tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
acl: handle idmapped mounts
The posix acl permission checking helpers determine whether a caller is
privileged over an inode according to the acls associated with the
inode. Add helpers that make it possible to handle acls on idmapped
mounts.
The vfs and the filesystems targeted by this first iteration make use of
posix_acl_fix_xattr_from_user() and posix_acl_fix_xattr_to_user() to
translate basic posix access and default permissions such as the
ACL_USER and ACL_GROUP type according to the initial user namespace (or
the superblock's user namespace) to and from the caller's current user
namespace. Adapt these two helpers to handle idmapped mounts whereby we
either map from or into the mount's user namespace depending on in which
direction we're translating.
Similarly, cap_convert_nscap() is used by the vfs to translate user
namespace and non-user namespace aware filesystem capabilities from the
superblock's user namespace to the caller's user namespace. Enable it to
handle idmapped mounts by accounting for the mount's user namespace.
In addition the fileystems targeted in the first iteration of this patch
series make use of the posix_acl_chmod() and, posix_acl_update_mode()
helpers. Both helpers perform permission checks on the target inode. Let
them handle idmapped mounts. These two helpers are called when posix
acls are set by the respective filesystems to handle this case we extend
the ->set() method to take an additional user namespace argument to pass
the mount's user namespace down.
Link: https://lore.kernel.org/r/20210121131959.646623-9-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+238
-85
+4
-3
Documentation/filesystems/locking.rst
+4
-3
Documentation/filesystems/locking.rst
···
126
126
int (*get)(const struct xattr_handler *handler, struct dentry *dentry,
127
127
struct inode *inode, const char *name, void *buffer,
128
128
size_t size);
129
-
int (*set)(const struct xattr_handler *handler, struct dentry *dentry,
130
-
struct inode *inode, const char *name, const void *buffer,
131
-
size_t size, int flags);
129
+
int (*set)(const struct xattr_handler *handler,
130
+
struct user_namespace *mnt_userns,
131
+
struct dentry *dentry, struct inode *inode, const char *name,
132
+
const void *buffer, size_t size, int flags);
132
133
133
134
locking rules:
134
135
all may block
+2
Documentation/filesystems/porting.rst
+2
Documentation/filesystems/porting.rst
···
717
717
**mandatory**
718
718
719
719
->setxattr() and xattr_handler.set() get dentry and inode passed separately.
720
+
The xattr_handler.set() gets passed the user namespace of the mount the inode
721
+
is seen from so filesystems can idmap the i_uid and i_gid accordingly.
720
722
dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
721
723
in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
722
724
called before we attach dentry to inode and !@#!@##!@$!$#!@#$!@$!@$ smack
+3
-1
fs/9p/acl.c
+3
-1
fs/9p/acl.c
···
239
239
}
240
240
241
241
static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
242
+
struct user_namespace *mnt_userns,
242
243
struct dentry *dentry, struct inode *inode,
243
244
const char *name, const void *value,
244
245
size_t size, int flags)
···
280
279
struct iattr iattr = { 0 };
281
280
struct posix_acl *old_acl = acl;
282
281
283
-
retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
282
+
retval = posix_acl_update_mode(mnt_userns, inode,
283
+
&iattr.ia_mode, &acl);
284
284
if (retval)
285
285
goto err_out;
286
286
if (!acl) {
+1
fs/9p/xattr.c
+1
fs/9p/xattr.c
+2
fs/afs/xattr.c
+2
fs/afs/xattr.c
···
120
120
* Set a file's AFS3 ACL.
121
121
*/
122
122
static int afs_xattr_set_acl(const struct xattr_handler *handler,
123
+
struct user_namespace *mnt_userns,
123
124
struct dentry *dentry,
124
125
struct inode *inode, const char *name,
125
126
const void *buffer, size_t size, int flags)
···
249
248
* Set a file's YFS ACL.
