From patchwork Tue Apr 26 19:36:32 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 8944661 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 50DA0BF29F for ; Tue, 26 Apr 2016 20:14:00 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 4095120138 for ; Tue, 26 Apr 2016 20:13:59 +0000 (UTC) Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B2301201EF for ; Tue, 26 Apr 2016 20:13:57 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.24,538,1454976000"; d="scan'208";a="15644217" IronPort-PHdr: =?us-ascii?q?9a23=3AZfSrhR+fGu1Nc/9uRHKM819IXTAuvvDOBiVQ1KB8?= =?us-ascii?q?0eIcTK2v8tzYMVDF4r011RmSDdWdtKMP0rGI+4nbGkU+or+5+EgYd5JNUxJXwe?= =?us-ascii?q?43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6anHS+4HYoFwnlMkIt?= =?us-ascii?q?f6KuSt6U0JX8jrvss7ToICx2xxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?= =?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cYk7sb+sVBSaT3ebgjBfwdVWx+cjN92Mq+/zTZ?= =?us-ascii?q?TADH2T1UeGQbnhdSBgHDplmuU53wvyf3rO9VyCybJtb3SrZyUjOnueMjbR7rjC?= =?us-ascii?q?AcfwUr/Xvahs042KdaoxamvDRk0YPObY2UcvpjKPDzZ9QfEFFMQsYZeStbGYOx?= =?us-ascii?q?YsNbFOcdPaBWqJPmp1YDhRC3Aw6qBejmznlDgXqgjv5y6PgoDQyThF9oJNkJqn?= =?us-ascii?q?mB6YytbKo=3D?= X-IPAS-Result: =?us-ascii?q?A2EJBQBiyx9X/wHyM5BeHAGCcCuBULt6HIF2hUVMAQEBAQE?= =?us-ascii?q?BAgJiJ4ItfVs9AQEBAwECDxUTBgEBDCALAQIDCQEBFykICAMBLQMBBQELEQYBB?= =?us-ascii?q?wsFGAQBiAgBpVGBMT4xik+FKAEEjEcBCgEBARYGCoQNggqIWhEBhXQBh3iGVIl?= =?us-ascii?q?IgVWHHoUmgWWHRSUMhTRFjS0wgQ5iggUbgWlOAYd4gTUBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2016 20:13:34 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QKDXH1022384; Tue, 26 Apr 2016 16:13:33 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u3QJbHK2172336 for ; Tue, 26 Apr 2016 15:37:17 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QJak08011587 for ; Tue, 26 Apr 2016 15:37:17 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BABQD9wR9X/yUp0ApeHYJwK4FQt3CEDAUXhXgCgUBMAQEBAQEBZieEQgEBAQMSFRkBATcBD1E0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBBQIBFwYKhA2CCotSC0CCQ4d5hlSJSIFVhx6FJoFlh0UxhTRFjS0wgQ5igXgNG4FpTgGJLQEBAQ X-IPAS-Result: A0BABQD9wR9X/yUp0ApeHYJwK4FQt3CEDAUXhXgCgUBMAQEBAQEBZieEQgEBAQMSFRkBATcBD1E0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBBQIBFwYKhA2CCotSC0CCQ4d5hlSJSIFVhx6FJoFlh0UxhTRFjS0wgQ5igXgNG4FpTgGJLQEBAQ X-IronPort-AV: E=Sophos;i="5.24,537,1454994000"; d="scan'208";a="5410394" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 26 Apr 2016 15:37:17 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AvUiknBE5afo162QcOLrubp1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ74pcSwAkXT6L1XgUPTWs2DsrQf27qQ7PGrADdYqb+681k8M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJP?= =?us-ascii?q?K/jvHcaK1oLsh7D0pMyYOl4QzBOGIppMbzyO5T3LsccXhYYwYo0Q8TDu5kVyRu?= =?us-ascii?q?JN2GlzLkiSlRuvru25/Zpk7jgC86l5r50IeezAcq85Vb1VCig9eyBwvZWz9EqL?= =?us-ascii?q?cQzarFYGU25erVwAKQnI4BzgW573+GOuu+B81SWXJ8jeXbU1Qi+j6KEtQxjt3m?= =?us-ascii?q?NPEj869GbMwvdigbhWrBPp8xl+wIrTe6mOJvdkc6/cO9MHEzlvRMFUAhdMHoP0?= =?us-ascii?q?QYwVFOoMMK4MtIThpx0AqgGlBQShLOjmzDhOh3T/2esx1OF3QlKO5xApA99b6C?