From patchwork Tue Apr 26 19:36:26 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 8944601 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 6EAFBBF29F for ; Tue, 26 Apr 2016 20:13:44 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8C0C320138 for ; Tue, 26 Apr 2016 20:13:43 +0000 (UTC) Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9]) by mail.kernel.org (Postfix) with ESMTP id 278B32014A for ; Tue, 26 Apr 2016 20:13:41 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.24,538,1454976000"; d="scan'208";a="15644132" IronPort-PHdr: =?us-ascii?q?9a23=3AANcX4hbYXwT8pm+zRswnMRf/LSx+4OfEezUN459i?= =?us-ascii?q?sYplN5qZpM++bnLW6fgltlLVR4KTs6sC0LqG9f+xEjVbv96oizMrTt9lb1c9k8?= =?us-ascii?q?IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUiv2OQc9?= =?us-ascii?q?HOnpAIma153xjLDivcKCKFwT2nKUWvBbElaflU3prM4YgI9veO4a6yDihT92Qd?= =?us-ascii?q?lQ3n5iPlmJnhzxtY+a9Z9n9DlM6bp6r5YTGY2zRakzTKRZATI6KCh1oZSz7ViQ?= =?us-ascii?q?BTeIszExSGQd2iUOSyLE4R33RJL4tGGy4ud32SSWMNfzZaAxWC+57qBtDhTvjX?= =?us-ascii?q?FDfxc9/XHejMB9luploQim70hhwpTTSJOYMvtgOKfce84KA21bUYBMVHoSLJm7?= =?us-ascii?q?at40AvYBdchftZL9qlZG+QCzGQnqCuT10T9Fi1f91Ks91eUqGAWA1wslSYFd+E?= =?us-ascii?q?/Ipcn4Yf9BGdu+y7PFmHCaN6tb?= X-IPAS-Result: =?us-ascii?q?A2EJBQBiyx9X/wHyM5BeHAGCcCuBULt3H4F2hUVMAQEBAQE?= =?us-ascii?q?BAgJiJ4ItfVs9AQEBAwECDxUTBgEBDCALAQIDCQEBFykICAMBLQMBBQELEQYBB?= =?us-ascii?q?wsFGAQBiAgBpVGBMT4xik+FKAEEjEcBAQEHAQEBARYGCoQNggqIWhEBhXQBh3i?= =?us-ascii?q?FYHSJSIFVjESBZYdFJYVARYVfh04wgQ5iggUbgWlOAYd4gTUBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2016 20:13:08 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QKD7NY022156; Tue, 26 Apr 2016 16:13:08 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u3QJb8K8172318 for ; Tue, 26 Apr 2016 15:37:08 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QJak02011587 for ; Tue, 26 Apr 2016 15:37:08 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BABQD9wR9X/yQp0ApeHYJwK4FQt3CECQgXhXgCgUBMAQEBAQEBZieEQgEBAQMSFRkBATcBD1E0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBAQEDAgEXBgqEDYIKi1ILQIJDh3mFYHSJSIFVjESBZYdFhWVFhV+HTjCBDmKBeA0bgWlOAYktAQEB X-IPAS-Result: A0BABQD9wR9X/yQp0ApeHYJwK4FQt3CECQgXhXgCgUBMAQEBAQEBZieEQgEBAQMSFRkBATcBD1E0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBAQEDAgEXBgqEDYIKi1ILQIJDh3mFYHSJSIFVjESBZYdFhWVFhV+HTjCBDmKBeA0bgWlOAYktAQEB X-IronPort-AV: E=Sophos;i="5.24,537,1454994000"; d="scan'208";a="5410388" Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov) ([10.208.41.36]) by goalie.tycho.ncsc.mil with ESMTP; 26 Apr 2016 15:37:08 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AppDkaB8F8qTq6P9uRHKM819IXTAuvvDOBiVQ1KB8?= =?us-ascii?q?0O4cTK2v8tzYMVDF4r011RmSDdWdtKMP0rGO+4nbGkU+or+5+EgYd5JNUxJXwe?= =?us-ascii?q?43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6anHS+4HYoFwnlMkIt?= =?us-ascii?q?f6KuSt6U0JX8jrvqs7ToICx2xxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?= =?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cYk7sb+sVBSaT3ebgjBfwdVWx+cjN92Mq+/zTZ?