tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
inode: make init and permission helpers idmapped mount aware
The inode_owner_or_capable() helper determines whether the caller is the
owner of the inode or is capable with respect to that inode. Allow it to
handle idmapped mounts. If the inode is accessed through an idmapped
mount it according to the mount's user namespace. Afterwards the checks
are identical to non-idmapped mounts. If the initial user namespace is
passed nothing changes so non-idmapped mounts will see identical
behavior as before.
Similarly, allow the inode_init_owner() helper to handle idmapped
mounts. It initializes a new inode on idmapped mounts by mapping the
fsuid and fsgid of the caller from the mount's user namespace. If the
initial user namespace is passed nothing changes so non-idmapped mounts
will see identical behavior as before.
Link: https://lore.kernel.org/r/20210121131959.646623-7-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+112
-91
+1
-1
fs/9p/acl.c
+1
-1
fs/9p/acl.c
+1
-1
fs/9p/vfs_inode.c
+1
-1
fs/9p/vfs_inode.c
+3
-3
fs/attr.c
+3
-3
fs/attr.c
···
87
87
88
88
/* Make sure a caller can chmod. */
89
89
if (ia_valid & ATTR_MODE) {
90
-
if (!inode_owner_or_capable(inode))
90
+
if (!inode_owner_or_capable(&init_user_ns, inode))
91
91
return -EPERM;
92
92
/* Also check the setgid bit! */
93
93
if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
···
98
98
99
99
/* Check for setting the inode time. */
100
100
if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
101
-
if (!inode_owner_or_capable(inode))
101
+
if (!inode_owner_or_capable(&init_user_ns, inode))
102
102
return -EPERM;
103
103
}
104
104
···
243
243
if (IS_IMMUTABLE(inode))
244
244
return -EPERM;
245
245
246
-
if (!inode_owner_or_capable(inode)) {
246
+
if (!inode_owner_or_capable(&init_user_ns, inode)) {
247
247
error = inode_permission(&init_user_ns, inode,
248
248
MAY_WRITE);
249
249
if (error)
+1
-1
fs/bfs/dir.c
+1
-1
fs/bfs/dir.c
···
96
96
}
97
97
set_bit(ino, info->si_imap);
98
98
info->si_freei--;
99
-
inode_init_owner(inode, dir, mode);
99
+
inode_init_owner(&init_user_ns, inode, dir, mode);
100
100
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
101
101
inode->i_blocks = 0;
102
102
inode->i_op = &bfs_file_inops;
+1
-1
fs/btrfs/inode.c
+1
-1
fs/btrfs/inode.c
+5
-5
fs/btrfs/ioctl.c
+5
-5
fs/btrfs/ioctl.c
···
213
213
const char *comp = NULL;
214
214
u32 binode_flags;
215
215
216
-
if (!inode_owner_or_capable(inode))
216
+
if (!inode_owner_or_capable(&init_user_ns, inode))
217
217
return -EPERM;
218
218
219
219
if (btrfs_root_readonly(root))
···
429
429
unsigned old_i_flags;
430
430
int ret = 0;
431
431
432
-
if (!inode_owner_or_capable(inode))
432
+
if (!inode_owner_or_capable(&init_user_ns, inode))
433
433
return -EPERM;
434
434
435
435
if (btrfs_root_readonly(root))
···
1862
1862
btrfs_info(BTRFS_I(file_inode(file))->root->fs_info,
1863
1863
"Snapshot src from another FS");
1864
1864
ret = -EXDEV;
1865
-
} else if (!inode_owner_or_capable(src_inode)) {
1865
+
} else if (!inode_owner_or_capable(&init_user_ns, src_inode)) {
1866
1866
/*
1867
1867
* Subvolume creation is not restricted, but snapshots
1868
1868
* are limited to own subvolumes only
···
1982
1982
u64 flags;
1983
1983
int ret = 0;
1984
1984
1985
-
if (!inode_owner_or_capable(inode))
1985
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1986
1986
return -EPERM;
