From: Christian Brauner <christian.brauner@ubuntu.com> To: Alexander Viro <viro@zeniv.linux.org.uk>, Christoph Hellwig <hch@infradead.org>, linux-fsdevel@vger.kernel.org Cc: Andy Lutomirski <luto@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>, James Bottomley <James.Bottomley@hansenpartnership.com>, Andreas Dilger <adilger.kernel@dilger.ca>, containers@lists.linux-foundation.org, Christoph Hellwig <hch@lst.de>, Tycho Andersen <tycho@tycho.ws>, Paul Moore <paul@paul-moore.com>, Jonathan Corbet <corbet@lwn.net>, smbarber@chromium.org, linux-ext4@vger.kernel.org, Mrunal Patel <mpatel@redhat.com>, Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>, selinux@vger.kernel.org, Josh Triplett <josh@joshtriplett.org>, Seth Forshee <seth.forshee@canonical.com>, Aleksa Sarai <cyphar@cyphar.com>, Lennart Poettering <lennart@poettering.net>, OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>, Geoffrey Thomas <geofft@ldpreload.com>, David Howells <dhowells@redhat.com>, John Johansen <john.johansen@canonical.com>, Theodore Tso <tytso@mit.edu>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com>, Stephen Smalley <stephen.smalley.work@gmail.com>, fstests@vger.kernel.org, linux-security-module@vger.kernel.org, "Eric W. Biederman" <ebiederm@xmission.com>, linux-api@vger.kernel.org, Casey Schaufler <casey@schaufler-ca.com>, Alban Crequy <alban@kinvolk.io>, linux-integrity@vger.kernel.org, Todd Kjos <tkjos@google.com> Subject: [PATCH v3 16/38] namei: handle idmapped mounts in may_*() helpers Date: Sat, 28 Nov 2020 22:35:05 +0100 [thread overview] Message-ID: <20201128213527.2669807-17-christian.brauner@ubuntu.com> (raw) In-Reply-To: <20201128213527.2669807-1-christian.brauner@ubuntu.com> The may_follow_link(), may_linkat(), may_lookup(), may_open(), may_o_create(), may_create_in_sticky(), may_delete(), and may_create() helpers determine whether the caller is privileged enough to perform the associated operations. Let them handle idmapped mounts by mappings the inode and fsids according to the mount's user namespace. Afterwards the checks are identical to non-idmapped inodes. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> --- /* v2 */ unchanged /* v3 */ unchanged --- fs/btrfs/ioctl.c | 5 +- fs/inode.c | 2 +- fs/namei.c | 121 +++++++++++++++++++++++++++------------------ fs/xattr.c | 2 +- include/linux/fs.h | 13 +++-- 5 files changed, 86 insertions(+), 57 deletions(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index f5d3ebca4c5f..114bd15304f2 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -915,8 +915,9 @@ static int btrfs_may_delete(struct inode *dir, struct dentry *victim, int isdir) return error; if (IS_APPEND(dir)) return -EPERM; - if (check_sticky(dir, d_inode(victim)) || IS_APPEND(d_inode(victim)) || - IS_IMMUTABLE(d_inode(victim)) || IS_SWAPFILE(d_inode(victim))) + if (check_sticky(&init_user_ns, dir, d_inode(victim)) || + IS_APPEND(d_inode(victim)) || IS_IMMUTABLE(d_inode(victim)) || + IS_SWAPFILE(d_inode(victim))) return -EPERM; if (isdir) { if (!d_is_dir(victim)) diff --git a/fs/inode.c b/fs/inode.c index 66d3f7397d86..75c64f003c45 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1797,7 +1797,7 @@ bool atime_needs_update(const struct path *path, struct inode *inode) /* Atime updates will likely cause i_uid and i_gid to be written * back improprely if their true value is unknown to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(mnt_user_ns(mnt), inode)) return false; if (IS_NOATIME(inode)) diff --git a/fs/namei.c b/fs/namei.c index 35952c28ee29..4dc842d1cd3a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -465,7 +465,7 @@ int inode_permission(struct user_namespace *user_ns, * written back improperly if their true value is unknown * to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(user_ns, inode)) return -EACCES; } @@ -963,11 +963,16 @@ int sysctl_protected_regular __read_mostly; */ static inline int may_follow_link(struct nameidata *nd, const struct inode *inode) { + struct user_namespace *user_ns; + kuid_t i_uid; + if (!sysctl_protected_symlinks) return 0; + user_ns = mnt_user_ns(nd->path.mnt); + i_uid = i_uid_into_mnt(user_ns, inode); /* Allowed if owner and follower match. */ - if (uid_eq(current_cred()->fsuid, inode->i_uid)) + if (uid_eq(current_cred()->fsuid, i_uid)) return 0; /* Allowed if parent directory not sticky and world-writable. */ @@ -975,7 +980,7 @@ static inline int may_follow_link(struct nameidata *nd, const struct inode *inod return 0; /* Allowed if parent directory and link owner match. */ - if (uid_valid(nd->dir_uid) && uid_eq(nd->dir_uid, inode->i_uid)) + if (uid_valid(nd->dir_uid) && uid_eq(nd->dir_uid, i_uid)) return 0; if (nd->flags & LOOKUP_RCU) @@ -998,7 +1003,7 @@ static inline int may_follow_link(struct nameidata *nd, const struct inode *inod * * Otherwise returns true. */ -static bool safe_hardlink_source(struct inode *inode) +static bool safe_hardlink_source(struct user_namespace *user_ns, struct inode *inode) { umode_t mode = inode->i_mode; @@ -1015,7 +1020,7 @@ static bool safe_hardlink_source(struct inode *inode) return false; /* Hardlinking to unreadable or unwritable sources is dangerous. */ - if (inode_permission(&init_user_ns, inode, MAY_READ | MAY_WRITE)) + if (inode_permission(user_ns, inode, MAY_READ | MAY_WRITE)) return false; return true; @@ -1036,9 +1041,12 @@ static bool safe_hardlink_source(struct inode *inode) int may_linkat(struct path *link) { struct inode *inode = link->dentry->d_inode; + struct user_namespace *user_ns; /* Inode writeback is not safe when the uid or gid are invalid. */ - if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + user_ns = mnt_user_ns(link->mnt); + if (!uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode))) return -EOVERFLOW; if (!sysctl_protected_hardlinks) @@ -1047,7 +1055,8 @@ int may_linkat(struct path *link) /* Source inode owner (or CAP_FOWNER) can hardlink all they like, * otherwise, it must be a safe source. */ - if (safe_hardlink_source(inode) || inode_owner_or_capable(&init_user_ns, inode)) + if (safe_hardlink_source(user_ns, inode) || + inode_owner_or_capable(user_ns, inode)) return 0; audit_log_path_denied(AUDIT_ANOM_LINK, "linkat"); @@ -1075,14 +1084,18 @@ int may_linkat(struct path *link) * * Returns 0 if the open is allowed, -ve on error. */ -static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, - struct inode * const inode) +static int may_create_in_sticky(struct nameidata *nd, struct inode *const inode) { + struct user_namespace *user_ns; + umode_t dir_mode = nd->dir_mode; + kuid_t dir_uid = nd->dir_uid; + + user_ns = mnt_user_ns(nd->path.mnt); if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || likely(!(dir_mode & S_ISVTX)) || - uid_eq(inode->i_uid, dir_uid) || - uid_eq(current_fsuid(), inode->i_uid)) + uid_eq(i_uid_into_mnt(user_ns, inode), dir_uid) || + uid_eq(current_fsuid(), i_uid_into_mnt(user_ns, inode))) return 0; if (likely(dir_mode & 0002) || @@ -1574,15 +1587,16 @@ static struct dentry *lookup_slow(const struct qstr *name, static inline int may_lookup(struct nameidata *nd) { + struct user_namespace *user_ns = mnt_user_ns(nd->path.mnt); + if (nd->flags & LOOKUP_RCU) { - int err = inode_permission(&init_user_ns, nd->inode, - MAY_EXEC | MAY_NOT_BLOCK); + int err = inode_permission(user_ns, nd->inode, MAY_EXEC|MAY_NOT_BLOCK); if (err != -ECHILD) return err; if (unlazy_walk(nd)) return -ECHILD; } - return inode_permission(&init_user_ns, nd->inode, MAY_EXEC); + return inode_permission(user_ns, nd->inode, MAY_EXEC); } static int reserve_stack(struct nameidata *nd, struct path *link, unsigned seq) @@ -2181,7 +2195,10 @@ static int link_path_walk(const char *name, struct nameidata *nd) OK: /* pathname or trailing symlink, done */ if (!depth) { - nd->dir_uid = nd->inode->i_uid; + struct user_namespace *user_ns; + + user_ns = mnt_user_ns(nd->path.mnt); + nd->dir_uid = i_uid_into_mnt(user_ns, nd->inode); nd->dir_mode = nd->inode->i_mode; nd->flags &= ~LOOKUP_PARENT; return 0; @@ -2659,15 +2676,16 @@ int user_path_at_empty(int dfd, const char __user *name, unsigned flags, } EXPORT_SYMBOL(user_path_at_empty); -int __check_sticky(struct inode *dir, struct inode *inode) +int __check_sticky(struct user_namespace *user_ns, struct inode *dir, + struct inode *inode) { kuid_t fsuid = current_fsuid(); - if (uid_eq(inode->i_uid, fsuid)) + if (uid_eq(i_uid_into_mnt(user_ns, inode), fsuid)) return 0; - if (uid_eq(dir->i_uid, fsuid)) + if (uid_eq(i_uid_into_mnt(user_ns, dir), fsuid)) return 0; - return !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FOWNER); + return !capable_wrt_inode_uidgid(user_ns, inode, CAP_FOWNER); } EXPORT_SYMBOL(__check_sticky); @@ -2691,7 +2709,7 @@ EXPORT_SYMBOL(__check_sticky); * 11. We don't allow removal of NFS sillyrenamed files; it's handled by * nfs_async_unlink(). */ -static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) +static int may_delete(struct user_namespace *user_ns, struct inode *dir, struct dentry *victim, bool isdir) { struct inode *inode = d_backing_inode(victim); int error; @@ -2703,19 +2721,21 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) BUG_ON(victim->d_parent->d_inode != dir); /* Inode writeback is not safe when the uid or gid are invalid. */ - if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + if (!uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode))) return -EOVERFLOW; audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); - error = inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC); + error = inode_permission(user_ns, dir, MAY_WRITE | MAY_EXEC); if (error) return error; if (IS_APPEND(dir)) return -EPERM; - if (check_sticky(dir, inode) || IS_APPEND(inode) || - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) || HAS_UNMAPPED_ID(inode)) + if (check_sticky(user_ns, dir, inode) || IS_APPEND(inode) || + IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) || + HAS_UNMAPPED_ID(user_ns, inode)) return -EPERM; if (isdir) { if (!d_is_dir(victim)) @@ -2740,7 +2760,8 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) * 4. We should have write and exec permissions on dir * 5. We can't do it if dir is immutable (done in permission()) */ -static inline int may_create(struct inode *dir, struct dentry *child) +static inline int may_create(struct user_namespace *user_ns, struct inode *dir, + struct dentry *child) { struct user_namespace *s_user_ns; audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); @@ -2749,10 +2770,10 @@ static inline int may_create(struct inode *dir, struct dentry *child) if (IS_DEADDIR(dir)) return -ENOENT; s_user_ns = dir->i_sb->s_user_ns; - if (!kuid_has_mapping(s_user_ns, current_fsuid()) || - !kgid_has_mapping(s_user_ns, current_fsgid())) + if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(user_ns)) || + !kgid_has_mapping(s_user_ns, fsgid_into_mnt(user_ns))) return -EOVERFLOW; - return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC); + return inode_permission(user_ns, dir, MAY_WRITE | MAY_EXEC); } /* @@ -2802,7 +2823,7 @@ EXPORT_SYMBOL(unlock_rename); int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, bool want_excl) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -2825,7 +2846,7 @@ int vfs_mkobj(struct dentry *dentry, umode_t mode, void *arg) { struct inode *dir = dentry->d_parent->d_inode; - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -2849,6 +2870,7 @@ bool may_open_dev(const struct path *path) static int may_open(const struct path *path, int acc_mode, int flag) { + struct user_namespace *user_ns; struct dentry *dentry = path->dentry; struct inode *inode = dentry->d_inode; int error; @@ -2882,7 +2904,8 @@ static int may_open(const struct path *path, int acc_mode, int flag) break; } - error = inode_permission(&init_user_ns, inode, MAY_OPEN | acc_mode); + user_ns = mnt_user_ns(path->mnt); + error = inode_permission(user_ns, inode, MAY_OPEN | acc_mode); if (error) return error; @@ -2897,7 +2920,7 @@ static int may_open(const struct path *path, int acc_mode, int flag) } /* O_NOATIME can only be set by the owner or superuser */ - if (flag & O_NOATIME && !inode_owner_or_capable(&init_user_ns, inode)) + if (flag & O_NOATIME && !inode_owner_or_capable(user_ns, inode)) return -EPERM; return 0; @@ -2934,17 +2957,18 @@ static inline int open_to_namei_flags(int flag) static int may_o_create(const struct path *dir, struct dentry *dentry, umode_t mode) { - struct user_namespace *s_user_ns; + struct user_namespace *s_user_ns, *user_ns; int error = security_path_mknod(dir, dentry, mode, 0); if (error) return error; + user_ns = mnt_user_ns(dir->mnt); s_user_ns = dir->dentry->d_sb->s_user_ns; - if (!kuid_has_mapping(s_user_ns, current_fsuid()) || - !kgid_has_mapping(s_user_ns, current_fsgid())) + if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(user_ns)) || + !kgid_has_mapping(s_user_ns, fsgid_into_mnt(user_ns))) return -EOVERFLOW; - error = inode_permission(&init_user_ns, dir->dentry->d_inode, + error = inode_permission(user_ns, dir->dentry->d_inode, MAY_WRITE | MAY_EXEC); if (error) return error; @@ -3238,7 +3262,7 @@ static int do_open(struct nameidata *nd, return -EEXIST; if (d_is_dir(nd->path.dentry)) return -EISDIR; - error = may_create_in_sticky(nd->dir_mode, nd->dir_uid, + error = may_create_in_sticky(nd, d_backing_inode(nd->path.dentry)); if (unlikely(error)) return error; @@ -3540,7 +3564,7 @@ EXPORT_SYMBOL(user_path_create); int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { bool is_whiteout = S_ISCHR(mode) && dev == WHITEOUT_DEV; - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -3641,7 +3665,7 @@ SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, d int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); unsigned max_links = dir->i_sb->s_max_links; if (error) @@ -3702,7 +3726,7 @@ SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode) int vfs_rmdir(struct inode *dir, struct dentry *dentry) { - int error = may_delete(dir, dentry, 1); + int error = may_delete(&init_user_ns, dir, dentry, 1); if (error) return error; @@ -3824,7 +3848,7 @@ SYSCALL_DEFINE1(rmdir, const char __user *, pathname) int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode) { struct inode *target = dentry->d_inode; - int error = may_delete(dir, dentry, 0); + int error = may_delete(&init_user_ns, dir, dentry, 0); if (error) return error; @@ -3956,7 +3980,7 @@ SYSCALL_DEFINE1(unlink, const char __user *, pathname) int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -4045,7 +4069,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de if (!inode) return -ENOENT; - error = may_create(dir, new_dentry); + error = may_create(&init_user_ns, dir, new_dentry); if (error) return error; @@ -4062,7 +4086,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de * be writen back improperly if their true value is unknown to * the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(&init_user_ns, inode)) return -EPERM; if (!dir->i_op->link) return -EPERM; @@ -4237,6 +4261,7 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode **delegated_inode, unsigned int flags) { int error; + struct user_namespace *user_ns = &init_user_ns; bool is_dir = d_is_dir(old_dentry); struct inode *source = old_dentry->d_inode; struct inode *target = new_dentry->d_inode; @@ -4247,19 +4272,19 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry, if (source == target) return 0; - error = may_delete(old_dir, old_dentry, is_dir); + error = may_delete(user_ns, old_dir, old_dentry, is_dir); if (error) return error; if (!target) { - error = may_create(new_dir, new_dentry); + error = may_create(user_ns, new_dir, new_dentry); } else { new_is_dir = d_is_dir(new_dentry); if (!(flags & RENAME_EXCHANGE)) - error = may_delete(new_dir, new_dentry, is_dir); + error = may_delete(user_ns, new_dir, new_dentry, is_dir); else - error = may_delete(new_dir, new_dentry, new_is_dir); + error = may_delete(user_ns, new_dir, new_dentry, new_is_dir); } if (error) return error; diff --git a/fs/xattr.c b/fs/xattr.c index 8c50b2a935e4..20376592dad6 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -98,7 +98,7 @@ xattr_permission(struct user_namespace *user_ns, struct inode *inode, * to be writen back improperly if their true value is * unknown to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(user_ns, inode)) return -EPERM; } diff --git a/include/linux/fs.h b/include/linux/fs.h index 696ad3e0df03..38aabad8f2aa 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2081,9 +2081,10 @@ static inline bool sb_rdonly(const struct super_block *sb) { return