From: Christian Brauner <christian.brauner@ubuntu.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
linux-fsdevel@vger.kernel.org
Cc: Andy Lutomirski <luto@kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
containers@lists.linux-foundation.org,
Christoph Hellwig <hch@lst.de>, Tycho Andersen <tycho@tycho.ws>,
Paul Moore <paul@paul-moore.com>,
Jonathan Corbet <corbet@lwn.net>,
smbarber@chromium.org, linux-ext4@vger.kernel.org,
Mrunal Patel <mpatel@redhat.com>,
Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
selinux@vger.kernel.org, Josh Triplett <josh@joshtriplett.org>,
Seth Forshee <seth.forshee@canonical.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Lennart Poettering <lennart@poettering.net>,
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>,
Geoffrey Thomas <geofft@ldpreload.com>,
David Howells <dhowells@redhat.com>,
John Johansen <john.johansen@canonical.com>,
Theodore Tso <tytso@mit.edu>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
fstests@vger.kernel.org, linux-security-module@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-api@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>,
Alban Crequy <alban@kinvolk.io>,
linux-integrity@vger.kernel.org, Todd Kjos <tkjos@google.com>
Subject: [PATCH v3 08/38] capability: handle idmapped mounts
Date: Sat, 28 Nov 2020 22:34:57 +0100 [thread overview]
Message-ID: <20201128213527.2669807-9-christian.brauner@ubuntu.com> (raw)
In-Reply-To: <20201128213527.2669807-1-christian.brauner@ubuntu.com>
In order to determine whether a caller holds privilege over a given inode the
capability framework exposes the two helpers privileged_wrt_inode_uidgid() and
capable_wrt_inode_uidgid(). The former verifies that the inode has a mapping in
the caller's user namespace and the latter additionally verifies that the caller
has the requested capability in their current user namespace.
If the inode is accessed through an idmapped mount we simply need to map it
according to the mount's user namespace. Afterwards the checks are identical to
non-idmapped inodes. If the initial user namespace is passed all operations are
a nop so non-idmapped mounts will not see a change in behavior and will also not
see any performance impact.
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
/* v2 */
- Christoph Hellwig <hch@lst.de>:
- Don't pollute the vfs with additional helpers simply extend the existing
helpers with an additional argument and switch all callers.
/* v3 */
unchanged
---
fs/attr.c | 8 ++++----
fs/exec.c | 2 +-
fs/inode.c | 2 +-
fs/namei.c | 13 ++++++++-----
fs/overlayfs/super.c | 2 +-
fs/posix_acl.c | 2 +-
fs/xfs/xfs_ioctl.c | 2 +-
include/linux/capability.h | 7 +++++--
kernel/capability.c | 14 +++++++++-----
security/commoncap.c | 5 +++--
10 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c
index b4bbdbd4c8ca..d270f640a192 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -23,7 +23,7 @@ static bool chown_ok(const struct inode *inode, kuid_t uid)
if (uid_eq(current_fsuid(), inode->i_uid) &&
uid_eq(uid, inode->i_uid))
return true;
- if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_CHOWN))
return true;
if (uid_eq(inode->i_uid, INVALID_UID) &&
ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
@@ -36,7 +36,7 @@ static bool chgrp_ok(const struct inode *inode, kgid_t gid)
if (uid_eq(current_fsuid(), inode->i_uid) &&
(in_group_p(gid) || gid_eq(gid, inode->i_gid)))
return true;
- if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_CHOWN))
return true;
if (gid_eq(inode->i_gid, INVALID_GID) &&
ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
@@ -92,7 +92,7 @@ int setattr_prepare(struct dentry *dentry, struct iattr *attr)
/* Also check the setgid bit! */
if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
attr->ia_mode &= ~S_ISGID;
}
@@ -193,7 +193,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)
umode_t mode = attr->ia_mode;
if (!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
mode &= ~S_ISGID;
inode->i_mode = mode;
}
diff --git a/fs/exec.c b/fs/exec.c
index 547a2390baf5..8e75d7a33514 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1398,7 +1398,7 @@ void would_dump(struct linux_binprm *bprm, struct file *file)
/* Ensure mm->user_ns contains the executable */
user_ns = old = bprm->mm->user_ns;
while ((user_ns != &init_user_ns) &&
- !privileged_wrt_inode_uidgid(user_ns, inode))
+ !privileged_wrt_inode_uidgid(user_ns, &init_user_ns, inode))
user_ns = user_ns->parent;
if (old != user_ns) {
diff --git a/fs/inode.c b/fs/inode.c
index 9d78c37b00b8..7a15372d9c2d 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2147,7 +2147,7 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
mode |= S_ISGID;
else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID))
mode &= ~S_ISGID;
} else
inode->i_gid = current_fsgid();
diff --git a/fs/namei.c b/fs/namei.c
index d4a6dd772303..3f52730af6c5 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -357,10 +357,11 @@ int generic_permission(struct inode *inode, int mask)
if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
if (!(mask & MAY_WRITE))
- if (capable_wrt_inode_uidgid(inode,
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
CAP_DAC_READ_SEARCH))
return 0;
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_OVERRIDE))
return 0;
return -EACCES;
}
@@ -370,7 +371,8 @@ int generic_permission(struct inode *inode, int mask)
*/
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ)
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_READ_SEARCH))
return 0;
/*
* Read/write DACs are always overridable.
