From: Yang Xu <xuyang2018.jy@fujitsu.com>
To: <david@fromorbit.com>, <brauner@kernel.org>, <djwong@kernel.org>
Cc: <linux-fsdevel@vger.kernel.org>, <fstests@vger.kernel.org>,
Yang Xu <xuyang2018.jy@fujitsu.com>
Subject: [PATCH v4 3/3] idmapped-mounts: Add open with O_TMPFILE operation in setgid test
Date: Sat, 7 May 2022 21:05:26 +0800 [thread overview]
Message-ID: <1651928726-2263-3-git-send-email-xuyang2018.jy@fujitsu.com> (raw)
In-Reply-To: <1651928726-2263-1-git-send-email-xuyang2018.jy@fujitsu.com>
Since we can create temp file by using O_TMPFILE flag and filesystem driver also
has this api, we should also check this operation whether strip S_ISGID.
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com>
---
v3->v4: use linkat with AT_EMPTY_PATH to make the temporary file permanent
instead of snprint and link with AT_SYMLINK_FOLLOW
src/idmapped-mounts/idmapped-mounts.c | 139 ++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
diff --git a/src/idmapped-mounts/idmapped-mounts.c b/src/idmapped-mounts/idmapped-mounts.c
index a1c22da2..8fe06408 100644
--- a/src/idmapped-mounts/idmapped-mounts.c
+++ b/src/idmapped-mounts/idmapped-mounts.c
@@ -51,6 +51,7 @@
#define FILE1_RENAME "file1_rename"
#define FILE2 "file2"
#define FILE2_RENAME "file2_rename"
+#define FILE3 "file3"
#define DIR1 "dir1"
#define DIR2 "dir2"
#define DIR3 "dir3"
@@ -340,6 +341,24 @@ out:
return fret;
}
+static bool openat_tmpfile_supported(int dirfd)
+{
+ int fd = -1;
+
+ fd = openat(dirfd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (fd == -1) {
+ if (errno == ENOTSUP)
+ return false;
+ else
+ return log_errno(false, "failure: create");
+ }
+
+ if (close(fd))
+ log_stderr("failure: close");
+
+ return true;
+}
+
/* __expected_uid_gid - check whether file is owned by the provided uid and gid */
static bool __expected_uid_gid(int dfd, const char *path, int flags,
uid_t expected_uid, gid_t expected_gid, bool log)
@@ -7844,7 +7863,9 @@ static int setgid_create(void)
{
int fret = -1;
int file1_fd = -EBADF;
+ int tmpfile_fd = -EBADF;
pid_t pid;
+ bool supported = false;
if (!caps_supported())
return 0;
@@ -7869,6 +7890,8 @@ static int setgid_create(void)
goto out;
}
+ supported = openat_tmpfile_supported(t_dir1_fd);
+
pid = fork();
if (pid < 0) {
log_stderr("failure: fork");
@@ -7932,6 +7955,24 @@ static int setgid_create(void)
if (unlinkat(t_dir1_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(t_dir1_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (!is_setgid(t_dir1_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(t_dir1_fd, FILE3, 0, 0, 0))
+ die("failure: check ownership");
+ if (unlinkat(t_dir1_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
@@ -8021,6 +8062,24 @@ static int setgid_create(void)
if (unlinkat(t_dir1_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(t_dir1_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (is_setgid(t_dir1_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(t_dir1_fd, FILE3, 0, 0, 0))
+ die("failure: check ownership");
+ if (unlinkat(t_dir1_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
@@ -8042,6 +8101,8 @@ static int setgid_create_idmapped(void)
.attr_set = MOUNT_ATTR_IDMAP,
};
pid_t pid;
+ int tmpfile_fd = -EBADF;
+ bool supported = false;
if (!caps_supported())
return 0;
@@ -8089,6 +8150,8 @@ static int setgid_create_idmapped(void)
goto out;
}
+ supported = openat_tmpfile_supported(open_tree_fd);
+
pid = fork();
if (pid < 0) {
log_stderr("failure: fork");
@@ -8171,6 +8234,24 @@ static int setgid_create_idmapped(void)
if (unlinkat(open_tree_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(open_tree_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (is_setgid(open_tree_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(open_tree_fd, FILE3, 0, 10000, 10000))
+ die("failure: check ownership");
+ if (unlinkat(open_tree_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
@@ -8194,6 +8275,8 @@ static int setgid_create_idmapped_in_userns(void)
.attr_set = MOUNT_ATTR_IDMAP,
};
pid_t pid;
+ int tmpfile_fd = -EBADF;
+ bool supported = false;
if (!caps_supported())
return 0;
@@ -8241,6 +8324,8 @@ static int setgid_create_idmapped_in_userns(void)
goto out;
}
+ supported = openat_tmpfile_supported(open_tree_fd);
+
pid = fork();
if (pid < 0) {
log_stderr("failure: fork");
@@ -8307,6 +8392,24 @@ static int setgid_create_idmapped_in_userns(void)
if (unlinkat(open_tree_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(open_tree_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (!is_setgid(open_tree_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(open_tree_fd, FILE3, 0, 0, 0))
+ die("failure: check ownership");
+ if (unlinkat(open_tree_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
@@ -8415,6 +8518,24 @@ static int setgid_create_idmapped_in_userns(void)
if (unlinkat(open_tree_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(open_tree_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (is_setgid(open_tree_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(open_tree_fd, FILE3, 0, 0, 1000))
+ die("failure: check ownership");
+ if (unlinkat(open_tree_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
@@ -8511,6 +8632,24 @@ static int setgid_create_idmapped_in_userns(void)
if (unlinkat(open_tree_fd, CHRDEV1, 0))
die("failure: delete");
+ /* create tmpfile via filesystem tmpfile api */
+ if (supported) {
+ tmpfile_fd = openat(open_tree_fd, ".", O_TMPFILE | O_RDWR, S_IXGRP | S_ISGID);
+ if (tmpfile_fd < 0)
+ die("failure: create");
+ /* link the temporary file into the filesystem, making it permanent */
+ if (linkat(tmpfile_fd, "", t_dir1_fd, FILE3, AT_EMPTY_PATH))
+ die("failure: linkat");
+ if (close(tmpfile_fd))
+ die("failure: close");
+ if (is_setgid(open_tree_fd, FILE3, 0))
+ die("failure: is_setgid");
+ if (!expected_uid_gid(open_tree_fd, FILE3, 0, 0, 0))
+ die("failure: check ownership");
+ if (unlinkat(open_tree_fd, FILE3, 0))
+ die("failure: delete");
+ }
+
exit(EXIT_SUCCESS);
}
if (wait_for_pid(pid))
--
2.31.1
next prev parent reply other threads:[~2022-05-07 12:06 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-07 13:05 [PATCH v4 1/3] idmapped-mounts: Reset errno to zero before run_test Yang Xu
2022-05-07 13:05 ` [PATCH v4 2/3] idmapped-mounts: Add mknodat operation in setgid test Yang Xu
2022-05-07 13:05 ` Yang Xu [this message]
2022-05-07 13:33 ` [PATCH v4 1/3] idmapped-mounts: Reset errno to zero before run_test Zorro Lang
2022-05-07 13:56 ` xuyang2018.jy
2022-05-07 14:23 ` xuyang2018.jy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1651928726-2263-3-git-send-email-xuyang2018.jy@fujitsu.com \
--to=xuyang2018.jy@fujitsu.com \
--cc=brauner@kernel.org \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.