sb->s_flags #define IS_WHITEOUT(inode) (S_ISCHR(inode->i_mode) && \ (inode)->i_rdev == WHITEOUT_DEV) -static inline bool HAS_UNMAPPED_ID(struct inode *inode) +static inline bool HAS_UNMAPPED_ID(struct user_namespace *user_ns, struct inode *inode) { - return !uid_valid(inode->i_uid) || !gid_valid(inode->i_gid); + return !uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode)); } static inline enum rw_hint file_write_hint(struct file *file) @@ -2807,7 +2808,8 @@ extern int notify_change(struct user_namespace *, struct dentry *, struct iattr *, struct inode **); extern int inode_permission(struct user_namespace *, struct inode *, int); extern int generic_permission(struct user_namespace *, struct inode *, int); -extern int __check_sticky(struct inode *dir, struct inode *inode); +extern int __check_sticky(struct user_namespace *user_ns, struct inode *dir, + struct inode *inode); static inline bool execute_ok(struct inode *inode) { @@ -3428,12 +3430,13 @@ static inline bool is_sxid(umode_t mode) return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP)); } -static inline int check_sticky(struct inode *dir, struct inode *inode) +static inline int check_sticky(struct user_namespace *user_ns, + struct inode *dir, struct inode *inode) { if (!(dir->i_mode & S_ISVTX)) return 0; - return __check_sticky(dir, inode); + return __check_sticky(user_ns, dir, inode); } static inline void inode_has_no_xattr(struct inode *inode) -- 2.29.2 _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: Christian Brauner <christian.brauner@ubuntu.com> To: Alexander Viro <viro@zeniv.linux.org.uk>, Christoph Hellwig <hch@infradead.org>, linux-fsdevel@vger.kernel.org Cc: "John Johansen" <john.johansen@canonical.com>, "James Morris" <jmorris@namei.org>, "Mimi Zohar" <zohar@linux.ibm.com>, "Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>, "Stephen Smalley" <stephen.smalley.work@gmail.com>, "Casey Schaufler" <casey@schaufler-ca.com>, "Arnd Bergmann" <arnd@arndb.de>, "Andreas Dilger" <adilger.kernel@dilger.ca>, "OGAWA Hirofumi" <hirofumi@mail.parknet.co.jp>, "Geoffrey Thomas" <geofft@ldpreload.com>, "Mrunal Patel" <mpatel@redhat.com>, "Josh Triplett" <josh@joshtriplett.org>, "Andy Lutomirski" <luto@kernel.org>, "Theodore Tso" <tytso@mit.edu>, "Alban Crequy" <alban@kinvolk.io>, "Tycho Andersen" <tycho@tycho.ws>, "David Howells" <dhowells@redhat.com>, "James Bottomley" <James.Bottomley@hansenpartnership.com>, "Seth Forshee" <seth.forshee@canonical.com>, "Stéphane Graber" <stgraber@ubuntu.com>, "Aleksa Sarai" <cyphar@cyphar.com>, "Lennart Poettering" <lennart@poettering.net>, "Eric W. Biederman" <ebiederm@xmission.com>, smbarber@chromium.org, "Phil Estes" <estesp@gmail.com>, "Serge Hallyn" <serge@hallyn.com>, "Kees Cook" <keescook@chromium.org>, "Todd Kjos" <tkjos@google.com>, "Paul Moore" <paul@paul-moore.com>, "Jonathan Corbet" <corbet@lwn.net>, containers@lists.linux-foundation.org, fstests@vger.kernel.org, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org, linux-ext4@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, "Christian Brauner" <christian.brauner@ubuntu.com>, "Christoph Hellwig" <hch@lst.de> Subject: [PATCH v3 16/38] namei: handle idmapped mounts in may_*() helpers Date: Sat, 28 Nov 2020 22:35:05 +0100 [thread overview] Message-ID: <20201128213527.2669807-17-christian.brauner@ubuntu.com> (raw) In-Reply-To: <20201128213527.2669807-1-christian.brauner@ubuntu.com> The may_follow_link(), may_linkat(), may_lookup(), may_open(), may_o_create(), may_create_in_sticky(), may_delete(), and may_create() helpers determine whether the caller is privileged enough to perform the associated operations. Let them handle idmapped mounts by mappings the inode and fsids according to the mount's user namespace. Afterwards the checks are identical to non-idmapped inodes. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> --- /* v2 */ unchanged /* v3 */ unchanged --- fs/btrfs/ioctl.c | 5 +- fs/inode.c | 2 +- fs/namei.c | 121 +++++++++++++++++++++++++++------------------ fs/xattr.c | 2 +- include/linux/fs.h | 13 +++-- 5 files changed, 86 insertions(+), 57 deletions(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index f5d3ebca4c5f..114bd15304f2 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -915,8 +915,9 @@ static int btrfs_may_delete(struct inode *dir, struct dentry *victim, int isdir) return error; if (IS_APPEND(dir)) return -EPERM; - if (check_sticky(dir, d_inode(victim)) || IS_APPEND(d_inode(victim)) || - IS_IMMUTABLE(d_inode(victim)) || IS_SWAPFILE(d_inode(victim))) + if (check_sticky(&init_user_ns, dir, d_inode(victim)) || + IS_APPEND(d_inode(victim)) || IS_IMMUTABLE(d_inode(victim)) || + IS_SWAPFILE(d_inode(victim))) return -EPERM; if (isdir) { if (!d_is_dir(victim)) diff --git a/fs/inode.c b/fs/inode.c index 66d3f7397d86..75c64f003c45 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1797,7 +1797,7 @@ bool atime_needs_update(const struct path *path, struct inode *inode) /* Atime updates will likely cause i_uid and i_gid to be written * back improprely if their true value is unknown to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(mnt_user_ns(mnt), inode)) return false; if (IS_NOATIME(inode)) diff --git a/fs/namei.c b/fs/namei.c index 35952c28ee29..4dc842d1cd3a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -465,7 +465,7 @@ int inode_permission(struct user_namespace *user_ns, * written back improperly if their true value is unknown * to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(user_ns, inode)) return -EACCES; } @@ -963,11 +963,16 @@ int sysctl_protected_regular __read_mostly; */ static inline int may_follow_link(struct nameidata *nd, const struct inode *inode) { + struct user_namespace *user_ns; + kuid_t i_uid; + if (!sysctl_protected_symlinks) return 0; + user_ns = mnt_user_ns(nd->path.mnt); + i_uid = i_uid_into_mnt(user_ns, inode); /* Allowed if owner and follower match. */ - if (uid_eq(current_cred()->fsuid, inode->i_uid)) + if (uid_eq(current_cred()->fsuid, i_uid)) return 0; /* Allowed if parent directory not sticky and world-writable. */ @@ -975,7 +980,7 @@ static inline int may_follow_link(struct nameidata *nd, const struct inode *inod return 0; /* Allowed if parent directory and link owner match. */ - if (uid_valid(nd->dir_uid) && uid_eq(nd->dir_uid, inode->i_uid)) + if (uid_valid(nd->dir_uid) && uid_eq(nd->dir_uid, i_uid)) return 0; if (nd->flags & LOOKUP_RCU) @@ -998,7 +1003,7 @@ static inline int may_follow_link(struct nameidata *nd, const struct inode *inod * * Otherwise returns true. */ -static bool safe_hardlink_source(struct inode *inode) +static bool safe_hardlink_source(struct user_namespace *user_ns, struct inode *inode) { umode_t mode = inode->i_mode; @@ -1015,7 +1020,7 @@ static bool safe_hardlink_source(struct inode *inode) return false; /* Hardlinking to unreadable or unwritable sources is dangerous. */ - if (inode_permission(&init_user_ns, inode, MAY_READ | MAY_WRITE)) + if (inode_permission(user_ns, inode, MAY_READ | MAY_WRITE)) return false; return true; @@ -1036,9 +1041,12 @@ static bool safe_hardlink_source(struct inode *inode) int may_linkat(struct path *link) { struct inode *inode = link->dentry->d_inode; + struct user_namespace *user_ns; /* Inode writeback is not safe when the uid or gid are invalid. */ - if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + user_ns = mnt_user_ns(link->mnt); + if (!uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode))) return -EOVERFLOW; if (!sysctl_protected_hardlinks) @@ -1047,7 +1055,8 @@ int may_linkat(struct path *link) /* Source inode owner (or CAP_FOWNER) can hardlink all they like, * otherwise, it must be a safe source. */ - if (safe_hardlink_source(inode) || inode_owner_or_capable(&init_user_ns, inode)) + if (safe_hardlink_source(user_ns, inode) || + inode_owner_or_capable(user_ns, inode)) return 0; audit_log_path_denied(AUDIT_ANOM_LINK, "linkat"); @@ -1075,14 +1084,18 @@ int may_linkat(struct path *link) * * Returns 0 if the open is allowed, -ve on error. */ -static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, - struct inode * const inode) +static int may_create_in_sticky(struct nameidata *nd, struct inode *const inode) { + struct user_namespace *user_ns; + umode_t dir_mode = nd->dir_mode; + kuid_t dir_uid = nd->dir_uid; + + user_ns = mnt_user_ns(nd->path.mnt); if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || likely(!(dir_mode & S_ISVTX)) || - uid_eq(inode->i_uid, dir_uid) || - uid_eq(current_fsuid(), inode->i_uid)) + uid_eq(i_uid_into_mnt(user_ns, inode), dir_uid) || + uid_eq(current_fsuid(), i_uid_into_mnt(user_ns, inode))) return 0; if (likely(dir_mode & 0002) || @@ -1574,15 +1587,16 @@ static struct dentry *lookup_slow(const struct qstr *name, static inline int may_lookup(struct nameidata *nd) { + struct user_namespace *user_ns = mnt_user_ns(nd->path.mnt); + if (nd->flags & LOOKUP_RCU) { - int err = inode_permission(&init_user_ns, nd->inode, - MAY_EXEC | MAY_NOT_BLOCK); + int err = inode_permission(user_ns, nd->inode, MAY_EXEC|MAY_NOT_BLOCK); if (err != -ECHILD) return err; if (unlazy_walk(nd)) return -ECHILD; } - return inode_permission(&init_user_ns, nd->inode, MAY_EXEC); + return inode_permission(user_ns, nd->inode, MAY_EXEC); } static int reserve_stack(struct nameidata *nd, struct path *link, unsigned seq) @@ -2181,7 +2195,10 @@ static int link_path_walk(const char *name, struct nameidata *nd) OK: /* pathname or trailing symlink, done */ if (!depth) { - nd->dir_uid = nd->inode->i_uid; + struct user_namespace *user_ns; + + user_ns = mnt_user_ns(nd->path.mnt); + nd->dir_uid = i_uid_into_mnt(user_ns, nd->inode); nd->dir_mode = nd->inode->i_mode; nd->flags &= ~LOOKUP_PARENT; return 0; @@ -2659,15 +2676,16 @@ int user_path_at_empty(int dfd, const char __user *name, unsigned flags, } EXPORT_SYMBOL(user_path_at_empty); -int __check_sticky(struct inode *dir, struct inode *inode) +int __check_sticky(struct user_namespace *user_ns, struct inode *dir, + struct inode *inode) { kuid_t fsuid = current_fsuid(); - if (uid_eq(inode->i_uid, fsuid)) + if (uid_eq(i_uid_into_mnt(user_ns, inode), fsuid)) return 0; - if (uid_eq(dir->i_uid, fsuid)) + if (uid_eq(i_uid_into_mnt(user_ns, dir), fsuid)) return 0; - return !