@@ -378,7 +380,8 @@ int generic_permission(struct inode *inode, int mask)
* at least one exec bit set.
*/
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_OVERRIDE))
return 0;
return -EACCES;
@@ -2657,7 +2660,7 @@ int __check_sticky(struct inode *dir, struct inode *inode)
return 0;
if (uid_eq(dir->i_uid, fsuid))
return 0;
- return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
+ return !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FOWNER);
}
EXPORT_SYMBOL(__check_sticky);
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 290983bcfbb3..196fe3e3f02b 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -972,7 +972,7 @@ ovl_posix_acl_xattr_set(const struct xattr_handler *handler,
if (unlikely(inode->i_mode & S_ISGID) &&
handler->flags == ACL_TYPE_ACCESS &&
!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID)) {
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID)) {
struct iattr iattr = { .ia_valid = ATTR_KILL_SGID };
err = ovl_setattr(dentry, &iattr);
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 95882b3f5f62..4ca6d53c6f0a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -656,7 +656,7 @@ int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
if (error == 0)
*acl = NULL;
if (!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
mode &= ~S_ISGID;
*mode_p = mode;
return 0;
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 3fbd98f61ea5..97bd29fc8c43 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1502,7 +1502,7 @@ xfs_ioctl_setattr(
*/
if ((VFS_I(ip)->i_mode & (S_ISUID|S_ISGID)) &&
- !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, VFS_I(ip), CAP_FSETID))
VFS_I(ip)->i_mode &= ~(S_ISUID|S_ISGID);
/* Change the ownerships and register project quota modifications */
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 1e7fe311cabe..041e336f3369 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -247,8 +247,11 @@ static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
return true;
}
#endif /* CONFIG_MULTIUSER */
-extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
-extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
+extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
+ struct user_namespace *mnt_user_ns,
+ const struct inode *inode);
+extern bool capable_wrt_inode_uidgid(struct user_namespace *mnt_user_ns,
+ const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
static inline bool perfmon_capable(void)
diff --git a/kernel/capability.c b/kernel/capability.c
index de7eac903a2a..28e3a599ff7a 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -484,10 +484,12 @@ EXPORT_SYMBOL(file_ns_capable);
*
* Return true if the inode uid and gid are within the namespace.
*/
-bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
+bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
+ struct user_namespace *mnt_user_ns,
+ const struct inode *inode)
{
- return kuid_has_mapping(ns, inode->i_uid) &&
- kgid_has_mapping(ns, inode->i_gid);
+ return kuid_has_mapping(ns, i_uid_into_mnt(mnt_user_ns, inode)) &&
+ kgid_has_mapping(ns, i_gid_into_mnt(mnt_user_ns, inode));
}
/**
@@ -499,11 +501,13 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *
* its own user namespace and that the given inode's uid and gid are
* mapped into the current user namespace.