1987
1987
1988
1988
ret = mnt_want_write_file(file);
···
4453
4453
int ret = 0;
4454
4454
int received_uuid_changed;
4455
4455
4456
-
if (!inode_owner_or_capable(inode))
4456
+
if (!inode_owner_or_capable(&init_user_ns, inode))
4457
4457
return -EPERM;
4458
4458
4459
4459
ret = mnt_want_write_file(file);
+1
-1
fs/btrfs/tests/btrfs-tests.c
+1
-1
fs/btrfs/tests/btrfs-tests.c
···
62
62
BTRFS_I(inode)->location.type = BTRFS_INODE_ITEM_KEY;
63
63
BTRFS_I(inode)->location.objectid = BTRFS_FIRST_FREE_OBJECTID;
64
64
BTRFS_I(inode)->location.offset = 0;
65
-
inode_init_owner(inode, NULL, S_IFREG);
65
+
inode_init_owner(&init_user_ns, inode, NULL, S_IFREG);
66
66
67
67
return inode;
68
68
}
+1
-1
fs/crypto/policy.c
+1
-1
fs/crypto/policy.c
+1
-1
fs/efivarfs/file.c
+1
-1
fs/efivarfs/file.c
+1
-1
fs/ext2/ialloc.c
+1
-1
fs/ext2/ialloc.c
+3
-3
fs/ext2/ioctl.c
+3
-3
fs/ext2/ioctl.c
···
39
39
if (ret)
40
40
return ret;
41
41
42
-
if (!inode_owner_or_capable(inode)) {
42
+
if (!inode_owner_or_capable(&init_user_ns, inode)) {
43
43
ret = -EACCES;
44
44
goto setflags_out;
45
45
}
···
84
84
case EXT2_IOC_SETVERSION: {
85
85
__u32 generation;
86
86
87
-
if (!inode_owner_or_capable(inode))
87
+
if (!inode_owner_or_capable(&init_user_ns, inode))
88
88
return -EPERM;
89
89
ret = mnt_want_write_file(filp);
90
90
if (ret)
···
117
117
if (!test_opt(inode->i_sb, RESERVATION) ||!S_ISREG(inode->i_mode))
118
118
return -ENOTTY;
119
119
120
-
if (!inode_owner_or_capable(inode))
120
+
if (!inode_owner_or_capable(&init_user_ns, inode))
121
121
return -EACCES;
122
122
123
123
if (get_user(rsv_window_size, (int __user *)arg))
+1
-1
fs/ext4/ialloc.c
+1
-1
fs/ext4/ialloc.c
···
972
972
inode->i_uid = current_fsuid();
973
973
inode->i_gid = dir->i_gid;
974
974
} else
975
-
inode_init_owner(inode, dir, mode);
975
+
inode_init_owner(&init_user_ns, inode, dir, mode);
976
976
977
977
if (ext4_has_feature_project(sb) &&
978
978
ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT))
+8
-7
fs/ext4/ioctl.c
+8
-7
fs/ext4/ioctl.c
···
139
139
}
140
140
141
141
if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
142
-
!inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) {
142
+
!inode_owner_or_capable(&init_user_ns, inode) ||
143
+
!capable(CAP_SYS_ADMIN)) {
143
144
err = -EPERM;
144
145
goto journal_err_out;
145
146
}
···
830
829
case FS_IOC_SETFLAGS: {
831
830
int err;
832
831
833
-
if (!inode_owner_or_capable(inode))
832
+
if (!inode_owner_or_capable(&init_user_ns, inode))
834
833
return -EACCES;
835
834
836
835
if (get_user(flags, (int __user *) arg))
···
872
871
__u32 generation;
873
872
int err;
874
873
875
-
if (!inode_owner_or_capable(inode))
874
+
if (!inode_owner_or_capable(&init_user_ns, inode))
876
875
return -EPERM;
877
876
878
877
if (ext4_has_metadata_csum(inode->i_sb)) {
···
1011
1010
case EXT4_IOC_MIGRATE:
1012
1011
{
1013
1012
int err;
1014
-
if (!inode_owner_or_capable(inode))
1013
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1015
1014
return -EACCES;
1016
1015
1017
1016
err = mnt_want_write_file(filp);
···
1033
1032
case EXT4_IOC_ALLOC_DA_BLKS:
1034
1033
{
1035
1034
int err;
1036
-
if (!inode_owner_or_capable(inode))
1035
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1037
1036
return -EACCES;
1038
1037
1039
1038
err = mnt_want_write_file(filp);
···
1218
1217
1219
1218
case EXT4_IOC_CLEAR_ES_CACHE:
1220
1219
{
1221
-
if (!inode_owner_or_capable(inode))
