From: Yang Xu
Subject: [PATCH v7 1/4] fs: move sgid stripping operation from inode_init_owner into mode_strip_sgid
Date: Tue, 26 Apr 2022 12:19:49 +0800
Message-ID: <1650946792-9545-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: ceph-devel@vger.kernel.org

This has no functional change. Just create and export the mode_strip_sgid API for the subsequent patch. This function is used to strip the S_ISGID mode when initializing a new inode.

Reviewed-by: Darrick J. Wong
Reviewed-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
--- fs/inode.c | 37 +++++++++++++++++++++++++++++++++---- include/linux/fs.h | 2 ++ 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 9d9b422504d1..e9a5f2ec2f89 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,10 +2246,8 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(i_gid_into_mnt(mnt_userns, dir)) && - !capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) - mode &= ~S_ISGID; + else + mode = mode_strip_sgid(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode;
@@ -2405,3 +2403,34 @@ struct timespec64 current_time(struct inode *inode) return timestamp_truncate(now, inode); } EXPORT_SYMBOL(current_time); + +/** + * mode_strip_sgid - handle the sgid bit for non-directories + * @mnt_userns: User namespace of the mount the inode was created from + * @dir: parent directory inode + * @mode: mode of the file to be created in @dir + * + * If the @mode of the new file has both the S_ISGID and S_IXGRP bit + * raised and @dir has the S_ISGID bit raised ensure that the caller is + * either in the group of the parent directory or they have CAP_FSETID + * in their user namespace and are privileged over the parent directory. + * In all other cases, strip the S_ISGID bit from @mode. + * + * Return: the new mode to use for the file + */ +umode_t mode_strip_sgid(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) + return mode; + if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP)) + return mode; + if (in_group_p(i_gid_into_mnt(mnt_userns, dir))) + return mode; + if (capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) + return mode; + + mode &= ~S_ISGID; + return mode; +} +EXPORT_SYMBOL(mode_strip_sgid); diff --git a/include/linux/fs.h b/include/linux/fs.h index bbde95387a23..98b44a2732f5 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -1897,6 +1897,8 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, const struct inode *dir, umode_t mode); extern bool may_open_dev(const struct path *path); +umode_t mode_strip_sgid(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode); /* * This is the "filldir" function type, used by readdir() to let
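
Review bot: The kernel-doc for mode_strip_sgid() in fs/inode.c does not say that @dir may be NULL, although the first `if` in the body returns @mode unchanged for `!dir` as well as for a directory @mode. The function is exported for callers other than inode_init_owner(), so please document both early returns under "Return:" so those callers know which guards they can leave to the helper.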

From: Yang Xu
Subject: [PATCH v7 2/4] fs: Add missing umask strip in vfs_tmpfile
Date: Tue, 26 Apr 2022 12:19:50 +0800
Message-ID: <1650946792-9545-2-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650946792-9545-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: ceph-devel@vger.kernel.org

All creation paths except for O_TMPFILE handle umask in the vfs directly if the filesystem doesn't support or enable POSIX ACLs. If the filesystem does, then umask handling is deferred until posix_acl_create(). Because O_TMPFILE misses umask handling in the vfs, it will not honor umask settings. Fix this by adding the missing umask handling.

Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...")
Cc: # 4.19+
Reported-by: Christian Brauner (Microsoft)
Acked-by: Christian Brauner (Microsoft)
Reviewed-by: Darrick J. Wong
Signed-off-by: Yang Xu
--- fs/namei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/namei.c b/fs/namei.c index 509657fdf4f5..73646e28fae0 100644 --- a/fs/namei.c +++ b/fs/namei.c
@@ -3521,6 +3521,8 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err;
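
Review bot: The two added lines in vfs_tmpfile() carry no comment explaining why directories with IS_POSIXACL() are skipped; the reason (umask handling is deferred to posix_acl_create()) appears only in the commit message. A one-line comment above `if (!IS_POSIXACL(dir))` would keep that visible in the code, which helps for a fix marked `Cc: # 4.19+` that will be read in several trees.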

From: Yang Xu
Subject: [PATCH v7 3/4] fs: strip file's S_ISGID mode on vfs instead of on underlying filesystem
Date: Tue, 26 Apr 2022 12:19:51 +0800
Message-ID: <1650946792-9545-3-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650946792-9545-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: ceph-devel@vger.kernel.org

Currently, the vfs only passes the mode parameter to the filesystem, and then inode_init_owner() is used to strip S_ISGID. Some filesystems (i.e. ext4/btrfs) call inode_init_owner first and then do POSIX ACL setup, but xfs uses the contrary order. This affects S_ISGID clearing, especially when we filter S_IXGRP by umask or ACL.

Regardless of which filesystem is in use, failure to strip the SGID correctly is considered a security failure that needs to be fixed. The current VFS infrastructure requires the filesystem to do everything right and not step on any landmines to strip the SGID bit, when in fact it can easily be done at the VFS and the filesystems then don't even need to be aware that the SGID needs to be (or has been) stripped by the operation the user asked to be done.

The vfs has all the info it needs - it doesn't need the filesystems to do everything correctly with the mode and to ensure that they order things like POSIX ACL setup functions correctly with inode_init_owner() to strip the SGID bit.

Just strip the SGID bit at the VFS, and then the filesystem can't get it wrong.

Also, the mode_strip_sgid() API should be used before IS_POSIXACL() because this API may change the mode.

Only the following places use inode_init_owner:
"
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
arch/powerpc/platforms/cell/spufs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode | S_IFDIR);
fs/9p/vfs_inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/bfs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/btrfs/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/btrfs/tests/btrfs-tests.c: inode_init_owner(&init_user_ns, inode, NULL, S_IFREG);
fs/ext2/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ext4/ialloc.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/f2fs/namei.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/hfsplus/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/hugetlbfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/jfs/jfs_inode.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/minix/bitmap.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/nilfs2/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ntfs3/inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/ocfs2/dlmfs/dlmfs.c: inode_init_owner(&init_user_ns, inode, parent, mode);
fs/ocfs2/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/omfs/inode.c: inode_init_owner(&init_user_ns, inode, NULL, mode);
fs/overlayfs/dir.c: inode_init_owner(&init_user_ns, inode, dentry->d_parent->d_inode, mode);
fs/ramfs/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/reiserfs/namei.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/sysv/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ubifs/dir.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/udf/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/ufs/ialloc.c: inode_init_owner(&init_user_ns, inode, dir, mode);
fs/xfs/xfs_inode.c: inode_init_owner(mnt_userns, inode, dir, mode);
fs/zonefs/super.c: inode_init_owner(&init_user_ns, inode, parent, S_IFDIR | 0555);
kernel/bpf/inode.c: inode_init_owner(&init_user_ns, inode, dir, mode);
mm/shmem.c: inode_init_owner(&init_user_ns, inode, dir, mode);
"

They are used in filesystems' functions that init a new inode, and these init inode functions are used by the following operations:
mkdir
symlink
mknod
create
tmpfile
rename

We don't care about mkdir because we don't strip the SGID bit for directories except for fs.xfs.irix_sgid_inherit. But we even call vfs_prepare_mode() in do_mkdirat() since mode_strip_sgid() will skip directories anyway. This will enforce the same ordering for all relevant operations and it will make the code more uniform and easier to understand by using the new helper vfs_prepare_mode().

symlink and rename only use a valid mode that doesn't have the SGID bit.

We have added the mode_strip_sgid() API for the remaining operations.

In addition to the above six operations, four filesystems have a little difference:
1) btrfs has btrfs_create_subvol_root to create a new inode but uses a non-SGID-bit mode and can be ignored
2) the ocfs2 reflink function should add the mode_strip_sgid API manually because this ioctl is unique and not added into the vfs. It may use S_ISGID mode.
3) spufs, which doesn't really go through the regular VFS callpath because it has a separate system call spu_create, but it only allows the creation of directories and only allows bits in 0777 and can be ignored
4) bpf uses vfs_mkobj in bpf_obj_do_pin with "S_IFREG | ((S_IRUSR | S_IWUSR) & ~current_umask())" mode and uses bpf_mkobj_ops in bpf_iter_link_pin_kernel with S_IFREG | S_IRUSR mode, so bpf is also not affected

This patch also changed grpid behaviour for ext4/xfs because the mode passed to them may have been changed by vfs_prepare_mode.

Also, as Christian Brauner said:
"The patch itself is useful as it would move a security sensitive operation that is currently buried in individual filesystems into the vfs layer.
But it has a decent regression potential since it might strip filesystems that have so far relied on getting the S_ISGID bit with a mode argument. So this needs a lot of testing and long exposure in -next for at least one full kernel cycle." Suggested-by: Dave Chinner Signed-off-by: Yang Xu Reviewed-by: Darrick J. Wong --- fs/inode.c | 2 -- fs/namei.c | 22 +++++++++------------- fs/ocfs2/namei.c | 1 + include/linux/fs.h | 11 +++++++++++ 4 files changed, 21 insertions(+), 15 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index e9a5f2ec2f89..dd357f4b556d 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2246,8 +2246,6 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else - mode = mode_strip_sgid(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode; diff --git a/fs/namei.c b/fs/namei.c index 73646e28fae0..5dbf00704ae8 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3287,8 +3287,7 @@ static struct dentry *lookup_open(struct nameidata *nd, struct file *file, if (open_flag & O_CREAT) { if (open_flag & O_EXCL) open_flag &= ~O_TRUNC; - if (!IS_POSIXACL(dir->d_inode)) - mode &= ~current_umask(); + mode = vfs_prepare_mode(mnt_userns, dir->d_inode, mode); if (likely(got_write)) create_error = may_o_create(mnt_userns, &nd->path, dentry, mode); @@ -3521,8 +3520,7 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; - if (!IS_POSIXACL(dir)) - mode &= ~current_umask(); + mode = vfs_prepare_mode(mnt_userns, dir, mode); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err; 
@@ -3850,13 +3848,12 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, if (IS_ERR(dentry)) goto out1; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = vfs_prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out2; - mnt_userns = mnt_user_ns(path.mnt); switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(mnt_userns, path.dentry->d_inode, @@ -3943,6 +3940,7 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) struct path path; int error; unsigned int lookup_flags = LOOKUP_DIRECTORY; + struct user_namespace *mnt_userns; retry: dentry = filename_create(dfd, name, &path, lookup_flags); @@ -3950,15 +3948,13 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) if (IS_ERR(dentry)) goto out_putname; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); + mnt_userns = mnt_user_ns(path.mnt); + mode = vfs_prepare_mode(mnt_userns, path.dentry->d_inode, mode); error = security_path_mkdir(&path, dentry, mode); - if (!error) { - struct user_namespace *mnt_userns; - mnt_userns = mnt_user_ns(path.mnt); + if (!error) error = vfs_mkdir(mnt_userns, path.dentry->d_inode, dentry, mode); - } + done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index c75fd54b9185..961d1cf54388 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c @@ -197,6 +197,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) * callers. */ if (S_ISDIR(mode)) set_nlink(inode, 2); + mode = mode_strip_sgid(&init_user_ns, dir, mode); inode_init_owner(&init_user_ns, inode, dir, mode); status = dquot_initialize(inode); if (status) diff --git a/include/linux/fs.h b/include/linux/fs.h index 98b44a2732f5..914c8f28bb02 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3459,6 +3459,17 @@ static inline bool dir_relax_shared(struct inode *inode) return !IS_DEADDIR(inode); } +static inline umode_t vfs_prepare_mode(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + mode = mode_strip_sgid(mnt_userns, dir, mode); + + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); + + return mode; +} + extern bool path_noexec(const struct path *path); extern void inode_nohighmem(struct inode *inode);
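
Review bot: After the fs/inode.c hunk, inode_init_owner() no longer strips S_ISGID for non-directories, and nothing at the function tells a filesystem author that the mode must already have gone through vfs_prepare_mode() or mode_strip_sgid(). The audit of callers exists only in the commit message; please add a sentence to the inode_init_owner() comment stating this precondition, so a future create path that bypasses the VFS (as the ocfs2 case handled in this patch does) does not silently keep the bit.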
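
Review bot: In the fs/ocfs2/namei.c hunk the new mode_strip_sgid() call sits in ocfs2_get_init_inode(), whose context comment speaks of several "callers", while the commit message justifies the call only for reflink. Please add a comment at the call saying it is there for the reflink path that is not routed through the vfs, and note whether the other callers arrive with a mode the VFS has already prepared.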
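
Review bot: vfs_prepare_mode() in the include/linux/fs.h hunk has no comment, yet the order of its two statements is the point of the series: the commit message says mode_strip_sgid() must be used before the IS_POSIXACL() check, and that filtering S_IXGRP by umask affects S_ISGID clearing. Please add a kernel-doc block that states the strip has to see the mode before `mode &= ~current_umask();` runs, so the statements are not reordered later.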
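
The ordering problem described in the 3/4 commit message, as an added userspace model (not code from this patch series or from the kernel). It assumes a filesystem without POSIX ACLs, so the umask is applied directly; `struct create_ctx`, `CTX_OUTSIDER`, `CTX_MEMBER` and the function names are hypothetical, and the caller state is constructed sample input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed stand-in for what the kernel reads from dir->i_mode,
 * in_group_p(), capable_wrt_inode_uidgid() and current_umask(). */
struct create_ctx {
    mode_t dir_mode;       /* mode of the parent directory */
    bool   in_dir_group;   /* caller is a member of the directory's group */
    bool   has_cap_fsetid; /* caller has CAP_FSETID over the directory */
    mode_t umask;          /* caller's umask */
};

/* Setgid directory, caller outside its group, umask that removes S_IXGRP. */
static const struct create_ctx CTX_OUTSIDER = { S_ISGID | 0775, false, false, 0010 };
/* Same directory and umask, caller inside the directory's group. */
static const struct create_ctx CTX_MEMBER   = { S_ISGID | 0775, true,  false, 0010 };

/* Model of the decision made by mode_strip_sgid() in patch 1/4. */
static mode_t model_strip_sgid(const struct create_ctx *c, mode_t mode)
{
    if (S_ISDIR(mode) || !(c->dir_mode & S_ISGID))
        return mode;
    if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
        return mode;
    if (c->in_dir_group || c->has_cap_fsetid)
        return mode;
    return mode & ~S_ISGID;
}

/* Order used by vfs_prepare_mode() in patch 3/4: strip, then umask. */
static mode_t strip_then_umask(const struct create_ctx *c, mode_t mode)
{
    mode = model_strip_sgid(c, mode);
    return mode & ~c->umask;
}

/* Order the commit message warns about: S_IXGRP is filtered first, so the
 * strip check no longer sees S_ISGID and S_IXGRP together. */
static mode_t umask_then_strip(const struct create_ctx *c, mode_t mode)
{
    mode &= ~c->umask;
    return model_strip_sgid(c, mode);
}

/* True when the two orders leave a different S_ISGID bit on the new file. */
static bool orders_disagree(const struct create_ctx *c, mode_t mode)
{
    return (strip_then_umask(c, mode) & S_ISGID) !=
           (umask_then_strip(c, mode) & S_ISGID);
}

int main(void)
{
    /* Requested mode for a non-directory: setgid plus rwxrwxr-x. */
    const mode_t req = S_ISGID | 0775;

    printf("outsider, strip first: %04o\n",
           (unsigned)strip_then_umask(&CTX_OUTSIDER, req));
    printf("outsider, umask first: %04o\n",
           (unsigned)umask_then_strip(&CTX_OUTSIDER, req));
    printf("member,   strip first: %04o\n",
           (unsigned)strip_then_umask(&CTX_MEMBER, req));
    printf("orders disagree for outsider: %s\n",
           orders_disagree(&CTX_OUTSIDER, req) ? "yes" : "no");
    return 0;
}
```
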

From: Yang Xu
Subject: [PATCH v7 4/4] ceph: Remove S_ISGID stripping code in ceph_finish_async_create
Date: Tue, 26 Apr 2022 12:19:52 +0800
Message-ID: <1650946792-9545-4-git-send-email-xuyang2018.jy@fujitsu.com>
In-Reply-To: <1650946792-9545-1-git-send-email-xuyang2018.jy@fujitsu.com>
X-Mailing-List: ceph-devel@vger.kernel.org

Previous patches moved sgid stripping exclusively into the vfs. So manual sgid stripping by the filesystem isn't needed anymore.

Reviewed-by: Xiubo Li
Reviewed-by: Christian Brauner (Microsoft)
Signed-off-by: Yang Xu
--- fs/ceph/file.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 6c9e837aa1d3..8e3b99853333 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -651,10 +651,6 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry, /* Directories always inherit the setgid bit. */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(dir->i_gid) && - !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID)) - mode &= ~S_ISGID; } else { in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid())); }
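
Review bot: The check removed from ceph_finish_async_create() tested `in_group_p(dir->i_gid)` and passed `&init_user_ns` to capable_wrt_inode_uidgid(), whereas mode_strip_sgid() from patch 1/4 tests `in_group_p(i_gid_into_mnt(mnt_userns, dir))`; the commit message does not say the two are equivalent for ceph. Please state that in the message, and leave a short comment beside the remaining "Directories always inherit the setgid bit" branch saying that stripping for non-directories is now done by the VFS before this function runs.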