250
249
*/
251
250
static int afs_xattr_set_yfs(const struct xattr_handler *handler,
251
+
struct user_namespace *mnt_userns,
252
252
struct dentry *dentry,
253
253
struct inode *inode, const char *name,
254
254
const void *buffer, size_t size, int flags)
+2
-1
fs/btrfs/acl.c
+2
-1
fs/btrfs/acl.c
+2
-1
fs/btrfs/inode.c
+2
-1
fs/btrfs/inode.c
+2
fs/btrfs/xattr.c
+2
fs/btrfs/xattr.c
···
362
362
}
363
363
364
364
static int btrfs_xattr_handler_set(const struct xattr_handler *handler,
365
+
struct user_namespace *mnt_userns,
365
366
struct dentry *unused, struct inode *inode,
366
367
const char *name, const void *buffer,
367
368
size_t size, int flags)
···
372
371
}
373
372
374
373
static int btrfs_xattr_handler_set_prop(const struct xattr_handler *handler,
374
+
struct user_namespace *mnt_userns,
375
375
struct dentry *unused, struct inode *inode,
376
376
const char *name, const void *value,
377
377
size_t size, int flags)
+2
-1
fs/ceph/acl.c
+2
-1
fs/ceph/acl.c
+1
-1
fs/ceph/inode.c
+1
-1
fs/ceph/inode.c
+1
fs/ceph/xattr.c
+1
fs/ceph/xattr.c
+1
fs/cifs/xattr.c
+1
fs/cifs/xattr.c
+1
fs/ecryptfs/inode.c
+1
fs/ecryptfs/inode.c
+2
-1
fs/ext2/acl.c
+2
-1
fs/ext2/acl.c
+1
-1
fs/ext2/inode.c
+1
-1
fs/ext2/inode.c
···
1691
1691
}
1692
1692
setattr_copy(&init_user_ns, inode, iattr);
1693
1693
if (iattr->ia_valid & ATTR_MODE)
1694
-
error = posix_acl_chmod(inode, inode->i_mode);
1694
+
error = posix_acl_chmod(&init_user_ns, inode, inode->i_mode);
1695
1695
mark_inode_dirty(inode);
1696
1696
1697
1697
return error;
+1
fs/ext2/xattr_security.c
+1
fs/ext2/xattr_security.c
+1
fs/ext2/xattr_trusted.c
+1
fs/ext2/xattr_trusted.c
+1
fs/ext2/xattr_user.c
+1
fs/ext2/xattr_user.c
+2
-1
fs/ext4/acl.c
+2
-1
fs/ext4/acl.c
···
245
245
ext4_fc_start_update(inode);
246
246
247
247
if ((type == ACL_TYPE_ACCESS) && acl) {
248
-
error = posix_acl_update_mode(inode, &mode, &acl);
248
+
error = posix_acl_update_mode(&init_user_ns, inode, &mode,
249
+
&acl);
249
250
if (error)
250
251
goto out_stop;
251
252
if (mode != inode->i_mode)
+1
-1
fs/ext4/inode.c
+1
-1
fs/ext4/inode.c
+1
fs/ext4/xattr_hurd.c
+1
fs/ext4/xattr_hurd.c
+1
fs/ext4/xattr_security.c
+1
fs/ext4/xattr_security.c
+1
fs/ext4/xattr_trusted.c
+1
fs/ext4/xattr_trusted.c
+1
fs/ext4/xattr_user.c
+1
fs/ext4/xattr_user.c
+2
-1
fs/f2fs/acl.c
+2
-1
fs/f2fs/acl.c
···
213
213
case ACL_TYPE_ACCESS:
214
214
name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
215
215
if (acl && !ipage) {
216
-
error = posix_acl_update_mode(inode, &mode, &acl);
216
+
error = posix_acl_update_mode(&init_user_ns, inode,
217
+
&mode, &acl);
217
218
if (error)
218
219
return error;
219
220
set_acl_inode(inode, mode);
+4
-3
fs/f2fs/file.c
+4
-3
fs/f2fs/file.c
···
831
831
}
832
832
833
833
#ifdef CONFIG_F2FS_FS_POSIX_ACL
834
-
static void __setattr_copy(struct user_namespace *mnt_userns, struct inode *inode,
835
-
const struct iattr *attr)
834
+
static void __setattr_copy(struct user_namespace *mnt_userns,
835
+
struct inode *inode, const struct iattr *attr)
836
836
{
837
837
unsigned int ia_valid = attr->ia_valid;
838
838
···
950
950
__setattr_copy(&init_user_ns, inode, attr);
951
951
952
952
if (attr->ia_valid & ATTR_MODE) {
953
-
err = posix_acl_chmod(inode, f2fs_get_inode_mode(inode));
953
+
err = posix_acl_chmod(&init_user_ns, inode,
954
+
f2fs_get_inode_mode(inode));
954
955
if (err || is_inode_flag_set(inode, FI_ACL_MODE)) {
955
956
inode->i_mode = F2FS_I(inode)->i_acl_mode;
956
957
clear_inode_flag(inode, FI_ACL_MODE);
+2
fs/f2fs/xattr.c
+2
fs/f2fs/xattr.c
···
64
64
}
65
65
66
66
static int f2fs_xattr_generic_set(const struct xattr_handler *handler,
67
+
struct user_namespace *mnt_userns,
67
68
struct dentry *unused, struct inode *inode,
68
69
const char *name, const void *value,
69
70
size_t size, int flags)
···
108
107
}
109
108
110
109
static int f2fs_xattr_advise_set(const struct xattr_handler *handler,
110
+
struct user_namespace *mnt_userns,
111
111
struct dentry *unused, struct inode *inode,
112
112
const char *name, const void *value,
113
113
size_t size, int flags)
+2
fs/fuse/xattr.c
+2
fs/fuse/xattr.c
···
188
188
}
189
189
190
190