*/
-bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
+bool capable_wrt_inode_uidgid(struct user_namespace *mnt_user_ns,
+ const struct inode *inode, int cap)
{
struct user_namespace *ns = current_user_ns();
- return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
+ return ns_capable(ns, cap) &&
+ privileged_wrt_inode_uidgid(ns, mnt_user_ns, inode);
}
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
diff --git a/security/commoncap.c b/security/commoncap.c
index 59bf3c1674c8..4cd2bdfd0a8b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -489,7 +489,7 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
return -EINVAL;
if (!validheader(size, cap))
return -EINVAL;
- if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
+ if (!capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_SETFCAP))
return -EPERM;
if (size == XATTR_CAPS_SZ_2)
if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
@@ -957,7 +957,8 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
struct inode *inode = d_backing_inode(dentry);
if (!inode)
return -EINVAL;
- if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
+ if (!capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_SETFCAP))
return -EPERM;
return 0;
}
--
2.29.2
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: Christian Brauner <christian.brauner@ubuntu.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
linux-fsdevel@vger.kernel.org
Cc: "John Johansen" <john.johansen@canonical.com>,
"James Morris" <jmorris@namei.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Andreas Dilger" <adilger.kernel@dilger.ca>,
"OGAWA Hirofumi" <hirofumi@mail.parknet.co.jp>,
"Geoffrey Thomas" <geofft@ldpreload.com>,
"Mrunal Patel" <mpatel@redhat.com>,
"Josh Triplett" <josh@joshtriplett.org>,
"Andy Lutomirski" <luto@kernel.org>,
"Theodore Tso" <tytso@mit.edu>, "Alban Crequy" <alban@kinvolk.io>,
"Tycho Andersen" <tycho@tycho.ws>,
"David Howells" <dhowells@redhat.com>,
"James Bottomley" <James.Bottomley@hansenpartnership.com>,
"Seth Forshee" <seth.forshee@canonical.com>,
"Stéphane Graber" <stgraber@ubuntu.com>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Lennart Poettering" <lennart@poettering.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
smbarber@chromium.org, "Phil Estes" <estesp@gmail.com>,
"Serge Hallyn" <serge@hallyn.com>,
"Kees Cook" <keescook@chromium.org>,
"Todd Kjos" <tkjos@google.com>,
"Paul Moore" <paul@paul-moore.com>,
"Jonathan Corbet" <corbet@lwn.net>,
containers@lists.linux-foundation.org, fstests@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
linux-ext4@vger.kernel.org, linux-integrity@vger.kernel.org,
selinux@vger.kernel.org,
"Christian Brauner" <christian.brauner@ubuntu.com>,
"Christoph Hellwig" <hch@lst.de>
Subject: [PATCH v3 08/38] capability: handle idmapped mounts
Date: Sat, 28 Nov 2020 22:34:57 +0100 [thread overview]
Message-ID: <20201128213527.2669807-9-christian.brauner@ubuntu.com> (raw)
In-Reply-To: <20201128213527.2669807-1-christian.brauner@ubuntu.com>
In order to determine whether a caller holds privilege over a given inode the
capability framework exposes the two helpers privileged_wrt_inode_uidgid() and
capable_wrt_inode_uidgid(). The former verifies that the inode has a mapping in
the caller's user namespace and the latter additionally verifies that the caller
has the requested capability in their current user namespace.
If the inode is accessed through an idmapped mount we simply need to map it
according to the mount's user namespace. Afterwards the checks are identical to
non-idmapped inodes. If the initial user namespace is passed all operations are
a nop so non-idmapped mounts will not see a change in behavior and will also not
see any performance impact.
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
/* v2 */
- Christoph Hellwig <hch@lst.de>:
- Don't pollute the vfs with additional helpers simply extend the existing
helpers with an additional argument and switch all callers.