1220
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1222
1221
return -EACCES;
1223
1222
ext4_clear_inode_es(inode);
1224
1223
return 0;
···
1264
1263
return -EFAULT;
1265
1264
1266
1265
/* Make sure caller has proper permission */
1267
-
if (!inode_owner_or_capable(inode))
1266
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1268
1267
return -EACCES;
1269
1268
1270
1269
if (fa.fsx_xflags & ~EXT4_SUPPORTED_FS_XFLAGS)
+7
-7
fs/f2fs/file.c
+7
-7
fs/f2fs/file.c
···
1961
1961
u32 iflags;
1962
1962
int ret;
1963
1963
1964
-
if (!inode_owner_or_capable(inode))
1964
+
if (!inode_owner_or_capable(&init_user_ns, inode))
1965
1965
return -EACCES;
1966
1966
1967
1967
if (get_user(fsflags, (int __user *)arg))
···
2008
2008
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
2009
2009
int ret;
2010
2010
2011
-
if (!inode_owner_or_capable(inode))
2011
+
if (!inode_owner_or_capable(&init_user_ns, inode))
2012
2012
return -EACCES;
2013
2013
2014
2014
if (!S_ISREG(inode->i_mode))
···
2075
2075
struct inode *inode = file_inode(filp);
2076
2076
int ret;
2077
2077
2078
-
if (!inode_owner_or_capable(inode))
2078
+
if (!inode_owner_or_capable(&init_user_ns, inode))
2079
2079
return -EACCES;
2080
2080
2081
2081
ret = mnt_want_write_file(filp);
···
2117
2117
struct inode *inode = file_inode(filp);
2118
2118
int ret;
2119
2119
2120
-
if (!inode_owner_or_capable(inode))
2120
+
if (!inode_owner_or_capable(&init_user_ns, inode))
2121
2121
return -EACCES;
2122
2122
2123
2123
if (!S_ISREG(inode->i_mode))
···
2152
2152
struct inode *inode = file_inode(filp);
2153
2153
int ret;
2154
2154
2155
-
if (!inode_owner_or_capable(inode))
2155
+
if (!inode_owner_or_capable(&init_user_ns, inode))
2156
2156
return -EACCES;
2157
2157
2158
2158
ret = mnt_want_write_file(filp);
···
2181
2181
struct inode *inode = file_inode(filp);
2182
2182
int ret;
2183
2183
2184
-
if (!inode_owner_or_capable(inode))
2184
+
if (!inode_owner_or_capable(&init_user_ns, inode))
2185
2185
return -EACCES;
2186
2186
2187
2187
ret = mnt_want_write_file(filp);
···
3158
3158
return -EFAULT;
3159
3159
3160
3160
/* Make sure caller has proper permission */
3161
-
if (!inode_owner_or_capable(inode))
3161
+
if (!inode_owner_or_capable(&init_user_ns, inode))
3162
3162
return -EACCES;
3163
3163
3164
3164
if (fa.fsx_xflags & ~F2FS_SUPPORTED_XFLAGS)
+1
-1
fs/f2fs/namei.c
+1
-1
fs/f2fs/namei.c
+1
-1
fs/f2fs/xattr.c
+1
-1
fs/f2fs/xattr.c
+1
-1
fs/fcntl.c
+1
-1
fs/fcntl.c
···
46
46
47
47
/* O_NOATIME can only be set by the owner or superuser */
48
48
if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
49
-
if (!inode_owner_or_capable(inode))
49
+
if (!inode_owner_or_capable(&init_user_ns, inode))
50
50
return -EPERM;
51
51
52
52
/* required for strict SunOS emulation */
+1
-1
fs/gfs2/file.c
+1
-1
fs/gfs2/file.c
+1
-1
fs/hfsplus/inode.c
+1
-1
fs/hfsplus/inode.c
+1
-1
fs/hfsplus/ioctl.c
+1
-1
fs/hfsplus/ioctl.c
+1
-1
fs/hugetlbfs/inode.c
+1
-1
fs/hugetlbfs/inode.c
···
836
836
struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
837
837
838
838
inode->i_ino = get_next_ino();
839
-
inode_init_owner(inode, dir, mode);
839
+
inode_init_owner(&init_user_ns, inode, dir, mode);
840
840
lockdep_set_class(&inode->i_mapping->i_mmap_rwsem,
841
841
&hugetlbfs_i_mmap_rwsem_key);
842
842
inode->i_mapping->a_ops = &hugetlbfs_aops;
+26
-10
fs/inode.c
+26
-10
fs/inode.c
···
2130
2130
2131
2131
/**
2132
2132
* inode_init_owner - Init uid,gid,mode for new inode according to posix standards
2133
+
* @mnt_userns: User namespace of the mount the inode was created from
2133
2134
* @inode: New inode
2134
2135
* @dir: Directory inode
2135
2136
* @mode: mode of the new inode
2137
+
*
2138
+
* If the inode has been created through an idmapped mount the user namespace of
2139
+
* the vfsmount must be passed through @mnt_userns. This function will then take
2140
+
* care to map the inode according to @mnt_userns before checking permissions
2141
+
* and initializing i_uid and i_gid. On non-idmapped mounts or if permission
2142
+
* checking is to be performed on the raw inode simply passs init_user_ns.
2136
2143
*/
2137
-
void inode_init_owner(struct inode *inode, const struct inode *dir,
2138
-
umode_t mode)
2144
+
void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode,
2145
+
const struct inode *dir, umode_t mode)
2139
2146
{
2140
-
inode->i_uid = current_fsuid();
2147
+
inode->i_uid = fsuid_into_mnt(mnt_userns);
2141
2148
if (dir && dir->i_mode & S_ISGID) {
2142
2149
inode->i_gid = dir->i_gid;
2143
2150
···
2152
2145
if (S_ISDIR(mode))
2153
2146
mode |= S_ISGID;
2154
2147
else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
2155
-
!in_group_p(inode->i_gid) &&
2156
-
!capable_wrt_inode_uidgid(&init_user_ns, dir,
2157
-
CAP_FSETID))
2148
+
!in_group_p(i_gid_into_mnt(mnt_userns, dir)) &&
2149
+
!capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID))
2158
2150
mode &= ~S_ISGID;
2159
2151
} else
2160
-
inode->i_gid = current_fsgid();
2152
+
inode->i_gid = fsgid_into_mnt(mnt_userns);
2161
2153
inode->i_mode = mode;
2162
2154
}
2163
2155
EXPORT_SYMBOL(inode_init_owner);
2164
2156
2165
2157
/**
2166
2158
* inode_owner_or_capable - check current task permissions to inode
2159
+
* @mnt_userns: user namespace of the mount the inode was found from
2167
2160
* @inode: inode being checked
2168
2161
*
2169
2162
* Return true if current either has CAP_FOWNER in a namespace with the
2170
2163
* inode owner uid mapped, or owns the file.
2164
+
*
2165
+
* If the inode has been found through an idmapped mount the user namespace of
2166
+
* the vfsmount must be passed through @mnt_userns. This function will then take
2167
+
* care to map the inode according to @mnt_userns before checking permissions.
2168
+
* On non-idmapped mounts or if permission checking is to be performed on the
2169
+
* raw inode simply passs init_user_ns.
2171
2170
*/
2172
-
bool inode_owner_or_capable(const struct inode *inode)
2171
+
bool inode_owner_or_capable(struct user_namespace *mnt_userns,
2172
+
const struct inode *inode)
2173
2173
{
2174
+
kuid_t i_uid;
2174
2175
struct user_namespace *ns;
2175
2176
2176
-
if (uid_eq(current_fsuid(), inode->i_uid))
2177
+
i_uid = i_uid_into_mnt(mnt_userns, inode);
2178
+
if (uid_eq(current_fsuid(), i_uid))
2177
2179
return true;
2178
2180
2179
2181
ns = current_user_ns();
2180
-
if (kuid_has_mapping(ns, inode->i_uid) && ns_capable(ns, CAP_FOWNER))
2182
+
if (kuid_has_mapping(ns, i_uid) && ns_capable(ns, CAP_FOWNER))
2181
2183
return true;
2182
2184
return false;
2183
2185
}
+1
-1
fs/jfs/ioctl.c
+1
-1
fs/jfs/ioctl.c
+1
-1
fs/jfs/jfs_inode.c
+1
-1
fs/jfs/jfs_inode.c
+1
-1
fs/minix/bitmap.c
+1
-1
fs/minix/bitmap.c
+3
-2
fs/namei.c
+3
-2
fs/namei.c
···
1088
1088
/* Source inode owner (or CAP_FOWNER) can hardlink all they like,
1089
1089
* otherwise, it must be a safe source.
1090
1090
*/
1091
-
if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
1091
+
if (safe_hardlink_source(inode) ||
1092
+
inode_owner_or_capable(&init_user_ns, inode))
1092
1093
return 0;
1093
1094
1094
1095
audit_log_path_denied(AUDIT_ANOM_LINK, "linkat");
···
2941
2940
}
2942
2941
2943
2942
/* O_NOATIME can only be set by the owner or superuser */
2944
-
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
2943
+
if (flag & O_NOATIME && !inode_owner_or_capable(&init_user_ns, inode))
2945
2944
return -EPERM;
2946
2945
2947
2946
return 0;
+1
-1
fs/nilfs2/inode.c
+1
-1
fs/nilfs2/inode.c
···
348
348
/* reference count of i_bh inherits from nilfs_mdt_read_block() */
349
349
350
350
atomic64_inc(&root->inodes_count);
351
-
inode_init_owner(inode, dir, mode);
351
+
inode_init_owner(&init_user_ns, inode, dir, mode);
352
352
inode->i_ino = ino;
353
353
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
354
354
+1
-1
fs/nilfs2/ioctl.c
+1
-1
fs/nilfs2/ioctl.c
+2
-2
fs/ocfs2/dlmfs/dlmfs.c
+2
-2
fs/ocfs2/dlmfs/dlmfs.c
···
329
329
330
330
if (inode) {
331
331
inode->i_ino = get_next_ino();
332
-
inode_init_owner(inode, NULL, mode);
332
+
inode_init_owner(&init_user_ns, inode, NULL, mode);
333
333
inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
334
334
inc_nlink(inode);
335
335
···
352
352
return NULL;
353
353
354
354
inode->i_ino = get_next_ino();
355
-
inode_init_owner(inode, parent, mode);
355
+
inode_init_owner(&init_user_ns, inode, parent, mode);
356
356
inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
357
357
358
358
ip = DLMFS_I(inode);
+1
-1
fs/ocfs2/ioctl.c
+1
-1
fs/ocfs2/ioctl.c
+1
-1
fs/ocfs2/namei.c
+1
-1
fs/ocfs2/namei.c
+1
-1
fs/omfs/inode.c
+1
-1
fs/omfs/inode.c
+1
-1
fs/overlayfs/dir.c
+1
-1
fs/overlayfs/dir.c
···
636
636
inode->i_state |= I_CREATING;
637
637
spin_unlock(&inode->i_lock);
638
638
639
-
inode_init_owner(inode, dentry->d_parent->d_inode, mode);
639
+
inode_init_owner(&init_user_ns, inode, dentry->d_parent->d_inode, mode);
640
640
attr.mode = inode->i_mode;
641
641
642
642
err = ovl_create_or_link(dentry, inode, &attr, false);
+2
-2
fs/overlayfs/file.c
+2
-2
fs/overlayfs/file.c
···
54
54
if (err) {
55
55
realfile = ERR_PTR(err);
56
56
} else {
57
-
if (!inode_owner_or_capable(realinode))
57
+
if (!inode_owner_or_capable(&init_user_ns, realinode))
58
58
flags &= ~O_NOATIME;
59
59
60
60
realfile = open_with_fake_path(&file->f_path, flags, realinode,
···
520
520
long ret;
521
521
struct inode *inode = file_inode(file);
522
522
523
-
if (!inode_owner_or_capable(inode))
523
+
if (!inode_owner_or_capable(&init_user_ns, inode))
524
524
return -EACCES;
525
525
526
526
ret = mnt_want_write_file(file);
+1
-1
fs/overlayfs/super.c
+1
-1
fs/overlayfs/super.c
+1
-1
fs/overlayfs/util.c
+1
-1
fs/overlayfs/util.c
···
484