= =?us-ascii?q?ecl97yLqpHFLntlKQ=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0HzAAD9wR9Xj7bfVdFeHYJwgXu3cIQMB?= =?us-ascii?q?ReBdoQCAoFATAEBAQEBAQICDwEBAQEHCwsJIS+CLX1bPQEBAQMSFRkBATcBD1E?= =?us-ascii?q?0AQUBHAYBEiKICAGlV4ExPjGKT4UoAQSMSgEBAQEBBQIBFwYKhA2CCotSC0CCQ?= =?us-ascii?q?4d5hlSJSIFVhx6FJoFlh0UxhTRFjS0wgQ6CWg0RCoFpTgGJLQEBAQ?= X-IPAS-Result: =?us-ascii?q?A0HzAAD9wR9Xj7bfVdFeHYJwgXu3cIQMBReBdoQCAoFATAE?= =?us-ascii?q?BAQEBAQICDwEBAQEHCwsJIS+CLX1bPQEBAQMSFRkBATcBD1E0AQUBHAYBEiKIC?= =?us-ascii?q?AGlV4ExPjGKT4UoAQSMSgEBAQEBBQIBFwYKhA2CCotSC0CCQ4d5hlSJSIFVhx6?= =?us-ascii?q?FJoFlh0UxhTRFjS0wgQ6CWg0RCoFpTgGJLQEBAQ?= X-IronPort-AV: E=Sophos;i="5.24,537,1454976000"; d="scan'208";a="15642569" Received: from mail-io0-f182.google.com ([209.85.223.182]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/AES128-GCM-SHA256; 26 Apr 2016 19:37:16 +0000 Received: by mail-io0-f182.google.com with SMTP id d62so26322234iof.2 for ; Tue, 26 Apr 2016 12:37:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=HnGXqraaTwPaGk21VSmRvrQOkvzy08yxkxpxLpDX1iI=; b=1v+XqsPJEDpMHiMV3DV04soiIEJkSSWSW+YZc/j5wFJOyBHuXSkHASIE+fiNU8jaIC D82gIGbzNlY3IGUGvM6UuffRCYRu/F+LZdSeKbYoslJtRQ3OVG1tPwPlpeCkXI29h+2V M8FiyRUgIBwMWN7Mr8+JBfiPJ9+uNRcxWNSD1XG10ak1g5pJ1UHppPGhwiAx/RS3q2NN 2+O421HGjz4xvy0ntkIMUs8HY3sbiQvkBcrW7j5MN1mx1340zaLczCZN+Vgvv/rhMtMS g2nqFLLQEWMxwgKDGwAC0BwP4e0WB7tSYbo0htr7tGKfskSqtYmOcSNYejwl/hc/8zk3 OxVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=HnGXqraaTwPaGk21VSmRvrQOkvzy08yxkxpxLpDX1iI=; b=FS0/Up/1h/963uczWnxMUfAY8raz49W/ZquNizQHnLf100o6Fgdf5LdG3OlNnDApcj y1e9Co3yD1dIG+lns7PRmPG1EB+SjtvjSua30MA7BdtlEgQ8hODoBs7TmIF1euI3MA5Z sB79GRviLJmMivDK6ekj0Gzb3HeIvGmKagfmfP0DmsOyx7qUPV5y3WZMdoKQiwsWI70t KdY6O4buSo+RkgUlBnPmisWFKcZ9ghrbBXoyDCxOE+P84nAycc39vHSuw76OJYZNq37B kwfggo65exa9rb7mqtFlGExU1VF1eUVkRwRj+aiWFB97PWzCXvvWlT9iJlEf2WJBnA1p b6iQ== X-Gm-Message-State: AOPr4FUQmVKsqAHz+wUPE2ICGQABf/7L8EsKL0Ze+Io6c+29wnA0QNWpt58lVbWOQyJcqgnc X-Received: by 10.107.129.216 with SMTP id l85mr6330322ioi.170.1461699435599; Tue, 26 Apr 2016 12:37:15 -0700 (PDT) Received: from localhost ([2605:a601:aab:f920:39a1:5bcf:aa:5b00]) by smtp.gmail.com with ESMTPSA id r81sm2359530ioe.36.2016.04.26.12.37.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Apr 2016 12:37:15 -0700 (PDT) From: Seth Forshee To: "Eric W. Biederman" , Miklos Szeredi Subject: [PATCH v4 19/21] fuse: Support fuse filesystems outside of init_user_ns Date: Tue, 26 Apr 2016 14:36:32 -0500 Message-Id: <1461699396-33000-20-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> X-Mailman-Approved-At: Tue, 26 Apr 2016 16:11:02 -0400 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: linux-bcache@vger.kernel.org, Serge Hallyn , Seth Forshee , dm-devel@redhat.com, Miklos Szeredi , Richard Weinberger , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, Alexander Viro , selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In order to support mounts from namespaces other than init_user_ns, fuse must translate uids and gids to/from the userns of the process servicing requests on /dev/fuse. This patch does that, with a