From: Hanna Reitz <hreitz@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
	Stefan Hajnoczi <stefanha@redhat.com>,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH v4 02/12] virtiofsd: Limit setxattr()'s creds-dropped region
Date: Wed, 20 Oct 2021 11:11:21 +0200	[thread overview]
Message-ID: <014cde63-06de-16d1-8e28-2471c8c7eb14@redhat.com> (raw)
In-Reply-To: <YW2s9+UQa0jozC7z@redhat.com>

On 18.10.21 19:20, Vivek Goyal wrote:
> On Thu, Sep 16, 2021 at 10:40:35AM +0200, Hanna Reitz wrote:
>> We only need to drop/switch our credentials for the (f)setxattr() call
>> alone, not for the openat() or fchdir() around it.
>>
>> (Right now, this may not be that big of a problem, but with inodes being
>> identified by file handles instead of an O_PATH fd, we will need
>> open_by_handle_at() calls here, which is really fickle when it comes to
>> credentials being dropped.)
>>
>> Signed-off-by: Hanna Reitz <hreitz@redhat.com>
>> ---
>>   tools/virtiofsd/passthrough_ll.c | 34 +++++++++++++++++++++++---------
>>   1 file changed, 25 insertions(+), 9 deletions(-)
>>
>> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
>> index 6511a6acb4..b43afdfbd3 100644
>> --- a/tools/virtiofsd/passthrough_ll.c
>> +++ b/tools/virtiofsd/passthrough_ll.c
>> @@ -3123,6 +3123,7 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name,
>>       bool switched_creds = false;
>>       bool cap_fsetid_dropped = false;
>>       struct lo_cred old = {};
>> +    bool changed_cwd = false;
>>   
>>       if (block_xattr(lo, in_name)) {
>>           fuse_reply_err(req, EOPNOTSUPP);
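Review bot: changed_cwd is declared after struct lo_cred old = {} rather than next to the other clean-up flags (switched_creds, cap_fsetid_dropped); moving it up one line keeps the three flags the out: path has to consult together, which makes that path easier to audit.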
>> @@ -3158,6 +3159,24 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name,
>>                ", name=%s value=%s size=%zd)\n", ino, name, value, size);
>>   
>>       sprintf(procname, "%i", inode->fd);
>> +    /*
>> +     * We can only open regular files or directories.  If the inode is
>> +     * something else, we have to enter /proc/self/fd and use
>> +     * setxattr() on the link's filename there.
>> +     */
>> +    if (S_ISREG(inode->filetype) || S_ISDIR(inode->filetype)) {
>> +        fd = openat(lo->proc_self_fd, procname, O_RDONLY);
>> +        if (fd < 0) {
>> +            saverr = errno;
>> +            goto out;
>> +        }
>> +    } else {
>> +        /* fchdir should not fail here */
>> +        FCHDIR_NOFAIL(lo->proc_self_fd);
>> +        /* Set flag so the clean-up path will chdir back */
>> +        changed_cwd = true;
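Review bot: the new early exit `saverr = errno; goto out;` after a failed openat() now runs before any credential switch, so the clean-up at out: must tolerate switched_creds and changed_cwd both being false and must test changed_cwd before chdir'ing back to the root; neither the out: label nor the close of fd is part of this hunk, so that half of the change cannot be checked here. The comment "We can only open regular files or directories" also overstates the case: FIFOs, sockets and device nodes can be opened, the problem is that opening them may block or have side effects, which is why the fchdir() + setxattr() route exists, so "We only want to open" would say what is meant.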
> Is there a need to move FCHDIR_NOFAIL() call earlier too? I am assuming
> this will not be impacted by file handle stuff. So we probably could
> leave it in place. Easier to read.

I wanted to limit the region where the creds are dropped to an absolute 
minimum, i.e. just around (f)setxattr().  I prefer this in general, not 
just because it breaks opening file handles, and so I wanted to pull out 
not just the openat(), but the fchdir() as well.

Hanna
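What the patch is after, shown as an added example rather than virtiofsd's own code: the fsuid/fsgid switch wraps exactly one syscall, while the openat() of /proc/self/fd/N (regular files and directories) or the fchdir() into /proc/self/fd (everything else, where open() could block or have side effects) runs with the daemon's own identity. set_xattr_creds_minimal(), switch_fs_creds() and demo() are names chosen here; the CAP_FSETID handling and the chdir back to the shared root that virtiofsd does are left out, and saving and restoring the cwd via an O_PATH fd is this example's own choice. It assumes Linux with /proc mounted and a /tmp that supports user.* xattrs (otherwise demo(S_IFREG) returns -ENOTSUP).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* setfsuid()/setfsgid() never report failure, so re-read with -1 to verify. The
 * gid goes first: once the uid is dropped we may not be allowed to change it. */
static int switch_fs_creds(uid_t uid, gid_t gid, uid_t *old_uid, gid_t *old_gid)
{
    *old_gid = setfsgid(gid);
    if ((gid_t)setfsgid(-1) != gid)
        return -EPERM;
    *old_uid = setfsuid(uid);
    if ((uid_t)setfsuid(-1) == uid)
        return 0;
    setfsgid(*old_gid);
    return -EPERM;
}

/* inode_fd is an O_PATH fd (like virtiofsd's inode->fd), filetype is
 * st_mode & S_IFMT. Only the (f)setxattr() call runs with the caller's
 * fsuid/fsgid; the open/fchdir around it runs as the daemon. Returns 0/-errno. */
int set_xattr_creds_minimal(int proc_self_fd, int inode_fd, mode_t filetype,
                            const char *name, const void *value, size_t size,
                            uid_t fsuid, gid_t fsgid)
{
    char procname[32];
    int fd = -1, saved_cwd = -1, ret, saverr = 0;
    uid_t old_uid;
    gid_t old_gid;

    snprintf(procname, sizeof(procname), "%d", inode_fd);
    if (S_ISREG(filetype) || S_ISDIR(filetype)) {
        /* A read-only open of a regular file or directory has no side effects. */
        fd = openat(proc_self_fd, procname, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
            return -errno;
    } else {
        /* FIFO, socket or device node: open() may block or poke the device, so
         * address it by name inside /proc/self/fd and remember the old cwd. */
        saved_cwd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (saved_cwd < 0)
            return -errno;
        if (fchdir(proc_self_fd) < 0) {
            saverr = errno;
            goto out;
        }
    }
    if ((ret = switch_fs_creds(fsuid, fsgid, &old_uid, &old_gid)) < 0) {
        saverr = -ret;
        goto out;
    }
    ret = fd >= 0 ? fsetxattr(fd, name, value, size, 0)
                  : setxattr(procname, name, value, size, 0);
    saverr = ret < 0 ? errno : 0;
    setfsuid(old_uid);   /* restore in reverse order */
    setfsgid(old_gid);
out:
    /* Reached from every early exit, with creds restored or never switched. */
    if (fd >= 0)
        close(fd);
    if (saved_cwd >= 0) {
        if (fchdir(saved_cwd) < 0 && saverr == 0)
            saverr = errno;
        close(saved_cwd);
    }
    return -saverr;
}

/* Constructed input: one node of type kind (S_IFREG or S_IFIFO) in a fresh temp
 * dir, handled with our own fsuid/fsgid so the switch is verified but changes
 * nothing. Returns set_xattr_creds_minimal()'s result (0; -EPERM for the FIFO,
 * since user.* attributes exist only on regular files and directories), -EIO if
 * the value does not read back, or -EXDEV if the cwd was not restored. */
int demo(mode_t kind)
{
    char dir[] = "/tmp/xattr-demo-XXXXXX", path[64], buf[8] = { 0 };
    struct stat before, after;
    int psfd = -1, ifd = -1, ret;

    if (!mkdtemp(dir))
        return -errno;
    snprintf(path, sizeof(path), "%s/node", dir);
    psfd = open("/proc/self/fd", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (psfd < 0 || mknod(path, kind | 0600, 0) < 0 || stat(".", &before) < 0 ||
        (ifd = open(path, O_PATH | O_CLOEXEC)) < 0) {   /* O_PATH never blocks */
        ret = -errno;
        goto out;
    }
    ret = set_xattr_creds_minimal(psfd, ifd, kind, "user.demo", "hello", 6,
                                  geteuid(), getegid());
    if (stat(".", &after) < 0 || before.st_dev != after.st_dev ||
        before.st_ino != after.st_ino)
        ret = -EXDEV;
    else if (ret == 0 && (getxattr(path, "user.demo", buf, sizeof(buf)) != 6 ||
                          memcmp(buf, "hello", 6) != 0))
        ret = -EIO;
out:
    if (ifd >= 0) close(ifd);
    if (psfd >= 0) close(psfd);
    unlink(path);
    rmdir(dir);
    return ret;
}

int main(void)
{
    int r = demo(S_IFREG), f = demo(S_IFIFO);
    printf("regular file: %s\nFIFO via fchdir(): %s\n",
           r == 0 ? "xattr set and read back" : strerror(-r), strerror(-f));
    return r != 0;
}
```

demo(S_IFIFO) takes the fchdir() route; setxattr() then fails with EPERM because user.* attributes are only permitted on regular files and directories (see xattr(7)), and the function still leaves through the clean-up path, which demo() checks by comparing the cwd before and after. Because the example runs with the ids it already has, the setfsuid()/setfsgid() calls are verified no-ops; switching to a different fsuid/fsgid requires CAP_SETUID/CAP_SETGID, which virtiofsd has and this example does not assume.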



Thread overview (60+ messages):
2021-09-16  8:40 [PATCH v4 00/12] virtiofsd: Allow using file handles instead of O_PATH FDs Hanna Reitz
2021-09-16  8:40 ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 01/12] virtiofsd: Keep /proc/self/mountinfo open Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-18 17:07   ` Vivek Goyal
2021-10-18 17:07     ` [Virtio-fs] " Vivek Goyal
2021-10-20  9:04     ` Hanna Reitz
2021-10-20  9:04       ` [Virtio-fs] " Hanna Reitz
2021-10-20 18:25       ` Vivek Goyal
2021-10-20 18:25         ` [Virtio-fs] " Vivek Goyal
2021-09-16  8:40 ` [PATCH v4 02/12] virtiofsd: Limit setxattr()'s creds-dropped region Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-18 17:20   ` Vivek Goyal
2021-10-18 17:20     ` [Virtio-fs] " Vivek Goyal
2021-10-20  9:11     ` Hanna Reitz [this message]
2021-10-20  9:11       ` Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 03/12] virtiofsd: Add TempFd structure Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 04/12] virtiofsd: Use lo_inode_open() instead of openat() Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 05/12] virtiofsd: Add lo_inode_fd() helper Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 06/12] virtiofsd: Let lo_fd() return a TempFd Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 07/12] virtiofsd: Let lo_inode_open() " Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-18 19:18   ` Vivek Goyal
2021-10-18 19:18     ` [Virtio-fs] " Vivek Goyal
2021-10-20  9:15     ` Hanna Reitz
2021-10-20  9:15       ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 08/12] virtiofsd: Pass lo_data to lo_inode_{fd,open}() Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] [PATCH v4 08/12] virtiofsd: Pass lo_data to lo_inode_{fd, open}() Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 09/12] virtiofsd: Add lo_inode.fhandle Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-09-16  8:40 ` [PATCH v4 10/12] virtiofsd: Add inodes_by_handle hash table Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-19 20:02   ` Vivek Goyal
2021-10-19 20:02     ` [Virtio-fs] " Vivek Goyal
2021-10-20 10:02     ` Hanna Reitz
2021-10-20 10:02       ` [Virtio-fs] " Hanna Reitz
2021-10-20 12:29       ` Vivek Goyal
2021-10-20 12:29         ` [Virtio-fs] " Vivek Goyal
2021-10-20 14:10         ` Hanna Reitz
2021-10-20 14:10           ` [Virtio-fs] " Hanna Reitz
2021-10-20 18:06           ` Vivek Goyal
2021-10-20 18:06             ` [Virtio-fs] " Vivek Goyal
2021-10-20 12:53       ` Vivek Goyal
2021-10-20 12:53         ` [Virtio-fs] " Vivek Goyal
2021-09-16  8:40 ` [PATCH v4 11/12] virtiofsd: Optionally fill lo_inode.fhandle Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-19 18:57   ` Vivek Goyal
2021-10-19 18:57     ` [Virtio-fs] " Vivek Goyal
2021-10-20 10:00     ` Hanna Reitz
2021-10-20 10:00       ` [Virtio-fs] " Hanna Reitz
2021-10-20 18:53       ` Vivek Goyal
2021-10-20 18:53         ` [Virtio-fs] " Vivek Goyal
2021-09-16  8:40 ` [PATCH v4 12/12] virtiofsd: Add lazy lo_do_find() Hanna Reitz
2021-09-16  8:40   ` [Virtio-fs] " Hanna Reitz
2021-10-18 18:08 ` [PATCH v4 00/12] virtiofsd: Allow using file handles instead of O_PATH FDs Vivek Goyal
2021-10-18 18:08   ` [Virtio-fs] " Vivek Goyal