static int fuse_xattr_set(const struct xattr_handler *handler,
191
+
struct user_namespace *mnt_userns,
191
192
struct dentry *dentry, struct inode *inode,
192
193
const char *name, const void *value, size_t size,
193
194
int flags)
···
215
214
}
216
215
217
216
static int no_xattr_set(const struct xattr_handler *handler,
217
+
struct user_namespace *mnt_userns,
218
218
struct dentry *dentry, struct inode *nodee,
219
219
const char *name, const void *value,
220
220
size_t size, int flags)
+1
-1
fs/gfs2/acl.c
+1
-1
fs/gfs2/acl.c
+2
-1
fs/gfs2/inode.c
+2
-1
fs/gfs2/inode.c
+1
fs/gfs2/xattr.c
+1
fs/gfs2/xattr.c
+1
fs/hfs/attr.c
+1
fs/hfs/attr.c
+1
fs/hfsplus/xattr.c
+1
fs/hfsplus/xattr.c
+1
fs/hfsplus/xattr_security.c
+1
fs/hfsplus/xattr_security.c
+1
fs/hfsplus/xattr_trusted.c
+1
fs/hfsplus/xattr_trusted.c
+1
fs/hfsplus/xattr_user.c
+1
fs/hfsplus/xattr_user.c
+2
-1
fs/jffs2/acl.c
+2
-1
fs/jffs2/acl.c
+1
-1
fs/jffs2/fs.c
+1
-1
fs/jffs2/fs.c
+1
fs/jffs2/security.c
+1
fs/jffs2/security.c
+1
fs/jffs2/xattr_trusted.c
+1
fs/jffs2/xattr_trusted.c
+1
fs/jffs2/xattr_user.c
+1
fs/jffs2/xattr_user.c
+1
-1
fs/jfs/acl.c
+1
-1
fs/jfs/acl.c
···
101
101
tid = txBegin(inode->i_sb, 0);
102
102
mutex_lock(&JFS_IP(inode)->commit_mutex);
103
103
if (type == ACL_TYPE_ACCESS && acl) {
104
-
rc = posix_acl_update_mode(inode, &mode, &acl);
104
+
rc = posix_acl_update_mode(&init_user_ns, inode, &mode, &acl);
105
105
if (rc)
106
106
goto end_tx;
107
107
if (mode != inode->i_mode)
+1
-1
fs/jfs/file.c
+1
-1
fs/jfs/file.c
+2
fs/jfs/xattr.c
+2
fs/jfs/xattr.c
···
932
932
}
933
933
934
934
static int jfs_xattr_set(const struct xattr_handler *handler,
935
+
struct user_namespace *mnt_userns,
935
936
struct dentry *unused, struct inode *inode,
936
937
const char *name, const void *value,
937
938
size_t size, int flags)
···
951
950
}
952
951
953
952
static int jfs_xattr_set_os2(const struct xattr_handler *handler,
953
+
struct user_namespace *mnt_userns,
954
954
struct dentry *unused, struct inode *inode,
955
955
const char *name, const void *value,
956
956
size_t size, int flags)
+2
fs/kernfs/inode.c
+2
fs/kernfs/inode.c
···
319
319
}
320
320
321
321
static int kernfs_vfs_xattr_set(const struct xattr_handler *handler,
322
+
struct user_namespace *mnt_userns,
322
323
struct dentry *unused, struct inode *inode,
323
324
const char *suffix, const void *value,
324
325
size_t size, int flags)
···
386
385
}
387
386
388
387
static int kernfs_vfs_user_xattr_set(const struct xattr_handler *handler,
388
+
struct user_namespace *mnt_userns,
389
389
struct dentry *unused, struct inode *inode,
390
390
const char *suffix, const void *value,
391
391
size_t size, int flags)
+3
fs/nfs/nfs4proc.c
+3
fs/nfs/nfs4proc.c
···
7491
7491
#define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
7492
7492
7493
7493
static int nfs4_xattr_set_nfs4_acl(const struct xattr_handler *handler,
7494
+
struct user_namespace *mnt_userns,
7494
7495
struct dentry *unused, struct inode *inode,
7495
7496
const char *key, const void *buf,
7496
7497
size_t buflen, int flags)
···
7514
7513
#ifdef CONFIG_NFS_V4_SECURITY_LABEL
7515
7514
7516
7515
static int nfs4_xattr_set_nfs4_label(const struct xattr_handler *handler,
7516
+
struct user_namespace *mnt_userns,
7517
7517
struct dentry *unused, struct inode *inode,
7518
7518
const char *key, const void *buf,
7519
7519
size_t buflen, int flags)
···
7565
7563
7566
7564
#ifdef CONFIG_NFS_V4_2
7567
7565
static int nfs4_xattr_set_nfs4_user(const struct xattr_handler *handler,
7566
+
struct user_namespace *mnt_userns,
7568
7567
struct dentry *unused, struct inode *inode,
7569
7568
const char *key, const void *buf,
7570
7569
size_t buflen, int flags)
+4
-2
fs/nfsd/nfs2acl.c
+4
-2
fs/nfsd/nfs2acl.c
···
113
113
114
114
fh_lock(fh);
115
115
116
-
error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
116
+
error = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS,
117
+
argp->acl_access);
117
118
if (error)
118
119
goto out_drop_lock;
119
-
error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
120
+
error = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
121
+
argp->acl_default);
120
122
if (error)
121
123