/* v3 */
unchanged
---
fs/attr.c | 8 ++++----
fs/exec.c | 2 +-
fs/inode.c | 2 +-
fs/namei.c | 13 ++++++++-----
fs/overlayfs/super.c | 2 +-
fs/posix_acl.c | 2 +-
fs/xfs/xfs_ioctl.c | 2 +-
include/linux/capability.h | 7 +++++--
kernel/capability.c | 14 +++++++++-----
security/commoncap.c | 5 +++--
10 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c
index b4bbdbd4c8ca..d270f640a192 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -23,7 +23,7 @@ static bool chown_ok(const struct inode *inode, kuid_t uid)
if (uid_eq(current_fsuid(), inode->i_uid) &&
uid_eq(uid, inode->i_uid))
return true;
- if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_CHOWN))
return true;
if (uid_eq(inode->i_uid, INVALID_UID) &&
ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
@@ -36,7 +36,7 @@ static bool chgrp_ok(const struct inode *inode, kgid_t gid)
if (uid_eq(current_fsuid(), inode->i_uid) &&
(in_group_p(gid) || gid_eq(gid, inode->i_gid)))
return true;
- if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_CHOWN))
return true;
if (gid_eq(inode->i_gid, INVALID_GID) &&
ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
@@ -92,7 +92,7 @@ int setattr_prepare(struct dentry *dentry, struct iattr *attr)
/* Also check the setgid bit! */
if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
attr->ia_mode &= ~S_ISGID;
}
@@ -193,7 +193,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)
umode_t mode = attr->ia_mode;
if (!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
mode &= ~S_ISGID;
inode->i_mode = mode;
}
diff --git a/fs/exec.c b/fs/exec.c
index 547a2390baf5..8e75d7a33514 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1398,7 +1398,7 @@ void would_dump(struct linux_binprm *bprm, struct file *file)
/* Ensure mm->user_ns contains the executable */
user_ns = old = bprm->mm->user_ns;
while ((user_ns != &init_user_ns) &&
- !privileged_wrt_inode_uidgid(user_ns, inode))
+ !privileged_wrt_inode_uidgid(user_ns, &init_user_ns, inode))
user_ns = user_ns->parent;
if (old != user_ns) {
diff --git a/fs/inode.c b/fs/inode.c
index 9d78c37b00b8..7a15372d9c2d 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2147,7 +2147,7 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
mode |= S_ISGID;
else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID))
mode &= ~S_ISGID;
} else
inode->i_gid = current_fsgid();
diff --git a/fs/namei.c b/fs/namei.c
index d4a6dd772303..3f52730af6c5 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -357,10 +357,11 @@ int generic_permission(struct inode *inode, int mask)
if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
if (!(mask & MAY_WRITE))
- if (capable_wrt_inode_uidgid(inode,
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
CAP_DAC_READ_SEARCH))
return 0;
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_OVERRIDE))
return 0;
return -EACCES;
}
@@ -370,7 +371,8 @@ int generic_permission(struct inode *inode, int mask)
*/
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ)
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_READ_SEARCH))
return 0;
/*
* Read/write DACs are always overridable.
@@ -378,7 +380,8 @@ int generic_permission(struct inode *inode, int mask)
* at least one exec bit set.
*/
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_DAC_OVERRIDE))
return 0;
return -EACCES;
@@ -2657,7 +2660,7 @@ int __check_sticky(struct inode *dir, struct inode *inode)
return 0;
if (uid_eq(dir->i_uid, fsuid))
return 0;
- return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
+ return !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FOWNER);
}
EXPORT_SYMBOL(__check_sticky);
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 290983bcfbb3..196fe3e3f02b 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -972,7 +972,7 @@ ovl_posix_acl_xattr_set(const struct xattr_handler *handler,
if (unlikely(inode->i_mode & S_ISGID) &&
handler->flags == ACL_TYPE_ACCESS &&
!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID)) {
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID)) {
struct iattr iattr = { .ia_valid = ATTR_KILL_SGID };
err = ovl_setattr(dentry, &iattr);
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 95882b3f5f62..4ca6d53c6f0a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -656,7 +656,7 @@ int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
if (error == 0)
*acl = NULL;
if (!in_group_p(inode->i_gid) &&
- !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
mode &= ~S_ISGID;
*mode_p = mode;
return 0;
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 3fbd98f61ea5..97bd29fc8c43 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1502,7 +1502,7 @@ xfs_ioctl_setattr(
*/
if ((VFS_I(ip)->i_mode & (S_ISUID|S_ISGID)) &&
- !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID))
+ !capable_wrt_inode_uidgid(&init_user_ns, VFS_I(ip), CAP_FSETID))
VFS_I(ip)->i_mode &= ~(S_ISUID|S_ISGID);
/* Change the ownerships and register project quota modifications */
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 1e7fe311cabe..041e336f3369 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -247,8 +247,11 @@ static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
return true;
}
#endif /* CONFIG_MULTIUSER */
-extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
-extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
+extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
+ struct user_namespace *mnt_user_ns,
+ const struct inode *inode);
+extern bool capable_wrt_inode_uidgid(struct user_namespace *mnt_user_ns,
+ const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
static inline bool perfmon_capable(void)
diff --git a/kernel/capability.c b/kernel/capability.c
index de7eac903a2a..28e3a599ff7a 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -484,10 +484,12 @@ EXPORT_SYMBOL(file_ns_capable);
*
* Return true if the inode uid and gid are within the namespace.
