From patchwork Tue Mar 7 18:59:12 2023
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13164635
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, "Darrick J. Wong", Dave Chinner, Christoph Hellwig, Christian Brauner, Leah Rumancik
Subject: [PATCH 5.15 01/11] xfs: use setattr_copy to set vfs inode attributes
Date: Tue, 7 Mar 2023 10:59:12 -0800
Message-Id: <20230307185922.125907-2-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
X-Mailing-List: linux-xfs@vger.kernel.org
From: "Darrick J. Wong"

commit e014f37db1a2d109afa750042ac4d69cf3e3d88e upstream.

Filipe Manana pointed out that XFS' behavior w.r.t. setuid/setgid revocation isn't consistent with btrfs[1] or ext4. Those two filesystems use the VFS function setattr_copy to convey certain attributes from struct iattr into the VFS inode structure.

Andrey Zhadchenko reported[2] that XFS uses the wrong user namespace to decide if it should clear setgid and setuid on a file attribute update. This is a second symptom of the problem that Filipe noticed.

XFS, on the other hand, open-codes setattr_copy in xfs_setattr_mode, xfs_setattr_nonsize, and xfs_setattr_time. Regrettably, setattr_copy is /not/ a simple copy function; it contains additional logic to clear the setgid bit when setting the mode, and XFS' version no longer matches.

The VFS implements its own setuid/setgid stripping logic, which establishes consistent behavior. It's a tad unfortunate that it's scattered across notify_change, should_remove_suid, and setattr_copy but XFS should really follow the Linux VFS. Adapt XFS to use the VFS functions and get rid of the old functions.

[1] https://lore.kernel.org/fstests/CAL3q7H47iNQ=Wmk83WcGB-KBJVOEtR9+qGczzCeXJ9Y2KCV25Q@mail.gmail.com/
[2] https://lore.kernel.org/linux-xfs/20220221182218.748084-1-andrey.zhadchenko@virtuozzo.com/

Fixes: 7fa294c8991c ("userns: Allow chown and setgid preservation")
Signed-off-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Reviewed-by: Christoph Hellwig
Reviewed-by: Christian Brauner
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/xfs/xfs_iops.c | 56 +++-------------------------------------------
 fs/xfs/xfs_pnfs.c |  3 ++-
 2 files changed, 5 insertions(+), 54 deletions(-)

diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index a607d6aca5c4..1eb71275e5b0 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -634,37 +634,6 @@ xfs_vn_getattr( return 0; } -static void -xfs_setattr_mode( - struct xfs_inode *ip, - struct iattr *iattr) -{ - struct inode *inode = VFS_I(ip); - umode_t mode = iattr->ia_mode; - - ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); - - inode->i_mode &= S_IFMT; - inode->i_mode |= mode & ~S_IFMT; -} - -void -xfs_setattr_time( - struct xfs_inode *ip, - struct iattr *iattr) -{ - struct inode *inode = VFS_I(ip); - - ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); - - if (iattr->ia_valid & ATTR_ATIME) - inode->i_atime = iattr->ia_atime; - if (iattr->ia_valid & ATTR_CTIME) - inode->i_ctime = iattr->ia_ctime; - if (iattr->ia_valid & ATTR_MTIME) - inode->i_mtime = iattr->ia_mtime; -} - static int xfs_vn_change_ok( struct user_namespace *mnt_userns, @@ -763,16 +732,6 @@ xfs_setattr_nonsize( gid = (mask & ATTR_GID) ? iattr->ia_gid : igid; uid = (mask & ATTR_UID) ? iattr->ia_uid : iuid; - /* - * CAP_FSETID overrides the following restrictions: - * - * The set-user-ID and set-group-ID bits of a file will be - * cleared upon successful return from chown() - */ - if ((inode->i_mode & (S_ISUID|S_ISGID)) && - !capable(CAP_FSETID)) - inode->i_mode &= ~(S_ISUID|S_ISGID); - /* * Change the ownerships and register quota modifications * in the transaction. @@ -784,7 +743,6 @@ xfs_setattr_nonsize( olddquot1 = xfs_qm_vop_chown(tp, ip, &ip->i_udquot, udqp); } - inode->i_uid = uid; } if (!gid_eq(igid, gid)) { if (XFS_IS_GQUOTA_ON(mp)) { @@ -795,15 +753,10 @@ xfs_setattr_nonsize( olddquot2 = xfs_qm_vop_chown(tp, ip, &ip->i_gdquot, gdqp); } - inode->i_gid = gid; } } - if (mask & ATTR_MODE) - xfs_setattr_mode(ip, iattr); - if (mask & (ATTR_ATIME|ATTR_CTIME|ATTR_MTIME)) - xfs_setattr_time(ip, iattr); - + setattr_copy(mnt_userns, inode, iattr); xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE); XFS_STATS_INC(mp, xs_ig_attrchg); 
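Review bot: In the xfs_setattr_nonsize() hunks, the removed open-coded block used capable(CAP_FSETID), i.e. a check against the initial user namespace, which is the wrong-namespace symptom the commit message attributes to Andrey Zhadchenko's report; setattr_copy(mnt_userns, inode, iattr) hands the same decision to the VFS code the message names (notify_change, should_remove_suid, setattr_copy) with the mount's user namespace, so the disappearing check is the intended fix rather than a lost restriction. Note also that inode->i_uid and inode->i_gid are now written only by setattr_copy(), which runs after xfs_qm_vop_chown() has consumed the uid/gid locals computed from iattr, so quota accounting still sees the new ids; a one-line comment above the setattr_copy() call saying that it also performs the setuid/setgid stripping would save the next reader from re-deriving this.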
@@ -1028,11 +981,8 @@ xfs_setattr_size( xfs_inode_clear_eofblocks_tag(ip); } - if (iattr->ia_valid & ATTR_MODE) - xfs_setattr_mode(ip, iattr); - if (iattr->ia_valid & (ATTR_ATIME|ATTR_CTIME|ATTR_MTIME)) - xfs_setattr_time(ip, iattr); - + ASSERT(!(iattr->ia_valid & (ATTR_UID | ATTR_GID))); + setattr_copy(mnt_userns, inode, iattr); xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE); XFS_STATS_INC(mp, xs_ig_attrchg); diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c index 5e1d29d8b2e7..8865f7d4404a 100644 --- a/fs/xfs/xfs_pnfs.c +++ b/fs/xfs/xfs_pnfs.c 
@@ -283,7 +283,8 @@ xfs_fs_commit_blocks( xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL); xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE); - xfs_setattr_time(ip, iattr); + ASSERT(!(iattr->ia_valid & (ATTR_UID | ATTR_GID))); + setattr_copy(&init_user_ns, inode, iattr); if (update_isize) { i_size_write(inode, iattr->ia_size); ip->i_disk_size = iattr->ia_size;
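Review bot: In the xfs_fs_commit_blocks() hunk, setattr_copy() is passed &init_user_ns rather than a mount user namespace; that is only safe because this path never carries ATTR_UID/ATTR_GID, which the new ASSERT (mirrored in xfs_setattr_size()) documents. The replaced call was xfs_setattr_time(), which copied timestamps only, whereas setattr_copy() honours everything in ia_valid, so a caller that ever sets ATTR_MODE here would have its setgid decision made against init_user_ns without tripping the ASSERT. Since ASSERT() compiles out of non-debug kernels, a short comment stating that this path is timestamp-only and why init_user_ns is therefore acceptable would be worth adding.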
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Dave Chinner, "Darrick J. Wong", Leah Rumancik
Subject: [PATCH 5.15 02/11] xfs: remove XFS_PREALLOC_SYNC
Date: Tue, 7 Mar 2023 10:59:13 -0800
Message-Id: <20230307185922.125907-3-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
X-Mailing-List: linux-xfs@vger.kernel.org

From: Dave Chinner

commit 472c6e46f589c26057596dcba160712a5b3e02c5 upstream.

[partial backport for dependency - xfs_ioc_space() still uses XFS_PREALLOC_SYNC]

Callers can achieve the same thing by calling xfs_log_force_inode() after making their modifications. There is no need for xfs_update_prealloc_flags() to do this.

Signed-off-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/xfs/xfs_file.c | 13 +++++++------
 fs/xfs/xfs_pnfs.c |  6 ++++--
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 240eb932c014..752b676c92e3 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -95,8 +95,6 @@ xfs_update_prealloc_flags( ip->i_diflags &= ~XFS_DIFLAG_PREALLOC; xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE); - if (flags & XFS_PREALLOC_SYNC) - xfs_trans_set_sync(tp); return xfs_trans_commit(tp); } @@ -1059,9 +1057,6 @@ xfs_file_fallocate( } } - if (file->f_flags & O_DSYNC) - flags |= XFS_PREALLOC_SYNC; - error = xfs_update_prealloc_flags(ip, flags); if (error) goto out_unlock;
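Review bot: With the `if (flags & XFS_PREALLOC_SYNC)` / `xfs_trans_set_sync(tp);` lines gone from xfs_update_prealloc_flags() in the @@ -95 hunk, any caller that still passes XFS_PREALLOC_SYNC now gets an asynchronous commit with no error and no warning. The backport note says xfs_ioc_space() is exactly such a caller in 5.15, so either that call site needs a matching xfs_log_force_inode() after its commit, or the note should state explicitly that the ioctl path knowingly loses its O_DSYNC semantics in this partial backport; as written a stable reviewer cannot tell which was intended.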
@@ -1084,8 +1079,14 @@ xfs_file_fallocate( * leave shifted extents past EOF and hence losing access to * the data that is contained within them. */ - if (do_file_insert) + if (do_file_insert) { error = xfs_insert_file_space(ip, offset, len); + if (error) + goto out_unlock; + } + + if (file->f_flags & O_DSYNC) + error = xfs_log_force_inode(ip); out_unlock: xfs_iunlock(ip, iolock); diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c index 8865f7d4404a..3a82a13d880c 100644 --- a/fs/xfs/xfs_pnfs.c +++ b/fs/xfs/xfs_pnfs.c 
@@ -164,10 +164,12 @@ xfs_fs_map_blocks( * that the blocks allocated and handed out to the client are * guaranteed to be present even after a server crash. */ - error = xfs_update_prealloc_flags(ip, - XFS_PREALLOC_SET | XFS_PREALLOC_SYNC); + error = xfs_update_prealloc_flags(ip, XFS_PREALLOC_SET); + if (!error) + error = xfs_log_force_inode(ip); if (error) goto out_unlock; + } else { xfs_iunlock(ip, lock_flags); }
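Review bot: In the xfs_file_fallocate() hunk at @@ -1084, the new `if (error) goto out_unlock;` after xfs_insert_file_space() is not a cosmetic brace change: without it, `error = xfs_log_force_inode(ip);` on the O_DSYNC path would overwrite a failed insert-range with the log force's return value and report success to userspace. That deserves a sentence in the commit message, because a backport reviewer comparing against the old one-line `if (do_file_insert) error = ...` could otherwise drop the braces as noise. The xfs_fs_map_blocks() hunk gets the ordering right for the same reason: the log force only runs when the prealloc transaction committed, so the error reported is the first failure.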
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Dave Chinner, "Darrick J. Wong", Leah Rumancik
Subject: [PATCH 5.15 03/11] xfs: fallocate() should call file_modified()
Date: Tue, 7 Mar 2023 10:59:14 -0800
Message-Id: <20230307185922.125907-4-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
X-Mailing-List: linux-xfs@vger.kernel.org

From: Dave Chinner

commit fbe7e520036583a783b13ff9744e35c2a329d9a4 upstream.

In XFS, we always update the inode change and modification time when any fallocate() operation succeeds. Furthermore, as various fallocate modes can change the file contents (extending EOF, punching holes, zeroing things, shifting extents), we should drop file privileges like suid just like we do for a regular write(). There's already a VFS helper that figures all this out for us, so use that.

The net effect of this is that we no longer drop suid/sgid if the caller is root, but we also now drop file capabilities.

We also move the xfs_update_prealloc_flags() function so that it now is only called by the scope that needs to set the prealloc flag.

Based on a patch from Darrick Wong.

Signed-off-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/xfs/xfs_file.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 752b676c92e3..020e0a412287 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -954,6 +954,10 @@ xfs_file_fallocate( goto out_unlock; } + error = file_modified(file); + if (error) + goto out_unlock; + if (mode & FALLOC_FL_PUNCH_HOLE) { error = xfs_free_file_space(ip, offset, len); if (error)
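Review bot: The file_modified() call in the @@ -954 hunk is placed before the mode dispatch, so setuid/setgid (and, per the commit message, file capabilities) are dropped and the timestamps updated even if the xfs_free_file_space() or later space operation then fails partway; that matches the write() path and is the safe direction for a privilege-stripping change, but the commit message only describes the success case. One sentence saying privileges are stripped before, not after, the space operation would make the error-path behaviour explicit for the stable reviewers.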
@@ -1055,11 +1059,12 @@ xfs_file_fallocate( if (error) goto out_unlock; } - } - error = xfs_update_prealloc_flags(ip, flags); - if (error) - goto out_unlock; + error = xfs_update_prealloc_flags(ip, XFS_PREALLOC_SET); + if (error) + goto out_unlock; + + } /* Change file size if needed */ if (new_size) {
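Review bot: Style nit in the @@ -1055 hunk: the added blank line directly before the closing brace of the else branch (`+ goto out_unlock;` followed by an empty `+` line and then `}`) will trigger checkpatch's "blank lines aren't necessary before a close brace" check. Otherwise moving xfs_update_prealloc_flags(ip, XFS_PREALLOC_SET) inside the branch that actually preallocates is the right change: it stops the call from running for the punch/zero/collapse/insert modes that never set the flag.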
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Dave Chinner, "Darrick J. Wong", Leah Rumancik
Subject: [PATCH 5.15 04/11] xfs: set prealloc flag in xfs_alloc_file_space()
Date: Tue, 7 Mar 2023 10:59:15 -0800
Message-Id: <20230307185922.125907-5-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
X-Mailing-List: linux-xfs@vger.kernel.org

From: Dave Chinner

commit 0b02c8c0d75a738c98c35f02efb36217c170d78c upstream.

Now that we only call xfs_update_prealloc_flags() from xfs_file_fallocate() in the case where we need to set the preallocation flag, do this in xfs_alloc_file_space() where we already have the inode joined into a transaction and get rid of the call to xfs_update_prealloc_flags() from the fallocate code.

This also means that we now correctly avoid setting the XFS_DIFLAG_PREALLOC flag when xfs_is_always_cow_inode() is true, as these inodes will never have preallocated extents.

Signed-off-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/xfs/xfs_bmap_util.c | 9 +++------
 fs/xfs/xfs_file.c      | 8 --------
 2 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 73a36b7be3bd..fd2ad6a3019c 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -851,9 +851,6 @@ xfs_alloc_file_space( rblocks = 0; } - /* - * Allocate and setup the transaction. - */ error = xfs_trans_alloc_inode(ip, &M_RES(mp)->tr_write, dblocks, rblocks, false, &tp); if (error)
@@ -870,9 +867,9 @@ xfs_alloc_file_space( if (error) goto error; - /* - * Complete the transaction - */ + ip->i_diflags |= XFS_DIFLAG_PREALLOC; + xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE); + error = xfs_trans_commit(tp); xfs_iunlock(ip, XFS_ILOCK_EXCL); if (error) diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c index 020e0a412287..8cd0c3df253f 100644 --- a/fs/xfs/xfs_file.c +++ b/fs/xfs/xfs_file.c @@ -909,7 +909,6 @@ xfs_file_fallocate( struct inode *inode = file_inode(file); struct xfs_inode *ip = XFS_I(inode); long error; - enum xfs_prealloc_flags flags = 0; uint iolock = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL; loff_t new_size = 0; bool do_file_insert = false; @@ -1007,8 +1006,6 @@ xfs_file_fallocate( } do_file_insert = true; } else { - flags |= XFS_PREALLOC_SET; - if (!(mode & FALLOC_FL_KEEP_SIZE) && offset + len > i_size_read(inode)) { new_size = offset + len; 
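Review bot: In the xfs_alloc_file_space() hunk at @@ -870, XFS_DIFLAG_PREALLOC is now set and logged in the same transaction as the allocation, immediately before xfs_trans_commit(), so the flag becomes crash-consistent with the extents it describes; the old separate xfs_update_prealloc_flags() transaction could leave preallocated extents on disk with the flag not yet set after a crash between the two commits. The commit message's claim that always-COW inodes no longer receive the flag rests on code in xfs_alloc_file_space() outside this hunk, since the `ip->i_diflags |= XFS_DIFLAG_PREALLOC;` line itself is unconditional; naming that early exit in the message would make the backport self-explanatory.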
@@ -1059,11 +1056,6 @@ xfs_file_fallocate( if (error) goto out_unlock; } - - error = xfs_update_prealloc_flags(ip, XFS_PREALLOC_SET); - if (error) - goto out_unlock; - } /* Change file size if needed */
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Yang Xu, "Darrick J. Wong", Christian Brauner, Jeff Layton, Leah Rumancik
Subject: [PATCH 5.15 05/11] fs: add mode_strip_sgid() helper
Date: Tue, 7 Mar 2023 10:59:16 -0800
Message-Id: <20230307185922.125907-6-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
X-Mailing-List: linux-xfs@vger.kernel.org
From: Yang Xu

commit 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 upstream.

Add a dedicated helper to handle the setgid bit when creating a new file in a setgid directory. This is a preparatory patch for moving setgid stripping into the vfs. The patch contains no functional changes.

Currently the setgid stripping logic is open-coded directly in inode_init_owner() and the individual filesystems are responsible for handling setgid inheritance. Since this has proven to be brittle as evidenced by old issues we uncovered over the last months (see [1] to [3] below) we will try to move this logic into the vfs.

Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [1]
Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [2]
Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [3]
Link: https://lore.kernel.org/r/1657779088-2242-1-git-send-email-xuyang2018.jy@fujitsu.com
Reviewed-by: Darrick J. Wong
Reviewed-by: Christian Brauner (Microsoft)
Reviewed-and-Tested-by: Jeff Layton
Signed-off-by: Yang Xu
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/inode.c         | 36 ++++++++++++++++++++++++++++++++----
 include/linux/fs.h |  2 ++
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/fs/inode.c b/fs/inode.c
index 8279c700a2b7..3740102c9bd5 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2165,10 +2165,8 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && - !in_group_p(i_gid_into_mnt(mnt_userns, dir)) && - !capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) - mode &= ~S_ISGID; + else + mode = mode_strip_sgid(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode;
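Review bot: The inode_init_owner() hunk preserves the three conditions of the removed else-if (mode carries S_ISGID|S_IXGRP, caller not in the directory's group, no CAP_FSETID over @dir), so "no functional changes" holds for this caller. The one difference is that mode_strip_sgid() additionally re-checks `!dir` and `dir->i_mode & S_ISGID` itself instead of relying on the surrounding condition, which is what makes it safe to export for the other call sites the follow-up patches are meant to convert; a sentence in the commit message saying the helper is deliberately stricter about its inputs than this caller needs would help reviewers of those follow-ups.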
@@ -2324,3 +2322,33 @@ struct timespec64 current_time(struct inode *inode) return timestamp_truncate(now, inode); } EXPORT_SYMBOL(current_time); + +/** + * mode_strip_sgid - handle the sgid bit for non-directories + * @mnt_userns: User namespace of the mount the inode was created from + * @dir: parent directory inode + * @mode: mode of the file to be created in @dir + * + * If the @mode of the new file has both the S_ISGID and S_IXGRP bit + * raised and @dir has the S_ISGID bit raised ensure that the caller is + * either in the group of the parent directory or they have CAP_FSETID + * in their user namespace and are privileged over the parent directory. + * In all other cases, strip the S_ISGID bit from @mode. + * + * Return: the new mode to use for the file + */ +umode_t mode_strip_sgid(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode) +{ + if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP)) + return mode; + if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) + return mode; + if (in_group_p(i_gid_into_mnt(mnt_userns, dir))) + return mode; + if (capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) + return mode; + + return mode & ~S_ISGID; +} +EXPORT_SYMBOL(mode_strip_sgid); diff --git a/include/linux/fs.h b/include/linux/fs.h index 1e1ac116dd13..be9be4a7216c 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -1941,6 +1941,8 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, const struct inode *dir, umode_t mode); extern bool may_open_dev(const struct path *path); +umode_t mode_strip_sgid(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode); /* * This is the "filldir" function type, used by readdir() to let
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Yang Xu , Dave Chinner , Christian Brauner , "Darrick J . Wong" , Jeff Layton , Leah Rumancik
Subject: [PATCH 5.15 06/11] fs: move S_ISGID stripping into the vfs_*() helpers
Date: Tue, 7 Mar 2023 10:59:17 -0800
Message-Id: <20230307185922.125907-7-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>
From: Yang Xu

commit 1639a49ccdce58ea248841ed9b23babcce6dbb0b upstream.

Move setgid handling out of individual filesystems and into the VFS itself to stop the proliferation of setgid inheritance bugs.

Creating files that have both the S_IXGRP and S_ISGID bit raised in directories that themselves have the S_ISGID bit set requires additional privileges to avoid security issues.

When a filesystem creates a new inode it needs to take care that the caller is either in the group of the newly created inode or they have CAP_FSETID in their current user namespace and are privileged over the parent directory of the new inode. If any of these two conditions is true then the S_ISGID bit can be raised for an S_IXGRP file and if not it needs to be stripped.

However, there are several key issues with the current implementation:

* S_ISGID stripping logic is entangled with umask stripping. If a filesystem doesn't support or enable POSIX ACLs then umask stripping is done directly in the vfs before calling into the filesystem. If the filesystem does support POSIX ACLs then umask stripping may be done in the filesystem itself when calling posix_acl_create().

  Since umask stripping has an effect on S_ISGID inheritance, e.g., by stripping the S_IXGRP bit from the file to be created and all relevant filesystems have to call posix_acl_create() before inode_init_owner() where we currently take care of S_ISGID handling, S_ISGID handling is order dependent. IOW, whether or not you get a setgid bit depends on POSIX ACLs and umask and in what order they are called.

  Note that technically filesystems are free to impose their own ordering between posix_acl_create() and inode_init_owner() meaning that there's additional ordering issues that influence S_ISGID inheritance.

* Filesystems that don't rely on inode_init_owner() don't get S_ISGID stripping logic. While that may be intentional (e.g. network filesystems might just defer setgid stripping to a server) it is often just a security issue.

This is not just ugly it's unsustainably messy especially since we do still have bugs in this area years after the initial round of setgid bugfixes.

So the current state is quite messy and while we won't be able to make it completely clean as posix_acl_create() is still a filesystem specific call we can improve the S_ISGID stripping situation quite a bit by hoisting it out of inode_init_owner() and into the vfs creation operations. This means we alleviate the burden for filesystems to handle S_ISGID stripping correctly and can standardize the ordering between S_ISGID and umask stripping in the vfs.

We add a new helper vfs_prepare_mode() so S_ISGID handling is now done in the VFS before umask handling. This means S_ISGID handling is unaffected by whether umask stripping is done by the VFS itself (if no POSIX ACLs are supported or enabled) or in the filesystem in posix_acl_create() (if POSIX ACLs are supported).

The vfs_prepare_mode() helper is called directly in vfs_*() helpers that create new filesystem objects. We need to move them into there to make sure that filesystems like overlayfs that have callchains like:

sys_mknod()
-> do_mknodat(mode)
   -> .mknod = ovl_mknod(mode)
      -> ovl_create(mode)
         -> vfs_mknod(mode)

get S_ISGID stripping done when calling into lower filesystems via vfs_*() creation helpers. Moving vfs_prepare_mode() into e.g. vfs_mknod() takes care of that. This is in any case semantically cleaner because S_ISGID stripping is a VFS security requirement.

Security hooks so far have seen the mode with the umask applied but without S_ISGID handling done. The relevant hooks are called outside of vfs_*() creation helpers so by calling vfs_prepare_mode() from vfs_*() helpers the security hooks would now see the mode without umask stripping applied. For now we fix this by passing the mode with umask settings applied to not risk any regressions for LSM hooks. IOW, nothing changes for LSM hooks.

It is worth pointing out that security hooks never saw the mode that is seen by the filesystem when actually creating the file. They have always been completely misplaced for that to work.

The following filesystems use inode_init_owner() and thus relied on S_ISGID stripping: spufs, 9p, bfs, btrfs, ext2, ext4, f2fs, hfsplus, hugetlbfs, jfs, minix, nilfs2, ntfs3, ocfs2, omfs, overlayfs, ramfs, reiserfs, sysv, ubifs, udf, ufs, xfs, zonefs, bpf, tmpfs.

All of the above filesystems end up calling inode_init_owner() when new filesystem objects are created through the ->mkdir(), ->mknod(), ->create(), ->tmpfile(), ->rename() inode operations. Since directories always inherit the S_ISGID bit with the exception of xfs when irix_sgid_inherit mode is turned on S_ISGID stripping doesn't apply. The ->symlink() and ->link() inode operations trivially inherit the mode from the target and the ->rename() inode operation inherits the mode from the source inode. All other creation inode operations will get S_ISGID handling via vfs_prepare_mode() when called from their relevant vfs_*() helpers.

In addition to this there are filesystems which allow the creation of filesystem objects through ioctl()s or - in the case of spufs - circumventing the vfs in other ways. If filesystem objects are created through ioctl()s the vfs doesn't know about it and can't apply regular permission checking including S_ISGID logic. Therefore, a filesystem relying on S_ISGID stripping in inode_init_owner() in their ioctl() callpath will be affected by moving this logic into the vfs. We audited those filesystems:

* btrfs allows the creation of filesystem objects through various ioctls(). Snapshot creation literally takes a snapshot and so the mode is fully preserved and S_ISGID stripping doesn't apply. Creating a new subvolume relies on inode_init_owner() in btrfs_new_subvol_inode() but only creates directories and doesn't raise S_ISGID.

* ocfs2 has a peculiar implementation of reflinks. In contrast to e.g. xfs and btrfs FICLONE/FICLONERANGE ioctl() that is only concerned with the actual extents ocfs2 uses a separate ioctl() that also creates the target file. Iow, ocfs2 circumvents the vfs entirely here and did indeed rely on inode_init_owner() to strip the S_ISGID bit. This is the only place where a filesystem needs to call mode_strip_sgid() directly but this is self-inflicted pain.

* spufs doesn't go through the vfs at all and doesn't use ioctl()s either. Instead it has a dedicated system call spufs_create() which allows the creation of filesystem objects. But spufs only creates directories and doesn't allow S_ISGID bits, i.e. it specifically only allows 0777 bits.

* bpf uses vfs_mkobj() but also doesn't allow S_ISGID bits to be created.

The patch will have an effect on ext2 when the EXT2_MOUNT_GRPID mount option is used, on ext4 when the EXT4_MOUNT_GRPID mount option is used, and on xfs when the XFS_FEAT_GRPID mount option is used. When any of these filesystems are mounted with their respective GRPID option then newly created files inherit the parent directory's group unconditionally. In these cases none of the filesystems call inode_init_owner() and thus never stripped the S_ISGID bit for newly created files. Moving this logic into the VFS means that they now get the S_ISGID bit stripped. This is a user visible change. If this leads to regressions we will either need to figure out a better way or we need to revert. However, given the various setgid bugs that we found just in the last two years this is a regression risk we should take.

Associated with this change is a new set of fstests to enforce the semantics for all new filesystems.
Link: https://lore.kernel.org/ceph-devel/20220427092201.wvsdjbnc7b4dttaw@wittgenstein [1]
Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [2]
Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [3]
Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [4]
Link: https://lore.kernel.org/r/1657779088-2242-3-git-send-email-xuyang2018.jy@fujitsu.com
Suggested-by: Dave Chinner
Suggested-by: Christian Brauner (Microsoft)
Reviewed-by: Darrick J. Wong
Reviewed-and-Tested-by: Jeff Layton
Signed-off-by: Yang Xu
[: rewrote commit message]
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/inode.c | 2 --
 fs/namei.c | 82 ++++++++++++++++++++++++++++++++++++++++--------
 fs/ocfs2/namei.c | 1 +
 3 files changed, 70 insertions(+), 15 deletions(-)

diff --git a/fs/inode.c b/fs/inode.c index 3740102c9bd5..957b2d18ec29 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2165,8 +2165,6 @@ void inode_init_owner(struct user_namespace *mnt_userns, struct inode *inode, /* Directories are special, and always inherit S_ISGID */ if (S_ISDIR(mode)) mode |= S_ISGID; - else - mode = mode_strip_sgid(mnt_userns, dir, mode); } else inode_fsgid_set(inode, mnt_userns); inode->i_mode = mode; diff --git a/fs/namei.c b/fs/namei.c index 81b31d9a063f..02e99606c65b 100644 --- a/fs/namei.c +++ b/fs/namei.c
@@ -3000,6 +3000,65 @@ void unlock_rename(struct dentry *p1, struct dentry *p2) } EXPORT_SYMBOL(unlock_rename); +/** + * mode_strip_umask - handle vfs umask stripping + * @dir: parent directory of the new inode + * @mode: mode of the new inode to be created in @dir + * + * Umask stripping depends on whether or not the filesystem supports POSIX + * ACLs. If the filesystem doesn't support it umask stripping is done directly + * in here. If the filesystem does support POSIX ACLs umask stripping is + * deferred until the filesystem calls posix_acl_create(). + * + * Returns: mode + */ +static inline umode_t mode_strip_umask(const struct inode *dir, umode_t mode) +{ + if (!IS_POSIXACL(dir)) + mode &= ~current_umask(); + return mode; +} + +/** + * vfs_prepare_mode - prepare the mode to be used for a new inode + * @mnt_userns: user namespace of the mount the inode was found from + * @dir: parent directory of the new inode + * @mode: mode of the new inode + * @mask_perms: allowed permission by the vfs + * @type: type of file to be created + * + * This helper consolidates and enforces vfs restrictions on the @mode of a new + * object to be created. + * + * Umask stripping depends on whether the filesystem supports POSIX ACLs (see + * the kernel documentation for mode_strip_umask()). Moving umask stripping + * after setgid stripping allows the same ordering for both non-POSIX ACL and + * POSIX ACL supporting filesystems. + * + * Note that it's currently valid for @type to be 0 if a directory is created. + * Filesystems raise that flag individually and we need to check whether each + * filesystem can deal with receiving S_IFDIR from the vfs before we enforce a + * non-zero type. 
+ * + * Returns: mode to be passed to the filesystem + */ +static inline umode_t vfs_prepare_mode(struct user_namespace *mnt_userns, + const struct inode *dir, umode_t mode, + umode_t mask_perms, umode_t type) +{ + mode = mode_strip_sgid(mnt_userns, dir, mode); + mode = mode_strip_umask(dir, mode); + + /* + * Apply the vfs mandated allowed permission mask and set the type of + * file to be created before we call into the filesystem. + */ + mode &= (mask_perms & ~S_IFMT); + mode |= (type & S_IFMT); + + return mode; +} + /** * vfs_create - create new file * @mnt_userns: user namespace of the mount the inode was found from @@ -3025,8 +3084,8 @@ int vfs_create(struct user_namespace *mnt_userns, struct inode *dir, if (!dir->i_op->create) return -EACCES; /* shouldn't it be ENOSYS? */ - mode &= S_IALLUGO; - mode |= S_IFREG; + + mode = vfs_prepare_mode(mnt_userns, dir, mode, S_IALLUGO, S_IFREG); error = security_inode_create(dir, dentry, mode); if (error) return error; @@ -3291,8 +3350,7 @@ static struct dentry *lookup_open(struct nameidata *nd, struct file *file, if (open_flag & O_CREAT) { if (open_flag & O_EXCL) open_flag &= ~O_TRUNC; - if (!IS_POSIXACL(dir->d_inode)) - mode &= ~current_umask(); + mode = vfs_prepare_mode(mnt_userns, dir->d_inode, mode, mode, mode); if (likely(got_write)) create_error = may_o_create(mnt_userns, &nd->path, dentry, mode); @@ -3525,8 +3583,7 @@ struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns, child = d_alloc(dentry, &slash_name); if (unlikely(!child)) goto out_err; - if (!IS_POSIXACL(dir)) - mode &= ~current_umask(); + mode = vfs_prepare_mode(mnt_userns, dir, mode, mode, mode); error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); if (error) goto out_err; @@ -3804,6 +3861,7 @@ int vfs_mknod(struct user_namespace *mnt_userns, struct inode *dir, if (!dir->i_op->mknod) return -EPERM; + mode = vfs_prepare_mode(mnt_userns, dir, mode, mode, mode); error = devcgroup_inode_mknod(mode, dev); if (error) return error; 
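Review bot: the vfs_create() hunk changes what the security_inode_create() hook observes, which conflicts with the commit message's 'nothing changes for LSM hooks': the hook now runs after `mode = vfs_prepare_mode(mnt_userns, dir, mode, S_IALLUGO, S_IFREG);` and receives a mode with S_ISGID possibly stripped, whereas before (`- mode &= S_IALLUGO; - mode |= S_IFREG;` followed by the unchanged hook call) it saw the umask-applied mode with S_ISGID intact. The umask-preserving workaround only covers the security_path_*() hooks called from do_mknodat()/do_mkdirat(). Either narrow the commit message to the path hooks or state that the inode hooks now intentionally see the stripped mode.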
@@ -3854,9 +3912,8 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, if (IS_ERR(dentry)) goto out1; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); - error = security_path_mknod(&path, dentry, mode, dev); + error = security_path_mknod(&path, dentry, + mode_strip_umask(path.dentry->d_inode, mode), dev); if (error) goto out2; @@ -3926,7 +3983,7 @@ int vfs_mkdir(struct user_namespace *mnt_userns, struct inode *dir, if (!dir->i_op->mkdir) return -EPERM; - mode &= (S_IRWXUGO|S_ISVTX); + mode = vfs_prepare_mode(mnt_userns, dir, mode, S_IRWXUGO | S_ISVTX, 0); error = security_inode_mkdir(dir, dentry, mode); if (error) return error; @@ -3954,9 +4011,8 @@ int do_mkdirat(int dfd, struct filename *name, umode_t mode) if (IS_ERR(dentry)) goto out_putname; - if (!IS_POSIXACL(path.dentry->d_inode)) - mode &= ~current_umask(); - error = security_path_mkdir(&path, dentry, mode); + error = security_path_mkdir(&path, dentry, + mode_strip_umask(path.dentry->d_inode, mode)); if (!error) { struct user_namespace *mnt_userns; mnt_userns = mnt_user_ns(path.mnt); diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index 11807034dd48..5b8237ceb8cc 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c 
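Review bot: in the vfs_mkdir() hunk vfs_prepare_mode() is called with @type 0 and mask S_IRWXUGO | S_ISVTX, so mode_strip_sgid() sees a mode without S_IFDIR and its S_ISDIR() guard never fires; the result is still correct only because the mask drops S_ISGID for every directory and inode_init_owner() re-adds it (the retained `if (S_ISDIR(mode)) mode |= S_ISGID;` in fs/inode.c). A short comment at the vfs_mkdir() call site would make that dependency explicit, since the kernel-doc note about @type being 0 explains only why the type is not enforced. The same hook observation as for security_inode_create() in vfs_create() applies to security_inode_mkdir() here.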
@@ -197,6 +197,7 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) * callers. */ if (S_ISDIR(mode)) set_nlink(inode, 2); + mode = mode_strip_sgid(&init_user_ns, dir, mode); inode_init_owner(&init_user_ns, inode, dir, mode); status = dquot_initialize(inode); if (status)
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Christian Brauner , Leah Rumancik , "Darrick J . Wong"
Subject: [PATCH 5.15 07/11] attr: add in_group_or_capable()
Date: Tue, 7 Mar 2023 10:59:18 -0800
Message-Id: <20230307185922.125907-8-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>

From: Christian Brauner

commit 11c2a8700cdcabf9b639b7204a1e38e2a0b6798e upstream.

[backport to 5.15.y, prior to vfsgid_t]

In setattr_{copy,prepare}() we need to perform the same permission checks to determine whether we need to drop the setgid bit or not. Instead of open-coding it twice add a simple helper that encapsulates the logic. We will reuse this helper to make dropping the setgid bit during write operations more consistent in a follow up patch.

Reviewed-by: Amir Goldstein
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/attr.c | 8 ++++----
 fs/inode.c | 28 ++++++++++++++++++++++++----
 fs/internal.h | 2 ++
 3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/fs/attr.c b/fs/attr.c index f581c4d00897..686840aa91c8 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -18,6 +18,8 @@ #include #include +#include "internal.h" + /** * chown_ok - verify permissions to chown inode * @mnt_userns: user namespace of the mount @inode was found from
@@ -141,8 +143,7 @@ int setattr_prepare(struct user_namespace *mnt_userns, struct dentry *dentry, mapped_gid = i_gid_into_mnt(mnt_userns, inode); /* Also check the setgid bit! */ - if (!in_group_p(mapped_gid) && - !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) + if (!in_group_or_capable(mnt_userns, inode, mapped_gid)) attr->ia_mode &= ~S_ISGID; } @@ -257,8 +258,7 @@ void setattr_copy(struct user_namespace *mnt_userns, struct inode *inode, if (ia_valid & ATTR_MODE) { umode_t mode = attr->ia_mode; kgid_t kgid = i_gid_into_mnt(mnt_userns, inode); - if (!in_group_p(kgid) && - !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) + if (!in_group_or_capable(mnt_userns, inode, kgid)) mode &= ~S_ISGID; inode->i_mode = mode; } diff --git a/fs/inode.c b/fs/inode.c index 957b2d18ec29..a71fb82279bb 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2321,6 +2321,28 @@ struct timespec64 current_time(struct inode *inode) } EXPORT_SYMBOL(current_time); +/** + * in_group_or_capable - check whether caller is CAP_FSETID privileged + * @mnt_userns: user namespace of the mount @inode was found from + * @inode: inode to check + * @gid: the new/current gid of @inode + * + * Check wether @gid is in the caller's group list or if the caller is + * privileged with CAP_FSETID over @inode. This can be used to determine + * whether the setgid bit can be kept or must be dropped. + * + * Return: true if the caller is sufficiently privileged, false if not. + */ +bool in_group_or_capable(struct user_namespace *mnt_userns, + const struct inode *inode, kgid_t gid) +{ + if (in_group_p(gid)) + return true; + if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) + return true; + return false; +} + /** * mode_strip_sgid - handle the sgid bit for non-directories * @mnt_userns: User namespace of the mount the inode was created from 
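Review bot: typo in the new in_group_or_capable() kernel-doc: 'Check wether @gid' should read 'Check whether @gid'. The helper keeps the test order the replaced call sites in setattr_prepare() and setattr_copy() used, in_group_p() first and capable_wrt_inode_uidgid() only when that fails; a one-line comment in the body saying the cheap group-membership test is deliberately first would keep a later cleanup from swapping the two.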
@@ -2342,11 +2364,9 @@ umode_t mode_strip_sgid(struct user_namespace *mnt_userns, return mode; if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID)) return mode; - if (in_group_p(i_gid_into_mnt(mnt_userns, dir))) - return mode; - if (capable_wrt_inode_uidgid(mnt_userns, dir, CAP_FSETID)) + if (in_group_or_capable(mnt_userns, dir, + i_gid_into_mnt(mnt_userns, dir))) return mode; - return mode & ~S_ISGID; } EXPORT_SYMBOL(mode_strip_sgid); diff --git a/fs/internal.h b/fs/internal.h index 9075490f21a6..c89814727281 100644 --- a/fs/internal.h +++ b/fs/internal.h 
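Review bot: besides replacing the two checks with in_group_or_capable(), this hunk also deletes the blank line before `return mode & ~S_ISGID;`, an unrelated whitespace change in what is otherwise a mechanical helper substitution; either keep the blank line or mention the cleanup in the commit message so the diff reviews as the pure refactor it claims to be.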
@@ -150,6 +150,8 @@ extern int vfs_open(const struct path *, struct file *); extern long prune_icache_sb(struct super_block *sb, struct shrink_control *sc); extern void inode_add_lru(struct inode *inode); extern int dentry_needs_remove_privs(struct dentry *dentry); +bool in_group_or_capable(struct user_namespace *mnt_userns, + const struct inode *inode, kgid_t gid); /* * fs-writeback.c
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Christian Brauner , Leah Rumancik , "Darrick J . Wong"
Subject: [PATCH 5.15 08/11] fs: move should_remove_suid()
Date: Tue, 7 Mar 2023 10:59:19 -0800
Message-Id: <20230307185922.125907-9-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>

From: Christian Brauner

commit e243e3f94c804ecca9a8241b5babe28f35258ef4 upstream.

Move the helper from inode.c to attr.c. This keeps the core of the set{g,u}id stripping logic in one place when we add follow-up changes. It is the better place anyway, since should_remove_suid() returns ATTR_KILL_S{G,U}ID flags.

Reviewed-by: Amir Goldstein
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/attr.c | 29 +++++++++++++++++++++++++++++
 fs/inode.c | 29 -----------------------------
 2 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/fs/attr.c b/fs/attr.c index 686840aa91c8..f045431bab1a 100644 --- a/fs/attr.c +++ b/fs/attr.c
@@ -20,6 +20,35 @@ #include "internal.h" +/* + * The logic we want is + * + * if suid or (sgid and xgrp) + * remove privs + */ +int should_remove_suid(struct dentry *dentry) +{ + umode_t mode = d_inode(dentry)->i_mode; + int kill = 0; + + /* suid always must be killed */ + if (unlikely(mode & S_ISUID)) + kill = ATTR_KILL_SUID; + + /* + * sgid without any exec bits is just a mandatory locking mark; leave + * it alone. If some exec bits are set, it's a real sgid; kill it. + */ + if (unlikely((mode & S_ISGID) && (mode & S_IXGRP))) + kill |= ATTR_KILL_SGID; + + if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode))) + return kill; + + return 0; +} +EXPORT_SYMBOL(should_remove_suid); + /** * chown_ok - verify permissions to chown inode * @mnt_userns: user namespace of the mount @inode was found from diff --git a/fs/inode.c b/fs/inode.c index a71fb82279bb..3811269259e1 100644 --- a/fs/inode.c +++ b/fs/inode.c 
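Review bot: the moved should_remove_suid() still uses a plain capable(CAP_FSETID), unlike in_group_or_capable() and mode_strip_sgid() earlier in this series, which use capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID); the write-path check therefore ignores the mount's user namespace and the inode's ownership mapping. A pure move is the right scope for this commit, but the commit message should say that this inconsistency is left for the announced follow-up rather than addressed here.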
@@ -1864,35 +1864,6 @@ void touch_atime(const struct path *path) } EXPORT_SYMBOL(touch_atime); -/* - * The logic we want is - * - * if suid or (sgid and xgrp) - * remove privs - */ -int should_remove_suid(struct dentry *dentry) -{ - umode_t mode = d_inode(dentry)->i_mode; - int kill = 0; - - /* suid always must be killed */ - if (unlikely(mode & S_ISUID)) - kill = ATTR_KILL_SUID; - - /* - * sgid without any exec bits is just a mandatory locking mark; leave - * it alone. If some exec bits are set, it's a real sgid; kill it. - */ - if (unlikely((mode & S_ISGID) && (mode & S_IXGRP))) - kill |= ATTR_KILL_SGID; - - if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode))) - return kill; - - return 0; -} -EXPORT_SYMBOL(should_remove_suid); - /* * Return mask of changes for notify_change() that need to be done as a * response to write or truncate. Return 0 if nothing has to be changed.
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Christian Brauner, Leah Rumancik, "Darrick J . Wong"
Subject: [PATCH 5.15 09/11] attr: add setattr_should_drop_sgid()
Date: Tue, 7 Mar 2023 10:59:20 -0800
Message-Id: <20230307185922.125907-10-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>

From: Christian Brauner

commit 72ae017c5451860443a16fb2a8c243bff3e396b8 upstream.

[backport to 5.15.y, prior to vfsgid_t]

The current setgid stripping logic during write and ownership change
operations is inconsistent and strewn over multiple places. In order to
consolidate it and make it more consistent we'll add a new helper
setattr_should_drop_sgid(). The function retains the old behavior where we
remove the S_ISGID bit unconditionally when S_IXGRP is set but also when it
isn't set and the caller is neither in the group of the inode nor
privileged over the inode. We will use this helper both in write operation
permission removal such as file_remove_privs() as well as in ownership
change operations.

Reviewed-by: Amir Goldstein
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 fs/attr.c     | 28 ++++++++++++++++++++++++++++
 fs/internal.h |  6 ++++++
 2 files changed, 34 insertions(+)

diff --git a/fs/attr.c b/fs/attr.c
index f045431bab1a..965be68ed8fa 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -20,6 +20,34 @@ #include "internal.h" +/** + * setattr_should_drop_sgid - determine whether the setgid bit needs to be + * removed + * @mnt_userns: user namespace of the mount @inode was found from + * @inode: inode to check + * + * This function determines whether the setgid bit needs to be removed. + * We retain backwards compatibility and require setgid bit to be removed + * unconditionally if S_IXGRP is set. Otherwise we have the exact same + * requirements as setattr_prepare() and setattr_copy(). + * + * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise. + */ +int setattr_should_drop_sgid(struct user_namespace *mnt_userns, + const struct inode *inode) +{ + umode_t mode = inode->i_mode; + + if (!(mode & S_ISGID)) + return 0; + if (mode & S_IXGRP) + return ATTR_KILL_SGID; + if (!in_group_or_capable(mnt_userns, inode, + i_gid_into_mnt(mnt_userns, inode))) + return ATTR_KILL_SGID; + return 0; +} + /* * The logic we want is * diff --git a/fs/internal.h b/fs/internal.h index c89814727281..45cf31d7380b 100644 --- a/fs/internal.h +++ b/fs/internal.h 
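Review bot: the kernel-doc claims "the exact same requirements as setattr_prepare() and setattr_copy()", but the helper returns ATTR_KILL_SGID without looking at S_ISREG or at the caller's CAP_FSETID in the S_IXGRP branch; those gates stay with the callers (setattr_should_drop_suidgid() applies them, chown_common() relies on notify_change()). State in the Return: line that the value is a raw hint to be ORed into ia_valid, not a final decision, so nobody later treats a non-zero result as "strip now". Minor: the helper is only declared in fs/internal.h, so the doc comment could also say it is VFS-internal on purpose, unlike the exported should_remove_suid() it sits above.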
@@ -231,3 +231,9 @@ struct xattr_ctx { int setxattr_copy(const char __user *name, struct xattr_ctx *ctx); int do_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, struct xattr_ctx *ctx); + +/* + * fs/attr.c + */ +int setattr_should_drop_sgid(struct user_namespace *mnt_userns, + const struct inode *inode);

From patchwork Tue Mar 7 18:59:21 2023
X-Patchwork-Id: 13164643
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Christian Brauner, Leah Rumancik, "Darrick J . Wong"
Subject: [PATCH 5.15 10/11] attr: use consistent sgid stripping checks
Date: Tue, 7 Mar 2023 10:59:21 -0800
Message-Id: <20230307185922.125907-11-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>

From: Christian Brauner

commit ed5a7047d2011cb6b2bf84ceb6680124cc6a7d95 upstream.

[backport to 5.15.y, prior to vfsgid_t]

Currently setgid stripping in file_remove_privs()'s should_remove_suid()
helper is inconsistent with other parts of the vfs. Specifically, it only
raises ATTR_KILL_SGID if the inode is S_ISGID and S_IXGRP but not if the
inode isn't in the caller's groups and the caller isn't privileged over the
inode although we require this already in setattr_prepare() and
setattr_copy() and so all filesystems implement this requirement implicitly
because they have to use setattr_{prepare,copy}() anyway.

But the inconsistency shows up in setgid stripping bugs for overlayfs in
xfstests (e.g., generic/673, generic/683, generic/685, generic/686,
generic/687). For example, we test whether suid and setgid stripping works
correctly when performing various write-like operations as an unprivileged
user (fallocate, reflink, write, etc.):

    echo "Test 1 - qa_user, non-exec file $verb"
    setup_testfile
    chmod a+rws $junk_file
    commit_and_check "$qa_user" "$verb" 64k 64k

The test basically creates a file with 6666 permissions. While the file has
the S_ISUID and S_ISGID bits set it does not have the S_IXGRP set. On a
regular filesystem like xfs what will happen is:

    sys_fallocate()
    -> vfs_fallocate()
       -> xfs_file_fallocate()
          -> file_modified()
             -> __file_remove_privs()
                -> dentry_needs_remove_privs()
                   -> should_remove_suid()
                -> __remove_privs()
                   newattrs.ia_valid = ATTR_FORCE | kill;
                   -> notify_change()
                      -> setattr_copy()

In should_remove_suid() we can see that ATTR_KILL_SUID is raised
unconditionally because the file in the test has S_ISUID set.

But we also see that ATTR_KILL_SGID won't be set because while the file is
S_ISGID it is not S_IXGRP (see above) which is a condition for
ATTR_KILL_SGID being raised.

So by the time we call notify_change() we have attr->ia_valid set to
ATTR_KILL_SUID | ATTR_FORCE. Now notify_change() sees that ATTR_KILL_SUID
is set and does:

    ia_valid = attr->ia_valid |= ATTR_MODE
    attr->ia_mode = (inode->i_mode & ~S_ISUID);

which means that when we call setattr_copy() later we will definitely
update inode->i_mode. Note that attr->ia_mode still contains S_ISGID.

Now we call into the filesystem's ->setattr() inode operation which will
end up calling setattr_copy(). Since ATTR_MODE is set we will hit:

    if (ia_valid & ATTR_MODE) {
            umode_t mode = attr->ia_mode;
            vfsgid_t vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
            if (!vfsgid_in_group_p(vfsgid) &&
                !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID))
                    mode &= ~S_ISGID;
            inode->i_mode = mode;
    }

and since the caller in the test is neither capable nor in the group of the
inode the S_ISGID bit is stripped.

But assume the file isn't suid then ATTR_KILL_SUID won't be raised which
has the consequence that neither the setgid nor the suid bits are stripped
even though it should be stripped because the inode isn't in the caller's
groups and the caller isn't privileged over the inode.

If overlayfs is in the mix things become a bit more complicated and the bug
shows up more clearly. When, e.g., ovl_setattr() is hit from
ovl_fallocate()'s call to file_remove_privs() then ATTR_KILL_SUID and
ATTR_KILL_SGID might be raised but because the check in notify_change() is
questioning the ATTR_KILL_SGID flag again by requiring S_IXGRP for it to be
stripped the S_ISGID bit isn't removed even though it should be stripped:

    sys_fallocate()
    -> vfs_fallocate()
       -> ovl_fallocate()
          -> file_remove_privs()
             -> dentry_needs_remove_privs()
                -> should_remove_suid()
             -> __remove_privs()
                newattrs.ia_valid = ATTR_FORCE | kill;
                -> notify_change()
                   -> ovl_setattr()
                      // TAKE ON MOUNTER'S CREDS
                      -> ovl_do_notify_change()
                         -> notify_change()
                      // GIVE UP MOUNTER'S CREDS
          // TAKE ON MOUNTER'S CREDS
          -> vfs_fallocate()
             -> xfs_file_fallocate()
                -> file_modified()
                   -> __file_remove_privs()
                      -> dentry_needs_remove_privs()
                         -> should_remove_suid()
                      -> __remove_privs()
                         newattrs.ia_valid = attr_force | kill;
                         -> notify_change()

The fix for all of this is to make file_remove_privs()'s
should_remove_suid() helper perform the same checks as we already require
in setattr_prepare() and setattr_copy() and have notify_change() not
pointlessly require S_IXGRP again. It doesn't make any sense in the first
place because the caller must calculate the flags via should_remove_suid()
anyway which would raise ATTR_KILL_SGID.

While we're at it we move should_remove_suid() from inode.c to attr.c
where it belongs with the rest of the iattr helpers. Especially since it
returns ATTR_KILL_S{G,U}ID flags. We also rename it to
setattr_should_drop_suidgid() to better reflect that it indicates both
setuid and setgid bit removal and also that it returns attr flags.

Running xfstests with this doesn't report any regressions. We should really
try and use consistent checks.

Reviewed-by: Amir Goldstein
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein Tested-by: Leah Rumancik Acked-by: Darrick J. Wong --- Documentation/trace/ftrace.rst | 2 +- fs/attr.c | 33 +++++++++++++++++++-------------- fs/fuse/file.c | 2 +- fs/inode.c | 7 ++++--- fs/internal.h | 2 +- fs/ocfs2/file.c | 4 ++-- fs/open.c | 8 ++++---- include/linux/fs.h | 2 +- 8 files changed, 33 insertions(+), 27 deletions(-) diff --git a/Documentation/trace/ftrace.rst b/Documentation/trace/ftrace.rst index 4e5b26f03d5b..d036946bce7a 100644 --- a/Documentation/trace/ftrace.rst +++ b/Documentation/trace/ftrace.rst @@ -2929,7 +2929,7 @@ Produces:: bash-1994 [000] .... 4342.324898: ima_get_action <-process_measurement bash-1994 [000] .... 4342.324898: ima_match_policy <-ima_get_action bash-1994 [000] .... 4342.324899: do_truncate <-do_last - bash-1994 [000] .... 4342.324899: should_remove_suid <-do_truncate + bash-1994 [000] .... 4342.324899: setattr_should_drop_suidgid <-do_truncate bash-1994 [000] .... 4342.324899: notify_change <-do_truncate bash-1994 [000] .... 4342.324900: current_fs_time <-notify_change bash-1994 [000] .... 4342.324900: current_kernel_time <-current_fs_time diff --git a/fs/attr.c b/fs/attr.c index 965be68ed8fa..0ca14cbd4b8b 100644 --- a/fs/attr.c +++ b/fs/attr.c 
@@ -48,34 +48,39 @@ int setattr_should_drop_sgid(struct user_namespace *mnt_userns, return 0; } -/* - * The logic we want is +/** + * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to + * be dropped + * @mnt_userns: user namespace of the mount @inode was found from + * @inode: inode to check * - * if suid or (sgid and xgrp) - * remove privs + * This function determines whether the set{g,u}id bits need to be removed. + * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the + * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both + * set{g,u}id bits need to be removed the corresponding mask of both flags is + * returned. + * + * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits + * to remove, 0 otherwise. */ -int should_remove_suid(struct dentry *dentry) +int setattr_should_drop_suidgid(struct user_namespace *mnt_userns, + struct inode *inode) { - umode_t mode = d_inode(dentry)->i_mode; + umode_t mode = inode->i_mode; int kill = 0; /* suid always must be killed */ if (unlikely(mode & S_ISUID)) kill = ATTR_KILL_SUID; - /* - * sgid without any exec bits is just a mandatory locking mark; leave - * it alone. If some exec bits are set, it's a real sgid; kill it. - */ - if (unlikely((mode & S_ISGID) && (mode & S_IXGRP))) - kill |= ATTR_KILL_SGID; + kill |= setattr_should_drop_sgid(mnt_userns, inode); if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode))) return kill; return 0; } -EXPORT_SYMBOL(should_remove_suid); +EXPORT_SYMBOL(setattr_should_drop_suidgid); /** * chown_ok - verify permissions to chown inode @@ -440,7 +445,7 @@ int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry, } } if (ia_valid & ATTR_KILL_SGID) { - if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { + if (mode & S_ISGID) { if (!(ia_valid & ATTR_MODE)) { ia_valid = attr->ia_valid |= ATTR_MODE; attr->ia_mode = inode->i_mode; 
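Review bot: dropping the S_IXGRP test in notify_change() means any caller that puts ATTR_KILL_SGID into ia_valid itself, rather than getting it from setattr_should_drop_sgid(), now clears S_ISGID on non-executable files too; chown_common() is converted later in this patch, but the commit message should say that every other in-tree raiser of ATTR_KILL_SGID was audited, because for them the old gate was the only thing preserving the bit. Second point, in setattr_should_drop_suidgid() the final `!capable(CAP_FSETID)` still tests the caller against the initial user namespace, while the ATTR_KILL_SGID value it just ORed in was decided by in_group_or_capable(mnt_userns, ...) relative to the mount's namespace; either use capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID) here as well, or add a comment saying the stricter global check is intended so the two halves are not read as a mistake.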
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index cc95a1c37644..2b19d281351e 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1295,7 +1295,7 @@ static ssize_t fuse_cache_write_iter(struct kiocb *iocb, struct iov_iter *from) return err; if (fc->handle_killpriv_v2 && - should_remove_suid(file_dentry(file))) { + setattr_should_drop_suidgid(&init_user_ns, file_inode(file))) { goto writethrough; } diff --git a/fs/inode.c b/fs/inode.c index 3811269259e1..079b64f9b756 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1869,7 +1869,8 @@ EXPORT_SYMBOL(touch_atime); * response to write or truncate. Return 0 if nothing has to be changed. * Negative value on error (change should be denied). */ -int dentry_needs_remove_privs(struct dentry *dentry) +int dentry_needs_remove_privs(struct user_namespace *mnt_userns, + struct dentry *dentry) { struct inode *inode = d_inode(dentry); int mask = 0; @@ -1878,7 +1879,7 @@ int dentry_needs_remove_privs(struct dentry *dentry) if (IS_NOSEC(inode)) return 0; - mask = should_remove_suid(dentry); + mask = setattr_should_drop_suidgid(mnt_userns, inode); ret = security_inode_need_killpriv(dentry); if (ret < 0) return ret; @@ -1920,7 +1921,7 @@ int file_remove_privs(struct file *file) if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode)) return 0; - kill = dentry_needs_remove_privs(dentry); + kill = dentry_needs_remove_privs(file_mnt_user_ns(file), dentry); if (kill < 0) return kill; if (kill) diff --git a/fs/internal.h b/fs/internal.h index 45cf31d7380b..46df4ce58e87 100644 --- a/fs/internal.h +++ b/fs/internal.h 
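Review bot: fuse_cache_write_iter() passes &init_user_ns to setattr_should_drop_suidgid() while the file_remove_privs() hunk in the same patch passes file_mnt_user_ns(file); if fuse cannot be idmap-mounted on 5.15 the two are equivalent today, but the group-membership test inside setattr_should_drop_sgid() now depends on that argument, so either use file_mnt_user_ns(file) here too or leave a one-line comment explaining why init_user_ns is correct, so the call sites do not silently diverge when that assumption changes.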
@@ -149,7 +149,7 @@ extern int vfs_open(const struct path *, struct file *); */ extern long prune_icache_sb(struct super_block *sb, struct shrink_control *sc); extern void inode_add_lru(struct inode *inode); -extern int dentry_needs_remove_privs(struct dentry *dentry); +int dentry_needs_remove_privs(struct user_namespace *, struct dentry *dentry); bool in_group_or_capable(struct user_namespace *mnt_userns, const struct inode *inode, kgid_t gid); diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index fc5f780fa235..92182d4be247 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -1994,7 +1994,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, } } - if (file && should_remove_suid(file->f_path.dentry)) { + if (file && setattr_should_drop_suidgid(&init_user_ns, file_inode(file))) { ret = __ocfs2_write_remove_suid(inode, di_bh); if (ret) { mlog_errno(ret); @@ -2282,7 +2282,7 @@ static int ocfs2_prepare_inode_for_write(struct file *file, * inode. There's also the dinode i_size state which * can be lost via setattr during extending writes (we * set inode->i_size at the end of a write. */ - if (should_remove_suid(dentry)) { + if (setattr_should_drop_suidgid(&init_user_ns, inode)) { if (meta_level == 0) { ocfs2_inode_unlock_for_extent_tree(inode, &di_bh, diff --git a/fs/open.c b/fs/open.c index 5e322f188e83..e93c33069055 100644 --- a/fs/open.c +++ b/fs/open.c @@ -54,7 +54,7 @@ int do_truncate(struct user_namespace *mnt_userns, struct dentry *dentry, } /* Remove suid, sgid, and file capabilities on truncate too */ - ret = dentry_needs_remove_privs(dentry); + ret = dentry_needs_remove_privs(mnt_userns, dentry); if (ret < 0) return ret; if (ret) 
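Review bot: the new fs/internal.h prototype `int dentry_needs_remove_privs(struct user_namespace *, struct dentry *dentry);` names one parameter and not the other; use `struct user_namespace *mnt_userns` to match the definition in fs/inode.c and the in_group_or_capable() declaration right below it. The two ocfs2 call sites hard-code &init_user_ns for the same reason as the fuse one, so whatever comment or helper is chosen there should be applied here as well; do_truncate() passing its own mnt_userns through is the pattern to aim for.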
@@ -671,10 +671,10 @@ int chown_common(const struct path *path, uid_t user, gid_t group) newattrs.ia_valid |= ATTR_GID; newattrs.ia_gid = gid; } - if (!S_ISDIR(inode->i_mode)) - newattrs.ia_valid |= - ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV; inode_lock(inode); + if (!S_ISDIR(inode->i_mode)) + newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV | + setattr_should_drop_sgid(mnt_userns, inode); error = security_path_chown(path, uid, gid); if (!error) error = notify_change(mnt_userns, path->dentry, &newattrs, diff --git a/include/linux/fs.h b/include/linux/fs.h index be9be4a7216c..9601c2d774c8 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
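Review bot: the ATTR_KILL_SGID decision in chown_common() is now taken under inode_lock(), which is correct since it reads i_mode and i_gid, but setattr_should_drop_sgid() evaluates the caller's group membership against the inode's current gid, not the gid being set in newattrs.ia_gid; so for a chgrp of a non-executable setgid file the bit survives only if the caller is in the old group or privileged over the inode. That is defensible, but it is the one place in the series where the helper runs with ownership about to change, so a short comment on the intended semantics would help; ATTR_KILL_SUID remaining unconditional for non-directories preserves the previous chown behaviour and is fine.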
@@ -3133,7 +3133,7 @@ extern void __destroy_inode(struct inode *); extern struct inode *new_inode_pseudo(struct super_block *sb); extern struct inode *new_inode(struct super_block *sb); extern void free_inode_nonrcu(struct inode *inode); -extern int should_remove_suid(struct dentry *); +extern int setattr_should_drop_suidgid(struct user_namespace *, struct inode *); extern int file_remove_privs(struct file *); extern void __insert_inode_hash(struct inode *, unsigned long hashval);

From patchwork Tue Mar 7 18:59:22 2023
X-Patchwork-Id: 13164642
From: Leah Rumancik
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, amir73il@gmail.com, chandan.babu@oracle.com, Christian Brauner, Miklos Szeredi, Leah Rumancik, "Darrick J . Wong"
Subject: [PATCH 5.15 11/11] fs: use consistent setgid checks in is_sxid()
Date: Tue, 7 Mar 2023 10:59:22 -0800
Message-Id: <20230307185922.125907-12-leah.rumancik@gmail.com>
In-Reply-To: <20230307185922.125907-1-leah.rumancik@gmail.com>
References: <20230307185922.125907-1-leah.rumancik@gmail.com>

From: Christian Brauner

commit 8d84e39d76bd83474b26cb44f4b338635676e7e8 upstream.

Now that we made the VFS setgid checking consistent an inode can't be
marked security irrelevant even if the setgid bit is still set. Make this
function consistent with all other helpers.

Note that enforcing consistent setgid stripping checks for file
modification and mode- and ownership changes will cause the setgid bit to
be lost in more cases than used to be the case. If an unprivileged user
wrote to a non-executable setgid file that they don't have privilege over
the setgid bit will be dropped. This will lead to temporary failures in
some xfstests until they have been updated.

Reported-by: Miklos Szeredi
Signed-off-by: Christian Brauner (Microsoft)
Signed-off-by: Amir Goldstein
Tested-by: Leah Rumancik
Acked-by: Darrick J. Wong
---
 include/linux/fs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/fs.h b/include/linux/fs.h
index 9601c2d774c8..23ecfecdc450 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3571,7 +3571,7 @@ int __init list_bdev_fs_names(char *buf, size_t size); static inline bool is_sxid(umode_t mode) { - return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP)); + return mode & (S_ISUID | S_ISGID); } static inline int check_sticky(struct user_namespace *mnt_userns,
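Review bot: widening is_sxid() to any S_ISGID inode is the right follow-through, but it has a performance side effect the commit message does not mention: a non-executable setgid regular file can no longer be marked security-irrelevant, so the `if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode)) return 0;` fast path in file_remove_privs() stops applying to it and every write takes the full dentry_needs_remove_privs() walk. Also, since this is a stable backport, name the xfstests that are expected to fail until they are updated (the previous patch lists generic/673, 683, 685, 686 and 687 for the overlayfs cases), so downstream consumers can tell an expected failure from a regression.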