diff mbox series

[V9,2/4] fuse: Trace daemon creds

Message ID 20200924131318.2654747-3-balsini@android.com
State New
Headers show
Series fuse: Add support for passthrough read/write | expand

Commit Message

Alessio Balsini Sept. 24, 2020, 1:13 p.m. UTC
Add a reference to the FUSE daemon credentials, so that they can be used to
temporarily raise the user credentials when accessing lower file system
files in passthrough.

When using FUSE passthrough, read/write operations are directly forwarded
to the lower file system file, but there is no guarantee that the process
that is triggering the request has the right permissions to access the
lower file system.
By default, in the non-passthrough use case, it is the daemon that handles
the read/write operations, that can be performed to the lower file system
with the daemon privileges.
When passthrough is active, instead, the read/write operation is directly
applied to the lower file system, so to keep the same behavior as before,
the calling process temporarily receives the same credentials as the
daemon, that should be removed as soon as the operation completes.

Signed-off-by: Alessio Balsini <balsini@android.com>
---
 fs/fuse/fuse_i.h | 3 +++
 fs/fuse/inode.c  | 8 ++++++++
 2 files changed, 11 insertions(+)

Comments

Miklos Szeredi Sept. 30, 2020, 6:45 p.m. UTC | #1
On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote:
>
> Add a reference to the FUSE daemon credentials, so that they can be used to
> temporarily raise the user credentials when accessing lower file system
> files in passthrough.

Hmm, I think it would be better to store the creds of the ioctl()
caller together with the open file.   The mounter may deliberately
have different privileges from the process doing the actual I/O.

Thanks,
Miklos
Antonio SJ Musumeci Sept. 30, 2020, 7:16 p.m. UTC | #2
On 9/30/2020 2:45 PM, Miklos Szeredi wrote:
> On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote:
>> Add a reference to the FUSE daemon credentials, so that they can be used to
>> temporarily raise the user credentials when accessing lower file system
>> files in passthrough.
> Hmm, I think it would be better to store the creds of the ioctl()
> caller together with the open file.   The mounter may deliberately
> have different privileges from the process doing the actual I/O.
>
> Thanks,
> Miklos


In my usecase I'm changing euid/egid of the thread to whichever the 
uid/gid was passed to the server which is otherwise running as root.
Alessio Balsini Oct. 22, 2020, 4:14 p.m. UTC | #3
On Wed, Sep 30, 2020 at 03:16:20PM -0400, Antonio SJ Musumeci wrote:
> On 9/30/2020 2:45 PM, Miklos Szeredi wrote:
> > On Thu, Sep 24, 2020 at 3:13 PM Alessio Balsini <balsini@android.com> wrote:
> > > Add a reference to the FUSE daemon credentials, so that they can be used to
> > > temporarily raise the user credentials when accessing lower file system
> > > files in passthrough.
> > Hmm, I think it would be better to store the creds of the ioctl()
> > caller together with the open file.   The mounter may deliberately
> > have different privileges from the process doing the actual I/O.
> > 
> > Thanks,
> > Miklos
> 
> 
> In my usecase I'm changing euid/egid of the thread to whichever the uid/gid
> was passed to the server which is otherwise running as root.
> 

Ack, in the next patch set I will store the creds of the ioctl() caller.

Thanks,
Alessio
diff mbox series

Patch

diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 6c5166447905..67bf5919f8d6 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -524,6 +524,9 @@  struct fuse_conn {
 	/** The group id for this mount */
 	kgid_t group_id;
 
+	/** Creds of process which created this mount point */
+	const struct cred *creator_cred;
+
 	/** The pid namespace for this mount */
 	struct pid_namespace *pid_ns;
 
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index eb223130a917..d22407bfa959 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -654,6 +654,8 @@  void fuse_conn_put(struct fuse_conn *fc)
 			fiq->ops->release(fiq);
 		put_pid_ns(fc->pid_ns);
 		put_user_ns(fc->user_ns);
+		if (fc->creator_cred)
+			put_cred(fc->creator_cred);
 		fc->release(fc);
 	}
 }
@@ -1203,6 +1205,12 @@  int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx)
 	fc->allow_other = ctx->allow_other;
 	fc->user_id = ctx->user_id;
 	fc->group_id = ctx->group_id;
+	fc->creator_cred = prepare_creds();
+	if (!fc->creator_cred) {
+		err = -ENOMEM;
+		goto err_dev_free;
+	}
+
 	fc->max_read = max_t(unsigned, 4096, ctx->max_read);
 	fc->destroy = ctx->destroy;
 	fc->no_control = ctx->no_control;