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FOWNER); + return !capable_wrt_inode_uidgid(user_ns, inode, CAP_FOWNER); } EXPORT_SYMBOL(__check_sticky); @@ -2691,7 +2709,7 @@ EXPORT_SYMBOL(__check_sticky); * 11. We don't allow removal of NFS sillyrenamed files; it's handled by * nfs_async_unlink(). */ -static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) +static int may_delete(struct user_namespace *user_ns, struct inode *dir, struct dentry *victim, bool isdir) { struct inode *inode = d_backing_inode(victim); int error; @@ -2703,19 +2721,21 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) BUG_ON(victim->d_parent->d_inode != dir); /* Inode writeback is not safe when the uid or gid are invalid. */ - if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + if (!uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode))) return -EOVERFLOW; audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); - error = inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC); + error = inode_permission(user_ns, dir, MAY_WRITE | MAY_EXEC); if (error) return error; if (IS_APPEND(dir)) return -EPERM; - if (check_sticky(dir, inode) || IS_APPEND(inode) || - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) || HAS_UNMAPPED_ID(inode)) + if (check_sticky(user_ns, dir, inode) || IS_APPEND(inode) || + IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) || + HAS_UNMAPPED_ID(user_ns, inode)) return -EPERM; if (isdir) { if (!d_is_dir(victim)) @@ -2740,7 +2760,8 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir) * 4. We should have write and exec permissions on dir * 5. We can't do it if dir is immutable (done in permission()) */ -static inline int may_create(struct inode *dir, struct dentry *child) +static inline int may_create(struct user_namespace *user_ns, struct inode *dir, + struct dentry *child) { struct user_namespace *s_user_ns; audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); @@ -2749,10 +2770,10 @@ static inline int may_create(struct inode *dir, struct dentry *child) if (IS_DEADDIR(dir)) return -ENOENT; s_user_ns = dir->i_sb->s_user_ns; - if (!kuid_has_mapping(s_user_ns, current_fsuid()) || - !kgid_has_mapping(s_user_ns, current_fsgid())) + if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(user_ns)) || + !kgid_has_mapping(s_user_ns, fsgid_into_mnt(user_ns))) return -EOVERFLOW; - return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC); + return inode_permission(user_ns, dir, MAY_WRITE | MAY_EXEC); } /* @@ -2802,7 +2823,7 @@ EXPORT_SYMBOL(unlock_rename); int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, bool want_excl) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -2825,7 +2846,7 @@ int vfs_mkobj(struct dentry *dentry, umode_t mode, void *arg) { struct inode *dir = dentry->d_parent->d_inode; - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -2849,6 +2870,7 @@ bool may_open_dev(const struct path *path) static int may_open(const struct path *path, int acc_mode, int flag) { + struct user_namespace *user_ns; struct dentry *dentry = path->dentry; struct inode *inode = dentry->d_inode; int error; @@ -2882,7 +2904,8 @@ static int may_open(const struct path *path, int acc_mode, int flag) break; } - error = inode_permission(&init_user_ns, inode, MAY_OPEN | acc_mode); + user_ns = mnt_user_ns(path->mnt); + error = inode_permission(user_ns, inode, MAY_OPEN | acc_mode); if (error) return error; @@ -2897,7 +2920,7 @@ static int may_open(const struct path *path, int acc_mode, int flag) } /* O_NOATIME can only be set by the owner or superuser */ - if (flag & O_NOATIME && !inode_owner_or_capable(&init_user_ns, inode)) + if (flag & O_NOATIME && !inode_owner_or_capable(user_ns, inode)) return -EPERM; return 0; @@ -2934,17 +2957,18 @@ static inline int open_to_namei_flags(int flag) static int may_o_create(const struct path *dir, struct dentry *dentry, umode_t mode) { - struct user_namespace *s_user_ns; + struct user_namespace *s_user_ns, *user_ns; int error = security_path_mknod(dir, dentry, mode, 0); if (error) return error; + user_ns = mnt_user_ns(dir->mnt); s_user_ns = dir->dentry->d_sb->s_user_ns; - if (!kuid_has_mapping(s_user_ns, current_fsuid()) || - !kgid_has_mapping(s_user_ns, current_fsgid())) + if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(user_ns)) || + !kgid_has_mapping(s_user_ns, fsgid_into_mnt(user_ns))) return -EOVERFLOW; - error = inode_permission(&init_user_ns, dir->dentry->d_inode, + error = inode_permission(user_ns, dir->dentry->d_inode, MAY_WRITE | MAY_EXEC); if (error) return error; @@ -3238,7 +3262,7 @@ static int do_open(struct nameidata *nd, return -EEXIST; if (d_is_dir(nd->path.dentry)) return -EISDIR; - error = may_create_in_sticky(nd->dir_mode, nd->dir_uid, + error = may_create_in_sticky(nd, d_backing_inode(nd->path.dentry)); if (unlikely(error)) return error; @@ -3540,7 +3564,7 @@ EXPORT_SYMBOL(user_path_create); int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { bool is_whiteout = S_ISCHR(mode) && dev == WHITEOUT_DEV; - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -3641,7 +3665,7 @@ SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, d int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); unsigned max_links = dir->i_sb->s_max_links; if (error) @@ -3702,7 +3726,7 @@ SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode) int vfs_rmdir(struct inode *dir, struct dentry *dentry) { - int error = may_delete(dir, dentry, 1); + int error = may_delete(&init_user_ns, dir, dentry, 1); if (error) return error; @@ -3824,7 +3848,7 @@ SYSCALL_DEFINE1(rmdir, const char __user *, pathname) int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode) { struct inode *target = dentry->d_inode; - int error = may_delete(dir, dentry, 0); + int error = may_delete(&init_user_ns, dir, dentry, 0); if (error) return error; @@ -3956,7 +3980,7 @@ SYSCALL_DEFINE1(unlink, const char __user *, pathname) int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) { - int error = may_create(dir, dentry); + int error = may_create(&init_user_ns, dir, dentry); if (error) return error; @@ -4045,7 +4069,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de if (!inode) return -ENOENT; - error = may_create(dir, new_dentry); + error = may_create(&init_user_ns, dir, new_dentry); if (error) return error; @@ -4062,7 +4086,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de * be writen back improperly if their true value is unknown to * the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(&init_user_ns, inode)) return -EPERM; if (!dir->i_op->link) return -EPERM; @@ -4237,6 +4261,7 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode **delegated_inode, unsigned int flags) { int error; + struct user_namespace *user_ns = &init_user_ns; bool is_dir = d_is_dir(old_dentry); struct inode *source = old_dentry->d_inode; struct inode *target = new_dentry->d_inode; @@ -4247,19 +4272,19 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry, if (source == target) return 0; - error = may_delete(old_dir, old_dentry, is_dir); + error = may_delete(user_ns, old_dir, old_dentry, is_dir); if (error) return error; if (!target) { - error = may_create(new_dir, new_dentry); + error = may_create(user_ns, new_dir, new_dentry); } else { new_is_dir = d_is_dir(new_dentry); if (!(flags & RENAME_EXCHANGE)) - error = may_delete(new_dir, new_dentry, is_dir); + error = may_delete(user_ns, new_dir, new_dentry, is_dir); else - error = may_delete(new_dir, new_dentry, new_is_dir); + error = may_delete(user_ns, new_dir, new_dentry, new_is_dir); } if (error) return error; diff --git a/fs/xattr.c b/fs/xattr.c index 8c50b2a935e4..20376592dad6 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -98,7 +98,7 @@ xattr_permission(struct user_namespace *user_ns, struct inode *inode, * to be writen back improperly if their true value is * unknown to the vfs. */ - if (HAS_UNMAPPED_ID(inode)) + if (HAS_UNMAPPED_ID(user_ns, inode)) return -EPERM; } diff --git a/include/linux/fs.h b/include/linux/fs.h index 696ad3e0df03..38aabad8f2aa 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2081,9 +2081,10 @@ static inline bool sb_rdonly(const struct super_block *sb) { return sb->s_flags #define IS_WHITEOUT(inode) (S_ISCHR(inode->i_mode) && \ (inode)->i_rdev == WHITEOUT_DEV) -static inline bool HAS_UNMAPPED_ID(struct inode *inode) +static inline bool HAS_UNMAPPED_ID(struct user_namespace *user_ns, struct inode *inode) { - return !uid_valid(inode->i_uid) || !gid_valid(inode->i_gid); + return !uid_valid(i_uid_into_mnt(user_ns, inode)) || + !gid_valid(i_gid_into_mnt(user_ns, inode)); } static inline enum rw_hint file_write_hint(struct file *file) @@ -2807,7 +2808,8 @@ extern int notify_change(struct user_namespace *, struct dentry *, struct iattr *, struct inode **); extern int inode_permission(struct user_namespace *, struct inode *, int); extern int generic_permission(struct user_namespace *, struct inode *, int); -extern int __check_sticky(struct inode *dir, struct inode *inode); +extern int __check_sticky(struct user_namespace *user_ns, struct inode *dir, + struct inode *inode); static inline bool execute_ok(struct inode *inode) { @@ -3428,12 +3430,13 @@ static inline bool is_sxid(umode_t mode) return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP)); } -static inline int check_sticky(struct inode *dir, struct inode *inode) +static inline int check_sticky(struct user_namespace *user_ns, + struct inode *dir, struct inode *inode) { if (!(dir->i_mode & S_ISVTX)) return 0; - return __check_sticky(dir, inode); + return __check_sticky(user_ns, dir, inode); } static inline void inode_has_no_xattr(struct inode *inode) -- 2.29.2
next prev parent reply other threads:[~2020-11-28 21:47 UTC|newest] Thread overview: 150+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-11-28 21:34 [PATCH v3 00/38] idmapped mounts Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 01/38] namespace: take lock_mount_hash() directly when changing flags Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:31 ` Christoph Hellwig 2020-12-01 10:31 ` Christoph Hellwig 2020-12-02 9:09 ` Christian Brauner 2020-12-02 9:09 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 02/38] mount: make {lock,unlock}_mount_hash() static Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:32 ` Christoph Hellwig 2020-12-01 10:32 ` Christoph Hellwig 2020-12-02 9:11 ` Christian Brauner 2020-12-02 9:11 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 03/38] namespace: only take read lock in do_reconfigure_mnt() Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:32 ` Christoph Hellwig 2020-12-01 10:32 ` Christoph Hellwig 2020-12-02 9:14 ` Christian Brauner 2020-12-02 9:14 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 04/38] fs: add mount_setattr() Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:49 ` Christoph Hellwig 2020-12-01 10:49 ` Christoph Hellwig 2020-12-02 9:42 ` Christian Brauner 2020-12-02 9:42 ` Christian Brauner 2020-12-02 9:47 ` Christoph Hellwig 2020-12-02 9:47 ` Christoph Hellwig 2020-12-02 9:55 ` Christoph Hellwig 2020-12-02 9:55 ` Christoph Hellwig 2020-12-02 9:57 ` Christian Brauner 2020-12-02 9:57 ` Christian Brauner 2020-12-02 10:01 ` Christoph Hellwig 2020-12-02 10:01 ` Christoph Hellwig 2020-11-28 21:34 ` [PATCH v3 05/38] tests: add mount_setattr() selftests Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 06/38] fs: add id translation helpers Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:49 ` Christoph Hellwig 2020-12-01 10:49 ` Christoph Hellwig 2020-12-02 9:16 ` Christian Brauner 2020-12-02 9:16 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 07/38] mount: attach mappings to mounts Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:50 ` Christoph Hellwig 2020-12-01 10:50 ` Christoph Hellwig 2020-12-01 13:25 ` Tycho Andersen 2020-12-01 