From: "Ahelenia Ziemiańska" <nabijaczleweli@nabijaczleweli.xyz>
Cc: Jens Axboe <axboe@kernel.dk>,
Christian Brauner <brauner@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Miklos Szeredi <miklos@szeredi.hu>,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 10/11] fuse: allow splicing from filesystems mounted by real root
Date: Thu, 21 Dec 2023 04:09:15 +0100 [thread overview]
Message-ID: <7a160b52d8fa53a9257a2383021a5279d2628edb.1703126594.git.nabijaczleweli@nabijaczleweli.xyz> (raw)
In-Reply-To: <cover.1703126594.git.nabijaczleweli@nabijaczleweli.xyz>
[-- Attachment #1: Type: text/plain, Size: 1605 bytes --]
FUSE tends to be installed suid 0: this allows normal users to mount
anything, including a program whose read implementation consists
of for(;;) sleep(1);, which, if splice were allowed, would sleep
forever with the pipe lock held.
Normal filesystems can only be mounted by root, and are thus deemed
safe. Extend this to when root mounts a FUSE filesystem with an
explicit check.
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
---
fs/fuse/fuse_i.h | 1 +
fs/fuse/inode.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 463c5d4ad8b4..a9ceaf10c1d2 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -532,6 +532,7 @@ struct fuse_fs_context {
bool no_control:1;
bool no_force_umount:1;
bool legacy_opts_show:1;
+ bool trusted:1;
enum fuse_dax_mode dax_mode;
unsigned int max_read;
unsigned int blksize;
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 2a6d44f91729..91108ba9acec 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1779,6 +1779,7 @@ static int fuse_get_tree(struct fs_context *fsc)
fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL);
fc->release = fuse_free_conn;
+ fc->trusted = ctx->trusted;
fsc->s_fs_info = fm;
@@ -1840,6 +1841,7 @@ static int fuse_init_fs_context(struct fs_context *fsc)
ctx->max_read = ~0;
ctx->blksize = FUSE_DEFAULT_BLKSIZE;
ctx->legacy_opts_show = true;
+ ctx->trusted = uid_eq(current_uid(), GLOBAL_ROOT_UID);
#ifdef CONFIG_BLOCK
if (fsc->fs_type == &fuseblk_fs_type) {
--
2.39.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-12-21 3:09 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-21 3:08 [PATCH v2 00/11] Avoid unprivileged splice(file->)/(->socket) pipe exclusion Ahelenia Ziemiańska
2023-12-21 3:08 ` [PATCH v2 01/11] splice: copy_splice_read: do the I/O with IOCB_NOWAIT Ahelenia Ziemiańska
2023-12-21 8:27 ` Christoph Hellwig
2023-12-21 16:30 ` Ahelenia Ziemiańska
2023-12-21 3:08 ` [PATCH v2 02/11] af_unix: unix_stream_splice_read: always request MSG_DONTWAIT Ahelenia Ziemiańska
2023-12-21 3:08 ` [PATCH v2 03/11] fuse: fuse_dev_splice_read: use nonblocking I/O Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 04/11] net/smc: smc_splice_read: always request MSG_DONTWAIT Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 05/11] kcm: kcm_splice_read: " Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 06/11] tls/sw: tls_sw_splice_read: always request non-blocking I/O Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 07/11] net/tcp: tcp_splice_read: always do non-blocking reads Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 08/11] tty: splice_read: disable Ahelenia Ziemiańska
2023-12-21 8:10 ` Greg Kroah-Hartman
2024-01-03 11:36 ` Jiri Slaby
2024-01-03 19:14 ` Linus Torvalds
2024-01-03 21:34 ` Oliver Giles
2024-01-03 21:57 ` Linus Torvalds
2023-12-21 3:09 ` [PATCH v2 09/11] fuse: file: limit splice_read to virtiofs Ahelenia Ziemiańska
2024-01-10 13:43 ` Miklos Szeredi
2024-01-10 15:19 ` Ahelenia Ziemiańska
2024-01-10 15:47 ` Miklos Szeredi
2023-12-21 3:09 ` Ahelenia Ziemiańska [this message]
2023-12-21 3:09 ` [PATCH v2 11/11] splice: splice_to_socket: always request MSG_DONTWAIT Ahelenia Ziemiańska
2023-12-21 3:09 ` [PATCH v2 12/11 man-pages] splice.2: document 6.8 blocking behaviour Ahelenia Ziemiańska
2023-12-24 5:01 ` [PATCH v2 13/11] tty: splice_write: disable Ahelenia Ziemiańska
2023-12-24 5:01 ` [PATCH v2 14/11] fuse: allow splicing to trusted mounts only Ahelenia Ziemiańska
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7a160b52d8fa53a9257a2383021a5279d2628edb.1703126594.git.nabijaczleweli@nabijaczleweli.xyz \
--to=nabijaczleweli@nabijaczleweli.xyz \
--cc=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.