lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240212-vfs-fixes-bd692dfd338a@brauner>
Date: Mon, 12 Feb 2024 14:00:11 +0100
From: Christian Brauner <brauner@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Christian Brauner <brauner@...nel.org>,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [GIT PULL] vfs fixes

Hey Linus,

/* Summary */
This contains two small fixes:

* Fix performance regression introduced by moving the security permission hook
  out of do_clone_file_range() and into its caller vfs_clone_file_range(). This
  causes the security hook to be called in situation were it wasn't called
  before as the fast permission checks were left in do_clone_file_range(). Fix
  this by merging the two implementations back together and restoring the old
  ordering: fast permission checks first, expensive ones later.

* Tweak mount_setattr() permission checking so that mount properties on the
  real rootfs can be changed.

  When we added mount_setattr() we added additional checks compared to legacy
  mount(2). If the mouna had a parent then verify that the caller and the mount
  namespace the mount is attached to match and if not make sure that it's an
  anonymous mount.

  But the real rootfs falls into neither category. It is neither an anoymous
  mount because it is obviously attached to the initial mount namespace but it
  also obviously doesn't have a parent mount. So that means legacy mount(2)
  allows changing mount properties on the real rootfs but mount_setattr(2)
  blocks this. This causes regressions (See the commit for details).

  Fix this by relaxing the check. If the mount has a parent or if it isn't a
  detached mount, verify that the mount namespaces of the caller and the mount
  are the same. Technically, we could probably write this even simpler and
  check that the mount namespaces match if it isn't a detached mount. But the
  slightly longer check makes it clearer what conditions one needs to think
  about.

/* Testing */
clang: Debian clang version 16.0.6 (19)
gcc: (Debian 13.2.0-7) 13.2.0

All patches are based on v6.8-rc1 and have been sitting in linux-next.
No build failures or warnings were observed.

/* Conflicts */
At the time of creating this PR no merge conflicts were reported from
linux-next and no merge conflicts showed up doing a test-merge with
current mainline.

The following changes since commit 6613476e225e090cc9aad49be7fa504e290dd33d:

  Linux 6.8-rc1 (2024-01-21 14:11:32 -0800)

are available in the Git repository at:

  git@...olite.kernel.org:pub/scm/linux/kernel/git/vfs/vfs tags/vfs-6.8-rc5.fixes

for you to fetch changes up to 46f5ab762d048dad224436978315cbc2fa79c630:

  fs: relax mount_setattr() permission checks (2024-02-07 21:16:29 +0100)

Please consider pulling these changes from the signed vfs-6.8-rc5.fixes tag.

Thanks!
Christian

----------------------------------------------------------------
vfs-6.8-rc5.fixes

----------------------------------------------------------------
Amir Goldstein (1):
      remap_range: merge do_clone_file_range() into vfs_clone_file_range()

Christian Brauner (1):
      fs: relax mount_setattr() permission checks

 fs/namespace.c         | 11 ++++++++---
 fs/overlayfs/copy_up.c | 14 ++++++--------
 fs/remap_range.c       | 31 +++++++++----------------------
 include/linux/fs.h     |  3 ---
 4 files changed, 23 insertions(+), 36 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