Message ID | 1446723580-3747-4-git-send-email-agruenba@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Nov 5, 2015, at 4:39 AM, Andreas Gruenbacher <agruenba@redhat.com> wrote: > > Normally, deleting a file requires MAY_WRITE access to the parent > directory. With richacls, a file may be deleted with MAY_DELETE_CHILD access > to the parent directory or with MAY_DELETE_SELF access to the file. > > To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission() > when checking for delete access inside a directory, and MAY_DELETE_SELF > when checking for delete access to a file itelf. > > The MAY_DELETE_SELF permission overrides the sticky directory check. > > Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> > Reviewed-by: J. Bruce Fields <bfields@redhat.com> > --- > fs/namei.c | 21 ++++++++++++--------- > include/linux/fs.h | 2 ++ > 2 files changed, 14 insertions(+), 9 deletions(-) > > diff --git a/fs/namei.c b/fs/namei.c > index 0259392..2eab19e 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -453,9 +453,9 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) > * this, letting us set arbitrary permissions for filesystem access without > * changing the "normal" UIDs which are used for other things. > * > - * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, or > - * MAY_CREATE_DIR are set. That way, file systems that don't support these > - * permissions will check for MAY_WRITE instead. > + * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, > + * MAY_CREATE_DIR, or MAY_DELETE_CHILD are set. That way, file systems that > + * don't support these permissions will check for MAY_WRITE instead. > */ > int inode_permission(struct inode *inode, int mask) > { > @@ -2555,7 +2555,7 @@ static int may_delete(struct inode *dir, struct dentry *victim, > bool isdir, bool replace) > { > struct inode *inode = d_backing_inode(victim); > - int error, mask = MAY_WRITE | MAY_EXEC; > + int error, mask = MAY_EXEC; > > if (d_is_negative(victim)) > return -ENOENT; > @@ -2565,15 +2565,18 @@ static int may_delete(struct inode *dir, struct dentry *victim, > audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); > > if (replace) > - mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE; > - error = inode_permission(dir, mask); > + mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE); > + error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD); > + if (!error && check_sticky(dir, inode)) > + error = -EPERM; > + if (error && IS_RICHACL(inode) && > + inode_permission(inode, MAY_DELETE_SELF) == 0) > + error = 0; This looks like a serious bug, as it is overriding other errors returned from inode_permission() such as -EROFS from sb_permission() or even from generic_permission->acl_permission_check(). Clearing the error returned by an earlier check doesn't seem safe, only new errors should be added. The call to inode_permission(inode) is also duplicating the sb_permission() check from inode_permission(dir), so at most should be __inode_permission(). It looks like this would be correct if you check MAY_DELETE_SELF together with check_sticky(): if (!error && check_sticky(dir, inode) && !__inode_permission(inode, MAY_DELETE_SELF)) error = -EPERM; I ommitted the IS_RICHACL() check here, since that should probably be in __inode_permission() when MAY_DELETE_SELF is passed? Cheers, Andreas > if (error) > return error; > if (IS_APPEND(dir)) > return -EPERM; > - > - if (check_sticky(dir, inode) || IS_APPEND(inode) || > - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > + if (IS_APPEND(inode) || IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > return -EPERM; > if (isdir) { > if (!d_is_dir(victim)) > diff --git a/include/linux/fs.h b/include/linux/fs.h > index d6e2330..402acd7 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -84,6 +84,8 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); > #define MAY_NOT_BLOCK 0x00000080 > #define MAY_CREATE_FILE 0x00000100 > #define MAY_CREATE_DIR 0x00000200 > +#define MAY_DELETE_CHILD 0x00000400 > +#define MAY_DELETE_SELF 0x00000800 > > /* > * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond > -- > 2.5.0 > Cheers, Andreas
On Nov 5, 2015, at 4:39 AM, Andreas Gruenbacher <agruenba@redhat.com> wrote: > > Normally, deleting a file requires MAY_WRITE access to the parent > directory. With richacls, a file may be deleted with MAY_DELETE_CHILD access > to the parent directory or with MAY_DELETE_SELF access to the file. > > To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission() > when checking for delete access inside a directory, and MAY_DELETE_SELF > when checking for delete access to a file itelf. > > The MAY_DELETE_SELF permission overrides the sticky directory check. > > Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> > Reviewed-by: J. Bruce Fields <bfields@redhat.com> > --- > fs/namei.c | 21 ++++++++++++--------- > include/linux/fs.h | 2 ++ > 2 files changed, 14 insertions(+), 9 deletions(-) > > diff --git a/fs/namei.c