lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20220803122600.55053-1-broonie@kernel.org>
Date:   Wed,  3 Aug 2022 13:26:00 +0100
From:   broonie@...nel.org
To:     Miklos Szeredi <miklos@...redi.hu>
Cc:     Christian Brauner <brauner@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux Next Mailing List <linux-next@...r.kernel.org>,
        Miklos Szeredi <mszeredi@...hat.com>,
        Yang Xu <xuyang2018.jy@...itsu.com>
Subject: linux-next: manual merge of the overlayfs tree with the origin tree

Hi all,

Today's linux-next merge of the overlayfs tree got a conflict in:

  fs/overlayfs/inode.c

between commit:

  1aa5fef575a83 ("ovl: handle idmappings in ovl_get_acl()")

from the origin tree and commit:

  ded536561a367 ("ovl: improve ovl_get_acl() if POSIX ACL support is off")

from the overlayfs tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --cc fs/overlayfs/inode.c
index 7922b619f6c8b,beef5e2ff5639..0000000000000
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@@ -454,95 -454,26 +454,97 @@@ ssize_t ovl_listxattr(struct dentry *de
  	return res;
  }
  
 +/*
 + * Apply the idmapping of the layer to POSIX ACLs. The caller must pass a clone
 + * of the POSIX ACLs retrieved from the lower layer to this function to not
 + * alter the POSIX ACLs for the underlying filesystem.
 + */
 +static void ovl_idmap_posix_acl(struct user_namespace *mnt_userns,
 +				struct posix_acl *acl)
 +{
 +	for (unsigned int i = 0; i < acl->a_count; i++) {
 +		vfsuid_t vfsuid;
 +		vfsgid_t vfsgid;
 +
 +		struct posix_acl_entry *e = &acl->a_entries[i];
 +		switch (e->e_tag) {
 +		case ACL_USER:
 +			vfsuid = make_vfsuid(mnt_userns, &init_user_ns, e->e_uid);
 +			e->e_uid = vfsuid_into_kuid(vfsuid);
 +			break;
 +		case ACL_GROUP:
 +			vfsgid = make_vfsgid(mnt_userns, &init_user_ns, e->e_gid);
 +			e->e_gid = vfsgid_into_kgid(vfsgid);
 +			break;
 +		}
 +	}
 +}
 +
 +/*
 + * When the relevant layer is an idmapped mount we need to take the idmapping
 + * of the layer into account and translate any ACL_{GROUP,USER} values
 + * according to the idmapped mount.
 + *
 + * We cannot alter the ACLs returned from the relevant layer as that would
 + * alter the cached values filesystem wide for the lower filesystem. Instead we
 + * can clone the ACLs and then apply the relevant idmapping of the layer.
 + *
 + * This is obviously only relevant when idmapped layers are used.
 + */
+ #ifdef CONFIG_FS_POSIX_ACL
  struct posix_acl *ovl_get_acl(struct inode *inode, int type, bool rcu)
  {
  	struct inode *realinode = ovl_inode_real(inode);
 -	const struct cred *old_cred;
 -	struct posix_acl *acl;
 +	struct posix_acl *acl, *clone;
 +	struct path realpath;
  
- 	if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
+ 	if (!IS_POSIXACL(realinode))
  		return NULL;
  
 -	if (rcu)
 -		return get_cached_acl_rcu(realinode, type);
 +	/* Careful in RCU walk mode */
 +	ovl_i_path_real(inode, &realpath);
 +	if (!realpath.dentry) {
 +		WARN_ON(!rcu);
 +		return ERR_PTR(-ECHILD);
 +	}
  
 -	old_cred = ovl_override_creds(inode->i_sb);
 -	acl = get_acl(realinode, type);
 -	revert_creds(old_cred);
 +	if (rcu) {
 +		acl = get_cached_acl_rcu(realinode, type);
 +	} else {
 +		const struct cred *old_cred;
 +
 +		old_cred = ovl_override_creds(inode->i_sb);
 +		acl = get_acl(realinode, type);
 +		revert_creds(old_cred);
 +	}
 +	/*
 +	 * If there are no POSIX ACLs, or we encountered an error,
 +	 * or the layer isn't idmapped we don't need to do anything.
 +	 */
 +	if (!is_idmapped_mnt(realpath.mnt) || IS_ERR_OR_NULL(acl))
 +		return acl;
  
 -	return acl;
 +	/*
 +	 * We only get here if the layer is idmapped. So drop out of RCU path
 +	 * walk so we can clone the ACLs. There's no need to release the ACLs
 +	 * since get_cached_acl_rcu() doesn't take a reference on the ACLs.
 +	 */
 +	if (rcu)
 +		return ERR_PTR(-ECHILD);
 +
 +	clone = posix_acl_clone(acl, GFP_KERNEL);
 +	if (!clone)
 +		clone = ERR_PTR(-ENOMEM);
 +	else
 +		ovl_idmap_posix_acl(mnt_user_ns(realpath.mnt), clone);
 +	/*
 +	 * Since we're not in RCU path walk we always need to release the
 +	 * original ACLs.
 +	 */
 +	posix_acl_release(acl);
 +	return clone;
  }
+ #endif
  
  int ovl_update_time(struct inode *inode, struct timespec64 *ts, int flags)
  {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