tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
namei: make permission helpers idmapped mount aware
The two helpers inode_permission() and generic_permission() are used by
the vfs to perform basic permission checking by verifying that the
caller is privileged over an inode. In order to handle idmapped mounts
we extend the two helpers with an additional user namespace argument.
On idmapped mounts the two helpers will make sure to map the inode
according to the mount's user namespace and then peform identical
permission checks to inode_permission() and generic_permission(). If the
initial user namespace is passed nothing changes so non-idmapped mounts
will see identical behavior as before.
Link: https://lore.kernel.org/r/20210121131959.646623-6-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+164
-88
+2
-1
fs/attr.c
+2
-1
fs/attr.c
+1
-1
fs/btrfs/inode.c
+1
-1
fs/btrfs/inode.c
···
9889
9889
if (BTRFS_I(inode)->flags & BTRFS_INODE_READONLY)
9890
9890
return -EACCES;
9891
9891
}
9892
-
return generic_permission(inode, mask);
9892
+
return generic_permission(&init_user_ns, inode, mask);
9893
9893
}
9894
9894
9895
9895
static int btrfs_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode)
+7
-5
fs/btrfs/ioctl.c
+7
-5
fs/btrfs/ioctl.c
···
922
922
BUG_ON(d_inode(victim->d_parent) != dir);
923
923
audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
924
924
925
-
error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
925
+
error = inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
926
926
if (error)
927
927
return error;
928
928
if (IS_APPEND(dir))
···
951
951
return -EEXIST;
952
952
if (IS_DEADDIR(dir))
953
953
return -ENOENT;
954
-
return inode_permission(dir, MAY_WRITE | MAY_EXEC);
954
+
return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
955
955
}
956
956
957
957
/*
···
2538
2538
ret = PTR_ERR(temp_inode);
2539
2539
goto out_put;
2540
2540
}
2541
-
ret = inode_permission(temp_inode, MAY_READ | MAY_EXEC);
2541
+
ret = inode_permission(&init_user_ns, temp_inode,
2542
+
MAY_READ | MAY_EXEC);
2542
2543
iput(temp_inode);
2543
2544
if (ret) {
2544
2545
ret = -EACCES;
···
3069
3068
if (root == dest)
3070
3069
goto out_dput;
3071
3070
3072
-
err = inode_permission(inode, MAY_WRITE | MAY_EXEC);
3071
+
err = inode_permission(&init_user_ns, inode,
3072
+
MAY_WRITE | MAY_EXEC);
3073
3073
if (err)
3074
3074
goto out_dput;
3075
3075
}
···
3141
3139
* running and allows defrag on files open in read-only mode.
3142
3140
*/
3143
3141
if (!capable(CAP_SYS_ADMIN) &&
3144
-
inode_permission(inode, MAY_WRITE)) {
3142
+
inode_permission(&init_user_ns, inode, MAY_WRITE)) {
3145
3143
ret = -EPERM;
3146
3144
goto out;
3147
3145
}
+1
-1
fs/ceph/inode.c
+1
-1
fs/ceph/inode.c
+1
-1
fs/cifs/cifsfs.c
+1
-1
fs/cifs/cifsfs.c
···
320
320
on the client (above and beyond ACL on servers) for
321
321
servers which do not support setting and viewing mode bits,
322
322
so allowing client to check permissions is useful */
323
-
return generic_permission(inode, mask);
323
+
return generic_permission(&init_user_ns, inode, mask);
324
324
}
325
325
326
326
static struct kmem_cache *cifs_inode_cachep;
+2
-1
fs/configfs/symlink.c
+2
-1
fs/configfs/symlink.c
···
197
197
if (dentry->d_inode || d_unhashed(dentry))
198
198
ret = -EEXIST;
199
199
else
200
-
ret = inode_permission(dir, MAY_WRITE | MAY_EXEC);
200
+
ret = inode_permission(&init_user_ns, dir,
201
+
MAY_WRITE | MAY_EXEC);
201
202
if (!ret)
202
203
ret = type->ct_item_ops->allow_link(parent_item, target_item);
203
204
if (!ret) {
+2
-1
fs/ecryptfs/inode.c
+2
-1
fs/ecryptfs/inode.c
+1
-1
fs/exec.c
+1
-1
fs/exec.c
···
1404
1404
void would_dump(struct linux_binprm *bprm, struct file *file)
1405
1405
{
1406
1406
struct inode *inode = file_inode(file);
1407
-