= =?us-ascii?q?TADH2T1UeGQbnhdSBgHDplmuU53wvyf3rO9VyCybJtb3SrZyUjOnueMjYRvlmC?= =?us-ascii?q?4BOzMjuF/WkMs42LxauhWJtRF5wpCSZICTKeo4ebnSO84ZEzlvRMFUAhdMHoP0?= =?us-ascii?q?QYwVFOoMMK4MtIThpx0AqgGlBQShLOjmzDhOh3T/2esx1OF3QlKO5xApA99b6C?= =?us-ascii?q?ecl97yLqpHFLntlKQ=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0HzAAC5wh9Xj7XfVdFeHYJwgXu3cIQJC?= =?us-ascii?q?BeBdoQCAoFATAEBAQEBAQICDwEBAQEHCwsJIS+CLX1bPQEBAQMSFRkBATcBD1E?= =?us-ascii?q?0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBAQEDAgEXBgqEDYIKi1ILQ?= =?us-ascii?q?IJDh3mFYHSJSIFVjESBZYdFhWVFhV+HTjCBDoJaDREKgWlOAYktAQEB?= X-IPAS-Result: =?us-ascii?q?A0HzAAC5wh9Xj7XfVdFeHYJwgXu3cIQJCBeBdoQCAoFATAE?= =?us-ascii?q?BAQEBAQICDwEBAQEHCwsJIS+CLX1bPQEBAQMSFRkBATcBD1E0AQUBHAYBEiKIC?= =?us-ascii?q?AGlV4ExPjGKT4UoAQSMSgEBAQEBAQEDAgEXBgqEDYIKi1ILQIJDh3mFYHSJSIF?= =?us-ascii?q?VjESBZYdFhWVFhV+HTjCBDoJaDREKgWlOAYktAQEB?= X-IronPort-AV: E=Sophos;i="5.24,537,1454976000"; d="scan'208";a="13051018" Received: from mail-io0-f181.google.com ([209.85.223.181]) by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/AES128-GCM-SHA256; 26 Apr 2016 19:37:07 +0000 Received: by mail-io0-f181.google.com with SMTP id 190so20532030iow.1 for ; Tue, 26 Apr 2016 12:37:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=2E0VoJF/ExWKPUkUD6OQauklR/etRVxTBqNKD6CAktw=; b=1H5wXsGjIgNnaq2YI6mxvZSLjhcUqbHV82szmeRm8Ipn2tJFaqxcqezCkBOd71RxDf DPhreKosFwYhlpJ8Lk5UCQexNP56ScpDdPSG6otktkIBANmjb84wqYepfFk6WpmtYiuC RKRC+SNsBAj25Ikffp+9ft0CrXPw+kgSJU3jP//Td1ad5duJH49pD4HWsiEAkzl9nz9o JCKjGqt58iMSvuLwBDuYL/79Ol6Y8A2gSbAKhM9MQV6RW4SG2aqkO8Zv/Ar93s/huQVJ pljIyofpWN1Gzx6L95OrRNJknbz++0PsXW1IhC8n/IQ6h8dMT0YPnYPWfgebvkkzvmq8 e1WA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=2E0VoJF/ExWKPUkUD6OQauklR/etRVxTBqNKD6CAktw=; b=H0IT5YQNr4h9e7e+qVKGUVp1zJ77SCXcvbM8TU5cMTm5/svA4maPYPUpA2eOCXF7bq A+hmH1q/0lrTUMr8cGEFM2GBiKli2FZQXHFRspwXdnk26LLOmtpN8wRV3KVccTS/QLG+ 4gZ6ehGW02sm7H1Rjf3Yr32r8zH8hiL6MoOOTHf7KYu0tvJgN6kDMtf/G/yPRHiKlwr6 Y1Q/2rn+v+WfBU6ZTtpRW612yMi4Nye6lM17DJPDwM8U9xvmhY1HSUQf+QYzEqF59Zo7 3HjATXBUzRTD566wLCJndD+nLsrPt2jsEDYfwxtKz3ksFUbUg8t+qnEaGkPxA96q4ONl oDSg== X-Gm-Message-State: AOPr4FUC/1yKqoDgufq7UbANhMg/pIYcUA0LBD+wQktmXglNsHKSCr3QllzQft5OiXWyVtIV X-Received: by 10.107.17.19 with SMTP id z19mr6524987ioi.43.1461699426775; Tue, 26 Apr 2016 12:37:06 -0700 (PDT) Received: from localhost ([2605:a601:aab:f920:39a1:5bcf:aa:5b00]) by smtp.gmail.com with ESMTPSA id b9sm4080444igv.6.2016.04.26.12.37.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Apr 2016 12:37:06 -0700 (PDT) From: Seth Forshee To: "Eric W. Biederman" , Alexander Viro Subject: [PATCH v4 13/21] fs: Update posix_acl support to handle user namespace mounts Date: Tue, 26 Apr 2016 14:36:26 -0500 Message-Id: <1461699396-33000-14-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> X-Mailman-Approved-At: Tue, 26 Apr 2016 16:11:02 -0400 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: linux-bcache@vger.kernel.org, Serge Hallyn , Seth Forshee , dm-devel@redhat.com, Miklos Szeredi , Richard Weinberger , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP ids in on-disk ACLs should be converted to s_user_ns instead of init_user_ns as is done now. This introduces the possibility for id mappings to fail, and when this happens syscalls will return EOVERFLOW. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- fs/posix_acl.c | 67 ++++++++++++++++++++++++++--------------- fs/xattr.c | 19 +++++++++--- include/linux/posix_acl_xattr.h | 17 ++++++++--- 3 files changed, 70 insertions(+), 33 deletions(-) diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 711dd5170376..dac2842dd4cb 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -595,59 +595,77 @@ EXPORT_SYMBOL_GPL(posix_acl_create); /* * Fix up the uids and gids in posix acl extended attributes in place. */ -static void posix_acl_fix_xattr_userns( +static int posix_acl_fix_xattr_userns( struct user_namespace *to, struct user_namespace *from, void *value, size_t size) { posix_acl_xattr_header *header = (posix_acl_xattr_header *)value; posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end; int count; - kuid_t uid; - kgid_t gid; + kuid_t kuid; + uid_t uid; + kgid_t kgid; + gid_t gid; if (!value) - return; + return 0; if (size < sizeof(posix_acl_xattr_header)) - return; + return 0; if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) - return; + return 0; count = posix_acl_xattr_count(size); if (count < 0) - return; + return 0; if (count == 0) - return; + return 0; for (end = entry + count; entry != end; entry++) { switch(le16_to_cpu(entry->e_tag)) { case ACL_USER: - uid = make_kuid(from, le32_to_cpu(entry->e_id)); - entry->e_id = cpu_to_le32(from_kuid(to, uid)); + kuid = make_kuid(from, le32_to_cpu(entry->e_id)); + if (!uid_valid(kuid)) + return -EOVERFLOW; + uid = from_kuid(to, kuid); + if (uid == (uid_t)-1) + return -EOVERFLOW; + entry->e_id = cpu_to_le32(uid); break; case ACL_GROUP: - gid = make_kgid(from, le32_to_cpu(entry->e_id)); - entry->e_id = cpu_to_le32(from_kgid(to, gid)); + kgid = make_kgid(from, le32_to_cpu(entry->e_id)); + if (!gid_valid(kgid)) + return -EOVERFLOW; + gid = from_kgid(to, kgid); + if (gid == (gid_t)-1) + return -EOVERFLOW; + entry->e_id = cpu_to_le32(gid); break; default: break; } } + + return 0; } -void posix_acl_fix_xattr_from_user(void *value, size_t size) +int +posix_acl_fix_xattr_from_user(struct user_namespace *target_ns, void *value, + size_t size) { - struct user_namespace *user_ns = current_user_ns(); - if (user_ns == &init_user_ns) - return; - posix_acl_fix_xattr_userns(&init_user_ns, user_ns, value, size); + struct user_namespace *source_ns = current_user_ns(); + if (source_ns == target_ns) + return 0; + return posix_acl_fix_xattr_userns(target_ns, source_ns, value, size); } -void posix_acl_fix_xattr_to_user(void *value, size_t size) +int +posix_acl_fix_xattr_to_user(struct user_namespace *source_ns, void *value, + size_t size) { - struct user_namespace *user_ns = current_user_ns(); - if (user_ns == &init_user_ns) - return; - posix_acl_fix_xattr_userns(user_ns, &init_user_ns, value, size); + struct user_namespace *target_ns = current_user_ns(); + if (target_ns == source_ns) + return 0; + return posix_acl_fix_xattr_userns(target_ns, source_ns, value, size); } /* @@ -780,7 +798,7 @@ posix_acl_xattr_get(const struct xattr_handler *handler, if (acl == NULL) return -ENODATA; - error = posix_acl_to_xattr(&init_user_ns, acl, value, size); + error = posix_acl_to_xattr(dentry->d_sb->s_user_ns, acl, value, size); posix_acl_release(acl); return error; @@ -806,7 +824,8 @@ posix_acl_xattr_set(const struct xattr_handler *handler, return -EPERM; if (value) { - acl = posix_acl_from_xattr(&init_user_ns, value, size); + acl = posix_acl_from_xattr(dentry->d_sb->s_user_ns, value, + size); if (IS_ERR(acl)) return PTR_ERR(acl); diff --git a/fs/xattr.c b/fs/xattr.c index 4861322e28e8..c541121945cd 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -330,8 +330,12 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value, goto out; } if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || - (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) - posix_acl_fix_xattr_from_user(kvalue, size); + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) { + error = posix_acl_fix_xattr_from_user(d->d_sb->s_user_ns, + kvalue, size); + if (error) + goto out; + } } error = vfs_setxattr(d, kname, kvalue, size, flags); @@ -427,9 +431,14 @@ getxattr(struct dentry *d, const char __user *name, void __user *value, error = vfs_getxattr(d, kname, kvalue, size); if (error > 0) { if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || - (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) - posix_acl_fix_xattr_to_user(kvalue, size); - if (size && copy_to_user(value, kvalue, error)) + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) { + int ret; + ret = posix_acl_fix_xattr_to_user(d->d_sb->s_user_ns, + kvalue, size); + if (ret) + error = ret; + } + if (error > 0 && size && copy_to_user(value, kvalue, error)) error = -EFAULT; } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { /* The file system tried to returned a value bigger diff --git a/include/linux/posix_acl_xattr.h b/include/linux/posix_acl_xattr.h index e5e8ec40278d..5dec6b10951a 100644 --- a/include/linux/posix_acl_xattr.h +++ b/include/linux/posix_acl_xattr.h @@ -49,14 +49,23 @@ posix_acl_xattr_count(size_t size) } #ifdef CONFIG_FS_POSIX_ACL -void posix_acl_fix_xattr_from_user(void *value, size_t size); -void posix_acl_fix_xattr_to_user(void *value, size_t size); +int posix_acl_fix_xattr_from_user(struct user_namespace *target_ns, + void *value, size_t size); +int posix_acl_fix_xattr_to_user(struct user_namespace *source_ns, void *value, + size_t size); #else -static inline void posix_acl_fix_xattr_from_user(void *value, size_t size) +static inline int +posix_acl_fix_xattr_from_user(struct user_namespace *target_ns, void *value, + size_t size) { + return 0; } -static inline void posix_acl_fix_xattr_to_user(void *value, size_t size) + +static inline int +posix_acl_fix_xattr_to_user(struct user_namespace *source_ns, void *value, + size_t size) { + return 0; } #endif