linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Christian Brauner <christian@brauner.io>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	Seth Forshee <seth.forshee@canonical.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [REVIEW][PATCH v2 3/6] fs: Allow superblock owner to replace invalid owners of inodes
Date: Fri, 25 May 2018 00:30:08 +0200	[thread overview]
Message-ID: <20180524223008.GA17493@mailbox.org> (raw)
In-Reply-To: <87bmd6549i.fsf_-_@xmission.com>

On Wed, May 23, 2018 at 06:41:29PM -0500, Eric W. Biederman wrote:
> 
> Allow users with CAP_SYS_CHOWN over the superblock of a filesystem to
> chown files when inode owner is invalid.  Ordinarily the
> capable_wrt_inode_uidgid check is sufficient to allow access to files
> but when the underlying filesystem has uids or gids that don't map to
> the current user namespace it is not enough, so the chown permission
> checks need to be extended to allow this case.
> 
> Calling chown on filesystem nodes whose uid or gid don't map is
> necessary if those nodes are going to be modified as writing back
> inodes which contain uids or gids that don't map is likely to cause
> filesystem corruption of the uid or gid fields.
> 
> Once chown has been called the existing capable_wrt_inode_uidgid
> checks are sufficient to allow the owner of a superblock to do anything
> the global root user can do with an appropriate set of capabilities.
> 
> An ordinary filesystem mountable by a userns root will limit all uids
> and gids in s_user_ns or the INVALID_UID and INVALID_GID to flag all
> others.  So having this added permission limited to just INVALID_UID
> and INVALID_GID is sufficient to handle every case on an ordinary filesystem.
> 
> Of the virtual filesystems at least proc is known to set s_user_ns to
> something other than &init_user_ns, while at the same time presenting
> some files owned by GLOBAL_ROOT_UID.  Those files the mounter of proc
> in a user namespace should not be able to chown to get access to.
> Limiting the relaxation in permission to just the minimum of allowing
> changing INVALID_UID and INVALID_GID prevents problems with cases like
> that.
> 
> The original version of this patch was written by: Seth Forshee.  I
> have rewritten and rethought this patch enough so it's really not the
> same thing (certainly it needs a different description), but he
> deserves credit for getting out there and getting the conversation
> started, and finding the potential gotcha's and putting up with my
> semi-paranoid feedback.

Ok, took me a little longer to reason about this.

Acked-by: Christian Brauner <christian@brauner.io>

> 
> Inspired-by: Seth Forshee <seth.forshee@canonical.com>
> Acked-by: Seth Forshee <seth.forshee@canonical.com>
> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
> ---
> 
> Sigh.  In simplifying this change so it would not require a change to
> proc (or any other similar filesystem) I accidentally introduced some
> badly placed semicolons.  The kbuild test robot was very nice and found
> those for me.  Resend with those unnecessary semicolons removed.
> 
>  fs/attr.c | 36 ++++++++++++++++++++++++++++--------
>  1 file changed, 28 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/attr.c b/fs/attr.c
> index 12ffdb6fb63c..d0b4d34878fb 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -18,6 +18,32 @@
>  #include <linux/evm.h>
>  #include <linux/ima.h>
>  
> +static bool chown_ok(const struct inode *inode, kuid_t uid)
> +{
> +	if (uid_eq(current_fsuid(), inode->i_uid) &&
> +	    uid_eq(uid, inode->i_uid))
> +		return true;
> +	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +		return true;
> +	if (uid_eq(inode->i_uid, INVALID_UID) &&
> +	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
> +		return true;
> +	return false;
> +}
> +
> +static bool chgrp_ok(const struct inode *inode, kgid_t gid)
> +{
> +	if (uid_eq(current_fsuid(), inode->i_uid) &&
> +	    (in_group_p(gid) || gid_eq(gid, inode->i_gid)))
> +		return true;
> +	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +		return true;
> +	if (gid_eq(inode->i_gid, INVALID_GID) &&
> +	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
> +		return true;
> +	return false;
> +}
> +
>  /**
>   * setattr_prepare - check if attribute changes to a dentry are allowed
>   * @dentry:	dentry to check
> @@ -52,17 +78,11 @@ int setattr_prepare(struct dentry *dentry, struct iattr *attr)
>  		goto kill_priv;
>  
>  	/* Make sure a caller can chown. */
> -	if ((ia_valid & ATTR_UID) &&
> -	    (!uid_eq(current_fsuid(), inode->i_uid) ||
> -	     !uid_eq(attr->ia_uid, inode->i_uid)) &&
> -	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +	if ((ia_valid & ATTR_UID) && !chown_ok(inode, attr->ia_uid))
>  		return -EPERM;
>  
>  	/* Make sure caller can chgrp. */
> -	if ((ia_valid & ATTR_GID) &&
> -	    (!uid_eq(current_fsuid(), inode->i_uid) ||
> -	    (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
> -	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +	if ((ia_valid & ATTR_GID) && !chgrp_ok(inode, attr->ia_gid))
>  		return -EPERM;
>  
>  	/* Make sure a caller can chmod. */

  reply	other threads:[~2018-05-24 22:30 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-23 23:22 [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Eric W. Biederman
2018-05-23 23:25 ` [REVIEW][PATCH 1/6] vfs: Don't allow changing the link count of an inode with an invalid uid or gid Eric W. Biederman
2018-05-24 12:58   ` Seth Forshee
2018-05-24 22:30     ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on owned filesystems Eric W. Biederman
2018-05-24 13:55   ` Seth Forshee
2018-05-24 16:55     ` Eric W. Biederman
2018-05-24 17:22       ` Seth Forshee
2018-05-24 19:12   ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 3/6] fs: Allow superblock owner to replace invalid owners of inodes Eric W. Biederman
2018-05-23 23:41   ` [REVIEW][PATCH v2 " Eric W. Biederman
2018-05-24 22:30     ` Christian Brauner [this message]
2018-05-23 23:25 ` [REVIEW][PATCH 4/6] fs: Allow superblock owner to access do_remount_sb() Eric W. Biederman
2018-05-24 15:58   ` Christian Brauner
2018-05-24 16:45     ` Eric W. Biederman
2018-05-24 17:28       ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Eric W. Biederman
2018-05-24 15:57   ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 6/6] fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems Eric W. Biederman
2018-05-24 15:59   ` Christian Brauner
2018-05-24 21:46 ` [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Theodore Y. Ts'o
2018-05-24 23:23   ` Eric W. Biederman
2018-05-25  3:57     ` Dave Chinner
2018-05-25  4:06       ` Darrick J. Wong
2018-05-29 13:12       ` Eric W. Biederman
2018-05-29 22:17         ` Dave Chinner
2018-05-30  2:34           ` Eric W. Biederman
2018-05-30  4:34             ` Dave Chinner
2018-05-29 15:40 ` Dongsu Park

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180524223008.GA17493@mailbox.org \
    --to=christian@brauner.io \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=seth.forshee@canonical.com \
    --subject='Re: [REVIEW][PATCH v2 3/6] fs: Allow superblock owner to replace invalid owners of inodes' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).