From patchwork Mon Apr 25 03:09:38 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12825190
From: Yang Xu
Subject: [PATCH v6 1/4] fs: move sgid strip operation from inode_init_owner into inode_sgid_strip
Date: Mon, 25 Apr 2022 11:09:38 +0800
Message-ID: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

This has no functional change. Just create and export inode_sgid_strip api for
the subsequent patch. This function is used to strip inode's S_ISGID mode
when initializing a new inode.

Reviewed-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
Reviewed-by: Darrick J. Wong
--- fs/inode.c | 37 +++++++++++++++++++++++++++++++++---- include/linux/fs.h | 2 ++ 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 9d9b422504d1..78e7ef567e04 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,10 +2246,8 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(i_gid_into_mnt(mnt_userns, dir)) && - !capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) - mode &= ~S_ISGID; + else + mode = inode_sgid_strip(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode; 
@@ -2405,3 +2403,34 @@ struct timespec64 current_time(struct inode *inode) return timestamp_truncate(now, inode); } EXPORT_SYMBOL(current_time); + +/** + * inode_sgid_strip - handle the sgid bit for non-directories + * @mnt_userns: User namespace of the mount the inode was created from + * @dir: parent directory inode + * @mode: mode of the file to be created in @dir + * + * If the @mode of the new file has both the S_ISGID and S_IXGRP bit + * raised and @dir has the S_ISGID bit raised ensure that the caller is + * either in the group of the parent directory or they have CAP_FSETID + * in their user namespace and are privileged over the parent directory. + * In all other cases, strip the S_ISGID bit from @mode. + * + * Return: the new mode to use for the file + */ +umode_t inode_sgid_strip(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) + return mode; + if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP)) + return mode; + if (in_group_p(i_gid_into_mnt(mnt_userns, dir))) + return mode; + if (capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) + return mode; + + mode &= ~S_ISGID; + return mode; +} +EXPORT_SYMBOL(inode_sgid_strip); diff --git a/include/linux/fs.h b/include/linux/fs.h index bbde95387a23..532de76c9b91 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -1897,6 +1897,8 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, const struct inode *dir, umode_t mode); extern bool may_open_dev(const struct path *path); +umode_t inode_sgid_strip(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode); /* * This is the "filldir" function type, used by readdir() to let
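Review bot: the kernel-doc added above inode_sgid_strip() in fs/inode.c does not match the early returns in the body. "In all other cases, strip the S_ISGID bit from @mode" reads as if the bit is also cleared when @dir is not setgid or when @mode lacks S_IXGRP, yet both of those paths return @mode unchanged, as does S_ISDIR(mode). Suggest listing the cases that leave @mode alone (directory mode, NULL or non-setgid @dir, S_ISGID without S_IXGRP, caller in the directory's group, CAP_FSETID) and stating that only the remaining case strips. The !dir test also deserves a word in the @dir description, which currently says only "parent directory inode" and does not tell callers that NULL is accepted.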
From patchwork Mon Apr 25 03:09:39 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12825191
From: Yang Xu
Subject: [PATCH v6 2/4] fs: Add missing umask strip in vfs_tmpfile
Date: Mon, 25 Apr 2022 11:09:39 +0800
Message-ID: <1650856181-21350-2-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
References: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

All creation paths except for O_TMPFILE handle umask in the vfs directly if
the filesystem doesn't support or enable POSIX ACLs. If the filesystem
does then umask handling is deferred until posix_acl_create().
Because O_TMPFILE misses umask handling in the vfs, it will not honor
umask settings. Fix this by adding the missing umask handling.

Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...")
Cc: # 4.19+
Reported-by: Christian Brauner (Microsoft)
Acked-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
Reviewed-by: Darrick J. Wong
--- fs/namei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/namei.c b/fs/namei.c index 509657fdf4f5..73646e28fae0 100644 --- a/fs/namei.c +++ b/fs/namei.c 
@@ -3521,6 +3521,8 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err;
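Review bot: the two lines added to vfs_tmpfile() apply the umask only when IS_POSIXACL(dir) is false and say nothing at the call site about who applies it otherwise. The commit message states that the ACL case is deferred to posix_acl_create(), so the result now depends on every ->tmpfile implementation of an ACL-enabled filesystem calling it; a one-line comment above the test naming posix_acl_create() would make that contract visible where it is relied on. Since the patch is tagged for stable 4.19+, the message should also say which ->tmpfile implementations were checked for that call.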
From patchwork Mon Apr 25 03:09:40 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12825193
From: Yang Xu
Subject: [PATCH v6 3/4] fs: strip file's S_ISGID mode on vfs instead of on underlying filesystem
Date: Mon, 25 Apr 2022 11:09:40 +0800
Message-ID: <1650856181-21350-3-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
References: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Currently, vfs only passes mode argument to filesystem, then uses
inode_init_owner() to strip S_ISGID. Some filesystems (i.e. ext4/btrfs) will
call inode_init_owner firstly, then posix acl setup, but xfs uses the contrary
order. It will affect S_ISGID clear especially when we filter S_IXGRP by umask
or acl.

Regardless of which filesystem is in use, failure to strip the SGID correctly
is considered a security failure that needs to be fixed. The current VFS
infrastructure requires the filesystem to do everything right and not step on
any landmines to strip the SGID bit, when in fact it can easily be done at the
VFS and the filesystems then don't even need to be aware that the SGID needs
to be (or has been) stripped by the operation the user asked to be done.

Vfs has all the info it needs - it doesn't need the filesystems to do
everything correctly with the mode and ensuring that they order things like
posix acl setup functions correctly with inode_init_owner() to strip the SGID
bit.

Just strip the SGID bit at the VFS, and then the filesystem can't get it wrong.

Also, the inode_sgid_strip() api should be used before IS_POSIXACL() because
this api may change mode.

Only the following places use inode_init_owner
"
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
fs/9p/vfs_inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/bfs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/btrfs/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/btrfs/tests/btrfs-tests.c: inode_init_owner(&init_user_ns, inode, NULL, S_IFREG);
fs/ext2/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ext4/ialloc.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/f2fs/namei.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/hfsplus/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/hugetlbfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/jfs/jfs_inode.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/minix/bitmap.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/nilfs2/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ntfs3/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/ocfs2/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/omfs/inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/overlayfs/dir.c: inode_init_owner(&init_user_ns, inode, dentry->d_parent->d_inode, mode);
fs/ramfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/reiserfs/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/sysv/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ubifs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/udf/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ufs/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/xfs/xfs_inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/zonefs/super.c: inode_init_owner(&init_user_ns, inode, parent, S_IFDIR | 0555);
kernel/bpf/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
mm/shmem.c: inode_init_owner(&init_user_ns, inode, dir, mode);
"

They are used in filesystem to init new inode function and these init inode
functions are used by following operations:
mkdir
symlink
mknod
create
tmpfile
rename

We don't care about mkdir because we don't strip SGID bit for directory except
fs.xfs.irix_sgid_inherit. But we even call prepare_mode() in do_mkdirat() since
inode_sgid_strip() will skip directories anyway. This will enforce the same
ordering for all relevant operations and it will make the code more uniform and
easier to understand by using new helper prepare_mode().

symlink and rename only use valid mode that doesn't have SGID bit.

We have added inode_sgid_strip api for the remaining operations.

In addition to the above six operations, four filesystems have a little difference
1) btrfs has btrfs_create_subvol_root to create new inode but used non SGID bit
   mode and can ignore
2) ocfs2 reflink function should add inode_sgid_strip api manually because this
   ioctl is only useful when backporting reflink features to old kernels. ocfs2
   still uses vfs remap_range code to do reflink.
3) spufs which doesn't really go through the regular VFS callpath because it has
   separate system call spu_create, but it only allows the creation of
   directories and only allows bits in 0777 and can ignore
4) bpf uses vfs_mkobj in bpf_obj_do_pin with
   "S_IFREG | ((S_IRUSR | S_IWUSR) & ~current_umask())" mode and uses
   bpf_mkobj_ops in bpf_iter_link_pin_kernel with S_IFREG | S_IRUSR mode,
   so bpf is also not affected

This patch also changed grpid behaviour for ext4/xfs because the mode passed to
them may have been changed by inode_sgid_strip.

Also, as Christian Brauner said:
"The patch itself is useful as it would move a security sensitive operation
that is currently buried in individual filesystems into the vfs layer. But
it has a decent regression potential since it might strip filesystems that
have so far relied on getting the S_ISGID bit with a mode argument. So this
needs a lot of testing and long exposure in -next for at least one full kernel
cycle."

Suggested-by: Dave Chinner
Signed-off-by: Yang Xu
--- fs/inode.c | 2 -- fs/namei.c | 22 +++++++++------------- fs/ocfs2/namei.c | 1 + include/linux/fs.h | 11 +++++++++++ 4 files changed, 21 insertions(+), 15 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 78e7ef567e04..041c0837f248 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,8 +2246,6 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else - mode = inode_sgid_strip(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode; diff --git a/fs/namei.c b/fs/namei.c index 73646e28fae0..5b8e6288d503 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3287,8 +3287,7 @@ static struct dentry *lookup_open(struct nameidata *nd, struct file *file, if (open_flag & O_CREAT) { if (open_flag & O_EXCL) open_flag &= ~O_TRUNC; - if (!IS_POSIXACL(dir->d_inode)) - mode &= ~current_umask(); + mode = prepare_mode(mnt_userns, dir->d_inode, mode); if (likely(got_write)) create_error = may_o_create(mnt_userns, &nd->path, dentry, mode); @@ -3521,8 +3520,7 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; - if (!IS_POSIXACL(dir)) - mode &= ~current_umask(); + mode = prepare_mode(mnt_userns, dir, mode); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err; 
@@ -3850,13 +3848,12 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, if (IS_ERR(dentry)) goto out1; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out2; - mnt_userns = mnt_user_ns(path.mnt); switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(mnt_userns, path.dentry->d_inode, @@ -3943,6 +3940,7 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) struct path path; int error; unsigned int lookup_flags = LOOKUP_DIRECTORY; + struct user_namespace *mnt_userns; retry: dentry = filename_create(dfd, name, &path, lookup_flags); @@ -3950,15 +3948,13 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) if (IS_ERR(dentry)) goto out_putname; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mkdir(&path, dentry, mode); - if (!error) { - struct user_namespace *mnt_userns; - mnt_userns = mnt_user_ns(path.mnt); + if (!error) error = vfs_mkdir(mnt_userns, path.dentry->d_inode, dentry, mode); - } + done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index c75fd54b9185..21f3da2e66c9 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c @@ -197,6 +197,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) * callers. */ if (S_ISDIR(mode)) set_nlink(inode, 2); + mode = inode_sgid_strip(&init_user_ns, dir, mode); inode_init_owner(&init_user_ns, inode, dir, mode); status = dquot_initialize(inode); if (status) diff --git a/include/linux/fs.h b/include/linux/fs.h index 532de76c9b91..ca70cdf9c9e2 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3459,6 +3459,17 @@ static inline bool dir_relax_shared(struct inode *inode) return !IS_DEADDIR(inode); } +static inline umode_t prepare_mode(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + mode = inode_sgid_strip(mnt_userns, dir, mode); + + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); + + return mode; +} + extern bool path_noexec(const struct path *path); extern void inode_nohighmem(struct inode *inode);
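Review bot: prepare_mode() in the include/linux/fs.h hunk has no comment explaining why inode_sgid_strip() runs before the umask is applied, and that ordering is the security-relevant part of the helper. Because the strip is decided on the unmasked mode, a umask that clears S_IXGRP cannot hide the S_ISGID | S_IXGRP combination from the check; with the two statements swapped, inode_sgid_strip() would return early and the bit would survive. Please add kernel-doc stating the order and the reason (the commit message only says the strip "may change mode"). The name is also very generic for a helper in a global header; a vfs_ prefix would make its scope clearer.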
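Review bot: after the fs/inode.c hunk, inode_init_owner() no longer strips S_ISGID for non-directories, but nothing at the function tells a filesystem author that. Any caller that reaches it with a mode that has not been through prepare_mode() or inode_sgid_strip() now keeps the bit silently. Suggest updating the comment on inode_init_owner() to say that the caller must already have stripped, so that a future caller outside the list audited in the commit message does not reintroduce the problem.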
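Review bot: the inode_sgid_strip() call added to ocfs2_get_init_inode() in fs/ocfs2/namei.c carries no comment, and from the hunk alone it looks redundant with the strip now done in the VFS. The commit message gives the reason (the ocfs2 reflink ioctl does not pass through the VFS creation paths); put that in a comment next to the call so it is not removed later as dead code. The same comment could note that the call hard-codes &init_user_ns, matching the inode_init_owner() call on the next line.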
From patchwork Mon Apr 25 03:09:41 2022
X-Patchwork-Submitter: "Yang Xu (Fujitsu)"
X-Patchwork-Id: 12825192
From: Yang Xu
Subject: [PATCH v6 4/4] ceph: Remove S_ISGID stripping code in ceph_finish_async_create
Date: Mon, 25 Apr 2022 11:09:41 +0800
Message-ID: <1650856181-21350-4-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
References: <1650856181-21350-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Previous patches moved sgid stripping exclusively into the vfs. So
manual sgid stripping by the filesystem isn't needed anymore.

Reviewed-by: Xiubo Li
Reviewed-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
--- fs/ceph/file.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 6c9e837aa1d3..8e3b99853333 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c 
@@ -651,10 +651,6 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry, /* Directories always inherit the setgid bit. */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(dir->i_gid) && - !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID)) - mode &= ~S_ISGID; } else { in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid())); }
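Review bot: the branch removed from ceph_finish_async_create() tested in_group_p(dir->i_gid) and CAP_FSETID against &init_user_ns, whereas the VFS helper from patch 1 tests i_gid_into_mnt(mnt_userns, dir) against the mount's user namespace, so the check that now covers this path is not the same expression. The commit message should say that this function is only reached with a mode that has already been through prepare_mode(), and name the VFS entry point that guarantees it, since the hunk cannot show that. The comment "Directories always inherit the setgid bit" now sits above the only remaining branch; consider extending it to say that non-directories were handled in the VFS.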
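The ordering problem that the [PATCH v6 3/4] commit message describes (the strip decided before or after S_IXGRP is filtered by umask or ACL), as an added userspace model that is not part of the patch series or the kernel. `struct creator`, `model_sgid_strip()` and the two ordering functions are hypothetical names, and the `mask` field stands in for either a umask or a default ACL that clears S_IXGRP.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Fallbacks for strict ISO C builds, where glibc hides the file-type bits. */
#ifndef S_IFREG
#define S_IFREG 0100000
#endif
#ifndef S_IFDIR
#define S_IFDIR 0040000
#endif

/* Constructed stand-in for the creating task; not a kernel structure. */
struct creator {
	bool in_dir_group;   /* models in_group_p(i_gid_into_mnt(mnt_userns, dir)) */
	bool has_cap_fsetid; /* models capable_wrt_inode_uidgid(..., CAP_FSETID) */
	mode_t mask;         /* bits removed by umask or by a default ACL */
};

/* Same decision sequence as inode_sgid_strip() in patch 1/4. */
static mode_t model_sgid_strip(const struct creator *c, mode_t dir_mode,
			       mode_t mode)
{
	if (S_ISDIR(mode) || !(dir_mode & S_ISGID))
		return mode;
	if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
		return mode;
	if (c->in_dir_group || c->has_cap_fsetid)
		return mode;
	return mode & ~S_ISGID;
}

/* Strip decided on the requested mode, mask applied afterwards.
 * This is the order prepare_mode() uses in patch 3/4. */
static mode_t strip_then_mask(const struct creator *c, mode_t dir_mode,
			      mode_t mode)
{
	mode = model_sgid_strip(c, dir_mode, mode);
	return mode & ~c->mask;
}

/* Mask applied first, strip decided on what is left (the contrary order). */
static mode_t mask_then_strip(const struct creator *c, mode_t dir_mode,
			      mode_t mode)
{
	mode &= ~c->mask;
	return model_sgid_strip(c, dir_mode, mode);
}

/* True when the two orders disagree on whether S_ISGID survives. */
static bool order_changes_sgid(const struct creator *c, mode_t dir_mode,
			       mode_t mode)
{
	mode_t a = strip_then_mask(c, dir_mode, mode);
	mode_t b = mask_then_strip(c, dir_mode, mode);

	return ((a ^ b) & S_ISGID) != 0;
}

int main(void)
{
	/* Constructed sample: setgid parent directory, setgid + group-exec file. */
	const mode_t dir_mode = S_IFDIR | 02775;
	const mode_t want = S_IFREG | 02775;
	/* Caller outside the directory's group, no CAP_FSETID, mask clears S_IXGRP. */
	const struct creator outsider = { false, false, 0010 };
	/* Same mask, but the caller is a member of the directory's group. */
	const struct creator member = { true, false, 0010 };

	printf("outsider strip-then-mask: %o\n",
	       (unsigned)strip_then_mask(&outsider, dir_mode, want));
	printf("outsider mask-then-strip: %o\n",
	       (unsigned)mask_then_strip(&outsider, dir_mode, want));
	printf("outsider: order changes S_ISGID? %s\n",
	       order_changes_sgid(&outsider, dir_mode, want) ? "yes" : "no");
	printf("member:   order changes S_ISGID? %s\n",
	       order_changes_sgid(&member, dir_mode, want) ? "yes" : "no");
	return 0;
}
```

For the outsider, the mask-first order leaves a setgid file behind because the check no longer sees S_IXGRP; deciding the strip first removes the bit regardless of what the mask later clears.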