if (inode_permission(inode, MAY_READ) < 0) {
1407
+
if (inode_permission(&init_user_ns, inode, MAY_READ) < 0) {
1408
1408
struct user_namespace *old, *user_ns;
1409
1409
bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1410
1410
+3
-2
fs/fuse/dir.c
+3
-2
fs/fuse/dir.c
···
1280
1280
}
1281
1281
1282
1282
if (fc->default_permissions) {
1283
-
err = generic_permission(inode, mask);
1283
+
err = generic_permission(&init_user_ns, inode, mask);
1284
1284
1285
1285
/* If permission is denied, try to refresh file
1286
1286
attributes. This is also needed, because the root
···
1288
1288
if (err == -EACCES && !refreshed) {
1289
1289
err = fuse_perm_getattr(inode, mask);
1290
1290
if (!err)
1291
-
err = generic_permission(inode, mask);
1291
+
err = generic_permission(&init_user_ns,
1292
+
inode, mask);
1292
1293
}
1293
1294
1294
1295
/* Note: the opposite of the above test does not
+1
-1
fs/gfs2/inode.c
+1
-1
fs/gfs2/inode.c
···
1852
1852
if ((mask & MAY_WRITE) && IS_IMMUTABLE(inode))
1853
1853
error = -EPERM;
1854
1854
else
1855
-
error = generic_permission(inode, mask);
1855
+
error = generic_permission(&init_user_ns, inode, mask);
1856
1856
if (gfs2_holder_initialized(&i_gh))
1857
1857
gfs2_glock_dq_uninit(&i_gh);
1858
1858
+1
-1
fs/hostfs/hostfs_kern.c
+1
-1
fs/hostfs/hostfs_kern.c
+1
-1
fs/kernfs/inode.c
+1
-1
fs/kernfs/inode.c
+6
-1
fs/libfs.c
+6
-1
fs/libfs.c
···
1318
1318
return -EOPNOTSUPP;
1319
1319
}
1320
1320
1321
+
static int empty_dir_permission(struct inode *inode, int mask)
1322
+
{
1323
+
return generic_permission(&init_user_ns, inode, mask);
1324
+
}
1325
+
1321
1326
static const struct inode_operations empty_dir_inode_operations = {
1322
1327
.lookup = empty_dir_lookup,
1323
-
.permission = generic_permission,
1328
+
.permission = empty_dir_permission,
1324
1329
.setattr = empty_dir_setattr,
1325
1330
.getattr = empty_dir_getattr,
1326
1331
.listxattr = empty_dir_listxattr,
+86
-35
fs/namei.c
+86
-35
fs/namei.c
···
259
259
__putname(name);
260
260
}
261
261
262
-
static int check_acl(struct inode *inode, int mask)
262
+
/**
263
+
* check_acl - perform ACL permission checking
264
+
* @mnt_userns: user namespace of the mount the inode was found from
265
+
* @inode: inode to check permissions on
266
+
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
267
+
*
268
+
* This function performs the ACL permission checking. Since this function
269
+
* retrieve POSIX acls it needs to know whether it is called from a blocking or
270
+
* non-blocking context and thus cares about the MAY_NOT_BLOCK bit.
271
+
*
272
+
* If the inode has been found through an idmapped mount the user namespace of
273
+
* the vfsmount must be passed through @mnt_userns. This function will then take
274
+
* care to map the inode according to @mnt_userns before checking permissions.
275
+
* On non-idmapped mounts or if permission checking is to be performed on the
276
+
* raw inode simply passs init_user_ns.
277
+
*/
278
+
static int check_acl(struct user_namespace *mnt_userns,
279
+
struct inode *inode, int mask)
263
280
{
264
281
#ifdef CONFIG_FS_POSIX_ACL
265
282
struct posix_acl *acl;
···
288
271
/* no ->get_acl() calls in RCU mode... */
289
272
if (is_uncached_acl(acl))
290
273
return -ECHILD;
291
-
return posix_acl_permission(inode, acl, mask);
274
+
return posix_acl_permission(mnt_userns, inode, acl, mask);
292
275
}
293
276
294
277
acl = get_acl(inode, ACL_TYPE_ACCESS);
295
278
if (IS_ERR(acl))
296
279
return PTR_ERR(acl);
297
280
if (acl) {
298
-
int error = posix_acl_permission(inode, acl, mask);
281
+
int error = posix_acl_permission(mnt_userns, inode, acl, mask);
299
282
posix_acl_release(acl);
300
283
return error;
301
284
}
···
304
287
return -EAGAIN;
305
288
}
306
289
307
-
/*
308
-
* This does the basic UNIX permission checking.