goto out_drop_lock;
122
124
+4
-2
fs/nfsd/nfs3acl.c
+4
-2
fs/nfsd/nfs3acl.c
···
103
103
104
104
fh_lock(fh);
105
105
106
-
error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
106
+
error = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS,
107
+
argp->acl_access);
107
108
if (error)
108
109
goto out_drop_lock;
109
-
error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
110
+
error = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
111
+
argp->acl_default);
110
112
111
113
out_drop_lock:
112
114
fh_unlock(fh);
+3
-2
fs/nfsd/nfs4acl.c
+3
-2
fs/nfsd/nfs4acl.c
···
781
781
782
782
fh_lock(fhp);
783
783
784
-
host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
784
+
host_error = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS, pacl);
785
785
if (host_error < 0)
786
786
goto out_drop_lock;
787
787
788
788
if (S_ISDIR(inode->i_mode)) {
789
-
host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
789
+
host_error = set_posix_acl(&init_user_ns, inode,
790
+
ACL_TYPE_DEFAULT, dpacl);
790
791
}
791
792
792
793
out_drop_lock:
+2
-1
fs/ocfs2/acl.c
+2
-1
fs/ocfs2/acl.c
+3
fs/ocfs2/xattr.c
+3
fs/ocfs2/xattr.c
···
7249
7249
}
7250
7250
7251
7251
static int ocfs2_xattr_security_set(const struct xattr_handler *handler,
7252
+
struct user_namespace *mnt_userns,
7252
7253
struct dentry *unused, struct inode *inode,
7253
7254
const char *name, const void *value,
7254
7255
size_t size, int flags)
···
7322
7321
}
7323
7322
7324
7323
static int ocfs2_xattr_trusted_set(const struct xattr_handler *handler,
7324
+
struct user_namespace *mnt_userns,
7325
7325
struct dentry *unused, struct inode *inode,
7326
7326
const char *name, const void *value,
7327
7327
size_t size, int flags)
···
7353
7351
}
7354
7352
7355
7353
static int ocfs2_xattr_user_set(const struct xattr_handler *handler,
7354
+
struct user_namespace *mnt_userns,
7356
7355
struct dentry *unused, struct inode *inode,
7357
7356
const char *name, const void *value,
7358
7357
size_t size, int flags)
+2
-1
fs/orangefs/acl.c
+2
-1
fs/orangefs/acl.c
···
132
132
* and "mode" to the new desired value. It is up to
133
133
* us to propagate the new mode back to the server...
134
134
*/
135
-
error = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
135
+
error = posix_acl_update_mode(&init_user_ns, inode,
136
+
&iattr.ia_mode, &acl);
136
137
if (error) {
137
138
gossip_err("%s: posix_acl_update_mode err: %d\n",
138
139
__func__,
+1
-1
fs/orangefs/inode.c
+1
-1
fs/orangefs/inode.c
+1
fs/orangefs/xattr.c
+1
fs/orangefs/xattr.c
+3
fs/overlayfs/super.c
+3
fs/overlayfs/super.c
···
980
980
981
981
static int __maybe_unused
982
982
ovl_posix_acl_xattr_set(const struct xattr_handler *handler,
983
+
struct user_namespace *mnt_userns,
983
984
struct dentry *dentry, struct inode *inode,
984
985
const char *name, const void *value,
985
986
size_t size, int flags)
···
1045
1044
}
1046
1045
1047
1046
static int ovl_own_xattr_set(const struct xattr_handler *handler,
1047
+
struct user_namespace *mnt_userns,
1048
1048
struct dentry *dentry, struct inode *inode,
1049
1049
const char *name, const void *value,
1050
1050
size_t size, int flags)
···
1061
1059
}
1062
1060
1063
1061
static int ovl_other_xattr_set(const struct xattr_handler *handler,
1062
+
struct user_namespace *mnt_userns,
1064
1063
struct dentry *dentry, struct inode *inode,
1065
1064
const char *name, const void *value,
1066
1065
size_t size, int flags)
+58
-21
fs/posix_acl.c
+58
-21
fs/posix_acl.c
···
558
558
}
559
559
EXPORT_SYMBOL(__posix_acl_chmod);
560
560
561
+
/**
562
+
* posix_acl_chmod - chmod a posix acl
563
+
*
564
+
* @mnt_userns: user namespace of the mount @inode was found from
565
+
* @inode: inode to check permissions on
566
+
* @mode: the new mode of @inode
567
+
*
568
+
* If the inode has been found through an idmapped mount the user namespace of
569
+
* the vfsmount must be passed through @mnt_userns. This function will then
570
+
* take care to map the inode according to @mnt_userns before checking
571
+
* permissions. On non-idmapped mounts or if permission checking is to be
572
+
* performed on the raw inode simply passs init_user_ns.