b/fs/namei.c > index 0259392..2eab19e 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -453,9 +453,9 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) > * this, letting us set arbitrary permissions for filesystem access without > * changing the "normal" UIDs which are used for other things. > * > - * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, or > - * MAY_CREATE_DIR are set. That way, file systems that don't support these > - * permissions will check for MAY_WRITE instead. > + * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, > + * MAY_CREATE_DIR, or MAY_DELETE_CHILD are set. That way, file systems that > + * don't support these permissions will check for MAY_WRITE instead. > */ > int inode_permission(struct inode *inode, int mask) > { > @@ -2555,7 +2555,7 @@ static int may_delete(struct inode *dir, struct dentry *victim, > bool isdir, bool replace) > { > struct inode *inode = d_backing_inode(victim); > - int error, mask = MAY_WRITE | MAY_EXEC; > + int error, mask = MAY_EXEC; > > if (d_is_negative(victim)) > return -ENOENT; > @@ -2565,15 +2565,18 @@ static int may_delete(struct inode *dir, struct dentry *victim, > audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); > > if (replace) > - mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE; > - error = inode_permission(dir, mask); > + mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE); > + error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD); > + if (!error && check_sticky(dir, inode)) > + error = -EPERM; > + if (error && IS_RICHACL(inode) && > + inode_permission(inode, MAY_DELETE_SELF) == 0) > + error = 0; This looks like a serious bug, as it is overriding other errors returned from inode_permission() such as -EROFS from sb_permission() or even from generic_permission->acl_permission_check(). Clearing the error returned by an earlier check doesn't seem safe, only new errors should be added. The call to inode_permission(inode) is also duplicating the sb_permission() check from inode_permission(dir), so at most should be __inode_permission(). It looks like this would be correct if you check MAY_DELETE_SELF together with check_sticky(): if (!error && check_sticky(dir, inode) && !__inode_permission(inode, MAY_DELETE_SELF)) error = -EPERM; I ommitted the IS_RICHACL() check here, since that should probably be in __inode_permission() when MAY_DELETE_SELF is passed? Cheers, Andreas > if (error) > return error; > if (IS_APPEND(dir)) > return -EPERM; > - > - if (check_sticky(dir, inode) || IS_APPEND(inode) || > - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > + if (IS_APPEND(inode) || IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > return -EPERM; > if (isdir) { > if (!d_is_dir(victim)) > diff --git a/include/linux/fs.h b/include/linux/fs.h > index d6e2330..402acd7 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -84,6 +84,8 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); > #define MAY_NOT_BLOCK 0x00000080 > #define MAY_CREATE_FILE 0x00000100 > #define MAY_CREATE_DIR 0x00000200 > +#define MAY_DELETE_CHILD 0x00000400 > +#define MAY_DELETE_SELF 0x00000800 > > /* > * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond > -- > 2.5.0 > Cheers, Andreas
On Fri, Nov 6, 2015 at 10:26 PM, Andreas Dilger <adilger@dilger.ca> wrote: > On Nov 5, 2015, at 4:39 AM, Andreas Gruenbacher <agruenba@redhat.com> wrote: >> >> Normally, deleting a file requires MAY_WRITE access to the parent >> directory. With richacls, a file may be deleted with MAY_DELETE_CHILD access >> to the parent directory or with MAY_DELETE_SELF access to the file. >> >> To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission() >> when checking for delete access inside a directory, and MAY_DELETE_SELF >> when checking for delete access to a file itelf. >> >> The MAY_DELETE_SELF permission overrides the sticky directory check. >> >> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> >> Reviewed-by: J. Bruce Fields <bfields@redhat.com> >> --- >> fs/namei.c | 21 ++++++++++++--------- >> include/linux/fs.h | 2 ++ >> 2 files changed, 14 insertions(+), 9 deletions(-) >> >> diff --git a/fs/namei.c b/fs/namei.c >> index 0259392..2eab19e 100644 >> --- a/fs/namei.c >> +++ b/fs/namei.c >> @@ -453,9 +453,9 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) >> * this, letting us set arbitrary permissions for filesystem access without >> * changing the "normal" UIDs which are used for other things. >> * >> - * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, or >> - * MAY_CREATE_DIR are set. That way, file systems that don't support these >> - * permissions will check for MAY_WRITE instead. >> + * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, >> + * MAY_CREATE_DIR, or MAY_DELETE_CHILD are set. That way, file systems that >> + * don't support these permissions will check for MAY_WRITE instead. >> */ >> int inode_permission(struct inode *inode, int mask) >> { >> @@ -2555,7 +2555,7 @@ static int may_delete(struct inode *dir, struct dentry *victim, >> bool isdir, bool replace) >> { >> struct inode *inode = d_backing_inode(victim); >> - int error, mask = MAY_WRITE | MAY_EXEC; >> + int error, mask = MAY_EXEC; >> >> if (d_is_negative(victim)) >> return -ENOENT; >> @@ -2565,15 +2565,18 @@ static int may_delete(struct inode *dir, struct dentry *victim, >> audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); >> >> if (replace) >> - mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE; >> - error = inode_permission(dir, mask); >> + mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE); >> + error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD); >> + if (!error && check_sticky(dir, inode)) >> + error = -EPERM; >> + if (error && IS_RICHACL(inode) && >> + inode_permission(inode, MAY_DELETE_SELF) == 0) >> + error = 0; > > This looks like a serious bug, as it is overriding other errors returned > from inode_permission() such as -EROFS from sb_permission() or even from > generic_permission->acl_permission_check(). Clearing the error returned > by an earlier check doesn't seem safe, only new errors should be added. See further below ... > The call to inode_permission(inode) is also duplicating the sb_permission() > check from inode_permission(dir), so at most should be __inode_permission(). This could be optimized, but that would make the code harder to read. I don't think it really matters: this only affects file with the MAY_DELETE_SELF permission, and sb_permissions is really cheap anyway. > It looks like this would be correct if you check MAY_DELETE_SELF together > with check_sticky(): > > if (!error && check_sticky(dir, inode) && > !__inode_permission(inode, MAY_DELETE_SELF)) > error = -EPERM; Nope, this version would deny users with MAY_DELETE_SELF access to a file and MAY_EXEC access to the directory the right to delete the file because @error would already be set then. You are right that the check for MAY_DELETE_SELF overrides too much here though; we need an additional inode_permission(dir, ...) check in there. I've pushed a fixed version here that I will do some more testing on before reposting: git://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux-richacl.git richacl-wip > I ommitted the IS_RICHACL() check here, since that should probably be in > __inode_permission() when MAY_DELETE_SELF is passed? The IS_RICHACL() check is indeed done in inode_permission -> __inode_permission -> do_inode_permission -> generic_permission -> acl_permission_check. I've duplicated that check here to avoid slowing down may_delete in the common case where the filesystem doesn't support richacls. Thanks, Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/namei.c b/fs/namei.c index 0259392..2eab19e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -453,9 +453,9 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) * this, letting us set arbitrary permissions for filesystem access without * changing the "normal" UIDs which are used for other things. * - * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, or - * MAY_CREATE_DIR are set. That way, file systems that don't support these - * permissions will check for MAY_WRITE instead. + * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, + * MAY_CREATE_DIR, or MAY_DELETE_CHILD are set. That way, file systems that + * don't support these permissions will check for MAY_WRITE instead. */ int inode_permission(struct inode *inode, int mask) { @@ -2555,7 +2555,7 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir, bool replace) { struct inode *inode = d_backing_inode(victim); - int error, mask = MAY_WRITE | MAY_EXEC; + int error, mask = MAY_EXEC; if (d_is_negative(victim)) return -ENOENT; @@ -2565,15 +2565,18 @@ static int may_delete(struct inode *dir, struct dentry *victim, audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); if (replace) - mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE; - error = inode_permission(dir, mask); + mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE); + error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD); + if (!error && check_sticky(dir, inode)) + error = -EPERM; + if (error && IS_RICHACL(inode) && + inode_permission(inode, MAY_DELETE_SELF) == 0) + error = 0; if (error) return error; if (IS_APPEND(dir)) return -EPERM; - - if (check_sticky(dir, inode) || IS_APPEND(inode) || - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) + if (IS_APPEND(inode) || IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) return -EPERM; if (isdir) { if (!d_is_dir(victim)) diff --git a/include/linux/fs.h b/include/linux/fs.h index d6e2330..402acd7 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -84,6 +84,8 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); #define MAY_NOT_BLOCK 0x00000080 #define MAY_CREATE_FILE 0x00000100 #define MAY_CREATE_DIR 0x00000200 +#define MAY_DELETE_CHILD 0x00000400 +#define MAY_DELETE_SELF 0x00000800 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond