQ1Hshd+ebeNCgKfG4XE3neYdZrCQjNHAcwys74za?= =?utf-8?q?Z8osEiqTuT5wf1p4sORt?= V1GcnFZzEQHrTdJSCnsZ7y7llnM8zr X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Add handlers which read fs caps from the lower or upper filesystem and write/remove fs caps to the upper filesystem, performing copy-up as necessary. While fscaps only really make sense on regular files, the general policy is to allow most xattr namespaces on all different inode types, so fscaps handlers are installed in the inode operations for all types of inodes. Signed-off-by: Seth Forshee (DigitalOcean) --- fs/overlayfs/dir.c | 2 ++ fs/overlayfs/inode.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ fs/overlayfs/overlayfs.h | 5 ++++ 3 files changed, 79 insertions(+) diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 0f8b4a719237..4ff360fe10c9 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -1307,6 +1307,8 @@ const struct inode_operations ovl_dir_inode_operations = { .get_inode_acl = ovl_get_inode_acl, .get_acl = ovl_get_acl, .set_acl = ovl_set_acl, + .get_fscaps = ovl_get_fscaps, + .set_fscaps = ovl_set_fscaps, .update_time = ovl_update_time, .fileattr_get = ovl_fileattr_get, .fileattr_set = ovl_fileattr_set, diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index c63b31a460be..7a8978ea6fe1 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -568,6 +568,72 @@ int ovl_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, } #endif +int ovl_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps) +{ + int err; + const struct cred *old_cred; + struct path realpath; + + ovl_path_real(dentry, &realpath); + old_cred = ovl_override_creds(dentry->d_sb); + err = vfs_get_fscaps(mnt_idmap(realpath.mnt), realpath.dentry, caps); + revert_creds(old_cred); + return err; +} + +int ovl_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int setxattr_flags) +{ + int err; + struct ovl_fs *ofs = OVL_FS(dentry->d_sb); + struct dentry *upperdentry = ovl_dentry_upper(dentry); + struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry); + const struct cred *old_cred; + + /* + * If the fscaps are to be remove from a lower file, check that they + * exist before copying up. + */ + if (!caps && !upperdentry) { + struct path realpath; + struct vfs_caps lower_caps; + + ovl_path_lower(dentry, &realpath); + old_cred = ovl_override_creds(dentry->d_sb); + err = vfs_get_fscaps(mnt_idmap(realpath.mnt), realdentry, + &lower_caps); + revert_creds(old_cred); + if (err) + goto out; + } + + err = ovl_want_write(dentry); + if (err) + goto out; + + err = ovl_copy_up(dentry); + if (err) + goto out_drop_write; + upperdentry = ovl_dentry_upper(dentry); + + old_cred = ovl_override_creds(dentry->d_sb); + if (!caps) + err = vfs_remove_fscaps(ovl_upper_mnt_idmap(ofs), upperdentry); + else + err = vfs_set_fscaps(ovl_upper_mnt_idmap(ofs), upperdentry, + caps, setxattr_flags); + revert_creds(old_cred); + + /* copy c/mtime */ + ovl_copyattr(d_inode(dentry)); + +out_drop_write: + ovl_drop_write(dentry); +out: + return err; +} + int ovl_update_time(struct inode *inode, int flags) { if (flags & S_ATIME) { @@ -747,6 +813,8 @@ static const struct inode_operations ovl_file_inode_operations = { .get_inode_acl = ovl_get_inode_acl, .get_acl = ovl_get_acl, .set_acl = ovl_set_acl, + .get_fscaps = ovl_get_fscaps, + .set_fscaps = ovl_set_fscaps, .update_time = ovl_update_time, .fiemap = ovl_fiemap, .fileattr_get = ovl_fileattr_get, @@ -758,6 +826,8 @@ static const struct inode_operations ovl_symlink_inode_operations = { .get_link = ovl_get_link, .getattr = ovl_getattr, .listxattr = ovl_listxattr, + .get_fscaps = ovl_get_fscaps, + .set_fscaps = ovl_set_fscaps, .update_time = ovl_update_time, }; @@ -769,6 +839,8 @@ static const struct inode_operations ovl_special_inode_operations = { .get_inode_acl = ovl_get_inode_acl, .get_acl = ovl_get_acl, .set_acl = ovl_set_acl, + .get_fscaps = ovl_get_fscaps, + .set_fscaps = ovl_set_fscaps, .update_time = ovl_update_time, }; diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index ee949f3e7c77..4f948749ee02 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -781,6 +781,11 @@ static inline struct posix_acl *ovl_get_acl_path(const struct path *path, } #endif +int ovl_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + struct vfs_caps *caps); +int ovl_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, + const struct vfs_caps *caps, int setxattr_flags); + int ovl_update_time(struct inode *inode, int flags); bool ovl_is_private_xattr(struct super_block *sb, const char *name); From patchwork Wed Feb 21 21:24:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566395 