[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <55AE4915.9010702@yandex-team.ru>
Date: Tue, 21 Jul 2015 16:28:53 +0300
From: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
To: David Howells <dhowells@...hat.com>, sds@...ho.nsa.gov,
viro@...iv.linux.org.uk, miklos@...redi.hu
CC: linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/8] overlayfs: Make f_path always point to the overlay
and f_inode to the underlay
On 20.07.2015 15:42, Konstantin Khlebnikov wrote:
> On 18.06.2015 16:32, David Howells wrote:
>> Make file->f_path always point to the overlay dentry so that the path in
>> /proc/pid/fd is correct and to ensure that label-based LSMs have
>> access to the
>> overlay as well as the underlay (path-based LSMs probably don't need it).
>
> Cool. Looks like this fixes MNT_NOEXEC,MNT_NOSUID,MNT_NODEV for
> overlayfs. But probably breaks MNT_LOCK_NOEXEC/SUID/DEV.
Just checked: mount -o remount,nosuid and noexec now work as expected.
Flag -o nodev already worked before because it's checked before open.
Overlayfs now ignores these restrictions from lower mountpoints.
Looks like all ok but some brave maintainers add FS_USERNS_MOUNT to
overlayfs: this way any user can create user-ns and bypass restrictions
of underlying filesystem like that was in CVE-2015-1328.
Executing suid binaries from noexec/nosuid filesystem shouldn't be a
problem if this happens only inside user-ns and mnt-ns. Right?
>
>>
>> Using my union testsuite to set things up, before the patch I see:
>>
>> [root@...romeda union-testsuite]# bash 5</mnt/a/foo107
>> [root@...romeda union-testsuite]# ls -l /proc/$$/fd/
>> ...
>> lr-x------. 1 root root 64 Jun 5 14:38 5 -> /a/foo107
>> [root@...romeda union-testsuite]# stat /mnt/a/foo107
>> ...
>> Device: 23h/35d Inode: 13381 Links: 1
>> ...
>> [root@...romeda union-testsuite]# stat -L /proc/$$/fd/5
>> ...
>> Device: 23h/35d Inode: 13381 Links: 1
>> ...
>>
>> After the patch:
>>
>> [root@...romeda union-testsuite]# bash 5</mnt/a/foo107
>> [root@...romeda union-testsuite]# ls -l /proc/$$/fd/
>> ...
>> lr-x------. 1 root root 64 Jun 5 14:22 5 -> /mnt/a/foo107
>> [root@...romeda union-testsuite]# stat /mnt/a/foo107
>> ...
>> Device: 23h/35d Inode: 40346 Links: 1
>> ...
>> [root@...romeda union-testsuite]# stat -L /proc/$$/fd/5
>> ...
>> Device: 23h/35d Inode: 40346 Links: 1
>> ...
>>
>> Note the change in where /proc/$$/fd/5 points to in the ls command.
>> It was
>> pointing to /a/foo107 (which doesn't exist) and now points to
>> /mnt/a/foo107
>> (which is correct).
>>
>> The inode accessed, however, is the lower layer. The union layer is
>> on device
>> 25h/37d and the upper layer on 24h/36d.
>>
>> Signed-off-by: David Howells <dhowells@...hat.com>
>> ---
>>
>> fs/dcache.c | 5 ++++-
>> fs/internal.h | 1 +
>> fs/open.c | 49
>> ++++++++++++++++++++++++----------------------
>> fs/overlayfs/inode.c | 14 ++++++-------
>> fs/overlayfs/overlayfs.h | 1 +
>> fs/overlayfs/super.c | 1 +
>> include/linux/dcache.h | 2 ++
>> include/linux/fs.h | 2 --
>> 8 files changed, 41 insertions(+), 34 deletions(-)
>>
>> diff --git a/fs/dcache.c b/fs/dcache.c
>> index 37b5afdaf698..c4ce35110704 100644
>> --- a/fs/dcache.c
>> +++ b/fs/dcache.c
>> @@ -1673,7 +1673,8 @@ void d_set_d_op(struct dentry *dentry, const
>> struct dentry_operations *op)
>> DCACHE_OP_COMPARE |
>> DCACHE_OP_REVALIDATE |
>> DCACHE_OP_WEAK_REVALIDATE |
>> - DCACHE_OP_DELETE ));
>> + DCACHE_OP_DELETE |
>> + DCACHE_OP_SELECT_INODE));
>> dentry->d_op = op;
>> if (!op)
>> return;
>> @@ -1689,6 +1690,8 @@ void d_set_d_op(struct dentry *dentry, const
>> struct dentry_operations *op)
>> dentry->d_flags |= DCACHE_OP_DELETE;
>> if (op->d_prune)
>> dentry->d_flags |= DCACHE_OP_PRUNE;
>> + if (op->d_select_inode)
>> + dentry->d_flags |= DCACHE_OP_SELECT_INODE;
>>
>> }
>> EXPORT_SYMBOL(d_set_d_op);
>> diff --git a/fs/internal.h b/fs/internal.h