*/
-bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
+bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
+ struct user_namespace *mnt_user_ns,
+ const struct inode *inode)
{
- return kuid_has_mapping(ns, inode->i_uid) &&
- kgid_has_mapping(ns, inode->i_gid);
+ return kuid_has_mapping(ns, i_uid_into_mnt(mnt_user_ns, inode)) &&
+ kgid_has_mapping(ns, i_gid_into_mnt(mnt_user_ns, inode));
}
/**
@@ -499,11 +501,13 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *
* its own user namespace and that the given inode's uid and gid are
* mapped into the current user namespace.
*/
-bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
+bool capable_wrt_inode_uidgid(struct user_namespace *mnt_user_ns,
+ const struct inode *inode, int cap)
{
struct user_namespace *ns = current_user_ns();
- return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
+ return ns_capable(ns, cap) &&
+ privileged_wrt_inode_uidgid(ns, mnt_user_ns, inode);
}
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
diff --git a/security/commoncap.c b/security/commoncap.c
index 59bf3c1674c8..4cd2bdfd0a8b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -489,7 +489,7 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
return -EINVAL;
if (!validheader(size, cap))
return -EINVAL;
- if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
+ if (!capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_SETFCAP))
return -EPERM;
if (size == XATTR_CAPS_SZ_2)
if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
@@ -957,7 +957,8 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
struct inode *inode = d_backing_inode(dentry);
if (!inode)
return -EINVAL;
- if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
+ if (!capable_wrt_inode_uidgid(&init_user_ns, inode,
+ CAP_SETFCAP))
return -EPERM;
return 0;
}
--
2.29.2
next prev parent reply other threads:[~2020-11-28 21:46 UTC|newest]
Thread overview: 150+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-28 21:34 [PATCH v3 00/38] idmapped mounts Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 01/38] namespace: take lock_mount_hash() directly when changing flags Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:31 ` Christoph Hellwig
2020-12-01 10:31 ` Christoph Hellwig
2020-12-02 9:09 ` Christian Brauner
2020-12-02 9:09 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 02/38] mount: make {lock,unlock}_mount_hash() static Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:32 ` Christoph Hellwig
2020-12-01 10:32 ` Christoph Hellwig
2020-12-02 9:11 ` Christian Brauner
2020-12-02 9:11 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 03/38] namespace: only take read lock in do_reconfigure_mnt() Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:32 ` Christoph Hellwig
2020-12-01 10:32 ` Christoph Hellwig
2020-12-02 9:14 ` Christian Brauner
2020-12-02 9:14 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 04/38] fs: add mount_setattr() Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:49 ` Christoph Hellwig
2020-12-01 10:49 ` Christoph Hellwig
2020-12-02 9:42 ` Christian Brauner
2020-12-02 9:42 ` Christian Brauner
2020-12-02 9:47 ` Christoph Hellwig
2020-12-02 9:47 ` Christoph Hellwig
2020-12-02 9:55 ` Christoph Hellwig
2020-12-02 9:55 ` Christoph Hellwig
2020-12-02 9:57 ` Christian Brauner
2020-12-02 9:57 ` Christian Brauner
2020-12-02 10:01 ` Christoph Hellwig
2020-12-02 10:01 ` Christoph Hellwig
2020-11-28 21:34 ` [PATCH v3 05/38] tests: add mount_setattr() selftests Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 06/38] fs: add id translation helpers Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:49 ` Christoph Hellwig
2020-12-01 10:49 ` Christoph Hellwig
2020-12-02 9:16 ` Christian Brauner
2020-12-02 9:16 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 07/38] mount: attach mappings to mounts Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:50 ` Christoph Hellwig
2020-12-01 10:50 ` Christoph Hellwig
2020-12-01 13:25 ` Tycho Andersen
2020-12-01 13:25 ` Tycho Andersen
2020-12-02 9:24 ` Christian Brauner
2020-12-02 9:24 ` Christian Brauner
2020-11-28 21:34 ` Christian Brauner [this message]
2020-11-28 21:34 ` [PATCH v3 08/38] capability: handle idmapped mounts Christian Brauner
2020-11-28 22:34 ` Serge E. Hallyn
2020-11-28 22:34 ` Serge E. Hallyn
2020-11-28 21:34 ` [PATCH v3 09/38] namei: add idmapped mount aware permission helpers Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-11-28 22:47 ` Serge E. Hallyn
2020-11-28 22:47 ` Serge E. Hallyn
2020-12-01 10:58 ` Christian Brauner
2020-12-01 10:58 ` Christian Brauner
2020-12-01 10:51 ` Christoph Hellwig
2020-12-01 10:51 ` Christoph Hellwig
2020-12-01 10:58 ` Christian Brauner
2020-12-01 10:58 ` Christian Brauner
2020-11-28 21:34 ` [PATCH v3 10/38] inode: add idmapped mount aware init and " Christian Brauner
2020-11-28 21:34 ` Christian Brauner
2020-12-01 10:51 ` Christoph Hellwig
2020-12-01 10:51 ` Christoph Hellwig
2020-12-02 9:17 ` Christian Brauner
2020-12-02 9:17 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 11/38] attr: handle idmapped mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 12/38] acl: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 13/38] xattr: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 14/38] commoncap: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 15/38] stat: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 16/38] namei: handle idmapped mounts in may_*() helpers Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 17/38] namei: introduce struct renamedata Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-12-01 10:53 ` Christoph Hellwig
2020-12-01 10:53 ` Christoph Hellwig
2020-12-02 9:18 ` Christian Brauner
2020-12-02 9:18 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 18/38] namei: prepare for idmapped mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 19/38] open: handle idmapped mounts in do_truncate() Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 20/38] open: handle idmapped mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 21/38] af_unix: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 22/38] utimes: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 23/38] fcntl: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 24/38] notify: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 25/38] init: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 26/38] ioctl: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 27/38] would_dump: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 28/38] exec: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 29/38] fs: add helpers for idmap mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 30/38] apparmor: handle idmapped mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 31/38] ima: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 32/38] fat: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-30 22:50 ` Mauricio Vásquez Bernal
2020-11-30 22:50 ` Mauricio Vásquez Bernal
2020-12-01 10:24 ` Christian Brauner
2020-12-01 10:24 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 33/38] ext4: support " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-30 22:52 ` Mauricio Vásquez Bernal
2020-11-30 22:52 ` Mauricio Vásquez Bernal
2020-12-01 10:28 ` Christian Brauner
2020-12-01 10:28 ` Christian Brauner
2020-12-01 10:54 ` Christoph Hellwig
2020-12-01 10:54 ` Christoph Hellwig
2020-12-01 11:02 ` Christian Brauner
2020-12-01 11:02 ` Christian Brauner
2020-12-01 11:13 ` Christoph Hellwig
2020-12-01 11:13 ` Christoph Hellwig
2020-12-01 11:14 ` Christian Brauner
2020-12-01 11:14 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 34/38] ecryptfs: do not mount on top of " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 35/38] overlayfs: " Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 36/38] fs: introduce MOUNT_ATTR_IDMAP Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 37/38] tests: extend mount_setattr tests Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 21:35 ` [PATCH v3 38/38] generic/618: add fstests for idmapped mounts Christian Brauner
2020-11-28 21:35 ` Christian Brauner
2020-11-28 22:54 ` [PATCH v3 00/38] " Serge E. Hallyn
2020-11-28 22:54 ` Serge E. Hallyn
2020-12-01 10:18 ` Christian Brauner
2020-12-01 10:18 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201128213527.2669807-9-christian.brauner@ubuntu.com \
--to=christian.brauner@ubuntu.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=adilger.kernel@dilger.ca \
--cc=alban@kinvolk.io \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linux-foundation.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=fstests@vger.kernel.org \
--cc=geofft@ldpreload.com \
--cc=hch@infradead.org \
--cc=hch@lst.de \
--cc=hirofumi@mail.parknet.co.jp \
--cc=john.johansen@canonical.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=lennart@poettering.net \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mpatel@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=seth.forshee@canonical.com \
--cc=smbarber@chromium.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tkjos@google.com \
--cc=tycho@tycho.ws \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.