From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965907AbdAJLcC (ORCPT <rfc822;w@1wt.eu>);
        Tue, 10 Jan 2017 06:32:02 -0500
Received: from forwardcorp1h.cmail.yandex.net ([87.250.230.216]:33160 "EHLO
        forwardcorp1h.cmail.yandex.net" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932519AbdAJLcA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Jan 2017 06:32:00 -0500
X-Greylist: delayed 303 seconds by postgrey-1.27 at vger.kernel.org; Tue, 10 Jan 2017 06:31:59 EST
Authentication-Results: smtpcorp1o.mail.yandex.net; dkim=pass header.i=@yandex-team.ru
Subject: [PATCH] ovl: do not ignore disk quota if current task is not
 privileged
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-unionfs@vger.kernel.org
Cc: Vivek Goyal <vgoyal@redhat.com>, Miklos Szeredi <miklos@szeredi.hu>
Date: Tue, 10 Jan 2017 14:26:48 +0300
Message-ID: <148404760886.4400.14907571208759802396.stgit@buzz>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

If overlay was mounted by root then quota set for upper layer does not work
because overlay now always use mounter's credentials for operations.

This patch adds second copy of credentials without CAP_SYS_RESOURCE and
use it if current task doesn't have this capability in mounter's user-ns.
This affects creation new files, whiteouts, and copy-up operations.

Now quota limits are ignored only if both mounter and current task have
capability CAP_SYS_RESOURCE in root user namespace.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: 1175b6b8d963 ("ovl: do operations on underlying file system in mounter's context")
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/overlayfs/ovl_entry.h |    2 ++
 fs/overlayfs/super.c     |   13 ++++++++++++-
 fs/overlayfs/util.c      |   10 +++++++++-
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
index d14bca1850d9..55eb3b08e292 100644
--- a/fs/overlayfs/ovl_entry.h
+++ b/fs/overlayfs/ovl_entry.h
@@ -27,6 +27,8 @@ struct ovl_fs {
 	struct ovl_config config;
 	/* creds of process who forced instantiation of super block */
 	const struct cred *creator_cred;
+	/* the same credentials without CAP_SYS_RESOURCE */
+	const struct cred *creator_cred_unpriv;
 };
 
 /* private information held for every overlayfs dentry */
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 20f48abbb82f..6a15693641e0 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -157,6 +157,7 @@ static void ovl_put_super(struct super_block *sb)
 	kfree(ufs->config.upperdir);
 	kfree(ufs->config.workdir);
 	put_cred(ufs->creator_cred);
+	put_cred(ufs->creator_cred_unpriv);
 	kfree(ufs);
 }
 
@@ -701,6 +702,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	unsigned int stacklen = 0;
 	unsigned int i;
 	bool remote = false;
+	struct cred *cred;
 	int err;
 
 	err = -ENOMEM;
@@ -874,10 +876,17 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	if (!ufs->creator_cred)
 		goto out_put_lower_mnt;
 
+	cred = prepare_creds();
+	if (!cred)
+		goto out_put_cred;
+
+	ufs->creator_cred_unpriv = cred;
+	cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
+
 	err = -ENOMEM;
 	oe = ovl_alloc_entry(numlower);
 	if (!oe)
-		goto out_put_cred;
+		goto out_put_cred_unpriv;
 
 	sb->s_magic = OVERLAYFS_SUPER_MAGIC;
 	sb->s_op = &ovl_super_operations;
@@ -914,6 +923,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 
 out_free_oe:
 	kfree(oe);
+out_put_cred_unpriv:
+	put_cred(ufs->creator_cred_unpriv);
 out_put_cred:
 	put_cred(ufs->creator_cred);
 out_put_lower_mnt:
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 952286f4826c..92f60096c5da 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -35,8 +35,16 @@ struct dentry *ovl_workdir(struct dentry *dentry)
 const struct cred *ovl_override_creds(struct super_block *sb)
 {
 	struct ovl_fs *ofs = sb->s_fs_info;
+	const struct cred *cred = ofs->creator_cred;
 
-	return override_creds(ofs->creator_cred);
+	/*
+	 * Do not override quota inode limit if current task is not
+	 * capable to do that in mounter's user namespace.
+	 */
+	if (!ns_capable_noaudit(cred->user_ns, CAP_SYS_RESOURCE))
+		cred = ofs->creator_cred_unpriv;
+
+	return override_creds(cred);
 }
 
 struct ovl_entry *ovl_alloc_entry(unsigned int numlower)