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FB6512E1DF; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=T8C5TPl4zhOxwfGQSJyTtViA5Q9VIk3mdKsUoADRqMHqFQz8fFjTp4Gd9Logi3hRR06zr/ZkPiX1LZnrqpXFUy/fSXwN/HgXxJj5LU3Lb29+uNe9rBcXk9QHkJSh4RV9SJ/5kqxxc/ZVII49/EbqzOzpSHsmLDHail5+xPBnSj0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=zODK8f1Oy6szXpHeADRTdhogMg3GAwHuizUWMJpE3DE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=QruHK1h+evfwFcpkYp0fAKRp5bLv5ksY5MUhVuu5Q7O591me5f+3UGo6ZuZEmRtJc25C38C9WIid9iOECUiBjhRl4+zLUQd1r9lNKNLZf4xAcNGyTj511GjHB/zAAosQFifCLyf1A/F+KdDvQkoOPQqy8YwGy04u/MSPXWWvHes= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=EZqTenVf; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="EZqTenVf" Received: by smtp.kernel.org (Postfix) with ESMTPS id 3AB51C4AF75; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=zODK8f1Oy6szXpHeADRTdhogMg3GAwHuizUWMJpE3DE=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=EZqTenVf4PLgedTk1rJ753Y6K4Dpv0W+PXOQ+O6XztyKcvNh1FE7lHIrpUjKps0FB BE8fgzu2nqU0fm1hvmeCWrNIJXyeigiIA6CJtIBy0CeExigttHfIPUNoIReHEj91rS n8dSratBFnSdVJt4+CPzym1SwMREEyF9g1MKfOPrU/LrBhfXNWZMyADs12eTMKAnZn JPBthukiLEhLl/cAkGrEOwLc2PLLboFdudLK5fawpg3Lx45Wnw0Ji1YrBH7/j5jjsS Hyay/OR1tYUESoA6X/0MZ4CH4+tgI4RMh75woXvMMb8jM9tQz/5WP5m4qdMQTxyAgZ FWCPpe1pXmGIQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A073C54791; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:52 -0600 Subject: [PATCH v2 21/25] ovl: use vfs_{get,set}_fscaps() for copy-up Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-21-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=4041; i=sforshee@kernel.org; h=from:subject:message-id; bh=zODK8f1Oy6szXpHeADRTdhogMg3GAwHuizUWMJpE3DE=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1moryy7rWCDyCKYhTErtw9reV?= =?utf-8?q?BQghynbKThrJ7UB_cXmkPrOJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqKwAKCRBTA5mu5fQxyVGuB/_98YVYzC3rmVA+s5SJScrnZ4Y5tk6TMC1IC3?= =?utf-8?q?m8QqEF/wR9kN8x37EMkdEPDIonp4yWwKAp6jK5PHooi_f/TDfrw9dyMvPoFu1mtHO?= =?utf-8?q?k7vcZiK+5YhYlIWrGhaRNAhn89fEQAq8U0XJc0QZMBWZX3zC/JjGALUIe_AXfYqoT?= =?utf-8?q?kymSa8cturCezE9r8NumhzW5fw2Xeam38vDff9hJEQnZdTqoORMKGVWyvWlcy0o7g?= =?utf-8?q?1kEuga_GwQcCqZY7BooJEggxTGYotp66PNUyX0oamXw/4QROT9Cldpj8wp9PrlATv?= =?utf-8?q?F94aP27wamFYLAmAwztP?= 1sjZ5ZJP6nJXzabi+skNTzn9983WmN X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Using vfs_{get,set}xattr() for fscaps will be blocked in a future commit, so convert ovl to use the new interfaces. Also remove the now unused ovl_getxattr_value(). Reviewed-by: Amir Goldstein Signed-off-by: Seth Forshee (DigitalOcean) --- fs/overlayfs/copy_up.c | 72 ++++++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index b8e25ca51016..d7c8d76e2394 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -73,6 +73,23 @@ static int ovl_copy_acl(struct ovl_fs *ofs, const struct path *path, return err; } +static int ovl_copy_fscaps(struct ovl_fs *ofs, const struct path *oldpath, + struct dentry *new) +{ + struct vfs_caps capability; + int err; + + err = vfs_get_fscaps(mnt_idmap(oldpath->mnt), oldpath->dentry, + &capability); + if (err) { + if (err == -ENODATA || err == -EOPNOTSUPP) + return 0; + return err; + } + + return vfs_set_fscaps(ovl_upper_mnt_idmap(ofs), new, &capability, 0); +} + int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct dentry *new) { struct dentry *old = oldpath->dentry; @@ -130,6 +147,14 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de break; } + if (is_fscaps_xattr(name)) { + error = ovl_copy_fscaps(OVL_FS(sb), oldpath, new); + if (!error) + continue; + /* fs capabilities must be copied */ + break; + } + retry: size = ovl_do_getxattr(oldpath, name, value, value_size); if (size == -ERANGE) @@ -1039,61 +1064,40 @@ static bool ovl_need_meta_copy_up(struct dentry *dentry, umode_t mode, return true; } -static ssize_t ovl_getxattr_value(const struct path *path, char *name, char **value) -{ - ssize_t res; - char *buf; - - res = ovl_do_getxattr(path, name, NULL, 0); - if (res == -ENODATA || res == -EOPNOTSUPP) - res = 0; - - if (res > 0) { - buf = kzalloc(res, GFP_KERNEL); - if (!buf) - return -ENOMEM; - - res = ovl_do_getxattr(path, name, buf, res); - if (res < 0) - kfree(buf); - else - *value = buf; - } - return res; -} - /* Copy up data of an inode which was copied up metadata only in the past. */ static int ovl_copy_up_meta_inode_data(struct ovl_copy_up_ctx *c) { struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb); struct path upperpath; int err; - char *capability = NULL; - ssize_t cap_size; + struct vfs_caps capability; + bool has_capability = false; ovl_path_upper(c->dentry, &upperpath); if (WARN_ON(upperpath.dentry == NULL)) return -EIO; if (c->stat.size) { - err = cap_size = ovl_getxattr_value(&upperpath, XATTR_NAME_CAPS, - &capability); - if (cap_size < 0) + err = vfs_get_fscaps(mnt_idmap(upperpath.mnt), upperpath.dentry, + &capability); + if (!err) + has_capability = 1; + else if (err != -ENODATA && err != EOPNOTSUPP) goto out; } err = ovl_copy_up_data(c, &upperpath); if (err) - goto out_free; + goto out; /* * Writing to upper file will clear security.capability xattr. We * don't want that to happen for normal copy-up operation. */ ovl_start_write(c->dentry); - if (capability) { - err = ovl_do_setxattr(ofs, upperpath.dentry, XATTR_NAME_CAPS, - capability, cap_size, 0); + if (has_capability) { + err = vfs_set_fscaps(mnt_idmap(upperpath.mnt), upperpath.dentry, + &capability, 0); } if (!err) { err = ovl_removexattr(ofs, upperpath.dentry, @@ -1101,13 +1105,11 @@ static int ovl_copy_up_meta_inode_data(struct ovl_copy_up_ctx *c) } ovl_end_write(c->dentry); if (err) - goto out_free; + goto out; ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry)); ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry)); ovl_set_upperdata(d_inode(c->dentry)); -out_free: - kfree(capability); out: return err; } From patchwork Wed Feb 21 21:24:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566397 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8485412E1E8; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=dseJqO9nVSpov9Srg1XmV/laayeeRhiBmTUAwUz0HAHvYL68s0K2quPuJ2Z/60QqBZYqIpX7WX/uct1bWFtBorquXOtwIiPbkGaNDsPGsl782h0XJVVJNs+/SVB+EJ7YZ4TlSbHl92pfh7EXoNtX/pUzj2i48Pzo/TZeDii8LqE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=RQFtdcZgDrf45vR2XiLoEkCPweXmO4ZdGDXy9B9n38k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZtfBuVHrXmTD87yDgF+ldZY87NqvSgHzUWCiWADHbeyxfflQpnPattt7A9kYnTapEc8R7B5jaESXZ1XEyjJkUSvsNsuqN4n0oQ3d8bUdcoM2/SCytjbuxElEO9yo1kujPzRCK0ZfBfCA5IWWa556Na+j0fhIQSZonrrf1HR+khY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=a/DrHt2k; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="a/DrHt2k" Received: by smtp.kernel.org (Postfix) with ESMTPS id 4B21FC341C8; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=RQFtdcZgDrf45vR2XiLoEkCPweXmO4ZdGDXy9B9n38k=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=a/DrHt2kmlpWdSvlfpEqoT+ztdgYDFlQx+ciof4tYe7LF1KVF37Ba0B1z/zcyF//n s/dlkzoyTrW/XbIz6ACIbJMaJDxL0HYAp3dFFCwBDQ7am4xSVN6FUDOLsMqbmX9cZY aAJ6QYC9tQ1u54O1o8ca7yjXn1UXn3Wf1oe4DdekQxO04Vb4vMi8wqF71bscivyze5 x12nGIE5ZVRLGAa9NKLmtCvOH9Yo+uNjkqPPBzdqQeiTytcs5MBMnRSG1VXyPmkoEr +1dq6dIcfoeKPPFybfp7hf1Do4+6+Im1/z/ONhjKneEdbOzK77kI1L3Xbn2PJ5yURn 5wMgcIUYJh90g== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38EA8C54798; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:53 -0600 Subject: [PATCH v2 22/25] fs: use vfs interfaces for capabilities xattrs Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-22-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=8472; i=sforshee@kernel.org; h=from:subject:message-id; bh=RQFtdcZgDrf45vR2XiLoEkCPweXmO4ZdGDXy9B9n38k=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mosKTAjMWeC0JwdcAIeT/V7q?= =?utf-8?q?bWgZMaWg9RP69NM_lVsgG1+JATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqLAAKCRBTA5mu5fQxyYsNB/_9Y4IU7+FdOu481pv/83xdJkuv3HJDQ0OP6d?= =?utf-8?q?PEatAyIagnNoameoxxxOXPAJKIj5Q4CkEed978+mLU2_kAgoUny2gWC/i4OaBfuMH?= =?utf-8?q?hHIX/npJMtYubeIoEdBcvSEMwkUj8HT7HP0Ximcmuy/CiumUMSn1i8uyI_6q6X5c1?= =?utf-8?q?Bamvez+8NIfJ9Dh+OUk4jDZgWUc0rOzf5WprMEmBnUKNDF5R0erPvqoJ2wgO2BbCx?= =?utf-8?q?6eErI4_s++SjtCrwT16me5yj5VUN+2Ix7qkRevh08dpk06QcqYJENzMHW9hkJmy5g?= =?utf-8?q?/XjN3HtxwEWdW7qnUJ05?= E9Boh3G9Ai9l4Tn+77y40mzF1cubex X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Now that all the plumbing is in place, switch over to using the new inode operations to get/set fs caps. This pushes all mapping of ids into the caller's user ns to above the vfs_*() level, making this consistent with other vfs_*() interfaces. cap_convert_nscap() is updated to return vfs_caps and moved to be called from the new code path for setting fscaps. This means that use of vfs_setxattr() will no longer remap ids in fscap xattrs, but all code which used vfs_setxattr() for fscaps xattrs has been converted to the new interfaces. Removing the mapping of fscaps rootids from vfs_getxattr() is more invovled and will be addressed in a later commit. Signed-off-by: Seth Forshee (DigitalOcean) --- fs/xattr.c | 49 ++++++++++++++++++++++++---- include/linux/capability.h | 2 +- security/commoncap.c | 79 +++++++++++++++------------------------------- 3 files changed, 69 insertions(+), 61 deletions(-) diff --git a/fs/xattr.c b/fs/xattr.c index 8b0f7384cbc9..30eff6bc4f6d 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -534,13 +534,6 @@ vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const void *orig_value = value; int error; - if (size && is_fscaps_xattr(name)) { - error = cap_convert_nscap(idmap, dentry, &value, size); - if (error < 0) - return error; - size = error; - } - retry_deleg: inode_lock(inode); error = __vfs_setxattr_locked(idmap, dentry, name, value, size, @@ -851,6 +844,24 @@ int do_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, return do_set_acl(idmap, dentry, ctx->kname->name, ctx->kvalue, ctx->size); + if (is_fscaps_xattr(ctx->kname->name)) { + struct vfs_caps caps; + int ret; + + /* + * rootid is already in the mount idmap, so pass nop_mnt_idmap + * so that it won't be mapped. + */ + ret = vfs_caps_from_xattr(&nop_mnt_idmap, current_user_ns(), + &caps, ctx->kvalue, ctx->size); + if (ret) + return ret; + ret = cap_convert_nscap(idmap, dentry, &caps); + if (ret) + return ret; + return vfs_set_fscaps(idmap, dentry, &caps, ctx->flags); + } + return vfs_setxattr(idmap, dentry, ctx->kname->name, ctx->kvalue, ctx->size, ctx->flags); } @@ -949,6 +960,27 @@ do_getxattr(struct mnt_idmap *idmap, struct dentry *d, ssize_t error; char *kname = ctx->kname->name; + if (is_fscaps_xattr(kname)) { + struct vfs_caps caps; + struct vfs_ns_cap_data data; + int ret; + + ret = vfs_get_fscaps(idmap, d, &caps); + if (ret) + return ret; + /* + * rootid is already in the mount idmap, so pass nop_mnt_idmap + * so that it won't be mapped. + */ + ret = vfs_caps_to_user_xattr(&nop_mnt_idmap, current_user_ns(), + &caps, &data, ctx->size); + if (ret < 0) + return ret; + if (ctx->size && copy_to_user(ctx->value, &data, ret)) + return -EFAULT; + return ret; + } + if (ctx->size) { if (ctx->size > XATTR_SIZE_MAX) ctx->size = XATTR_SIZE_MAX; @@ -1139,6 +1171,9 @@ removexattr(struct mnt_idmap *idmap, struct dentry *d, if (is_posix_acl_xattr(kname)) return vfs_remove_acl(idmap, d, kname); + if (is_fscaps_xattr(kname)) + return vfs_remove_fscaps(idmap, d); + return vfs_removexattr(idmap, d, kname); } diff --git a/include/linux/capability.h b/include/linux/capability.h index eb06d7c6224b..5e7cbf07e3a7 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -229,6 +229,6 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, struct vfs_caps *cpu_caps); int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry, - const void **ivalue, size_t size); + struct vfs_caps *caps); #endif /* !_LINUX_CAPABILITY_H */ diff --git a/security/commoncap.c b/security/commoncap.c index 19affcfa3126..4254e5e46024 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -485,27 +485,21 @@ int cap_inode_getsecurity(struct mnt_idmap *idmap, } /** - * rootid_from_xattr - translate root uid of vfs caps + * rootid_from_vfs_caps - translate root uid of vfs caps * - * @value: vfs caps value which may be modified by this function - * @size: size of @ivalue + * @caps: vfs caps value which may be modified by this function * @task_ns: user namespace of the caller + * + * Return the rootid from a v3 fs cap, or the id of root in the task's user + * namespace for v1 and v2 fs caps. */ -static vfsuid_t rootid_from_xattr(const void *value, size_t size, - struct user_namespace *task_ns) +static vfsuid_t rootid_from_vfs_caps(const struct vfs_caps *caps, + struct user_namespace *task_ns) { - const struct vfs_ns_cap_data *nscap = value; - uid_t rootid = 0; - - if (size == XATTR_CAPS_SZ_3) - rootid = le32_to_cpu(nscap->rootid); - - return VFSUIDT_INIT(make_kuid(task_ns, rootid)); -} + if ((caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3) + return caps->rootid; -static bool validheader(size_t size, const struct vfs_cap_data *cap) -{ - return is_v2header(size, cap) || is_v3header(size, cap); + return VFSUIDT_INIT(make_kuid(task_ns, 0)); } /** @@ -513,11 +507,10 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap) * * @idmap: idmap of the mount the inode was found from * @dentry: used to retrieve inode to check permissions on - * @ivalue: vfs caps value which may be modified by this function - * @size: size of @ivalue + * @caps: vfs caps which may be modified by this function * - * User requested a write of security.capability. If needed, update the - * xattr to change from v2 to v3, or to fixup the v3 rootid. + * User requested a write of security.capability. Check permissions, and if + * needed, update the xattr to change from v2 to v3. * * If the inode has been found through an idmapped mount the idmap of * the vfsmount must be passed through @idmap. This function will then @@ -525,59 +518,39 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap) * permissions. On non-idmapped mounts or if permission checking is to be * performed on the raw inode simply pass @nop_mnt_idmap. * - * Return: On success, return the new size; on error, return < 0. + * Return: On success, return 0; on error, return < 0. */ int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry, - const void **ivalue, size_t size) + struct vfs_caps *caps) { - struct vfs_ns_cap_data *nscap; - uid_t nsrootid; - const struct vfs_cap_data *cap = *ivalue; - __u32 magic, nsmagic; struct inode *inode = d_backing_inode(dentry); struct user_namespace *task_ns = current_user_ns(), *fs_ns = inode->i_sb->s_user_ns; - kuid_t rootid; vfsuid_t vfsrootid; - size_t newsize; + __u32 revision; - if (!