couple of restrictions on the namespace: - The userns for the fuse connection is fixed to the namespace from which /dev/fuse is opened. - The namespace must be the same as s_user_ns. These restrictions simplify the implementation by avoiding the need to pass around userns references and by allowing fuse to rely on the checks in inode_change_ok for ownership changes. Either restriction could be relaxed in the future if needed. For cuse the namespace used for the connection is also simply current_user_ns() at the time /dev/cuse is opened. Signed-off-by: Seth Forshee --- fs/fuse/cuse.c | 3 ++- fs/fuse/dev.c | 13 ++++++++----- fs/fuse/dir.c | 14 +++++++------- fs/fuse/fuse_i.h | 6 +++++- fs/fuse/inode.c | 33 +++++++++++++++++++++------------ 5 files changed, 43 insertions(+), 26 deletions(-) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index c5b6b7165489..98ebd0f4fd4c 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -48,6 +48,7 @@ #include #include #include +#include #include "fuse_i.h" @@ -498,7 +499,7 @@ static int cuse_channel_open(struct inode *inode, struct file *file) if (!cc) return -ENOMEM; - fuse_conn_init(&cc->fc); + fuse_conn_init(&cc->fc, current_user_ns()); fud = fuse_dev_alloc(&cc->fc); if (!fud) { diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 4e91b2ac25a7..8fa1ce934df3 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -127,8 +127,8 @@ static void __fuse_put_request(struct fuse_req *req) static void fuse_req_init_context(struct fuse_conn *fc, struct fuse_req *req) { - req->in.h.uid = from_kuid_munged(&init_user_ns, current_fsuid()); - req->in.h.gid = from_kgid_munged(&init_user_ns, current_fsgid()); + req->in.h.uid = from_kuid(fc->user_ns, current_fsuid()); + req->in.h.gid = from_kgid(fc->user_ns, current_fsgid()); req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns); } @@ -186,7 +186,8 @@ static struct fuse_req *__fuse_get_req(struct fuse_conn *fc, unsigned npages, __set_bit(FR_WAITING, &req->flags); if (for_background) __set_bit(FR_BACKGROUND, &req->flags); - if (req->in.h.pid == 0) { + if (req->in.h.pid == 0 || req->in.h.uid == (uid_t)-1 || + req->in.h.gid == (gid_t)-1) { fuse_put_request(fc, req); return ERR_PTR(-EOVERFLOW); } @@ -1248,7 +1249,8 @@ static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file, struct fuse_in *in; unsigned reqsize; - if (task_active_pid_ns(current) != fc->pid_ns) + if (task_active_pid_ns(current) != fc->pid_ns || + current_user_ns() != fc->user_ns) return -EIO; restart: @@ -1880,7 +1882,8 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud, struct fuse_req *req; struct fuse_out_header oh; - if (task_active_pid_ns(current) != fc->pid_ns) + if (task_active_pid_ns(current) != fc->pid_ns || + current_user_ns() != fc->user_ns) return -EIO; if (nbytes < sizeof(struct fuse_out_header)) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index 4b855b65d457..ecba75bf6640 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -841,8 +841,8 @@ static void fuse_fillattr(struct inode *inode, struct fuse_attr *attr, stat->ino = attr->ino; stat->mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777); stat->nlink = attr->nlink; - stat->uid = make_kuid(&init_user_ns, attr->uid); - stat->gid = make_kgid(&init_user_ns, attr->gid); + stat->uid = make_kuid(fc->user_ns, attr->uid); + stat->gid = make_kgid(fc->user_ns, attr->gid); stat->rdev = inode->i_rdev; stat->atime.tv_sec = attr->atime; stat->atime.tv_nsec = attr->atimensec; @@ -1459,17 +1459,17 @@ static bool update_mtime(unsigned ivalid, bool trust_local_mtime) return true; } -static void iattr_to_fattr(struct iattr *iattr, struct fuse_setattr_in *arg, - bool trust_local_cmtime) +static void iattr_to_fattr(struct fuse_conn *fc, struct iattr *iattr, + struct fuse_setattr_in *arg, bool trust_local_cmtime) { unsigned ivalid = iattr->ia_valid; if (ivalid & ATTR_MODE) arg->valid |= FATTR_MODE, arg->mode = iattr->ia_mode; if (ivalid & ATTR_UID) - arg->valid |= FATTR_UID, arg->uid = from_kuid(&init_user_ns, iattr->ia_uid); + arg->valid |= FATTR_UID, arg->uid = from_kuid(fc->user_ns, iattr->ia_uid); if (ivalid & ATTR_GID) - arg->valid |= FATTR_GID, arg->gid = from_kgid(&init_user_ns, iattr->ia_gid); + arg->valid |= FATTR_GID, arg->gid = from_kgid(fc->user_ns, iattr->ia_gid); if (ivalid & ATTR_SIZE) arg->valid |= FATTR_SIZE, arg->size = iattr->ia_size; if (ivalid & ATTR_ATIME) { @@ -1629,7 +1629,7 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr, memset(&inarg, 0, sizeof(inarg)); memset(&outarg, 0, sizeof(outarg)); - iattr_to_fattr(attr, &inarg, trust_local_cmtime); + iattr_to_fattr(fc, attr, &inarg, trust_local_cmtime); if (file) { struct fuse_file *ff = file->private_data; inarg.valid |= FATTR_FH; diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 9145445a759a..9f4c3c82edd6 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -24,6 +24,7 @@ #include #include #include +#include /** Max number of pages that can be used in a single read request */ #define FUSE_MAX_PAGES_PER_REQ 32 @@ -469,6 +470,9 @@ struct fuse_conn { /** The pid namespace for this mount */ struct pid_namespace *pid_ns; + /** The user namespace for this mount */ + struct user_namespace *user_ns; + /** The fuse mount flags for this mount */ unsigned flags; @@ -867,7 +871,7 @@ struct fuse_conn *fuse_conn_get(struct fuse_conn *fc); /** * Initialize fuse_conn */ -void fuse_conn_init(struct fuse_conn *fc); +void fuse_conn_init(struct fuse_conn *fc, struct user_namespace *user_ns); /** * Release reference to fuse_conn diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index eade0bfa4488..0a771145d853 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -167,8 +167,8 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr, inode->i_ino = fuse_squash_ino(attr->ino); inode->i_mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777); set_nlink(inode, attr->nlink); - inode->i_uid = make_kuid(&init_user_ns, attr->uid); - inode->i_gid = make_kgid(&init_user_ns, attr->gid); + inode->i_uid = make_kuid(fc->user_ns, attr->uid); + inode->i_gid = make_kgid(fc->user_ns, attr->gid); inode->i_blocks = attr->blocks; inode->i_atime.tv_sec = attr->atime; inode->i_atime.tv_nsec = attr->atimensec; @@ -467,7 +467,8 @@ static int