>> index 01dce1d1476b..4d5af583ab03 100644
>> --- a/fs/internal.h
>> +++ b/fs/internal.h
>> @@ -107,6 +107,7 @@ extern struct file *do_file_open_root(struct
>> dentry *, struct vfsmount *,
>> extern long do_handle_open(int mountdirfd,
>> struct file_handle __user *ufh, int open_flag);
>> extern int open_check_o_direct(struct file *f);
>> +extern int vfs_open(const struct path *, struct file *, const struct
>> cred *);
>>
>> /*
>> * inode.c
>> diff --git a/fs/open.c b/fs/open.c
>> index e0250bdcc440..b1c5823b7f11 100644
>> --- a/fs/open.c
>> +++ b/fs/open.c
>> @@ -678,18 +678,18 @@ int open_check_o_direct(struct file *f)
>> }
>>
>> static int do_dentry_open(struct file *f,
>> + struct inode *inode,
>> int (*open)(struct inode *, struct file *),
>> const struct cred *cred)
>> {
>> static const struct file_operations empty_fops = {};
>> - struct inode *inode;
>> int error;
>>
>> f->f_mode = OPEN_FMODE(f->f_flags) | FMODE_LSEEK |
>> FMODE_PREAD | FMODE_PWRITE;
>>
>> path_get(&f->f_path);
>> - inode = f->f_inode = f->f_path.dentry->d_inode;
>> + f->f_inode = inode;
>> f->f_mapping = inode->i_mapping;
>>
>> if (unlikely(f->f_flags & O_PATH)) {
>> @@ -793,7 +793,8 @@ int finish_open(struct file *file, struct dentry
>> *dentry,
>> BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
>>
>> file->f_path.dentry = dentry;
>> - error = do_dentry_open(file, open, current_cred());
>> + error = do_dentry_open(file, d_backing_inode(dentry), open,
>> + current_cred());
>> if (!error)
>> *opened |= FILE_OPENED;
>>
>> @@ -822,6 +823,28 @@ int finish_no_open(struct file *file, struct
>> dentry *dentry)
>> }
>> EXPORT_SYMBOL(finish_no_open);
>>
>> +/**
>> + * vfs_open - open the file at the given path
>> + * @path: path to open
>> + * @file: newly allocated file with f_flag initialized
>> + * @cred: credentials to use
>> + */
>> +int vfs_open(const struct path *path, struct file *file,
>> + const struct cred *cred)
>> +{
>> + struct dentry *dentry = path->dentry;
>> + struct inode *inode = dentry->d_inode;
>> +
>> + file->f_path = *path;
>> + if (dentry->d_flags & DCACHE_OP_SELECT_INODE) {
>> + inode = dentry->d_op->d_select_inode(dentry, file->f_flags);
>> + if (IS_ERR(inode))
>> + return PTR_ERR(inode);
>> + }
>> +
>> + return do_dentry_open(file, inode, NULL, cred);
>> +}
>> +
>> struct file *dentry_open(const struct path *path, int flags,
>> const struct cred *cred)
>> {
>> @@ -853,26 +876,6 @@ struct file *dentry_open(const struct path *path,
>> int flags,
>> }
>> EXPORT_SYMBOL(dentry_open);
>>
>> -/**
>> - * vfs_open - open the file at the given path
>> - * @path: path to open
>> - * @filp: newly allocated file with f_flag initialized
>> - * @cred: credentials to use
>> - */
>> -int vfs_open(const struct path *path, struct file *filp,
>> - const struct cred *cred)
>> -{
>> - struct inode *inode = path->dentry->d_inode;
>> -
>> - if (inode->i_op->dentry_open)
>> - return inode->i_op->dentry_open(path->dentry, filp, cred);
>> - else {
>> - filp->f_path = *path;
>> - return do_dentry_open(filp, NULL, cred);
>> - }
>> -}
>> -EXPORT_SYMBOL(vfs_open);
>> -
>> static inline int build_open_flags(int flags, umode_t mode, struct
>> open_flags *op)
>> {
>> int lookup_flags = 0;
>> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
>> index 21079d1ca2aa..f140e3dbfb7b 100644
>> --- a/fs/overlayfs/inode.c
>> +++ b/fs/overlayfs/inode.c
>> @@ -337,31 +337,30 @@ static bool ovl_open_need_copy_up(int flags,
>> enum ovl_path_type type,
>> return true;
>> }
>>
>> -static int ovl_dentry_open(struct dentry *dentry, struct file *file,
>> - const struct cred *cred)
>> +struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned
>> file_flags)
>> {
>> int err;
>> struct path realpath;
>> enum ovl_path_type type;
>>
>> type = ovl_path_real(dentry, &realpath);
>> - if (ovl_open_need_copy_up(file->f_flags, type, realpath.dentry)) {
>> + if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
>> err = ovl_want_write(dentry);
>> if (err)
>> - return err;
>> + return ERR_PTR(err);
>>
>> - if (file->f_flags & O_TRUNC)
>> + if (file_flags & O_TRUNC)
>> err = ovl_copy_up_last(dentry, NULL, true);
>> else
>> err = ovl_copy_up(dentry);
>> ovl_drop_write(dentry);
>> if (err)
>> - return err;
>> + return ERR_PTR(err);
>>
>> ovl_path_upper(dentry, &realpath);
>> }
>>
>> - return vfs_open(&realpath, file, cred);
>> + return d_backing_inode(realpath.dentry);
>> }
>>
>> static const struct inode_operations ovl_file_inode_operations = {
>> @@ -372,7 +371,6 @@ static const struct inode_operations
>> ovl_file_inode_operations = {
>> .getxattr = ovl_getxattr,
>> .listxattr = ovl_listxattr,
>> .removexattr = ovl_removexattr,
>> - .dentry_open = ovl_dentry_open,
>> };
>>
>> static const struct inode_operations ovl_symlink_inode_operations = {
>> diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
>> index 17ac5afc9ffb..ea5a40b06e3a 100644
>> --- a/fs/overlayfs/overlayfs.h
>> +++ b/fs/overlayfs/overlayfs.h
>> @@ -173,6 +173,7 @@ ssize_t ovl_getxattr(struct dentry *dentry, const
>> char *name,
>> void *value, size_t size);
>> ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size);
>> int ovl_removexattr(struct dentry *dentry, const char *name);
>> +struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned
>> file_flags);
>>
>> struct inode *ovl_new_inode(struct super_block *sb, umode_t mode,
>> struct ovl_entry *oe);
>> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
>> index 5f0d1993e6e3..84c5e27fbfd9 100644
>> --- a/fs/overlayfs/super.c
>> +++ b/fs/overlayfs/super.c
>> @@ -275,6 +275,7 @@ static void ovl_dentry_release(struct dentry *dentry)
>>
>> static const struct dentry_operations ovl_dentry_operations = {
>> .d_release = ovl_dentry_release,
>> + .d_select_inode = ovl_d_select_inode,
>> };
>>
>> static struct ovl_entry *ovl_alloc_entry(unsigned int numlower)
>> diff --git a/include/linux/dcache.h b/include/linux/dcache.h
>> index df334cbacc6d..167ec0934049 100644
>> --- a/include/linux/dcache.h
>> +++ b/include/linux/dcache.h
>> @@ -160,6 +160,7 @@ struct dentry_operations {
>> char *(*d_dname)(struct dentry *, char *, int);
>> struct vfsmount *(*d_automount)(struct path *);
>> int (*d_manage)(struct dentry *, bool);
>> + struct inode *(*d_select_inode)(struct dentry *, unsigned);
>> } ____cacheline_aligned;
>>
>> /*
>> @@ -225,6 +226,7 @@ struct dentry_operations {
>>
>> #define DCACHE_MAY_FREE 0x00800000
>> #define DCACHE_FALLTHRU 0x01000000 /* Fall through to
>> lower layer */
>> +#define DCACHE_OP_SELECT_INODE 0x02000000 /* Unioned entry:
>> dcache op selects inode */
>>
>> extern seqlock_t rename_lock;
>>
>> diff --git a/include/linux/fs.h b/include/linux/fs.h
>> index b577e801b4af..2bd77e10e8e5 100644
>> --- a/include/linux/fs.h
>> +++ b/include/linux/fs.h
>> @@ -1641,7 +1641,6 @@ struct inode_operations {
>> int (*set_acl)(struct inode *, struct posix_acl *, int);
>>
>> /* WARNING: probably going away soon, do not use! */
>> - int (*dentry_open)(struct dentry *, struct file *, const struct
>> cred *);
>> } ____cacheline_aligned;
>>
>> ssize_t rw_copy_check_uvector(int type, const struct iovec __user *
>> uvector,
>> @@ -2194,7 +2193,6 @@ extern struct file *file_open_name(struct
>> filename *, int, umode_t);
>> extern struct file *filp_open(const char *, int, umode_t);
>> extern struct file *file_open_root(struct dentry *, struct vfsmount *,
>> const char *, int);
>> -extern int vfs_open(const struct path *, struct file *, const struct
>> cred *);
>> extern struct file * dentry_open(const struct path *, int, const
>> struct cred *);
>> extern int filp_close(struct file *, fl_owner_t id);
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> linux-fsdevel" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists