| Message ID | 20200924131318.2654747-3-balsini@android.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | fuse: Add support for passthrough read/write | expand |
On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote: > > Add a reference to the FUSE daemon credentials, so that they can be used to > temporarily raise the user credentials when accessing lower file system > files in passthrough. Hmm, I think it would be better to store the creds of the ioctl() caller together with the open file. The mounter may deliberately have different privileges from the process doing the actual I/O. Thanks, Miklos
On 9/30/2020 2:45 PM, Miklos Szeredi wrote: > On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote: >> Add a reference to the FUSE daemon credentials, so that they can be used to >> temporarily raise the user credentials when accessing lower file system >> files in passthrough. > Hmm, I think it would be better to store the creds of the ioctl() > caller together with the open file. The mounter may deliberately > have different privileges from the process doing the actual I/O. > > Thanks, > Miklos In my usecase I'm changing euid/egid of the thread to whichever the uid/gid was passed to the server which is otherwise running as root.
On Wed, Sep 30, 2020 at 03:16:20PM -0400, Antonio SJ Musumeci wrote: > On 9/30/2020 2:45 PM, Miklos Szeredi wrote: > > On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote: > > > Add a reference to the FUSE daemon credentials, so that they can be used to > > > temporarily raise the user credentials when accessing lower file system > > > files in passthrough. > > Hmm, I think it would be better to store the creds of the ioctl() > > caller together with the open file. The mounter may deliberately > > have different privileges from the process doing the actual I/O. > > > > Thanks, > > Miklos > > > In my usecase I'm changing euid/egid of the thread to whichever the uid/gid > was passed to the server which is otherwise running as root. > Ack, in the next patch set I will store the creds of the ioctl() caller. Thanks, Alessio
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 6c5166447905..67bf5919f8d6 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -524,6 +524,9 @@ struct fuse_conn { /** The group id for this mount */ kgid_t group_id; + /** Creds of process which created this mount point */ + const struct cred *creator_cred; + /** The pid namespace for this mount */ struct pid_namespace *pid_ns; diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index eb223130a917..d22407bfa959 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -654,6 +654,8 @@ void fuse_conn_put(struct fuse_conn *fc) fiq->ops->release(fiq); put_pid_ns(fc->pid_ns); put_user_ns(fc->user_ns); + if (fc->creator_cred) + put_cred(fc->creator_cred); fc->release(fc); } } @@ -1203,6 +1205,12 @@ int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx) fc->allow_other = ctx->allow_other; fc->user_id = ctx->user_id; fc->group_id = ctx->group_id; + fc->creator_cred = prepare_creds(); + if (!fc->creator_cred) { + err = -ENOMEM; + goto err_dev_free; + } + fc->max_read = max_t(unsigned, 4096, ctx->max_read); fc->destroy = ctx->destroy; fc->no_control = ctx->no_control;
Add a reference to the FUSE daemon credentials, so that they can be used to temporarily raise the user credentials when accessing lower file system files in passthrough. When using FUSE passthrough, read/write operations are directly forwarded to the lower file system file, but there is no guarantee that the process that is triggering the request has the right permissions to access the lower file system. By default, in the non-passthrough use case, it is the daemon that handles the read/write operations, that can be performed to the lower file system with the daemon privileges. When passthrough is active, instead, the read/write operation is directly applied to the lower file system, so to keep the same behavior as before, the calling process temporarily receives the same credentials as the daemon, that should be removed as soon as the operation completes. Signed-off-by: Alessio Balsini <balsini@android.com> --- fs/fuse/fuse_i.h | 3 +++ fs/fuse/inode.c | 8 ++++++++ 2 files changed, 11 insertions(+)