484
return ERR_PTR(err);
485
485
486
486
/* O_NOATIME is an optimization, don't fail if not permitted */
487
-
if (inode_owner_or_capable(inode))
487
+
if (inode_owner_or_capable(&init_user_ns, inode))
488
488
flags |= O_NOATIME;
489
489
490
490
return dentry_open(path, flags, current_cred());
+1
-1
fs/posix_acl.c
+1
-1
fs/posix_acl.c
+1
-1
fs/ramfs/inode.c
+1
-1
fs/ramfs/inode.c
···
67
67
68
68
if (inode) {
69
69
inode->i_ino = get_next_ino();
70
-
inode_init_owner(inode, dir, mode);
70
+
inode_init_owner(&init_user_ns, inode, dir, mode);
71
71
inode->i_mapping->a_ops = &ramfs_aops;
72
72
mapping_set_gfp_mask(inode->i_mapping, GFP_HIGHUSER);
73
73
mapping_set_unevictable(inode->i_mapping);
+2
-2
fs/reiserfs/ioctl.c
+2
-2
fs/reiserfs/ioctl.c
···
59
59
if (err)
60
60
break;
61
61
62
-
if (!inode_owner_or_capable(inode)) {
62
+
if (!inode_owner_or_capable(&init_user_ns, inode)) {
63
63
err = -EPERM;
64
64
goto setflags_out;
65
65
}
···
101
101
err = put_user(inode->i_generation, (int __user *)arg);
102
102
break;
103
103
case REISERFS_IOC_SETVERSION:
104
-
if (!inode_owner_or_capable(inode)) {
104
+
if (!inode_owner_or_capable(&init_user_ns, inode)) {
105
105
err = -EPERM;
106
106
break;
107
107
}
+1
-1
fs/reiserfs/namei.c
+1
-1
fs/reiserfs/namei.c
+1
-1
fs/sysv/ialloc.c
+1
-1
fs/sysv/ialloc.c
···
163
163
*sbi->s_sb_fic_count = cpu_to_fs16(sbi, count);
164
164
fs16_add(sbi, sbi->s_sb_total_free_inodes, -1);
165
165
dirty_sb(sb);
166
-
inode_init_owner(inode, dir, mode);
166
+
inode_init_owner(&init_user_ns, inode, dir, mode);
167
167
inode->i_ino = fs16_to_cpu(sbi, ino);
168
168
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
169
169
inode->i_blocks = 0;
+1
-1
fs/ubifs/dir.c
+1
-1
fs/ubifs/dir.c
+1
-1
fs/ubifs/ioctl.c
+1
-1
fs/ubifs/ioctl.c
+1
-1
fs/udf/ialloc.c
+1
-1
fs/udf/ialloc.c
+1
-1
fs/ufs/ialloc.c
+1
-1
fs/ufs/ialloc.c
···
289
289
ufs_mark_sb_dirty(sb);
290
290
291
291
inode->i_ino = cg * uspi->s_ipg + bit;
292
-
inode_init_owner(inode, dir, mode);
292
+
inode_init_owner(&init_user_ns, inode, dir, mode);
293
293
inode->i_blocks = 0;
294
294
inode->i_generation = 0;
295
295
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
+2
-1
fs/xattr.c
+2
-1
fs/xattr.c
···
127
127
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
128
128
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
129
129
if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
130
-
(mask & MAY_WRITE) && !inode_owner_or_capable(inode))
130
+
(mask & MAY_WRITE) &&
131
+
!inode_owner_or_capable(&init_user_ns, inode))
131
132
return -EPERM;
132
133
}
133
134
+1
-1
fs/xfs/xfs_ioctl.c
+1
-1
fs/xfs/xfs_ioctl.c
···
1300
1300
* The user ID of the calling process must be equal to the file owner
1301
1301
* ID, except in cases where the CAP_FSETID capability is applicable.
1302
1302
*/
1303
-
if (!inode_owner_or_capable(VFS_I(ip))) {
1303
+
if (!inode_owner_or_capable(&init_user_ns, VFS_I(ip))) {
1304
1304
error = -EPERM;
1305
1305
goto out_cancel;
1306
1306
}
+1
-1
fs/zonefs/super.c
+1
-1
fs/zonefs/super.c
···
1223
1223
struct super_block *sb = parent->i_sb;
1224
1224
1225
1225
inode->i_ino = blkdev_nr_zones(sb->s_bdev->bd_disk) + type + 1;
1226
-
inode_init_owner(inode, parent, S_IFDIR | 0555);
1226
+
inode_init_owner(&init_user_ns, inode, parent, S_IFDIR | 0555);
1227
1227
inode->i_op = &zonefs_dir_inode_operations;
1228
1228
inode->i_fop = &simple_dir_operations;
1229
1229
set_nlink(inode, 2);
+4
-4
include/linux/fs.h
+4
-4
include/linux/fs.h
···
1762
1762
return __sb_start_write_trylock(sb, SB_FREEZE_FS);
1763
1763
}
1764
1764
1765
-
1766
-
extern bool inode_owner_or_capable(const struct inode *inode);
1765
+
bool inode_owner_or_capable(struct user_namespace *mnt_userns,
1766
+
const struct inode *inode);
1767
1767
1768
1768
/*
1769
1769
* VFS helper functions..
···
1805
1805
/*
1806
1806
* VFS file helper functions.
1807
1807
*/
1808
-
extern void inode_init_owner(struct inode *inode, const struct inode *dir,
1809
-
umode_t mode);
1808
+
void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode,
1809
+
const struct inode *dir, umode_t mode);
1810
1810
extern bool may_open_dev(const struct path *path);
1811
1811
1812
1812
/*
+1
-1
kernel/bpf/inode.c
+1
-1
kernel/bpf/inode.c
+2
-1
mm/madvise.c
+2
-1
mm/madvise.c
···
539
539
* otherwise we'd be including shared non-exclusive mappings, which
540
540
* opens a side channel.
541
541
*/
542
-
return inode_owner_or_capable(file_inode(vma->vm_file)) ||
542
+
return inode_owner_or_capable(&init_user_ns,
543
+
file_inode(vma->vm_file)) ||
543
544
file_permission(vma->vm_file, MAY_WRITE) == 0;
544
545
}
545
546
+2
-1
mm/mincore.c
+2
-1
mm/mincore.c
···
166
166
* for writing; otherwise we'd be including shared non-exclusive
167
167
* mappings, which opens a side channel.
168
168
*/
169
-
return inode_owner_or_capable(file_inode(vma->vm_file)) ||
169
+
return inode_owner_or_capable(&init_user_ns,
170
+
file_inode(vma->vm_file)) ||
170
171
file_permission(vma->vm_file, MAY_WRITE) == 0;
171
172
}
172
173
+1
-1
mm/shmem.c
+1
-1
mm/shmem.c
···
2303
2303
inode = new_inode(sb);
2304
2304
if (inode) {
2305
2305
inode->i_ino = ino;
2306
-
inode_init_owner(inode, dir, mode);
2306
+
inode_init_owner(&init_user_ns, inode, dir, mode);
2307
2307
inode->i_blocks = 0;
2308
2308
inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
2309
2309
inode->i_generation = prandom_u32();
+2
-2
security/selinux/hooks.c
+2
-2
security/selinux/hooks.c
···
3140
3140
}
3141
3141
3142
3142
if (!selinux_initialized(&selinux_state))
3143
-
return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3143
+
return (inode_owner_or_capable(&init_user_ns, inode) ? 0 : -EPERM);
3144
3144
3145
3145
sbsec = inode->i_sb->s_security;
3146
3146
if (!(sbsec->flags & SBLABEL_MNT))
3147
3147
return -EOPNOTSUPP;
3148
3148
3149
-
if (!inode_owner_or_capable(inode))
3149
+
if (!inode_owner_or_capable(&init_user_ns, inode))
3150
3150
return -EPERM;
3151
3151
3152
3152
ad.type = LSM_AUDIT_DATA_DENTRY;