From: ebiederm@xmission.com (Eric W. Biederman)
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Amir Goldstein <amir73il@gmail.com>,
	"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v3 1/6] vfs: create vfs helper vfs_tmpfile()
Date: Thu, 09 Mar 2017 11:31:08 -0600	[thread overview]
Message-ID: <87tw72fjc3.fsf@xmission.com> (raw)
In-Reply-To: <CAJfpegsLHq8qhv+nBrgF3f0tM_LDLoOk1vTxpsdnwnc78hcppA@mail.gmail.com> (Miklos Szeredi's message of "Thu, 9 Mar 2017 12:13:29 +0100")

Miklos Szeredi <miklos@szeredi.hu> writes:

> On Sun, Feb 19, 2017 at 4:27 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
>> On Mon, Jan 16, 2017 at 08:47:32PM +0100, Miklos Szeredi wrote:
>>
>>> > +                          umode_t mode, int open_flag)
>>> > +{
>>> > +       static const struct qstr name = QSTR_INIT("/", 1);
>>> > +       struct dentry *child = NULL;
>>> > +       struct inode *inode;
>>> > +       int error;
>>> > +
>>> > +       /* we want directory to be writable */
>>> > +       error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
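Review bot: the only gate before the tmpfile inode is created is inode_permission(dir, MAY_WRITE | MAY_EXEC) on the parent; unlike may_create() this skips the user-namespace check that current_fsuid()/current_fsgid() are mappable in the filesystem's s_user_ns, so on an FS_USERNS_MOUNT filesystem a creator the filesystem cannot map would reach it. Suggest adding the same mapping check may_create() applies before the inode_permission() call, or factoring that check into a helper both creation paths share.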
>>>
>>> This is not in the scope of this patch, but shouldn't we be using
>>> may_create() here?   Or at least a variant without the audit thing...
>>>
>>> Al?
>>
>> may_create() expects directory + child dentry; here we have only parent.
>> IS_DEADDIR is rather pointless here - directory is not locked, for
>> starters, so rmdir might happen right under you.  Or right after you've
>> returned from your function, for that matter.  userns checks...
>> FWIW, no such checks are done in ->atomic_open() paths, so I'm not sure
>> how much are those worth...
>
> Eric would know since he added those checks.

Unless I am missing something the atomic_open path was fixed this merge
window when may_o_create was fixed.  Missing any place where
we create files is an oversight.

The point of those checks is when we have a filesystem mounted by root
in a user namespace like tmpfs or hopefully soon fuse that it will let
the vfs filter out uids and gids that the filesystem does not know how
to map thus has no hope of understanding.  Since the filesystem does not
care about the uids and gids odds are filesystems won't be bothered to
test or deal with that case and corruption will result.  As far as I can
see not filtering out unmappable uids and gids is just laying a trap for
filesystem developers.

Which means vfs_tmpfile is definitely something that needs to be patched
to verify that the current_fsuid and current_fsgid are valid from
the filesystem's point of view.

At the same time this only matters for filesystems that set
FS_USERNS_MOUNT and implement tmpfile.  Which right now is tmpfs.  Given
that tmpfs actually only uses the vfs inode, there are no corruption or
other filesystem misbehaviors right now.  So it won't kill us if we
don't fix this for 4.11.

I am hoping things are far enough along that we can merge the patches to
fuse that make it safe to set FS_USER_NS for 4.12-rc1, and have truly
unprivileged fuse mounts.  At which point this will matter more.

Eric
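A user-space model of the filter Eric says vfs_tmpfile() needs, added here as an illustration and not code from the thread or from the kernel: it reproduces the uid_map extent lookup behind the kernel's kuid_has_mapping()/kgid_has_mapping() and rejects a creator whose fsuid or fsgid the filesystem's user namespace cannot map. The struct layouts, the sample namespace map and check_creator_mappable() are this example's own simplified stand-ins, not kernel definitions.

```c
/* User-space model of the kernel's uid_map extent lookup and of the
 * user-namespace check may_create() applies before creating an inode. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define INVALID_ID ((unsigned int)-1)   /* stands in for INVALID_UID / INVALID_GID */

/* One line of /proc/<pid>/uid_map: "first lower_first count" */
struct id_extent { unsigned int first, lower_first, count; };

struct user_ns {                        /* stands in for sb->s_user_ns */
    const struct id_extent *uid_map, *gid_map;
    size_t nr_uid, nr_gid;
};

/* Translate a kernel-global id to the namespace's view (the direction
 * from_kuid() walks). Returns INVALID_ID when no extent covers it. */
unsigned int map_id_down(const struct id_extent *map, size_t n, unsigned int kid)
{
    for (size_t i = 0; i < n; i++)
        if (kid >= map[i].lower_first && kid - map[i].lower_first < map[i].count)
            return map[i].first + (kid - map[i].lower_first);
    return INVALID_ID;
}

bool kuid_has_mapping(const struct user_ns *ns, unsigned int kuid)
{ return map_id_down(ns->uid_map, ns->nr_uid, kuid) != INVALID_ID; }
bool kgid_has_mapping(const struct user_ns *ns, unsigned int kgid)
{ return map_id_down(ns->gid_map, ns->nr_gid, kgid) != INVALID_ID; }

/* The filter the thread says vfs_tmpfile() lacks: refuse to create an inode
 * whose owner the filesystem's user namespace cannot represent, instead of
 * handing the filesystem an id it has no way to map. Returns 0 on success. */
int check_creator_mappable(const struct user_ns *fs_ns,
                           unsigned int fsuid, unsigned int fsgid)
{
    if (!kuid_has_mapping(fs_ns, fsuid) || !kgid_has_mapping(fs_ns, fsgid))
        return -EOVERFLOW;
    return 0;
}

/* Constructed sample: a namespace whose single extent "0 100000 65536"
 * maps its uid/gid 0..65535 onto host ids 100000..165535. */
const struct id_extent sample_map[] = { { 0, 100000, 65536 } };
const struct user_ns sample_ns = { sample_map, sample_map, 1, 1 };
```

Host ids outside the extent (for example the unprivileged mounter's own host uid 1000) are exactly the ones a filesystem that only stores what it can map would otherwise receive with no way to represent them.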