13:25 ` Tycho Andersen 2020-12-02 9:24 ` Christian Brauner 2020-12-02 9:24 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 08/38] capability: handle idmapped mounts Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-11-28 22:34 ` Serge E. Hallyn 2020-11-28 22:34 ` Serge E. Hallyn 2020-11-28 21:34 ` [PATCH v3 09/38] namei: add idmapped mount aware permission helpers Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-11-28 22:47 ` Serge E. Hallyn 2020-11-28 22:47 ` Serge E. Hallyn 2020-12-01 10:58 ` Christian Brauner 2020-12-01 10:58 ` Christian Brauner 2020-12-01 10:51 ` Christoph Hellwig 2020-12-01 10:51 ` Christoph Hellwig 2020-12-01 10:58 ` Christian Brauner 2020-12-01 10:58 ` Christian Brauner 2020-11-28 21:34 ` [PATCH v3 10/38] inode: add idmapped mount aware init and " Christian Brauner 2020-11-28 21:34 ` Christian Brauner 2020-12-01 10:51 ` Christoph Hellwig 2020-12-01 10:51 ` Christoph Hellwig 2020-12-02 9:17 ` Christian Brauner 2020-12-02 9:17 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 11/38] attr: handle idmapped mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 12/38] acl: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 13/38] xattr: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 14/38] commoncap: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 15/38] stat: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` Christian Brauner [this message] 2020-11-28 21:35 ` [PATCH v3 16/38] namei: handle idmapped mounts in may_*() helpers Christian Brauner 2020-11-28 21:35 ` [PATCH v3 17/38] namei: introduce struct renamedata Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-12-01 10:53 ` Christoph Hellwig 2020-12-01 10:53 ` Christoph Hellwig 2020-12-02 9:18 ` Christian Brauner 2020-12-02 9:18 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 18/38] namei: prepare for idmapped mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 19/38] open: handle idmapped mounts in do_truncate() Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 20/38] open: handle idmapped mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 21/38] af_unix: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 22/38] utimes: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 23/38] fcntl: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 24/38] notify: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 25/38] init: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 26/38] ioctl: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 27/38] would_dump: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 28/38] exec: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 29/38] fs: add helpers for idmap mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 30/38] apparmor: handle idmapped mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 31/38] ima: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 32/38] fat: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-30 22:50 ` Mauricio Vásquez Bernal 2020-11-30 22:50 ` Mauricio Vásquez Bernal 2020-12-01 10:24 ` Christian Brauner 2020-12-01 10:24 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 33/38] ext4: support " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-30 22:52 ` Mauricio Vásquez Bernal 2020-11-30 22:52 ` Mauricio Vásquez Bernal 2020-12-01 10:28 ` Christian Brauner 2020-12-01 10:28 ` Christian Brauner 2020-12-01 10:54 ` Christoph Hellwig 2020-12-01 10:54 ` Christoph Hellwig 2020-12-01 11:02 ` Christian Brauner 2020-12-01 11:02 ` Christian Brauner 2020-12-01 11:13 ` Christoph Hellwig 2020-12-01 11:13 ` Christoph Hellwig 2020-12-01 11:14 ` Christian Brauner 2020-12-01 11:14 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 34/38] ecryptfs: do not mount on top of " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 35/38] overlayfs: " Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 36/38] fs: introduce MOUNT_ATTR_IDMAP Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 37/38] tests: extend mount_setattr tests Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 21:35 ` [PATCH v3 38/38] generic/618: add fstests for idmapped mounts Christian Brauner 2020-11-28 21:35 ` Christian Brauner 2020-11-28 22:54 ` [PATCH v3 00/38] " Serge E. Hallyn 2020-11-28 22:54 ` Serge E. Hallyn 2020-12-01 10:18 ` Christian Brauner 2020-12-01 10:18 ` Christian Brauner
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20201128213527.2669807-17-christian.brauner@ubuntu.com \ --to=christian.brauner@ubuntu.com \ --cc=James.Bottomley@hansenpartnership.com \ --cc=adilger.kernel@dilger.ca \ --cc=alban@kinvolk.io \ --cc=arnd@arndb.de \ --cc=casey@schaufler-ca.com \ --cc=containers@lists.linux-foundation.org \ --cc=corbet@lwn.net \ --cc=cyphar@cyphar.com \ --cc=dhowells@redhat.com \ --cc=dmitry.kasatkin@gmail.com \ --cc=ebiederm@xmission.com \ --cc=fstests@vger.kernel.org \ --cc=geofft@ldpreload.com \ --cc=hch@infradead.org \ --cc=hch@lst.de \ --cc=hirofumi@mail.parknet.co.jp \ --cc=john.johansen@canonical.com \ --cc=josh@joshtriplett.org \ --cc=keescook@chromium.org \ --cc=lennart@poettering.net \ --cc=linux-api@vger.kernel.org \ --cc=linux-ext4@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=mpatel@redhat.com \ --cc=paul@paul-moore.com \ --cc=selinux@vger.kernel.org \ --cc=seth.forshee@canonical.com \ --cc=smbarber@chromium.org \ --cc=stephen.smalley.work@gmail.com \ --cc=tkjos@google.com \ --cc=tycho@tycho.ws \ --cc=tytso@mit.edu \ --cc=viro@zeniv.linux.org.uk \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.