Date: Thu, 20 Jul 2023 06:54:27 +0000
Message-ID: <20230720065430.2178136-1-ovt@google.com>
Subject: [PATCH] shmem: add support for user extended attributes
From: Oleksandr Tymoshenko
To: Jonathan Corbet, Hugh Dickins, Andrew Morton
Cc: ovt@google.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org

User extended attributes are not enabled in tmpfs because the size of the value is not limited and the memory allocated for it is not counted against any limit. A malicious non-privileged user can exhaust kernel memory by creating a user.* extended attribute with a very large value.

There are still situations when enabling support for extended user attributes on tmpfs is required and the attack vector is not applicable, for instance batch jobs with trusted binaries.

This patch introduces two mount options to enable/disable support for user.* extended attributes on tmpfs:

  user_xattr    enable support for user extended attributes
  nouser_xattr  disable support for user extended attributes

The default behavior of the filesystem is not changed.

Signed-off-by: Oleksandr Tymoshenko
--- Documentation/filesystems/tmpfs.rst | 12 ++++++++ include/linux/shmem_fs.h | 1 + mm/shmem.c | 45 +++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+) diff --git a/Documentation/filesystems/tmpfs.rst b/Documentation/filesystems/tmpfs.rst index f18f46be5c0c..5700ba72d095 100644 --- a/Documentation/filesystems/tmpfs.rst +++ b/Documentation/filesystems/tmpfs.rst
@@ -215,6 +215,16 @@ will give you tmpfs instance on /mytmpfs which can allocate 10GB RAM/SWAP in 10240 inodes and it is only accessible by root. +tmpfs, when compiled with CONFIG_TMPFS_XATTR, does not support +Extended User Attributes for security reasons. The support can be +enabled/disabled by two mount options: + +============ =========================================== +user_xattr Enable support for Extended User Attributes +nouser_xattr Disable upport for Extended User Attributes +============ =========================================== + + :Author: Christoph Rohland , 1.12.01 :Updated: @@ -223,3 +233,5 @@ RAM/SWAP in 10240 inodes and it is only accessible by root. KOSAKI Motohiro, 16 Mar 2010 :Updated: Chris Down, 13 July 2020 +:Updated: + Oleksandr Tymoshenko, 19 July 2023 diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h index 9029abd29b1c..f06d18b9041c 100644 --- a/include/linux/shmem_fs.h +++ b/include/linux/shmem_fs.h @@ -53,6 +53,7 @@ struct shmem_sb_info { spinlock_t shrinklist_lock; /* Protects shrinklist */ struct list_head shrinklist; /* List of shinkable inodes */ unsigned long shrinklist_len; /* Length of shrinklist */ + bool user_xattr; /* user.* xattrs are allowed */ }; static inline struct shmem_inode_info *SHMEM_I(struct inode *inode) diff --git a/mm/shmem.c b/mm/shmem.c index 2f2e0e618072..4f7d46d65494 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -85,6 +85,7 @@ static struct vfsmount *shm_mnt; #define BLOCKS_PER_PAGE (PAGE_SIZE/512) #define VM_ACCT(size) (PAGE_ALIGN(size) >> PAGE_SHIFT) +#define TMPFS_USER_XATTR_INDEX 1 /* Pretend that each entry is of this size in directory's i_size */ #define BOGO_DIRENT_SIZE 20 @@ -116,11 +117,13 @@ struct shmem_options { int huge; int seen; bool noswap; + bool user_xattr; #define SHMEM_SEEN_BLOCKS 1 #define SHMEM_SEEN_INODES 2 #define SHMEM_SEEN_HUGE 4 #define SHMEM_SEEN_INUMS 8 #define SHMEM_SEEN_NOSWAP 16 +#define SHMEM_SEEN_USER_XATTR 32 }; #ifdef CONFIG_TMPFS 
@@ -3447,6 +3450,16 @@ static int shmem_xattr_handler_get(const struct xattr_handler *handler, const char *name, void *buffer, size_t size) { struct shmem_inode_info *info = SHMEM_I(inode); + struct shmem_sb_info *sbinfo = SHMEM_SB(inode->i_sb); + + switch (handler->flags) { + case TMPFS_USER_XATTR_INDEX: + if (!sbinfo->user_xattr) + return -EOPNOTSUPP; + break; + default: + break; + } name = xattr_full_name(handler, name); return simple_xattr_get(&info->xattrs, name, buffer, size); @@ -3459,8 +3472,18 @@ static int shmem_xattr_handler_set(const struct xattr_handler *handler, size_t size, int flags) { struct shmem_inode_info *info = SHMEM_I(inode); + struct shmem_sb_info *sbinfo = SHMEM_SB(inode->i_sb); int err; + switch (handler->flags) { + case TMPFS_USER_XATTR_INDEX: + if (!sbinfo->user_xattr) + return -EOPNOTSUPP; + break; + default: + break; + } + name = xattr_full_name(handler, name); err = simple_xattr_set(&info->xattrs, name, value, size, flags, NULL); if (!err) { @@ -3482,9 +3505,17 @@ static const struct xattr_handler shmem_trusted_xattr_handler = { .set = shmem_xattr_handler_set, }; +static const struct xattr_handler shmem_user_xattr_handler = { + .prefix = XATTR_USER_PREFIX, + .flags = TMPFS_USER_XATTR_INDEX, + .get = shmem_xattr_handler_get, + .set = shmem_xattr_handler_set, +}; + static const struct xattr_handler *shmem_xattr_handlers[] = { &shmem_security_xattr_handler, &shmem_trusted_xattr_handler, + &shmem_user_xattr_handler, NULL }; @@ -3604,6 +3635,8 @@ enum shmem_param { Opt_inode32, Opt_inode64, Opt_noswap, + Opt_user_xattr, + Opt_nouser_xattr, }; static const struct constant_table shmem_param_enums_huge[] = { @@ -3626,6 +3659,8 @@ const struct fs_parameter_spec shmem_fs_parameters[] = { fsparam_flag ("inode32", Opt_inode32), fsparam_flag ("inode64", Opt_inode64), fsparam_flag ("noswap", Opt_noswap), + fsparam_flag ("user_xattr", Opt_user_xattr), + fsparam_flag ("nouser_xattr", Opt_nouser_xattr), {} }; 
@@ -3717,6 +3752,14 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) ctx->noswap = true; ctx->seen |= SHMEM_SEEN_NOSWAP; break; + case Opt_user_xattr: + ctx->user_xattr = true; + ctx->seen |= SHMEM_SEEN_USER_XATTR; + break; + case Opt_nouser_xattr: + ctx->user_xattr = false; + ctx->seen |= SHMEM_SEEN_USER_XATTR; + break; } return 0; @@ -3834,6 +3877,8 @@ static int shmem_reconfigure(struct fs_context *fc) sbinfo->max_inodes = ctx->inodes; sbinfo->free_inodes = ctx->inodes - inodes; } + if (ctx->seen & SHMEM_SEEN_USER_XATTR) + sbinfo->user_xattr = ctx->user_xattr; /* * Preserve previous mempolicy unless mpol remount option was specified. -- 2.41.0.255.g8b1d071c50-goog
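
Review bot: In the Documentation/filesystems/tmpfs.rst hunk, the nouser_xattr table row reads "Disable upport" where "support" is meant, and "for security reasons" does not tell an administrator what the risk actually is. Suggest saying what the commit message already says: user.* values are not size-limited and the memory is not counted against any limit, so user_xattr is intended for mounts running trusted workloads. The text should also state that nouser_xattr is the default.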
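
Review bot: In the shmem_xattr_handler_set hunk in mm/shmem.c, once sbinfo->user_xattr is true the call falls straight through to simple_xattr_set(&info->xattrs, name, value, size, flags, NULL) with no bound on size and no accounting, which is exactly the kernel memory exhaustion the commit message describes. Consider capping the value size or the per-inode total on the user.* path, or charging the allocation, so that enabling the option does not depend entirely on every writer being trusted. Separately, the single-case switch with an empty default in both the get and set handlers would read more simply as an if on handler->flags == TMPFS_USER_XATTR_INDEX.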
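
Review bot: In mm/shmem.c, the ctx->user_xattr value set in the shmem_parse_one hunk is copied into sbinfo->user_xattr only in the shmem_reconfigure hunk, and no hunk in this patch touches the initial mount path, so as posted the option appears to take effect on remount only. Please copy the flag when the superblock is first set up and report it in the mount options output so the active setting can be audited. The patch should also define what happens to user.* attributes created before a remount with nouser_xattr: after that remount both handlers return -EOPNOTSUPP, so the stored values keep their memory but can no longer be read or changed through these handlers.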