From patchwork Thu Apr 21 07:54:15 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12821157
From: Yang Xu
Subject: [PATCH v5 1/4] fs: move sgid strip operation from inode_init_owner into inode_sgid_strip
Date: Thu, 21 Apr 2022 15:54:15 +0800
Message-ID: <1650527658-2218-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

This has no functional change. Just create and export the inode_sgid_strip api for the subsequent patch. This function is used to strip an inode's S_ISGID mode when initializing a new inode.

Signed-off-by: Yang Xu
Reviewed-by: Christian Brauner (Microsoft)
---
v4-v5: use umode_t return value instead of mode pointer

 fs/inode.c | 23 +++++++++++++++++++----
 include/linux/fs.h | 2 ++
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/fs/inode.c b/fs/inode.c index 9d9b422504d1..57130e4ef8b4 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,10 +2246,8 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(i_gid_into_mnt(mnt_userns, dir)) && - !capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) - mode &= ~S_ISGID; + else + mode = inode_sgid_strip(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode;
@@ -2405,3 +2403,20 @@ struct timespec64 current_time(struct inode *inode) return timestamp_truncate(now, inode); } EXPORT_SYMBOL(current_time); + +umode_t inode_sgid_strip(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) + return mode; + if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP)) + return mode; + if (in_group_p(i_gid_into_mnt(mnt_userns, dir))) + return mode; + if (capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) + return mode; + + mode &= ~S_ISGID; + return mode; +} +EXPORT_SYMBOL(inode_sgid_strip); diff --git a/include/linux/fs.h b/include/linux/fs.h index bbde95387a23..532de76c9b91 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -1897,6 +1897,8 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, const struct inode *dir, umode_t mode); extern bool may_open_dev(const struct path *path); +umode_t inode_sgid_strip(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode); /* * This is the "filldir" function type, used by readdir() to let

From patchwork Thu Apr 21 07:54:16 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12821158
From: Yang Xu
Subject: [PATCH v5 2/4] fs: Add missing umask strip in vfs_tmpfile
Date: Thu, 21 Apr 2022 15:54:16 +0800
Message-ID: <1650527658-2218-2-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650527658-2218-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

All creation paths except for O_TMPFILE handle umask in the vfs directly if the filesystem doesn't support or enable POSIX ACLs. If the filesystem does, then umask handling is deferred until posix_acl_create(). Because O_TMPFILE misses umask handling in the vfs, it will not honor umask settings. Fix this by adding the missing umask handling.

Reported-by: Christian Brauner (Microsoft)
Acked-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
---
 fs/namei.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/namei.c b/fs/namei.c index 509657fdf4f5..73646e28fae0 100644 --- a/fs/namei.c +++ b/fs/namei.c
@@ -3521,6 +3521,8 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err;

From patchwork Thu Apr 21 07:54:17 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12821159
From: Yang Xu
Subject: [PATCH v5 3/4] fs: strip file's S_ISGID mode on vfs instead of on underlying filesystem
Date: Thu, 21 Apr 2022 15:54:17 +0800
Message-ID: <1650527658-2218-3-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650527658-2218-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Currently, the vfs only passes the mode argument to the filesystem, which then uses inode_init_owner() to strip S_ISGID. Some filesystems (i.e. ext4/btrfs) call inode_init_owner first and then do the posix acl setup, but xfs uses the contrary order. This affects the S_ISGID clear, especially when we filter S_IXGRP by umask or acl.

Regardless of which filesystem is in use, failure to strip the SGID correctly is considered a security failure that needs to be fixed. The current VFS infrastructure requires the filesystem to do everything right and not step on any landmines to strip the SGID bit, when in fact it can easily be done at the VFS and the filesystems then don't even need to be aware that the SGID needs to be (or has been stripped) by the operation the user asked to be done.

Vfs has all the info it needs - it doesn't need the filesystems to do everything correctly with the mode and ensuring that they order things like posix acl setup functions correctly with inode_init_owner() to strip the SGID bit.

Just strip the SGID bit at the VFS, and then the filesystem can't get it wrong.

Also, the inode_sgid_strip() api should be used before IS_POSIXACL() because this api may change mode.

Only the following places use inode_init_owner
"
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
fs/9p/vfs_inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/bfs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/btrfs/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/btrfs/tests/btrfs-tests.c: inode_init_owner(&init_user_ns, inode, NULL, S_IFREG);
fs/ext2/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ext4/ialloc.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/f2fs/namei.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/hfsplus/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/hugetlbfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/jfs/jfs_inode.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/minix/bitmap.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/nilfs2/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ntfs3/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/ocfs2/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/omfs/inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/overlayfs/dir.c: inode_init_owner(&init_user_ns, inode, dentry->d_parent->d_inode, mode);
fs/ramfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/reiserfs/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/sysv/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ubifs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/udf/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ufs/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/xfs/xfs_inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/zonefs/super.c: inode_init_owner(&init_user_ns, inode, parent, S_IFDIR | 0555);
kernel/bpf/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
mm/shmem.c: inode_init_owner(&init_user_ns, inode, dir, mode);
"

They are used in the filesystems' new-inode init functions, and these init inode functions are used by the following operations:
mkdir
symlink
mknod
create
tmpfile
rename

We don't care about mkdir because we don't strip the SGID bit for directories, except for fs.xfs.irix_sgid_inherit. But we even call prepare_mode() in do_mkdirat() since inode_sgid_strip() will skip directories anyway. This will enforce the same ordering for all relevant operations and it will make the code more uniform and easier to understand by using the new helper prepare_mode().

symlink and rename only use a valid mode that doesn't have the SGID bit.

We have added the inode_sgid_strip api for the remaining operations.

In addition to the above six operations, four filesystems have a little difference:
1) btrfs has btrfs_create_subvol_root to create a new inode, but it uses a non-SGID-bit mode and can be ignored
2) the ocfs2 reflink function should add the inode_sgid_strip api manually because we don't add it in the vfs
3) spufs, which doesn't really go through the regular VFS callpath because it has a separate system call spu_create, but it only allows the creation of directories and only allows bits in 0777 and can be ignored
4) bpf uses vfs_mkobj in bpf_obj_do_pin with "S_IFREG | ((S_IRUSR | S_IWUSR) & ~current_umask())" mode and uses bpf_mkobj_ops in bpf_iter_link_pin_kernel with S_IFREG | S_IRUSR mode, so bpf is also not affected

This patch also changed grpid behaviour for ext4/xfs because the mode passed to them may have been changed by inode_sgid_strip.

Also, as Christian Brauner said:
" The patch itself is useful as it would move a security sensitive operation that is currently buried in individual filesystems into the vfs layer.
But it has a decent regression potential since it might strip filesystems that have so far relied on getting the S_ISGID bit with a mode argument. So this needs a lot of testing and long exposure in -next for at least one full kernel cycle." Suggested-by: Dave Chinner Signed-off-by: Yang Xu --- v4->v5: put inode_sgid_strip before the inode_init_owner in ocfs2 filesystem because the inode->i_mode's assignment is in inode_init_owner fs/inode.c | 2 -- fs/namei.c | 22 +++++++++------------- fs/ocfs2/namei.c | 1 + include/linux/fs.h | 11 +++++++++++ 4 files changed, 21 insertions(+), 15 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 57130e4ef8b4..95667e634bd4 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,8 +2246,6 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else - mode = inode_sgid_strip(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode; diff --git a/fs/namei.c b/fs/namei.c index 73646e28fae0..5b8e6288d503 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3287,8 +3287,7 @@ static struct dentry *lookup_open(struct nameidata *nd, struct file *file, if (open_flag & O_CREAT) { if (open_flag & O_EXCL) open_flag &= ~O_TRUNC; - if (!IS_POSIXACL(dir->d_inode)) - mode &= ~current_umask(); + mode = prepare_mode(mnt_userns, dir->d_inode, mode); if (likely(got_write)) create_error = may_o_create(mnt_userns, &nd->path, dentry, mode); @@ -3521,8 +3520,7 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; - if (!IS_POSIXACL(dir)) - mode &= ~current_umask(); + mode = prepare_mode(mnt_userns, dir, mode); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err; 
@@ -3850,13 +3848,12 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, if (IS_ERR(dentry)) goto out1; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out2; - mnt_userns = mnt_user_ns(path.mnt); switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(mnt_userns, path.dentry->d_inode, @@ -3943,6 +3940,7 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) struct path path; int error; unsigned int lookup_flags = LOOKUP_DIRECTORY; + struct user_namespace *mnt_userns; retry: dentry = filename_create(dfd, name, &path, lookup_flags); @@ -3950,15 +3948,13 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) if (IS_ERR(dentry)) goto out_putname; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mkdir(&path, dentry, mode); - if (!error) { - struct user_namespace *mnt_userns; - mnt_userns = mnt_user_ns(path.mnt); + if (!error) error = vfs_mkdir(mnt_userns, path.dentry->d_inode, dentry, mode); - } + done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index c75fd54b9185..21f3da2e66c9 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c @@ -197,6 +197,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) * callers. */ if (S_ISDIR(mode)) set_nlink(inode, 2); + mode = inode_sgid_strip(&init_user_ns, dir, mode); inode_init_owner(&init_user_ns, inode, dir, mode); status = dquot_initialize(inode); if (status) diff --git a/include/linux/fs.h b/include/linux/fs.h index 532de76c9b91..0bf81ab71619 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3459,6 +3459,17 @@ static inline bool dir_relax_shared(struct inode *inode) return !IS_DEADDIR(inode); } +static inline umode_t prepare_mode(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + mode = inode_sgid_strip(mnt_userns, dir, mode); + + if (!IS_POSIXACL(dir)) + mode &= current_umask(); + + return mode; +} + extern bool path_noexec(const struct path *path); extern void inode_nohighmem(struct inode *inode);

From patchwork Thu Apr 21 07:54:18 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12821160
From: Yang Xu
Subject: [PATCH v5 4/4] ceph: Remove S_ISGID clear code in ceph_finish_async_create
Date: Thu, 21 Apr 2022 15:54:18 +0800
Message-ID: <1650527658-2218-4-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650527658-2218-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Since vfs has stripped S_ISGID in the previous patch, the calltrace is as below:

vfs: lookup_open
...
  if (open_flag & O_CREAT) {
	if (open_flag & O_EXCL)
		open_flag &= ~O_TRUNC;
	mode = prepare_mode(mnt_userns, dir->d_inode, mode);
...
  dir_inode->i_op->atomic_open

ceph: ceph_atomic_open
...
  if (flags & O_CREAT)
	ceph_finish_async_create

We have stripped sgid in prepare_mode, so remove this useless clear code directly.

Signed-off-by: Yang Xu
Reviewed-by: Christian Brauner (Microsoft)
Reviewed-by: Xiubo Li
---
 fs/ceph/file.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 6c9e837aa1d3..8e3b99853333 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c
@@ -651,10 +651,6 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry, /* Directories always inherit the setgid bit. */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(dir->i_gid) && - !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID)) - mode &= ~S_ISGID; } else { in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid())); }
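
Review bot: inode_sgid_strip() as added at the end of fs/inode.c in patch 1/4 is exported with EXPORT_SYMBOL but carries no comment describing its contract. A kernel-doc block should state that it returns the mode unchanged for directories, when dir is NULL or lacks S_ISGID, when the mode does not have both S_ISGID and S_IXGRP, and when the caller is in the directory's group or has CAP_FSETID, and that it clears S_ISGID otherwise. The "!dir || !(dir->i_mode & S_ISGID)" test is also not among the lines removed from inode_init_owner(), so the commit message's "no functional change" would be easier to check if it said where that condition was enforced before.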
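
Review bot: in prepare_mode() (include/linux/fs.h, patch 3/4) the umask line reads "mode &= current_umask();" and is missing the "~" that every open-coded site it replaces had ("mode &= ~current_umask();" in lookup_open, vfs_tmpfile, do_mknodat and do_mkdirat). As written the helper keeps only the bits the umask is meant to clear, and since the mode passed in do_mknodat still carries the file type it would mask those bits as well. The line should be "mode &= ~current_umask();".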
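
Review bot: the inode_sgid_strip() call added to ocfs2_get_init_inode() (fs/ocfs2/namei.c, patch 3/4) has no comment saying why ocfs2 alone still strips in the filesystem. The commit message explains that the ocfs2 reflink function needs the call because the vfs does not add it there, but the hunk places it in the shared init helper, so a reader of the code sees an unexplained strip right before inode_init_owner(). A one-line comment above the call naming the reflink path as the reason would keep it from being removed later as redundant.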
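
Review bot: the lines removed from ceph_finish_async_create() (fs/ceph/file.c, patch 4/4) are not a literal copy of the check that now runs in the vfs. They test in_group_p(dir->i_gid) and capable_wrt_inode_uidgid(&init_user_ns, ...), while inode_sgid_strip() from patch 1/4 tests in_group_p(i_gid_into_mnt(mnt_userns, dir)) with the mount's user namespace. The commit message calls the removed code useless; it should say explicitly that the vfs check in prepare_mode() supersedes it and whether the two are expected to give the same answer for ceph.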
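
The order dependence described in the 3/4 commit message (S_ISGID stripping versus filtering S_IXGRP by umask), as an added userspace model that is not code from this series. struct create_ctx, the model_* functions and the sample values are hypothetical stand-ins for the kernel's in_group_p(), capable_wrt_inode_uidgid() and current_umask() checks; only the umask case is modelled, not ACLs.

```c
/* Added userspace model, not kernel code. All names here are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

struct create_ctx {
	mode_t dir_mode;      /* mode of the parent directory */
	bool in_dir_group;    /* stands in for in_group_p(i_gid_into_mnt(...)) */
	bool has_cap_fsetid;  /* stands in for capable_wrt_inode_uidgid(..., CAP_FSETID) */
	mode_t umask;         /* stands in for current_umask() */
};

/* Same decision sequence as inode_sgid_strip() in patch 1/4. */
static mode_t model_sgid_strip(const struct create_ctx *c, mode_t mode)
{
	if (S_ISDIR(mode) || !(c->dir_mode & S_ISGID))
		return mode;
	if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
		return mode;
	if (c->in_dir_group || c->has_cap_fsetid)
		return mode;
	return mode & ~S_ISGID;
}

/* The strip is decided on the mode the caller asked for; umask comes after. */
static mode_t model_strip_then_umask(const struct create_ctx *c, mode_t mode)
{
	mode = model_sgid_strip(c, mode);
	return mode & ~c->umask;
}

/*
 * umask is applied first. If it removes S_IXGRP, the strip check no longer
 * sees S_ISGID and S_IXGRP together and leaves S_ISGID on the new file.
 */
static mode_t model_umask_then_strip(const struct create_ctx *c, mode_t mode)
{
	mode &= ~c->umask;
	return model_sgid_strip(c, mode);
}

/* Constructed samples: setgid parent directory, umask that drops group-execute. */
static const struct create_ctx sample_outsider = {
	S_IFDIR | S_ISGID | 0775, false, false, 0010
};
static const struct create_ctx sample_member = {
	S_IFDIR | S_ISGID | 0775, true, false, 0010
};

int main(void)
{
	mode_t req = S_IFREG | S_ISGID | 0775;

	printf("outsider, strip then umask: %o\n",
	       (unsigned)model_strip_then_umask(&sample_outsider, req));
	printf("outsider, umask then strip: %o\n",
	       (unsigned)model_umask_then_strip(&sample_outsider, req));
	printf("member,   strip then umask: %o\n",
	       (unsigned)model_strip_then_umask(&sample_member, req));
	return 0;
}
```

For the caller outside the directory's group the two orders disagree only in the S_ISGID bit, which is the inconsistency the series removes by fixing the order in one place.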