From patchwork Tue Jan 10 11:26:48 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
X-Patchwork-Id: 9506963
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9AC50601E9 for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 10 Jan 2017 11:32:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8DA842818E
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 10 Jan 2017 11:32:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 8270428538; Tue, 10 Jan 2017 11:32:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F214C2818E
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 10 Jan 2017 11:32:18 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965771AbdAJLcB (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Tue, 10 Jan 2017 06:32:01 -0500
Received: from forwardcorp1h.cmail.yandex.net ([87.250.230.216]:33160 "EHLO
	forwardcorp1h.cmail.yandex.net" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S932519AbdAJLcA (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 10 Jan 2017 06:32:00 -0500
X-Greylist: delayed 303 seconds by postgrey-1.27 at vger.kernel.org;
	Tue, 10 Jan 2017 06:31:59 EST
Received: from smtpcorp1o.mail.yandex.net (smtpcorp1o.mail.yandex.net
	[IPv6:2a02:6b8:0:1a2d::30])
	by forwardcorp1h.cmail.yandex.net (Yandex) with ESMTP id 9FF7C206C2;
	Tue, 10 Jan 2017 14:26:53 +0300 (MSK)
Received: from smtpcorp1o.mail.yandex.net (localhost.localdomain [127.0.0.1])
	by smtpcorp1o.mail.yandex.net (Yandex) with ESMTP id 97DA42440D85;
	Tue, 10 Jan 2017 14:26:53 +0300 (MSK)
Received: from unknown (unknown [2a02:6b8:0:40c:9673:49df:e573:ac6c])
	by smtpcorp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id
	r49OoBIKlc-QrDKLsD6; Tue, 10 Jan 2017 14:26:53 +0300
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru;
	s=default;
	t=1484047613; bh=g2OsesK+7JTEAEn/y74/xOj8K4YAAQQVaGQNcWW8Kww=;
	h=Subject:From:To:Cc:Date:Message-ID;
	b=w62fEscn8gYcZ3cu3E2stT96R7dndhKKNsMWlhaAJY0Up+RYoOdYAzYx3SkZ1mONj
	OgCRBCgjivOMcMpGN+SQgUOSvdAkvXWjjFyS1VL0CEtvLFqrg7+pK86PgYdSc6UXA0
	wuj17AlpBUzquqY/cI8wBGxBO0nGe+yA0huPNe3w=
Authentication-Results: smtpcorp1o.mail.yandex.net;
	dkim=pass header.i=@yandex-team.ru
Subject: [PATCH] ovl: do not ignore disk quota if current task is not
	privileged
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-unionfs@vger.kernel.org
Cc: Vivek Goyal <vgoyal@redhat.com>, Miklos Szeredi <miklos@szeredi.hu>
Date: Tue, 10 Jan 2017 14:26:48 +0300
Message-ID: <148404760886.4400.14907571208759802396.stgit@buzz>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If overlay was mounted by root then quota set for upper layer does not work
because overlay now always use mounter's credentials for operations.

This patch adds second copy of credentials without CAP_SYS_RESOURCE and
use it if current task doesn't have this capability in mounter's user-ns.
This affects creation new files, whiteouts, and copy-up operations.

Now quota limits are ignored only if both mounter and current task have
capability CAP_SYS_RESOURCE in root user namespace.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: 1175b6b8d963 ("ovl: do operations on underlying file system in mounter's context")
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/overlayfs/ovl_entry.h |    2 ++
 fs/overlayfs/super.c     |   13 ++++++++++++-
 fs/overlayfs/util.c      |   10 +++++++++-
 3 files changed, 23 insertions(+), 2 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
index d14bca1850d9..55eb3b08e292 100644
--- a/fs/overlayfs/ovl_entry.h
+++ b/fs/overlayfs/ovl_entry.h
@@ -27,6 +27,8 @@ struct ovl_fs {
 	struct ovl_config config;
 	/* creds of process who forced instantiation of super block */
 	const struct cred *creator_cred;
+	/* the same credentials without CAP_SYS_RESOURCE */
+	const struct cred *creator_cred_unpriv;
 };
 
 /* private information held for every overlayfs dentry */
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 20f48abbb82f..6a15693641e0 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -157,6 +157,7 @@ static void ovl_put_super(struct super_block *sb)
 	kfree(ufs->config.upperdir);
 	kfree(ufs->config.workdir);
 	put_cred(ufs->creator_cred);
+	put_cred(ufs->creator_cred_unpriv);
 	kfree(ufs);
 }
 
@@ -701,6 +702,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	unsigned int stacklen = 0;
 	unsigned int i;
 	bool remote = false;
+	struct cred *cred;
 	int err;
 
 	err = -ENOMEM;
@@ -874,10 +876,17 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	if (!ufs->creator_cred)
 		goto out_put_lower_mnt;
 
+	cred = prepare_creds();
+	if (!cred)
+		goto out_put_cred;
+
+	ufs->creator_cred_unpriv = cred;
+	cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
+
 	err = -ENOMEM;
 	oe = ovl_alloc_entry(numlower);
 	if (!oe)
-		goto out_put_cred;
+		goto out_put_cred_unpriv;
 
 	sb->s_magic = OVERLAYFS_SUPER_MAGIC;
 	sb->s_op = &ovl_super_operations;
@@ -914,6 +923,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 
 out_free_oe:
 	kfree(oe);
+out_put_cred_unpriv:
+	put_cred(ufs->creator_cred_unpriv);
 out_put_cred:
 	put_cred(ufs->creator_cred);
 out_put_lower_mnt:
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 952286f4826c..92f60096c5da 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -35,8 +35,16 @@ struct dentry *ovl_workdir(struct dentry *dentry)
 const struct cred *ovl_override_creds(struct super_block *sb)
 {
 	struct ovl_fs *ofs = sb->s_fs_info;
+	const struct cred *cred = ofs->creator_cred;
 
-	return override_creds(ofs->creator_cred);
+	/*
+	 * Do not override quota inode limit if current task is not
+	 * capable to do that in mounter's user namespace.
+	 */
+	if (!ns_capable_noaudit(cred->user_ns, CAP_SYS_RESOURCE))
+		cred = ofs->creator_cred_unpriv;
+
+	return override_creds(cred);
 }
 
 struct ovl_entry *ovl_alloc_entry(unsigned int numlower)