From patchwork Sat Oct 21 13:43:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Belouin X-Patchwork-Id: 10021413
From: Nicolas Belouin To: David Howells , "Theodore Ts'o" , Andreas Dilger , Alexander Viro , Serge Hallyn , Paul Moore , Stephen Smalley , Eric Paris , James Morris , linux-cachefs@redhat.com, linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-api@vger.kernel.org, kernel-hardening@lists.openwall.com Cc: Nicolas Belouin Subject: [RFC PATCH 2/2] fs: add the possibility to use CAP_SYS_MOUNT to (u)mount a fs Date: Sat, 21 Oct 2017 15:43:03 +0200 Message-Id: <20171021134303.20685-2-nicolas@belouin.fr> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20171021134303.20685-1-nicolas@belouin.fr> References: <20171021134303.20685-1-nicolas@belouin.fr> X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Fulfill the purpose of CAP_SYS_MOUNT by adding it as a sufficient capability to mount and unmount filesystems. Signed-off-by: Nicolas Belouin --- fs/cachefiles/daemon.c | 2 +- fs/ext4/ioctl.c | 2 +- fs/namespace.c | 3 ++- fs/super.c | 14 +++++++++----- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c index 1ee54ffd3a24..fc53bdeacc8a 100644 --- a/fs/cachefiles/daemon.c +++ b/fs/cachefiles/daemon.c @@ -91,7 +91,7 @@ static int cachefiles_daemon_open(struct inode *inode, struct file *file) _enter(""); /* only the superuser may do this */ - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return -EPERM; /* the cachefiles device may only be open once at a time */ diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index afb66d4ab5cf..19d838e558e2 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c 
@@ -458,7 +458,7 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) struct ext4_sb_info *sbi = EXT4_SB(sb); __u32 flags; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return -EPERM; if (get_user(flags, (__u32 __user *)arg)) diff --git a/fs/namespace.c b/fs/namespace.c index 3b601f115b6c..1eaa6a9f1631 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1661,7 +1661,8 @@ void __detach_mounts(struct dentry *dentry) */ static inline bool may_mount(void) { - return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN); + return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) || + ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_MOUNT); } static inline bool may_mandlock(void) diff --git a/fs/super.c b/fs/super.c index 166c4ee0d0ed..1d84d8b87216 100644 --- a/fs/super.c +++ b/fs/super.c @@ -474,7 +474,7 @@ struct super_block *sget_userns(struct file_system_type *type, if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !(type->fs_flags & FS_USERNS_MOUNT) && - !capable(CAP_SYS_ADMIN)) + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); retry: spin_lock(&sb_lock); @@ -551,7 +551,9 @@ struct super_block *sget(struct file_system_type *type, user_ns = &init_user_ns; /* Ensure the requestor has permissions over the target filesystem */ - if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN)) + if (!(flags & (SB_KERNMOUNT | SB_SUBMOUNT)) && + !ns_capable(user_ns, CAP_SYS_ADMIN) && + !ns_capable(user_ns, CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); return sget_userns(type, test, set, flags, user_ns, data); 
@@ -1020,10 +1022,12 @@ struct dentry *mount_ns(struct file_system_type *fs_type, { struct super_block *sb; - /* Don't allow mounting unless the caller has CAP_SYS_ADMIN - * over the namespace. + /* Don't allow mounting unless the caller has CAP_SYS_ADMIN (deprecated) + * or CAP_SYS_MOUNT over the namespace. */ - if (!(flags & SB_KERNMOUNT) && !ns_capable(user_ns, CAP_SYS_ADMIN)) + if (!(flags & SB_KERNMOUNT) && + !ns_capable(user_ns, CAP_SYS_ADMIN) && + !ns_capable(user_ns, CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); sb = sget_userns(fs_type, ns_test_super, ns_set_super, flags,
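Review bot: the comment left above the changed check in cachefiles_daemon_open() (fs/cachefiles/daemon.c) still reads "only the superuser may do this", which no longer matches the condition once CAP_SYS_MOUNT is accepted. Opening the cachefiles daemon device is also not a mount or unmount, which is all the commit message claims for the new capability. Either drop this hunk, or say in the changelog why this operation belongs under CAP_SYS_MOUNT and update the comment to name both capabilities.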
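Review bot: ext4_shutdown() (fs/ext4/ioctl.c) acts on an already mounted superblock and is reached through an ioctl, so accepting CAP_SYS_MOUNT here widens the capability beyond the "mount and unmount filesystems" scope stated in the commit message. If shutting a filesystem down is meant to be part of CAP_SYS_MOUNT, state that in the changelog; otherwise leave this check as `if (!capable(CAP_SYS_ADMIN))` so the new capability stays narrow.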
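Review bot: in may_mount() (fs/namespace.c) CAP_SYS_ADMIN is still tested first, so a task holding only CAP_SYS_MOUNT fails one ns_capable() call before passing the second, and a failed ns_capable() is something LSMs such as SELinux audit as a denial. Test CAP_SYS_MOUNT first so the least-privilege caller this series is aimed at passes on the first check. The same pair of checks is open-coded again in the three fs/super.c hunks; a small helper that takes the user namespace would keep the order and the set of accepted capabilities consistent across all of them.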
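Review bot: the sget() hunk (fs/super.c, @@ -551) mixes an unrelated whitespace change into the functional one by rewriting `SB_KERNMOUNT|SB_SUBMOUNT` as `SB_KERNMOUNT | SB_SUBMOUNT`, while the sget_userns() hunk just above keeps the original spacing for the same expression. Keep the flag expression as it was and only add the `!ns_capable(user_ns, CAP_SYS_MOUNT)` term, or move the spacing cleanup to its own patch that covers both sites.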
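Review bot: the rewritten comment in mount_ns() (fs/super.c, @@ -1020) calls CAP_SYS_ADMIN "(deprecated)", but the condition below it accepts CAP_SYS_ADMIN exactly as before and no other hunk in this patch describes it that way. A comment that marks the broad capability as deprecated while the code still honours it unconditionally will mislead readers auditing who can mount. Reword it to say that either CAP_SYS_ADMIN or CAP_SYS_MOUNT over the namespace is sufficient, and keep any deprecation plan in the changelog or documentation.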