290
+
/**
291
+
* acl_permission_check - perform basic UNIX permission checking
292
+
* @mnt_userns: user namespace of the mount the inode was found from
293
+
* @inode: inode to check permissions on
294
+
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
309
295
*
310
-
* Note that the POSIX ACL check cares about the MAY_NOT_BLOCK bit,
311
-
* for RCU walking.
296
+
* This function performs the basic UNIX permission checking. Since this
297
+
* function may retrieve POSIX acls it needs to know whether it is called from a
298
+
* blocking or non-blocking context and thus cares about the MAY_NOT_BLOCK bit.
299
+
*
300
+
* If the inode has been found through an idmapped mount the user namespace of
301
+
* the vfsmount must be passed through @mnt_userns. This function will then take
302
+
* care to map the inode according to @mnt_userns before checking permissions.
303
+
* On non-idmapped mounts or if permission checking is to be performed on the
304
+
* raw inode simply passs init_user_ns.
312
305
*/
313
-
static int acl_permission_check(struct inode *inode, int mask)
306
+
static int acl_permission_check(struct user_namespace *mnt_userns,
307
+
struct inode *inode, int mask)
314
308
{
315
309
unsigned int mode = inode->i_mode;
310
+
kuid_t i_uid;
316
311
317
312
/* Are we the owner? If so, ACL's don't matter */
318
-
if (likely(uid_eq(current_fsuid(), inode->i_uid))) {
313
+
i_uid = i_uid_into_mnt(mnt_userns, inode);
314
+
if (likely(uid_eq(current_fsuid(), i_uid))) {
319
315
mask &= 7;
320
316
mode >>= 6;
321
317
return (mask & ~mode) ? -EACCES : 0;
···
336
306
337
307
/* Do we have ACL's? */
338
308
if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
339
-
int error = check_acl(inode, mask);
309
+
int error = check_acl(mnt_userns, inode, mask);
340
310
if (error != -EAGAIN)
341
311
return error;
342
312
}
···
350
320
* about? Need to check group ownership if so.
351
321
*/
352
322
if (mask & (mode ^ (mode >> 3))) {
353
-
if (in_group_p(inode->i_gid))
323
+
kgid_t kgid = i_gid_into_mnt(mnt_userns, inode);
324
+
if (in_group_p(kgid))
354
325
mode >>= 3;
355
326
}
356
327
···
361
330
362
331
/**
363
332
* generic_permission - check for access rights on a Posix-like filesystem
333
+
* @mnt_userns: user namespace of the mount the inode was found from
364
334
* @inode: inode to check access rights for
365
335
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC,
366
336
* %MAY_NOT_BLOCK ...)
···
374
342
* generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
375
343
* request cannot be satisfied (eg. requires blocking or too much complexity).
376
344
* It would then be called again in ref-walk mode.
345
+
*
346
+
* If the inode has been found through an idmapped mount the user namespace of
347
+
* the vfsmount must be passed through @mnt_userns. This function will then take
348
+
* care to map the inode according to @mnt_userns before checking permissions.
349
+
* On non-idmapped mounts or if permission checking is to be performed on the
350
+
* raw inode simply passs init_user_ns.
377
351
*/
378
-
int generic_permission(struct inode *inode, int mask)
352
+
int generic_permission(struct user_namespace *mnt_userns, struct inode *inode,
353
+
int mask)
379
354
{
380
355
int ret;
381
356
382
357
/*
383
358
* Do the basic permission checks.
384
359
*/
385
-
ret = acl_permission_check(inode, mask);
360
+
ret = acl_permission_check(mnt_userns, inode, mask);
386
361
if (ret != -EACCES)
387
362
return ret;
388
363
389
364
if (S_ISDIR(inode->i_mode)) {
390
365
/* DACs are overridable for directories */
391
366
if (!(mask & MAY_WRITE))
392
-
if (capable_wrt_inode_uidgid(&init_user_ns, inode,
367
+
if (capable_wrt_inode_uidgid(mnt_userns, inode,
393
368
CAP_DAC_READ_SEARCH))
394
369
return 0;
395
-
if (capable_wrt_inode_uidgid(&init_user_ns, inode,
370
+
if (capable_wrt_inode_uidgid(mnt_userns, inode,
396
371
CAP_DAC_OVERRIDE))
397
372
return 0;
398
373
return -EACCES;
···
410
371
*/
411
372
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
412
373
if (mask == MAY_READ)
413
-
if (capable_wrt_inode_uidgid(&init_user_ns, inode,
374
+
if (capable_wrt_inode_uidgid(mnt_userns, inode,
414
375
CAP_DAC_READ_SEARCH))
415
376
return 0;
416
377
/*
···
419
380
* at least one exec bit set.
420
381
*/
421
382
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
422
-
if (capable_wrt_inode_uidgid(&init_user_ns, inode,
383
+
if (capable_wrt_inode_uidgid(mnt_userns, inode,
423
384
CAP_DAC_OVERRIDE))
424
385
return 0;
425
386
···
427
388
}
428
389
EXPORT_SYMBOL(generic_permission);
429
390
430
-
/*
391
+
/**
392
+
* do_inode_permission - UNIX permission checking
393
+
* @mnt_userns: user namespace of the mount the inode was found from
394
+
* @inode: inode to check permissions on
395
+
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
396
+
*
431
397
* We _really_ want to just do "generic_permission()" without
432
398
* even looking at the inode->i_op values. So we keep a cache
433
399
* flag in inode->i_opflags, that says "this has not special
434
400
* permission function, use the fast case".
435
401
*/
436
-
static inline int do_inode_permission(struct inode *inode, int mask)
402
+
static inline int do_inode_permission(struct user_namespace *mnt_userns,
403
+
struct inode *inode, int mask)
437
404
{
438
405
if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
439
406
if (likely(inode->i_op->permission))
···
450
405
inode->i_opflags |= IOP_FASTPERM;
451
406
spin_unlock(&inode->i_lock);
452
407
}
453
-
return generic_permission(inode, mask);
408
+
return generic_permission(mnt_userns, inode, mask);
454
409
}
455
410
456
411
/**
···
475
430
476
431
/**
477
432
* inode_permission - Check for access rights to a given inode
478
-
* @inode: Inode to check permission on
479
-
* @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
433
+
* @mnt_userns: User namespace of the mount the inode was found from
434
+
* @inode: Inode to check permission on
435
+
* @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
480
436
*
481
437
* Check for read/write/execute permissions on an inode. We use fs[ug]id for
482
438
* this, letting us set arbitrary permissions for filesystem access without
···
485
439
*
486
440
* When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
487
441
*/
488
-
int inode_permission(struct inode *inode, int mask)
442
+
int inode_permission(struct user_namespace *mnt_userns,
443
+
struct inode *inode, int mask)
489
444
{
490
445
int retval;
491
446
···
510
463
return -EACCES;
511
464
}
512
465
513
-
retval = do_inode_permission(inode, mask);
466
+
retval = do_inode_permission(mnt_userns, inode, mask);
514
467
if (retval)
515
468
return retval;
516
469
···
1056
1009
return false;
1057
1010
1058
1011
/* Hardlinking to unreadable or unwritable sources is dangerous. */
1059
-
if (inode_permission(inode, MAY_READ | MAY_WRITE))
1012
+
if (inode_permission(&init_user_ns, inode, MAY_READ | MAY_WRITE))
1060
1013
return false;
1061
1014
1062
1015
return true;
···
1616
1569
static inline int may_lookup(struct nameidata *nd)
1617
1570
{
1618
1571
if (nd->flags & LOOKUP_RCU) {
1619
-
int err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
1572
+
int err = inode_permission(&init_user_ns, nd->inode,
1573
+
MAY_EXEC | MAY_NOT_BLOCK);
1620
1574
if (err != -ECHILD)
1621
1575
return err;
1622
1576
if (unlazy_walk(nd))
1623
1577
return -ECHILD;
1624
1578
}
1625
-
return inode_permission(nd->inode, MAY_EXEC);
1579
+
return inode_permission(&init_user_ns, nd->inode, MAY_EXEC);
1626
1580
}
1627
1581
1628
1582
static int reserve_stack(struct nameidata *nd, struct path *link, unsigned seq)
···
2557
2509
return err;
2558
2510
}
2559
2511
2560
-
return inode_permission(base->d_inode, MAY_EXEC);
2512
+
return inode_permission(&init_user_ns, base->d_inode, MAY_EXEC);
2561
2513
}
2562
2514
2563
2515
/**
···
2751
2703
2752
2704
audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
2753
2705
2754
-
error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
2706
+
error = inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
2755
2707
if (error)
2756
2708
return error;
2757
2709
if (IS_APPEND(dir))
···
2795
2747
if (!kuid_has_mapping(s_user_ns, current_fsuid()) ||
2796
2748
!kgid_has_mapping(s_user_ns, current_fsgid()))
2797
2749
return -EOVERFLOW;
2798
-
return inode_permission(dir, MAY_WRITE | MAY_EXEC);
2750
+
return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
2799
2751
}
2800
2752
2801
2753
/*
···
2925
2877
break;
2926
2878
}
2927
2879
2928
-
error = inode_permission(inode, MAY_OPEN | acc_mode);
2880
+
error = inode_permission(&init_user_ns, inode, MAY_OPEN | acc_mode);
2929
2881
if (error)
2930
2882
return error;
2931
2883
···
2987
2939
!kgid_has_mapping(s_user_ns, current_fsgid()))
2988
2940
return -EOVERFLOW;
2989
2941
2990
-
error = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);
2942
+
error = inode_permission(&init_user_ns, dir->dentry->d_inode,
2943
+
MAY_WRITE | MAY_EXEC);
2991
2944
if (error)
2992
2945
return error;
2993
2946
···
3325
3276
int error;
3326
3277
3327
3278
/* we want directory to be writable */
3328
-
error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
3279
+
error = inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
3329
3280
if (error)
3330
3281
goto out_err;
3331
3282
error = -EOPNOTSUPP;
···
4316
4267
*/
4317
4268
if (new_dir != old_dir) {
4318
4269
if (is_dir) {
4319
-
error = inode_permission(source, MAY_WRITE);
4270
+
error = inode_permission(&init_user_ns, source,
4271
+
MAY_WRITE);
4320
4272
if (error)
4321
4273
return error;
4322
4274
}
4323
4275
if ((flags & RENAME_EXCHANGE) && new_is_dir) {
4324
-
error = inode_permission(target, MAY_WRITE);
4276
+
error = inode_permission(&init_user_ns, target,
4277
+
MAY_WRITE);
4325
4278
if (error)
4326
4279
return error;
4327
4280
}
+1
-1
fs/nfs/dir.c
+1
-1
fs/nfs/dir.c
+2
-1
fs/nfsd/nfsfh.c
+2
-1
fs/nfsd/nfsfh.c
+3
-2
fs/nfsd/vfs.c
+3
-2
fs/nfsd/vfs.c
···
2391
2391
return 0;
2392
2392
2393
2393
/* This assumes NFSD_MAY_{READ,WRITE,EXEC} == MAY_{READ,WRITE,EXEC} */
2394
-
err = inode_permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC));
2394
+
err = inode_permission(&init_user_ns, inode,
2395
+
acc & (MAY_READ | MAY_WRITE | MAY_EXEC));
2395
2396
2396
2397
/* Allow read access to binaries even when mode 111 */
2397
2398
if (err == -EACCES && S_ISREG(inode->i_mode) &&
2398
2399
(acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE) ||
2399
2400
acc == (NFSD_MAY_READ | NFSD_MAY_READ_IF_EXEC)))
2400
-
err = inode_permission(inode, MAY_EXEC);
2401
+
err = inode_permission(&init_user_ns, inode, MAY_EXEC);
2401
2402
2402
2403
return err? nfserrno(err) : 0;
2403
2404
}
+1
-1
fs/nilfs2/inode.c
+1
-1
fs/nilfs2/inode.c
···
851
851
root->cno != NILFS_CPTREE_CURRENT_CNO)
852
852
return -EROFS; /* snapshot is not writable */
853
853
854
-
return generic_permission(inode, mask);
854
+
return generic_permission(&init_user_ns, inode, mask);
855
855
}
856
856
857
857
int nilfs_load_inode_block(struct inode *inode, struct buffer_head **pbh)
+1
-1
fs/ocfs2/file.c
+1
-1
fs/ocfs2/file.c
+2
-2
fs/ocfs2/refcounttree.c
+2
-2
fs/ocfs2/refcounttree.c
···
4346
4346
return -EEXIST;
4347
4347
if (IS_DEADDIR(dir))
4348
4348
return -ENOENT;
4349
-
return inode_permission(dir, MAY_WRITE | MAY_EXEC);
4349
+
return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
4350
4350
}
4351
4351
4352
4352
/**
···
4400
4400
* file.
4401
4401
*/
4402
4402
if (!preserve) {
4403
-
error = inode_permission(inode, MAY_READ);
4403
+
error = inode_permission(&init_user_ns, inode, MAY_READ);
4404
4404
if (error)
4405
4405
return error;
4406
4406
}
+2
-2
fs/open.c
+2
-2
fs/open.c
···
83
83
if (error)
84
84
goto out;
85
85
86
-
error = inode_permission(inode, MAY_WRITE);
86
+
error = inode_permission(&init_user_ns, inode, MAY_WRITE);
87
87
if (error)
88
88
goto mnt_drop_write_and_out;
89
89
···
436
436
goto out_path_release;
437
437
}
438
438
439
-
res = inode_permission(inode, mode | MAY_ACCESS);
439
+
res = inode_permission(&init_user_ns, inode, mode | MAY_ACCESS);
440
440
/* SuS v2 requires we report a read only fs too */
441
441
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
442
442
goto out_path_release;
+1
-1
fs/orangefs/inode.c
+1
-1
fs/orangefs/inode.c
+1
-1
fs/overlayfs/file.c
+1
-1
fs/overlayfs/file.c
+2
-2
fs/overlayfs/inode.c
+2
-2
fs/overlayfs/inode.c
···
294
294
* Check overlay inode with the creds of task and underlying inode
295
295
* with creds of mounter
296
296
*/
297
-
err = generic_permission(inode, mask);
297
+
err = generic_permission(&init_user_ns, inode, mask);
298
298
if (err)
299
299
return err;
300
300
···
305
305
/* Make sure mounter can read file for copy up later */
306
306
mask |= MAY_READ;
307
307
}
308
-
err = inode_permission(realinode, mask);
308
+
err = inode_permission(&init_user_ns, realinode, mask);
309
309
revert_creds(old_cred);
310
310
311
311
return err;
+1
-1
fs/overlayfs/util.c
+1
-1
fs/overlayfs/util.c
+12
-5
fs/posix_acl.c
+12
-5
fs/posix_acl.c
···
345
345
* by the acl. Returns -E... otherwise.
346
346
*/
347
347
int
348
-
posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
348
+
posix_acl_permission(struct user_namespace *mnt_userns, struct inode *inode,
349
+
const struct posix_acl *acl, int want)
349
350
{
350
351
const struct posix_acl_entry *pa, *pe, *mask_obj;
351
352
int found = 0;
353
+
kuid_t uid;
354
+
kgid_t gid;
352
355
353
356
want &= MAY_READ | MAY_WRITE | MAY_EXEC;
354
357
···
359
356
switch(pa->e_tag) {
360
357
case ACL_USER_OBJ:
361
358
/* (May have been checked already) */
362
-
if (uid_eq(inode->i_uid, current_fsuid()))
359
+
uid = i_uid_into_mnt(mnt_userns, inode);
360
+
if (uid_eq(uid, current_fsuid()))
363
361
goto check_perm;
364
362
break;
365
363
case ACL_USER:
366
-
if (uid_eq(pa->e_uid, current_fsuid()))
364
+
uid = kuid_into_mnt(mnt_userns, pa->e_uid);
365
+
if (uid_eq(uid, current_fsuid()))
367
366
goto mask;
368
367
break;
369
368
case ACL_GROUP_OBJ:
370
-
if (in_group_p(inode->i_gid)) {
369
+
gid = i_gid_into_mnt(mnt_userns, inode);
370
+
if (in_group_p(gid)) {
371
371
found = 1;
372
372
if ((pa->e_perm & want) == want)
373
373
goto mask;
374
374
}
375
375
break;
376
376
case ACL_GROUP:
377
-
if (in_group_p(pa->e_gid)) {
377
+
gid = kgid_into_mnt(mnt_userns, pa->e_gid);
378
+
if (in_group_p(gid)) {
378
379
found = 1;
379
380
if ((pa->e_perm & want) == want)
380
381
goto mask;
+2
-2
fs/proc/base.c
+2
-2
fs/proc/base.c
···
751
751
752
752
return -EPERM;
753
753
}
754
-
return generic_permission(inode, mask);
754
+
return generic_permission(&init_user_ns, inode, mask);
755
755
}
756
756
757
757
···
3492
3492
return 0;
3493
3493
}
3494
3494
3495
-
return generic_permission(inode, mask);
3495
+
return generic_permission(&init_user_ns, inode, mask);
3496
3496
}
3497
3497
3498
3498
static const struct inode_operations proc_tid_comm_inode_operations = {
+1
-1
fs/proc/fd.c
+1
-1
fs/proc/fd.c
+1
-1
fs/reiserfs/xattr.c
+1
-1
fs/reiserfs/xattr.c
+1
-1
fs/remap_range.c
+1
-1
fs/remap_range.c
+1
-1
fs/xattr.c
+1
-1
fs/xattr.c
+6
-4
include/linux/fs.h
+6
-4
include/linux/fs.h
···
2810
2810
#endif
2811
2811
2812
2812
extern int notify_change(struct dentry *, struct iattr *, struct inode **);
2813
-
extern int inode_permission(struct inode *, int);
2814
-
extern int generic_permission(struct inode *, int);
2813
+
int inode_permission(struct user_namespace *, struct inode *, int);
2814
+
int generic_permission(struct user_namespace *, struct inode *, int);
2815
2815
static inline int file_permission(struct file *file, int mask)
2816
2816
{
2817
-
return inode_permission(file_inode(file), mask);
2817
+
return inode_permission(file_mnt_user_ns(file),
2818
+
file_inode(file), mask);
2818
2819
}
2819
2820
static inline int path_permission(const struct path *path, int mask)
2820
2821
{
2821
-
return inode_permission(d_inode(path->dentry), mask);
2822
+
return inode_permission(mnt_user_ns(path->mnt),
2823
+
d_inode(path->dentry), mask);
2822
2824
}
2823
2825
extern int __check_sticky(struct inode *dir, struct inode *inode);
2824
2826
+5
-2
include/linux/posix_acl.h
+5
-2
include/linux/posix_acl.h
···
15
15
#include <linux/refcount.h>
16
16
#include <uapi/linux/posix_acl.h>
17
17
18
+
struct user_namespace;
19
+
18
20
struct posix_acl_entry {
19
21
short e_tag;
20
22
unsigned short e_perm;
···
63
61
64
62
extern void posix_acl_init(struct posix_acl *, int);
65
63
extern struct posix_acl *posix_acl_alloc(int, gfp_t);
66
-
extern int posix_acl_valid(struct user_namespace *, const struct posix_acl *);
67
-
extern int posix_acl_permission(struct inode *, const struct posix_acl *, int);
68
64
extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
69
65
extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
70
66
extern int __posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
···
85
85
void set_cached_acl(struct inode *inode, int type, struct posix_acl *acl);
86
86
void forget_cached_acl(struct inode *inode, int type);
87
87
void forget_all_cached_acls(struct inode *inode);
88
+
int posix_acl_valid(struct user_namespace *, const struct posix_acl *);
89
+
int posix_acl_permission(struct user_namespace *, struct inode *,
90
+
const struct posix_acl *, int);
88
91
89
92
static inline void cache_no_acl(struct inode *inode)
90
93
{
+1
-1
ipc/mqueue.c
+1
-1
ipc/mqueue.c
···
873
873
if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY))
874
874
return -EINVAL;
875
875
acc = oflag2acc[oflag & O_ACCMODE];
876
-
return inode_permission(d_inode(dentry), acc);
876
+
return inode_permission(&init_user_ns, d_inode(dentry), acc);
877
877
}
878
878
879
879
static int do_mq_open(const char __user *u_name, int oflag, umode_t mode,
+1
-1
kernel/bpf/inode.c
+1
-1
kernel/bpf/inode.c
···
558
558
static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type)
559
559
{
560
560
struct bpf_prog *prog;
561
-
int ret = inode_permission(inode, MAY_READ);
561
+
int ret = inode_permission(&init_user_ns, inode, MAY_READ);
562
562
if (ret)
563
563
return ERR_PTR(ret);
564
564