*ivalue) - return -EINVAL; - if (!validheader(size, cap)) + revision = sansflags(caps->magic_etc); + if (revision != VFS_CAP_REVISION_2 && revision != VFS_CAP_REVISION_3) return -EINVAL; if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP)) return -EPERM; - if (size == XATTR_CAPS_SZ_2 && (idmap == &nop_mnt_idmap)) + if (revision == VFS_CAP_REVISION_2 && (idmap == &nop_mnt_idmap)) if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP)) /* user is privileged, just write the v2 */ - return size; + return 0; - vfsrootid = rootid_from_xattr(*ivalue, size, task_ns); + vfsrootid = rootid_from_vfs_caps(caps, task_ns); if (!vfsuid_valid(vfsrootid)) return -EINVAL; - rootid = from_vfsuid(idmap, fs_ns, vfsrootid); - if (!uid_valid(rootid)) + if (!vfsuid_has_fsmapping(idmap, fs_ns, vfsrootid)) return -EINVAL; - nsrootid = from_kuid(fs_ns, rootid); - if (nsrootid == -1) - return -EINVAL; + caps->rootid = vfsrootid; + caps->magic_etc = VFS_CAP_REVISION_3 | + (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE); - newsize = sizeof(struct vfs_ns_cap_data); - nscap = kmalloc(newsize, GFP_ATOMIC); - if (!nscap) - return -ENOMEM; - nscap->rootid = cpu_to_le32(nsrootid); - nsmagic = VFS_CAP_REVISION_3; - magic = le32_to_cpu(cap->magic_etc); - if (magic & VFS_CAP_FLAGS_EFFECTIVE) - nsmagic |= VFS_CAP_FLAGS_EFFECTIVE; - nscap->magic_etc = cpu_to_le32(nsmagic); - memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); - - *ivalue = nscap; - return newsize; + return 0; } /* From patchwork Wed Feb 21 21:24:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566396 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 847E312E1E7; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=uxswRoY6a9h+sDixW7Pt1mYRxg0Vnp8kifLUEMMHRfpHEifAPFtrYNGUqojykFZgJz76jdPHAcYvUSDRavNrTTCLS1Y4Iid+L4UfwSfntrabIBf43hWSHpMvxaCyx4CV8zad+n1qL60vt0S2q3mRvtXXn+RNbaf+87kSh631dxY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=1TYsrROC+3Gbnk0WZAJOXwUVYboiTmQbZsKMb1rgvU8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ffk2NP2tSw+zmurJgjP4mVQu63yM3LJYP78LqKS40NgiifxYqip9tGr4+4YUS3KdW7Zj1nB6Iyf+tC1jIgPCL3LSAZs8KHPfdXyJB53svG02tP5naxD0FQ4G3F00rz8xzXMtnBxd0xM85sane+la+Yi1IJjxIiuOiSRkOJFya5Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=MucllrXh; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="MucllrXh" Received: by smtp.kernel.org (Postfix) with ESMTPS id 5BCE7C43399; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=1TYsrROC+3Gbnk0WZAJOXwUVYboiTmQbZsKMb1rgvU8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=MucllrXhQ6r7FsX+38fnZ1aUg5j9bgZ9FERXnXaWlK+CdSrY6t8Z33IjHZFmA7LF8 cP59OvY345sKFw5R1EHoi6RhHdZKkN90srP7istMzXTcNq+ErR4m+h0cnn8awp2rC+ 2pAKWkB3H5JVZ/3xoIXQj7/kR56fY2BXt622InZC/q/D+i7m8mXddO60lkZkIivWLi ABc4JnFdJ2wis5xnr8c5VUEWxTJ0gcfvWRxuBQtse/a1jn75SqJ0ktoGAQCTpdfiOW WEeNLQ+o3/ul7xKCk+Sn+uy5JMv5ZOSm+sE+MYd3miXOfLvmay6AEM8ZyC7D4Djlkb xabQ7ECfdfLuw== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46830C5479F; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:54 -0600 Subject: [PATCH v2 23/25] commoncap: remove cap_inode_getsecurity() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-23-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=6353; i=sforshee@kernel.org; h=from:subject:message-id; bh=1TYsrROC+3Gbnk0WZAJOXwUVYboiTmQbZsKMb1rgvU8=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1motCgsTy90LeHpbc+1t508RR?= =?utf-8?q?XtO5Tr7ynwS2xU5_yQgyIXmJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqLQAKCRBTA5mu5fQxyQ9cB/_9MkVi0GeoZBdDB2ESik5DH2lKt0/HCAcGaH?= =?utf-8?q?hI2z5p4iKB9cR3qimVKy6AeRQZfs0uvL4bMpX25vrN3_vkSxeQd54+0Yi2B2vbiVY?= =?utf-8?q?4RcQdgOgGdROsu4Gb1qFojTTV1755axxStzIFUMmgnl5YeRHN+23qBTLL_IxEOnql?= =?utf-8?q?duM5TIE0uA6dNQ0PUxLJ0qJCQr37gIq2p+3sAtcmseSnVzD+t6LOujXssQqvrMEqi?= =?utf-8?q?levLgY_HJYwxlHlhQFsf4GXMGNvncW/+2qM8tkzBoNYP3lDU//O6orY9JA3BXJ5MY?= =?utf-8?q?rARhiuq4ID02RQF65O6C?= Yae6GRpnBH1D3evacGuX1iUEaVptSk X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Reading of fscaps xattrs is now done via vfs_get_fscaps(), so there is no longer any need to do it from security_inode_getsecurity(). Remove cap_inode_getsecurity() and its associated helpers which are now unused. We don't allow reading capabilities xattrs this way anyomre, so remove the handler and associated helpers. Acked-by: Paul Moore Signed-off-by: Seth Forshee (DigitalOcean) --- include/linux/security.h | 5 +- security/commoncap.c | 132 ----------------------------------------------- 2 files changed, 1 insertion(+), 136 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 40be548e5e12..599d665eac71 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -162,9 +162,6 @@ int cap_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name); int cap_inode_need_killpriv(struct dentry *dentry); int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry); -int cap_inode_getsecurity(struct mnt_idmap *idmap, - struct inode *inode, const char *name, void **buffer, - bool alloc); extern int cap_mmap_addr(unsigned long addr); extern int cap_mmap_file(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags); @@ -984,7 +981,7 @@ static inline int security_inode_getsecurity(struct mnt_idmap *idmap, const char *name, void **buffer, bool alloc) { - return cap_inode_getsecurity(idmap, inode, name, buffer, alloc); + return -EOPNOTSUPP; } static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) diff --git a/security/commoncap.c b/security/commoncap.c index 4254e5e46024..a0ff7e6092e0 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -353,137 +353,6 @@ static __u32 sansflags(__u32 m) return m & ~VFS_CAP_FLAGS_EFFECTIVE; } -static bool is_v2header(int size, const struct vfs_cap_data *cap) -{ - if (size != XATTR_CAPS_SZ_2) - return false; - return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2; -} - -static bool is_v3header(int size, const struct vfs_cap_data *cap) -{ - if (size != XATTR_CAPS_SZ_3) - return false; - return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3; -} - -/* - * getsecurity: We are called for security.* before any attempt to read the - * xattr from the inode itself. - * - * This gives us a chance to read the on-disk value and convert it. If we - * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler. - * - * Note we are not called by vfs_getxattr_alloc(), but that is only called - * by the integrity subsystem, which really wants the unconverted values - - * so that's good. - */ -int cap_inode_getsecurity(struct mnt_idmap *idmap, - struct inode *inode, const char *name, void **buffer, - bool alloc) -{ - int size; - kuid_t kroot; - vfsuid_t vfsroot; - u32 nsmagic, magic; - uid_t root, mappedroot; - char *tmpbuf = NULL; - struct vfs_cap_data *cap; - struct vfs_ns_cap_data *nscap = NULL; - struct dentry *dentry; - struct user_namespace *fs_ns; - - if (strcmp(name, "capability") != 0) - return -EOPNOTSUPP; - - dentry = d_find_any_alias(inode); - if (!dentry) - return -EINVAL; - size = vfs_getxattr_alloc(idmap, dentry, XATTR_NAME_CAPS, &tmpbuf, - sizeof(struct vfs_ns_cap_data), GFP_NOFS); - dput(dentry); - /* gcc11 complains if we don't check for !tmpbuf */ - if (size < 0 || !tmpbuf) - goto out_free; - - fs_ns = inode->i_sb->s_user_ns; - cap = (struct vfs_cap_data *) tmpbuf; - if (is_v2header(size, cap)) { - root = 0; - } else if (is_v3header(size, cap)) { - nscap = (struct vfs_ns_cap_data *) tmpbuf; - root = le32_to_cpu(nscap->rootid); - } else { - size = -EINVAL; - goto out_free; - } - - kroot = make_kuid(fs_ns, root); - - /* If this is an idmapped mount shift the kuid. */ - vfsroot = make_vfsuid(idmap, fs_ns, kroot); - - /* If the root kuid maps to a valid uid in current ns, then return - * this as a nscap. */ - mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot)); - if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) { - size = sizeof(struct vfs_ns_cap_data); - if (alloc) { - if (!nscap) { - /* v2 -> v3 conversion */ - nscap = kzalloc(size, GFP_ATOMIC); - if (!nscap) { - size = -ENOMEM; - goto out_free; - } - nsmagic = VFS_CAP_REVISION_3; - magic = le32_to_cpu(cap->magic_etc); - if (magic & VFS_CAP_FLAGS_EFFECTIVE) - nsmagic |= VFS_CAP_FLAGS_EFFECTIVE; - memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); - nscap->magic_etc = cpu_to_le32(nsmagic); - } else { - /* use allocated v3 buffer */ - tmpbuf = NULL; - } - nscap->rootid = cpu_to_le32(mappedroot); - *buffer = nscap; - } - goto out_free; - } - - if (!rootid_owns_currentns(vfsroot)) { - size = -EOVERFLOW; - goto out_free; - } - - /* This comes from a parent namespace. Return as a v2 capability */ - size = sizeof(struct vfs_cap_data); - if (alloc) { - if (nscap) { - /* v3 -> v2 conversion */ - cap = kzalloc(size, GFP_ATOMIC); - if (!cap) { - size = -ENOMEM; - goto out_free; - } - magic = VFS_CAP_REVISION_2; - nsmagic = le32_to_cpu(nscap->magic_etc); - if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE) - magic |= VFS_CAP_FLAGS_EFFECTIVE; - memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); - cap->magic_etc = cpu_to_le32(magic); - } else { - /* use unconverted v2 */ - tmpbuf = NULL; - } - *buffer = cap; - } -out_free: - kfree(tmpbuf); - return size; -} - /** * rootid_from_vfs_caps - translate root uid of vfs caps * @@ -1633,7 +1502,6 @@ static struct security_hook_list capability_hooks[] __ro_after_init = { LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file), LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv), LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv), - LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity), LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), LSM_HOOK_INIT(mmap_file, cap_mmap_file), LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid), From patchwork Wed Feb 21 21:24:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566402 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B1C9F12F5B3; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=hCfJhxaFG5Tfcfr1kq1ZVLI8znJ1I9RlfwmnwyVIz+ZRmCTNFWiI/2xDU11RPmDK2QRUXgwW3tOBIPeeZE0mlR5bvBgQJWHXyA8ZOeUs2vOZWNJocxJKESkoF3bFoIhlLWRSaPGjvi4OfpQfXsi8sDbWafWpjGGuY4okn47xoY4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=zvbUblF/TCnxaSxVn34c8qD/M35GRlC4hQ2KeRAG42o=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=pwPR5pnB80Y05/NSyV+T8CCBnRtFql7ZOv/ahG5Q9dq4JW8KOI24P7/Ef0uyEd3DXWUIxFiseOg7K7F7Iy2QWu6bbxszunBI3zOazP4WDlafHkzXNx9iQbBsA92GWNvisEuQunS2R5v/n1uuDlR96uAqJkoY9iL48humC5nlxec= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SKRsQRoc; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SKRsQRoc" Received: by smtp.kernel.org (Postfix) with ESMTPS id 68AF3C4160D; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=zvbUblF/TCnxaSxVn34c8qD/M35GRlC4hQ2KeRAG42o=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=SKRsQRocESZKds2vMmzDujSVC0SaK+TPB9iVo2XR4q47+NE6qs231rq9rzz933lJ5 oPVzUdevmGiNU9XRdwvvFnMaFD1ajdUz3cg/gsMYIk9Y4aVeS3vFCAjku65uyfG3Do su9OTtRzMfobX+5JdtwaJjMHr4k49WoRZY4SgkF52OWD63ZsSUUvHJwPlsmICJ0ahH 8fBe0zR8kwd0wtnJ+mqSGj9Nl2YRaen+lV7gGxd0aD7DA6IXBiQK4WRRkOw5QmwAUc jcxuZZAtzdHfaz3fHsCRfBb4H0Im2TZYioWp185DZbzBfKIhCVqwcm/1bwCa6TUEtB ePUEa8FJldjMA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53EA3C5478C; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:55 -0600 Subject: [PATCH v2 24/25] commoncap: use vfs fscaps interfaces Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-24-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=2792; i=sforshee@kernel.org; h=from:subject:message-id; bh=zvbUblF/TCnxaSxVn34c8qD/M35GRlC4hQ2KeRAG42o=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1motMsHmTPRzonCbUf17MUmkA?= =?utf-8?q?trgRQQP52t1limF_xnRCVamJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqLQAKCRBTA5mu5fQxySjhB/_9/xvaR6j6ROnXfKTxmKnKxnszhmNMXT1obo?= =?utf-8?q?WqLVttCDoIEShnCN3jNsyIpALo6DQpAxED7nadYlW2F_vDcaQlOVAqpLDZExtPdSn?= =?utf-8?q?IAd61AuZiTbo96dmmNv46xSZbKz4YFtYStNCCynSuEuJ6T5hDfXI8ZC7l_D++5+5X?= =?utf-8?q?5lQSz00p/UyCKeSsMVATo8TLtwEQ0z6Z+55owxbqadtCXLzeeT9jYnv43ixJny2K5?= =?utf-8?q?DFwAT/_ONWSTYt66Dh/JR/D5nJ8mlOrqPvXlnOYpONu68LvMfAd5c3IWAYp3NeQYi?= =?utf-8?q?6GFXjBbQuE0sXInhC7rb?= xFOguuTz0t3YgEiStWMwzbqX0R1zY8 X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Use the vfs interfaces for fetching file capabilities for killpriv checks and from get_vfs_caps_from_disk(). While there, update the kerneldoc for get_vfs_caps_from_disk() to explain how it is different from vfs_get_fscaps_nosec(). Signed-off-by: Seth Forshee (DigitalOcean) --- security/commoncap.c | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index a0ff7e6092e0..751bb26a06a6 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -296,11 +296,12 @@ int cap_capset(struct cred *new, */ int cap_inode_need_killpriv(struct dentry *dentry) { - struct inode *inode = d_backing_inode(dentry); + struct vfs_caps caps; int error; - error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0); - return error > 0; + /* Use nop_mnt_idmap for no mapping here as mapping is unimportant */ + error = vfs_get_fscaps_nosec(&nop_mnt_idmap, dentry, &caps); + return error == 0; } /** @@ -323,7 +324,7 @@ int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry) { int error; - error = __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS); + error = vfs_remove_fscaps_nosec(idmap, dentry); if (error == -EOPNOTSUPP) error = 0; return error; @@ -719,6 +720,10 @@ ssize_t vfs_caps_to_user_xattr(struct mnt_idmap *idmap, * @cpu_caps: vfs capabilities * * Extract the on-exec-apply capability sets for an executable file. + * For version 3 capabilities xattrs, returns the capabilities only if + * they are applicable to current_user_ns() (i.e. that the rootid + * corresponds to an ID which maps to ID 0 in current_user_ns() or an + * ancestor), and returns -ENODATA otherwise. * * If the inode has been found through an idmapped mount the idmap of * the vfsmount must be passed through @idmap. This function will then @@ -731,25 +736,16 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, struct vfs_caps *cpu_caps) { struct inode *inode = d_backing_inode(dentry); - int size, ret; - struct vfs_ns_cap_data data, *nscaps = &data; + int ret; if (!inode) return -ENODATA; - size = __vfs_getxattr((struct dentry *)dentry, inode, - XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); - if (size == -ENODATA || size == -EOPNOTSUPP) + ret = vfs_get_fscaps_nosec(idmap, (struct dentry *)dentry, cpu_caps); + if (ret == -EOPNOTSUPP || ret == -EOVERFLOW) /* no data, that's ok */ - return -ENODATA; + ret = -ENODATA; - if (size < 0) - return size; - - ret = vfs_caps_from_xattr(idmap, inode->i_sb->s_user_ns, - cpu_caps, nscaps, size); - if (ret == -EOVERFLOW) - return -ENODATA; if (ret) return ret; From patchwork Wed Feb 21 21:24:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)" X-Patchwork-Id: 13566401 X-Patchwork-Delegate: paul@paul-moore.com Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B6B8A12FB30; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; cv=none; b=HboMgOmEtxyZzmQz11Tm7Lk3fo3OuwWTst9YoQPvjuqUbl1ovYXElMcqjWaFejy/0pUv0+5EApHPNM48ZUjBws14w5Mls7QdQs3v/XNUMXQmTaIxGc78Ld+sgw+BnS6RtN90fkGEZGsu8xD07qaLbi5Hh459XOZ1lbiqf02K6EM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708550707; c=relaxed/simple; bh=JkAYnCkvvJdZGpxH4b0zbmLDehUJl7XVpS/k3t/jU9U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=H6PhMTWwGgklOkwQJCKeHQcxiEedR+0GdGaerzK943HYZmQ6J6MP9aSW6RMmqCzXfH368n/FRkpQR74HO///+emAlOr5AjC0QoPvhUaIIAGoXFbMyW8xa6r9K35irZhu4cSmN9dLwNLs2+09gAkxMh3LThm1I+Q9UK3D6C8Qp7c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=BRSh2cwD; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="BRSh2cwD" Received: by smtp.kernel.org (Postfix) with ESMTPS id 73227C41679; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708550707; bh=JkAYnCkvvJdZGpxH4b0zbmLDehUJl7XVpS/k3t/jU9U=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=BRSh2cwDivQmO5cvnVkqxeC7Nu/3tUOtiCSGbP9nzwTtRBOai53XjC60y7iBHWVCL Dx94tHN+ntUevMHXYVUbAS96T3OzjNnBeM8g6bT+w0cgsa+m/9GIMoWSOpL3L109Dy p/jRXZVKK3Qjitov8q4GUy+frcJTU6YE5Ie3LnK3jmqZAXOJeDLPo4jOozcggPjlcT bz3P6FSFwLZzaSt/6n//M6/PaXd4R8vES39SkmRstrtljgGBEWOAKbkiv5Bhk6T9n2 Pw+aGyaiA2KT1m8IKWHDlgRepdSTF3fyENURSQ5hgUUZSI7XfpBd46oydQjBI3KyjM z/g84a8N8kCRQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6283CC48BEB; Wed, 21 Feb 2024 21:25:07 +0000 (UTC) From: "Seth Forshee (DigitalOcean)" Date: Wed, 21 Feb 2024 15:24:56 -0600 Subject: [PATCH v2 25/25] vfs: return -EOPNOTSUPP for fscaps from vfs_*xattr() Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240221-idmap-fscap-refactor-v2-25-3039364623bd@kernel.org> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> In-Reply-To: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> To: Christian Brauner , Seth Forshee , Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=1556; i=sforshee@kernel.org; h=from:subject:message-id; bh=JkAYnCkvvJdZGpxH4b0zbmLDehUJl7XVpS/k3t/jU9U=; =?utf-8?q?b=3DowEBbQGS/pANAwAKAVMDma7l9DHJAcsmYgBl1mouT6WPJX7a66eMZi03rVY0Q?= =?utf-8?q?ujcBq9Oshkq0LfM_Tuo4JCOJATMEAAEKAB0WIQSQnt+rKAvnETy4Hc9TA5mu5fQxy?= =?utf-8?q?QUCZdZqLgAKCRBTA5mu5fQxyYCgB/_945jyUfmMhsxGudorl5vI3QR/Ixu+abEbAK?= =?utf-8?q?QoQWFIgQCflgI7lEzlE8Gpqk4PF6fP+Z4ZfP0ipIhZW_Hvcg61i4lw3bmENsZEOVv?= =?utf-8?q?ExwPI4miDqPaQYM5MgS72JjInytlPLdJ5J9YHHPBvYMhUlUJvF4NzVBC1_9E242eb?= =?utf-8?q?zj+LwCGygOgJWhED2lY/Hb6uyrRFm1Cz7HpnhwU6iLvmwzI2zV1OW2VbkuTMnKBAY?= =?utf-8?q?o6R6P4_c+pauDINbyl1S9IwKjV1/Nmp3njKa6CF4FcIE+hdhnDFMdvpB7KmRK/3vS?= =?utf-8?q?9yDqlhgFpDIuqkf8wNp7?= kOXGHoNmPjZ5soY0mZi+wE1d1xksOV X-Developer-Key: i=sforshee@kernel.org; a=openpgp; fpr=2ABCA7498D83E1D32D51D3B5AB4800A62DB9F73A X-Endpoint-Received: by B4 Relay for sforshee@kernel.org/default with auth_id=103 Now that the new vfs-level interfaces are fully supported and all code has been converted to use them, stop permitting use of the top-level vfs xattr interfaces for capabilities xattrs. Unlike with ACLs we still need to be able to work with fscaps xattrs using lower-level interfaces in a handful of places, so only use of the top-level xattr interfaces is restricted. Signed-off-by: Seth Forshee (DigitalOcean) --- fs/xattr.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/xattr.c b/fs/xattr.c index 30eff6bc4f6d..2b8214c9534f 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -534,6 +534,9 @@ vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const void *orig_value = value; int error; + if (WARN_ON_ONCE(is_fscaps_xattr(name))) + return -EOPNOTSUPP; + retry_deleg: inode_lock(inode); error = __vfs_setxattr_locked(idmap, dentry, name, value, size, @@ -649,6 +652,9 @@ vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry, struct inode *inode = dentry->d_inode; int error; + if (WARN_ON_ONCE(is_fscaps_xattr(name))) + return -EOPNOTSUPP; + error = xattr_permission(idmap, inode, name, MAY_READ); if (error) return error; @@ -788,6 +794,9 @@ vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, struct inode *delegated_inode = NULL; int error; + if (WARN_ON_ONCE(is_fscaps_xattr(name))) + return -EOPNOTSUPP; + retry_deleg: inode_lock(inode); error = __vfs_removexattr_locked(idmap, dentry,