fuse_match_uint(substring_t *s, unsigned int *res) return err; } -static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev) +static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev, + struct user_namespace *user_ns) { char *p; memset(d, 0, sizeof(struct fuse_mount_data)); @@ -503,7 +504,7 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev) case OPT_USER_ID: if (fuse_match_uint(&args[0], &uv)) return 0; - d->user_id = make_kuid(current_user_ns(), uv); + d->user_id = make_kuid(user_ns, uv); if (!uid_valid(d->user_id)) return 0; d->user_id_present = 1; @@ -512,7 +513,7 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev) case OPT_GROUP_ID: if (fuse_match_uint(&args[0], &uv)) return 0; - d->group_id = make_kgid(current_user_ns(), uv); + d->group_id = make_kgid(user_ns, uv); if (!gid_valid(d->group_id)) return 0; d->group_id_present = 1; @@ -555,8 +556,10 @@ static int fuse_show_options(struct seq_file *m, struct dentry *root) struct super_block *sb = root->d_sb; struct fuse_conn *fc = get_fuse_conn_super(sb); - seq_printf(m, ",user_id=%u", from_kuid_munged(&init_user_ns, fc->user_id)); - seq_printf(m, ",group_id=%u", from_kgid_munged(&init_user_ns, fc->group_id)); + seq_printf(m, ",user_id=%u", + from_kuid_munged(fc->user_ns, fc->user_id)); + seq_printf(m, ",group_id=%u", + from_kgid_munged(fc->user_ns, fc->group_id)); if (fc->flags & FUSE_DEFAULT_PERMISSIONS) seq_puts(m, ",default_permissions"); if (fc->flags & FUSE_ALLOW_OTHER) @@ -587,7 +590,7 @@ static void fuse_pqueue_init(struct fuse_pqueue *fpq) fpq->connected = 1; } -void fuse_conn_init(struct fuse_conn *fc) +void fuse_conn_init(struct fuse_conn *fc, struct user_namespace *user_ns) { memset(fc, 0, sizeof(*fc)); spin_lock_init(&fc->lock); @@ -611,6 +614,7 @@ void fuse_conn_init(struct fuse_conn *fc) fc->attr_version = 1; get_random_bytes(&fc->scramble_key, sizeof(fc->scramble_key)); fc->pid_ns = get_pid_ns(task_active_pid_ns(current)); + fc->user_ns = get_user_ns(user_ns); } EXPORT_SYMBOL_GPL(fuse_conn_init); @@ -620,6 +624,7 @@ void fuse_conn_put(struct fuse_conn *fc) if (fc->destroy_req) fuse_request_free(fc->destroy_req); put_pid_ns(fc->pid_ns); + put_user_ns(fc->user_ns); fc->release(fc); } } @@ -1046,7 +1051,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) sb->s_flags &= ~(MS_NOSEC | MS_I_VERSION); - if (!parse_fuse_opt(data, &d, is_bdev)) + if (!parse_fuse_opt(data, &d, is_bdev, sb->s_user_ns)) goto err; if (is_bdev) { @@ -1070,8 +1075,12 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) if (!file) goto err; - if ((file->f_op != &fuse_dev_operations) || - (file->f_cred->user_ns != &init_user_ns)) + /* + * Require mount to happen from the same user namespace which + * opened /dev/fuse to prevent potential attacks. + */ + if (file->f_op != &fuse_dev_operations || + file->f_cred->user_ns != sb->s_user_ns) goto err_fput; fc = kmalloc(sizeof(*fc), GFP_KERNEL); @@ -1079,7 +1088,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) if (!fc) goto err_fput; - fuse_conn_init(fc); + fuse_conn_init(fc, sb->s_user_ns); fc->release = fuse_free_conn; fud = fuse_dev_alloc(fc);