From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f47.google.com ([74.125.82.47]:37072 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753095AbcEDO3v (ORCPT ); Wed, 4 May 2016 10:29:51 -0400 From: Djalal Harouni To: Alexander Viro , Chris Mason , , Serge Hallyn , Josh Triplett , "Eric W. Biederman" , Andy Lutomirski , Seth Forshee , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Dongsu Park , David Herrmann , Miklos Szeredi , Alban Crequy Cc: Djalal Harouni , Djalal Harouni Subject: [RFC v2 PATCH 6/8] VFS:userns: shift UID/GID to on-disk view before any write to disk Date: Wed, 4 May 2016 16:26:52 +0200 Message-Id: <1462372014-3786-7-git-send-email-tixxdz@gmail.com> In-Reply-To: <1462372014-3786-1-git-send-email-tixxdz@gmail.com> References: <1462372014-3786-1-git-send-email-tixxdz@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: If both the mount namespace and the mount point support UID/GID shifts, then during inode creation or during a chown call on an inode, make sure that kuid and kgid that will be used to set inode->{i_uid|i_gid} are in on-disk view. Perform the shift to on-disk view during inode initialization or during notify_change() calls. Usually in this case inode's uid/gid will contain a kuid and kgid that are valid in the context of the caller and its view inside the global init_user_ns user namespace. They will always end up either with current_fsuid() value or the attr->ia_uid of the struct iattr. inode->{i_uid|i_gid} on-disk writes inside user_ns_X ---------------------------------------------------- Without this Patch: ------------------------------------------------------------ user_ns_X uid | init_user_ns uid | inode->i_uid on-disk ------------------------------------------------------------ 0 | 1000000 | 1000000 ------------------------------------------------------------ 999 | 1000999 | 1000999 ------------------------------------------------------------ 1000 | 1001000 | 1001000 ------------------------------------------------------------ inode->{i_uid|i_gid} always end up with global kuid/kgid of the caller in the init_user_ns. With this patch: ------------------------------------------------------------ user_ns_X uid | init_user_ns uid | inode->i_uid on-disk ------------------------------------------------------------ 0 | 1000000 | 0 ------------------------------------------------------------ 999 | 1000999 | 999 ------------------------------------------------------------ 1000 | 1001000 | 1000 ------------------------------------------------------------ inode->{i_uid|i_gid} will have the values of the uid_t and gid_t that are shown inside the user namespace of the caller. Of course this works only on mounts that support VFS UID/GID shift and are inside a mount namespace that also supports the above. The shift into on-disk is done inside notify_change() to give a chance to notify_change_ok() to catch permissions access. At the same time we adapt notify_change_ok() and make the necessary translation when it's needed from virtual ot on-disk and vice versa. The approach is to always keep inode->{i_uid|i_gid} even in memory with on-disk values. The virtual translation is only done when needed for permission access or stat() calls. Signed-off-by: Dongsu Park Signed-off-by: Djalal Harouni --- fs/attr.c | 44 +++++++++++++++++++++++++++++++++----------- fs/inode.c | 4 ++-- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index 25b24d0..c476257 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -47,26 +47,38 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) return 0; /* Make sure a caller can chown. */ - if ((ia_valid & ATTR_UID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - !uid_eq(attr->ia_uid, inode->i_uid)) && - !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) - return -EPERM; + if (ia_valid & ATTR_UID) { + /* Shift to virtual if necessary */ + kuid_t i_uid = vfs_shift_i_uid_to_virtual(inode); + + if ((!uid_eq(current_fsuid(), i_uid) || + !uid_eq(attr->ia_uid, inode->i_uid)) && + !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + return -EPERM; + } /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && - !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + if (ia_valid & ATTR_GID) { + /* Shift to virtual if ncessary */ + kuid_t i_uid = vfs_shift_i_uid_to_virtual(inode); + /* Shift it back to virtual if necessary */ + kgid_t ia_gid = vfs_kgid_disk_to_virtual(inode, attr->ia_gid); + + if ((!uid_eq(current_fsuid(), i_uid) || + (!in_group_p(ia_gid) && + !gid_eq(attr->ia_gid, inode->i_gid))) && + !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) return -EPERM; + } /* Make sure a caller can chmod. */ if (ia_valid & ATTR_MODE) { if (!inode_owner_or_capable(inode)) return -EPERM; /* Also check the setgid bit! */ - if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : - inode->i_gid) && + if (!in_group_p((ia_valid & ATTR_GID) ? + vfs_kgid_disk_to_virtual(inode, attr->ia_gid) : + vfs_shift_i_gid_to_virtual(inode)) && !capable_wrt_inode_uidgid(inode, CAP_FSETID)) attr->ia_mode &= ~S_ISGID; } @@ -209,6 +221,16 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de inode->i_flags &= ~S_NOSEC; } + /* + * Shift if necessary the UID and GID that are mean to be written + * into inodes's uid/gid to on-disk view. Do that as early as + * possible. + */ + if ((ia_valid & ATTR_UID)) + attr->ia_uid = vfs_shift_kuid_to_disk(inode, attr->ia_uid); + if ((ia_valid & ATTR_GID)) + attr->ia_gid = vfs_shift_kgid_to_disk(inode, attr->ia_gid); + now = current_fs_time(inode->i_sb); attr->ia_ctime = now; diff --git a/fs/inode.c b/fs/inode.c index 07daf5f..e6ee56a 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1940,13 +1940,13 @@ EXPORT_SYMBOL(init_special_inode); void inode_init_owner(struct inode *inode, const struct inode *dir, umode_t mode) { - inode->i_uid = current_fsuid(); + inode->i_uid = vfs_shift_kuid_to_disk(inode, current_fsuid()); if (dir && dir->i_mode & S_ISGID) { inode->i_gid = dir->i_gid; if (S_ISDIR(mode)) mode |= S_ISGID; } else - inode->i_gid = current_fsgid(); + inode->i_gid = vfs_shift_kgid_to_disk(inode, current_fsgid()); inode->i_mode = mode; } EXPORT_SYMBOL(inode_init_owner); -- 2.5.5