@@ -2376,12 +2376,24 @@ static long fuse_dev_ioctl_backing_close(struct file *file, __u32 __user *argp)
return fuse_backing_close(fud->fc, backing_id);
}
+static inline bool fuse_device_attach_permissible(struct fuse_conn *fc)
+{
+ const struct cred *cred = current_cred();
+
+ return (uid_eq(cred->euid, fc->rescue_uid) &&
+ uid_eq(cred->suid, fc->rescue_uid) &&
+ uid_eq(cred->uid, fc->rescue_uid));
+}
+
static inline bool fuse_device_attach_match(struct fuse_conn *fc,
const char *tag)
{
if (!fc->recovery)
return false;
+ if (!fuse_device_attach_permissible(fc))
+ return false;
+
return !strncmp(fc->tag, tag, FUSE_TAG_NAME_MAX);
}
@@ -560,6 +560,7 @@ struct fuse_fs_context {
unsigned int rootmode;
kuid_t user_id;
kgid_t group_id;
+ kuid_t rescue_uid;
bool is_bdev:1;
bool fd_present:1;
bool rootmode_present:1;
@@ -571,6 +572,7 @@ struct fuse_fs_context {
bool no_control:1;
bool no_force_umount:1;
bool legacy_opts_show:1;
+ bool rescue_uid_present:1;
enum fuse_dax_mode dax_mode;
unsigned int max_read;
unsigned int blksize;
@@ -616,6 +618,9 @@ struct fuse_conn {
/** The group id for this mount */
kgid_t group_id;
+ /* The expected user id of the fuse server */
+ kuid_t rescue_uid;
+
/** The pid namespace for this mount */
struct pid_namespace *pid_ns;
@@ -864,6 +869,9 @@ struct fuse_conn {
/** Support for fuse server recovery */
unsigned int recovery:1;
+ /** Is rescue_uid specified? */
+ unsigned int rescue_uid_present:1;
+
/** Maximum stack depth for passthrough backing files */
int max_stack_depth;
@@ -734,6 +734,7 @@ enum {
OPT_MAX_READ,
OPT_BLKSIZE,
OPT_TAG,
+ OPT_RESCUE_UID,
OPT_ERR
};
@@ -749,6 +750,7 @@ static const struct fs_parameter_spec fuse_fs_parameters[] = {
fsparam_u32 ("blksize", OPT_BLKSIZE),
fsparam_string ("subtype", OPT_SUBTYPE),
fsparam_string ("tag", OPT_TAG),
+ fsparam_u32 ("rescue_uid", OPT_RESCUE_UID),
{}
};
@@ -841,6 +843,13 @@ static int fuse_parse_param(struct fs_context *fsc, struct fs_parameter *param)
param->string = NULL;
return 0;
+ case OPT_RESCUE_UID:
+ ctx->rescue_uid = make_kuid(fsc->user_ns, result.uint_32);
+ if (!uid_valid(ctx->rescue_uid))
+ return invalfc(fsc, "Invalid rescue_uid");
+ ctx->rescue_uid_present = true;
+ break;
+
default:
return -EINVAL;
}
@@ -1344,7 +1353,7 @@ static void process_init_reply(struct fuse_mount *fm, struct fuse_args *args,
}
if (flags & FUSE_NO_EXPORT_SUPPORT)
fm->sb->s_export_op = &fuse_export_fid_operations;
- if (flags & FUSE_HAS_RECOVERY)
+ if (flags & FUSE_HAS_RECOVERY && fc->rescue_uid_present)
fc->recovery = 1;
} else {
ra_pages = fc->max_read / PAGE_SIZE;
@@ -1753,6 +1762,8 @@ int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx)
fc->destroy = ctx->destroy;
fc->no_control = ctx->no_control;
fc->no_force_umount = ctx->no_force_umount;
+ fc->rescue_uid = ctx->rescue_uid;
+ fc->rescue_uid_present = ctx->rescue_uid_present;
fc->tag = ctx->tag;
ctx->tag = NULL;
Offer a uid-based security enhancement for the fuse server recovery mechanism. Otherwise any malicious attacker could kill the fuse server and take the filesystem service over with the recovery mechanism. Introduce a new "rescue_uid=" mount option specifying the expected uid of the legal process running the fuse server. Then only the process with the matching uid is permissible to retrieve the fuse connection with the server recovery mechanism. Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com> --- fs/fuse/dev.c | 12 ++++++++++++ fs/fuse/fuse_i.h | 8 ++++++++ fs/fuse/inode.c | 13 ++++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-)