573
+
*/
561
574
int
562
-
posix_acl_chmod(struct inode *inode, umode_t mode)
575
+
posix_acl_chmod(struct user_namespace *mnt_userns, struct inode *inode,
576
+
umode_t mode)
563
577
{
564
578
struct posix_acl *acl;
565
579
int ret = 0;
···
652
638
653
639
/**
654
640
* posix_acl_update_mode - update mode in set_acl
655
-
* @inode: target inode
656
-
* @mode_p: mode (pointer) for update
657
-
* @acl: acl pointer
641
+
* @mnt_userns: user namespace of the mount @inode was found from
642
+
* @inode: target inode
643
+
* @mode_p: mode (pointer) for update
644
+
* @acl: acl pointer
658
645
*
659
646
* Update the file mode when setting an ACL: compute the new file permission
660
647
* bits based on the ACL. In addition, if the ACL is equivalent to the new
···
664
649
* As with chmod, clear the setgid bit if the caller is not in the owning group
665
650
* or capable of CAP_FSETID (see inode_change_ok).
666
651
*
652
+
* If the inode has been found through an idmapped mount the user namespace of
653
+
* the vfsmount must be passed through @mnt_userns. This function will then
654
+
* take care to map the inode according to @mnt_userns before checking
655
+
* permissions. On non-idmapped mounts or if permission checking is to be
656
+
* performed on the raw inode simply passs init_user_ns.
657
+
*
667
658
* Called from set_acl inode operations.
668
659
*/
669
-
int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
660
+
int posix_acl_update_mode(struct user_namespace *mnt_userns,
661
+
struct inode *inode, umode_t *mode_p,
670
662
struct posix_acl **acl)
671
663
{
672
664
umode_t mode = inode->i_mode;
···
684
662
return error;
685
663
if (error == 0)
686
664
*acl = NULL;
687
-
if (!in_group_p(inode->i_gid) &&
688
-
!capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
665
+
if (!in_group_p(i_gid_into_mnt(mnt_userns, inode)) &&
666
+
!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID))
689
667
mode &= ~S_ISGID;
690
668
*mode_p = mode;
691
669
return 0;
···
697
675
*/
698
676
static void posix_acl_fix_xattr_userns(
699
677
struct user_namespace *to, struct user_namespace *from,
700
-
void *value, size_t size)
678
+
struct user_namespace *mnt_userns,
679
+
void *value, size_t size, bool from_user)
701
680
{
702
681
struct posix_acl_xattr_header *header = value;
703
682
struct posix_acl_xattr_entry *entry = (void *)(header + 1), *end;
···
723
700
switch(le16_to_cpu(entry->e_tag)) {
724
701
case ACL_USER:
725
702
uid = make_kuid(from, le32_to_cpu(entry->e_id));
703
+
if (from_user)
704
+
uid = kuid_from_mnt(mnt_userns, uid);
705
+
else
706
+
uid = kuid_into_mnt(mnt_userns, uid);
726
707
entry->e_id = cpu_to_le32(from_kuid(to, uid));
727
708
break;
728
709
case ACL_GROUP:
729
710
gid = make_kgid(from, le32_to_cpu(entry->e_id));
711
+
if (from_user)
712
+
gid = kgid_from_mnt(mnt_userns, gid);
713
+
else
714
+
gid = kgid_into_mnt(mnt_userns, gid);
730
715
entry->e_id = cpu_to_le32(from_kgid(to, gid));
731
716
break;
732
717
default:
···
743
712
}
744
713
}
745
714
746
-
void posix_acl_fix_xattr_from_user(void *value, size_t size)
715
+
void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
716
+
void *value, size_t size)
747
717
{
748
718
struct user_namespace *user_ns = current_user_ns();
749
-
if (user_ns == &init_user_ns)
719
+
if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns))
750
720
return;
751
-
posix_acl_fix_xattr_userns(&init_user_ns, user_ns, value, size);
721
+
posix_acl_fix_xattr_userns(&init_user_ns, user_ns, mnt_userns, value,
722
+
size, true);
752
723
}
753
724
754
-
void posix_acl_fix_xattr_to_user(void *value, size_t size)
725
+
void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
726
+
void *value, size_t size)
755
727
{
756
728
struct user_namespace *user_ns = current_user_ns();
757
-
if (user_ns == &init_user_ns)
729
+
if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns))
758
730
return;
759
-
posix_acl_fix_xattr_userns(user_ns, &init_user_ns, value, size);
731
+
posix_acl_fix_xattr_userns(user_ns, &init_user_ns, mnt_userns, value,
732
+
size, false);
760
733
}
761
734
762
735
/*
···
900
865
}
901
866
902
867
int
903
-
set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
868
+
set_posix_acl(struct user_namespace *mnt_userns, struct inode *inode,
869
+
int type, struct posix_acl *acl)
904
870
{
905
871
if (!IS_POSIXACL(inode))
906
872
return -EOPNOTSUPP;
···
910
874
911
875
if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
912
876
return acl ? -EACCES : 0;
913
-
if (!inode_owner_or_capable(&init_user_ns, inode))
877
+
if (!inode_owner_or_capable(mnt_userns, inode))
914
878
return -EPERM;
915
879
916
880
if (acl) {
···
924
888
925
889
static int
926
890
posix_acl_xattr_set(const struct xattr_handler *handler,
927
-
struct dentry *unused, struct inode *inode,
928
-
const char *name, const void *value,
929
-
size_t size, int flags)
891
+
struct user_namespace *mnt_userns,
892
+
struct dentry *unused, struct inode *inode,
893
+
const char *name, const void *value, size_t size,
894
+
int flags)
930
895
{
931
896
struct posix_acl *acl = NULL;
932
897
int ret;
···
937
900
if (IS_ERR(acl))
938
901
return PTR_ERR(acl);
939
902
}
940
-
ret = set_posix_acl(inode, handler->flags, acl);
903
+
ret = set_posix_acl(mnt_userns, inode, handler->flags, acl);
941
904
posix_acl_release(acl);
942
905
return ret;
943
906
}
···
971
934
int error;
972
935
973
936
if (type == ACL_TYPE_ACCESS) {
974
-
error = posix_acl_update_mode(inode,
937
+
error = posix_acl_update_mode(&init_user_ns, inode,
975
938
&inode->i_mode, &acl);
976
939
if (error)
977
940
return error;
+3
-2
fs/reiserfs/xattr_acl.c
+3
-2
fs/reiserfs/xattr_acl.c
···
40
40
reiserfs_write_unlock(inode->i_sb);
41
41
if (error == 0) {
42
42
if (type == ACL_TYPE_ACCESS && acl) {
43
-
error = posix_acl_update_mode(inode, &mode, &acl);
43
+
error = posix_acl_update_mode(&init_user_ns, inode,
44
+
&mode, &acl);
44
45
if (error)
45
46
goto unlock;
46
47
update_mode = 1;
···
400
399
!reiserfs_posixacl(inode->i_sb))
401
400
return 0;
402
401
403
-
return posix_acl_chmod(inode, inode->i_mode);
402
+
return posix_acl_chmod(&init_user_ns, inode, inode->i_mode);
404
403
}
+2
-1
fs/reiserfs/xattr_security.c
+2
-1
fs/reiserfs/xattr_security.c
···
21
21
}
22
22
23
23
static int
24
-
security_set(const struct xattr_handler *handler, struct dentry *unused,
24
+
security_set(const struct xattr_handler *handler,
25
+
struct user_namespace *mnt_userns, struct dentry *unused,
25
26
struct inode *inode, const char *name, const void *buffer,
26
27
size_t size, int flags)
27
28
{
+2
-1
fs/reiserfs/xattr_trusted.c
+2
-1
fs/reiserfs/xattr_trusted.c
···
20
20
}
21
21
22
22
static int
23
-
trusted_set(const struct xattr_handler *handler, struct dentry *unused,
23
+
trusted_set(const struct xattr_handler *handler,
24
+
struct user_namespace *mnt_userns, struct dentry *unused,
24
25
struct inode *inode, const char *name, const void *buffer,
25
26
size_t size, int flags)
26
27
{
+2
-1
fs/reiserfs/xattr_user.c
+2
-1
fs/reiserfs/xattr_user.c
···
18
18
}
19
19
20
20
static int
21
-
user_set(const struct xattr_handler *handler, struct dentry *unused,
21
+
user_set(const struct xattr_handler *handler, struct user_namespace *mnt_userns,
22
+
struct dentry *unused,
22
23
struct inode *inode, const char *name, const void *buffer,
23
24
size_t size, int flags)
24
25
{
+1
fs/ubifs/xattr.c
+1
fs/ubifs/xattr.c
+9
-5
fs/xattr.c
+9
-5
fs/xattr.c
···
175
175
return -EOPNOTSUPP;
176
176
if (size == 0)
177
177
value = ""; /* empty EA, do not remove */
178
-
return handler->set(handler, dentry, inode, name, value, size, flags);
178
+
return handler->set(handler, &init_user_ns, dentry, inode, name, value,
179
+
size, flags);
179
180
}
180
181
EXPORT_SYMBOL(__vfs_setxattr);
181
182
···
282
281
int error;
283
282
284
283
if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
285
-
error = cap_convert_nscap(dentry, &value, size);
284
+
error = cap_convert_nscap(&init_user_ns, dentry, &value, size);
286
285
if (error < 0)
287
286
return error;
288
287
size = error;
···
451
450
return PTR_ERR(handler);
452
451
if (!handler->set)
453
452
return -EOPNOTSUPP;
454
-
return handler->set(handler, dentry, inode, name, NULL, 0, XATTR_REPLACE);
453
+
return handler->set(handler, &init_user_ns, dentry, inode, name, NULL,
454
+
0, XATTR_REPLACE);
455
455
}
456
456
EXPORT_SYMBOL(__vfs_removexattr);
457
457
···
550
548
}
551
549
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
552
550
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
553
-
posix_acl_fix_xattr_from_user(kvalue, size);
551
+
posix_acl_fix_xattr_from_user(&init_user_ns, kvalue,
552
+
size);
554
553
}
555
554
556
555
error = vfs_setxattr(d, kname, kvalue, size, flags);
···
645
642
if (error > 0) {
646
643
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
647
644
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
648
-
posix_acl_fix_xattr_to_user(kvalue, error);
645
+
posix_acl_fix_xattr_to_user(&init_user_ns, kvalue,
646
+
error);
649
647
if (size && copy_to_user(value, kvalue, error))
650
648
error = -EFAULT;
651
649
} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
+2
-1
fs/xfs/xfs_acl.c
+2
-1
fs/xfs/xfs_acl.c
+1
-1
fs/xfs/xfs_iops.c
+1
-1
fs/xfs/xfs_iops.c
+4
-3
fs/xfs/xfs_xattr.c
+4
-3
fs/xfs/xfs_xattr.c
···
38
38
}
39
39
40
40
static int
41
-
xfs_xattr_set(const struct xattr_handler *handler, struct dentry *unused,
42
-
struct inode *inode, const char *name, const void *value,
43
-
size_t size, int flags)
41
+
xfs_xattr_set(const struct xattr_handler *handler,
42
+
struct user_namespace *mnt_userns, struct dentry *unused,
43
+
struct inode *inode, const char *name, const void *value,
44
+
size_t size, int flags)
44
45
{
45
46
struct xfs_da_args args = {
46
47
.dp = XFS_I(inode),
+2
-1
include/linux/capability.h
+2
-1
include/linux/capability.h
···
273
273
/* audit system wants to get cap info from files as well */
274
274
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
275
275
276
-
extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size);
276
+
int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
277
+
const void **ivalue, size_t size);
277
278
278
279
#endif /* !_LINUX_CAPABILITY_H */
+7
-4
include/linux/posix_acl.h
+7
-4
include/linux/posix_acl.h
···
69
69
extern int __posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
70
70
71
71
extern struct posix_acl *get_posix_acl(struct inode *, int);
72
-
extern int set_posix_acl(struct inode *, int, struct posix_acl *);
72
+
extern int set_posix_acl(struct user_namespace *, struct inode *, int,
73
+
struct posix_acl *);
73
74
74
75
#ifdef CONFIG_FS_POSIX_ACL
75
-
extern int posix_acl_chmod(struct inode *, umode_t);
76
+
int posix_acl_chmod(struct user_namespace *, struct inode *, umode_t);
76
77
extern int posix_acl_create(struct inode *, umode_t *, struct posix_acl **,
77
78
struct posix_acl **);
78
-
extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
79
+
int posix_acl_update_mode(struct user_namespace *, struct inode *, umode_t *,
80
+
struct posix_acl **);
79
81
80
82
extern int simple_set_acl(struct inode *, struct posix_acl *, int);
81
83
extern int simple_acl_create(struct inode *, struct inode *);
···
97
95
inode->i_default_acl = NULL;
98
96
}
99
97
#else
100
-
static inline int posix_acl_chmod(struct inode *inode, umode_t mode)
98
+
static inline int posix_acl_chmod(struct user_namespace *mnt_userns,
99
+
struct inode *inode, umode_t mode)
101
100
{
102
101
return 0;
103
102
}
+8
-4
include/linux/posix_acl_xattr.h
+8
-4
include/linux/posix_acl_xattr.h
···
33
33
}
34
34
35
35
#ifdef CONFIG_FS_POSIX_ACL
36
-
void posix_acl_fix_xattr_from_user(void *value, size_t size);
37
-
void posix_acl_fix_xattr_to_user(void *value, size_t size);
36
+
void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
37
+
void *value, size_t size);
38
+
void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
39
+
void *value, size_t size);
38
40
#else
39
-
static inline void posix_acl_fix_xattr_from_user(void *value, size_t size)
41
+
static inline void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
42
+
void *value, size_t size)
40
43
{
41
44
}
42
-
static inline void posix_acl_fix_xattr_to_user(void *value, size_t size)
45
+
static inline void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
46
+
void *value, size_t size)
43
47
{
44
48
}
45
49
#endif
+2
-1
include/linux/xattr.h
+2
-1
include/linux/xattr.h
···
34
34
int (*get)(const struct xattr_handler *, struct dentry *dentry,
35
35
struct inode *inode, const char *name, void *buffer,
36
36
size_t size);
37
-
int (*set)(const struct xattr_handler *, struct dentry *dentry,
37
+
int (*set)(const struct xattr_handler *,
38
+
struct user_namespace *mnt_userns, struct dentry *dentry,
38
39
struct inode *inode, const char *name, const void *buffer,
39
40
size_t size, int flags);
40
41
};
+2
-1
mm/shmem.c
+2
-1
mm/shmem.c
···
1143
1143
1144
1144
setattr_copy(&init_user_ns, inode, attr);
1145
1145
if (attr->ia_valid & ATTR_MODE)
1146
-
error = posix_acl_chmod(inode, inode->i_mode);
1146
+
error = posix_acl_chmod(&init_user_ns, inode, inode->i_mode);
1147
1147
return error;
1148
1148
}
1149
1149
···
3273
3273
}
3274
3274
3275
3275
static int shmem_xattr_handler_set(const struct xattr_handler *handler,
3276
+
struct user_namespace *mnt_userns,
3276
3277
struct dentry *unused, struct inode *inode,
3277
3278
const char *name, const void *value,
3278
3279
size_t size, int flags)
+1
net/socket.c
+1
net/socket.c
+38
-7
security/commoncap.c
+38
-7
security/commoncap.c
···
450
450
return size;
451
451
}
452
452
453
+
/**
454
+
* rootid_from_xattr - translate root uid of vfs caps
455
+
*
456
+
* @value: vfs caps value which may be modified by this function
457
+
* @size: size of @ivalue
458
+
* @task_ns: user namespace of the caller
459
+
* @mnt_userns: user namespace of the mount the inode was found from
460
+
*
461
+
* If the inode has been found through an idmapped mount the user namespace of
462
+
* the vfsmount must be passed through @mnt_userns. This function will then
463
+
* take care to map the inode according to @mnt_userns before checking
464
+
* permissions. On non-idmapped mounts or if permission checking is to be
465
+
* performed on the raw inode simply passs init_user_ns.
466
+
*/
453
467
static kuid_t rootid_from_xattr(const void *value, size_t size,
454
-
struct user_namespace *task_ns)
468
+
struct user_namespace *task_ns,
469
+
struct user_namespace *mnt_userns)
455
470
{
456
471
const struct vfs_ns_cap_data *nscap = value;
472
+
kuid_t rootkid;
457
473
uid_t rootid = 0;
458
474
459
475
if (size == XATTR_CAPS_SZ_3)
460
476
rootid = le32_to_cpu(nscap->rootid);
461
477
462
-
return make_kuid(task_ns, rootid);
478
+
rootkid = make_kuid(task_ns, rootid);
479
+
return kuid_from_mnt(mnt_userns, rootkid);
463
480
}
464
481
465
482
static bool validheader(size_t size, const struct vfs_cap_data *cap)
···
484
467
return is_v2header(size, cap) || is_v3header(size, cap);
485
468
}
486
469
487
-
/*
470
+
/**
471
+
* cap_convert_nscap - check vfs caps
472
+
*
473
+
* @mnt_userns: user namespace of the mount the inode was found from
474
+
* @dentry: used to retrieve inode to check permissions on
475
+
* @ivalue: vfs caps value which may be modified by this function
476
+
* @size: size of @ivalue
477
+
*
488
478
* User requested a write of security.capability. If needed, update the
489
479
* xattr to change from v2 to v3, or to fixup the v3 rootid.
490
480
*
481
+
* If the inode has been found through an idmapped mount the user namespace of
482
+
* the vfsmount must be passed through @mnt_userns. This function will then
483
+
* take care to map the inode according to @mnt_userns before checking
484
+
* permissions. On non-idmapped mounts or if permission checking is to be
485
+
* performed on the raw inode simply passs init_user_ns.
486
+
*
491
487
* If all is ok, we return the new size, on error return < 0.
492
488
*/
493
-
int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
489
+
int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
490
+
const void **ivalue, size_t size)
494
491
{
495
492
struct vfs_ns_cap_data *nscap;
496
493
uid_t nsrootid;
···
520
489
return -EINVAL;
521
490
if (!validheader(size, cap))
522
491
return -EINVAL;
523
-
if (!capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_SETFCAP))
492
+
if (!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_SETFCAP))
524
493
return -EPERM;
525
-
if (size == XATTR_CAPS_SZ_2)
494
+
if (size == XATTR_CAPS_SZ_2 && (mnt_userns == &init_user_ns))
526
495
if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
527
496
/* user is privileged, just write the v2 */
528
497
return size;
529
498
530
-
rootid = rootid_from_xattr(*ivalue, size, task_ns);
499
+
rootid = rootid_from_xattr(*ivalue, size, task_ns, mnt_userns);
531
500
if (!uid_valid(rootid))
532
501
return -EINVAL;
533
502