| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <pze5ejdkh5hr6qz75xbn65vmjyaw2iauseqdi52sjt3tzc6sk4@wi7vy4af5vof>
Date: Mon, 24 Feb 2025 17:38:29 +0100
From: Andrey Albershteyn <aalbersh@...hat.com>
To: Jan Kara <jack@...e.cz>
Cc: Richard Henderson <richard.henderson@...aro.org>,
Matt Turner <mattst88@...il.com>, Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>, Michal Simek <monstr@...str.eu>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>, "James E.J. Bottomley" <James.Bottomley@...senpartnership.com>,
Helge Deller <deller@....de>, Madhavan Srinivasan <maddy@...ux.ibm.com>,
Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>,
Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>,
Alexander Gordeev <agordeev@...ux.ibm.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>,
Sven Schnelle <svens@...ux.ibm.com>, Yoshinori Sato <ysato@...rs.sourceforge.jp>,
Rich Felker <dalias@...c.org>, John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
"David S. Miller" <davem@...emloft.net>, Andreas Larsson <andreas@...sler.com>,
Andy Lutomirski <luto@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Chris Zankel <chris@...kel.net>, Max Filippov <jcmvbkbc@...il.com>,
Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>,
Mickaël Salaün <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>,
Arnd Bergmann <arnd@...db.de>, linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, linux-m68k@...ts.linux-m68k.org, linux-mips@...r.kernel.org,
linux-parisc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-s390@...r.kernel.org,
linux-sh@...r.kernel.org, sparclinux@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-api@...r.kernel.org, linux-arch@...r.kernel.org,
linux-xfs@...r.kernel.org
Subject: Re: [PATCH v3] fs: introduce getfsxattrat and setfsxattrat syscalls
On 2025-02-24 11:54:34, Jan Kara wrote:
> On Tue 11-02-25 18:22:47, Andrey Albershteyn wrote:
> > From: Andrey Albershteyn <aalbersh@...hat.com>
> >
> > Introduce getfsxattrat and setfsxattrat syscalls to manipulate inode
> > extended attributes/flags. The syscalls take parent directory fd and
> > path to the child together with struct fsxattr.
> >
> > This is an alternative to FS_IOC_FSSETXATTR ioctl with a difference
> > that file don't need to be open as we can reference it with a path
> > instead of fd. By having this we can manipulated inode extended
> > attributes not only on regular files but also on special ones. This
> > is not possible with FS_IOC_FSSETXATTR ioctl as with special files
> > we can not call ioctl() directly on the filesystem inode using fd.
> >
> > This patch adds two new syscalls which allows userspace to get/set
> > extended inode attributes on special files by using parent directory
> > and a path - *at() like syscall.
> >
> > Also, as vfs_fileattr_set() is now will be called on special files
> > too, let's forbid any other attributes except projid and nextents
> > (symlink can have an extent).
> >
> > CC: linux-api@...r.kernel.org
> > CC: linux-fsdevel@...r.kernel.org
> > CC: linux-xfs@...r.kernel.org
> > Signed-off-by: Andrey Albershteyn <aalbersh@...hat.com>
>
> Some comments below:
>
> > +SYSCALL_DEFINE4(getfsxattrat, int, dfd, const char __user *, filename,
> > + struct fsxattr __user *, fsx, unsigned int, at_flags)
> > +{
> > + CLASS(fd, dir)(dfd);
> > + struct fileattr fa;
> > + struct path filepath;
> > + int error;
> > + unsigned int lookup_flags = 0;
> > +
> > + if ((at_flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
> > + return -EINVAL;
> > +
> > + if (at_flags & AT_SYMLINK_FOLLOW)
> ^^ This should be !(at_flags & AT_SYMLINK_NOFOLLOW)?
>
> In the check above you verify for AT_SYMLINK_NOFOLLOW and that also matches
> what setxattrat() does...
Right, didn't notice that this is actually opposite to setxattrat(),
will change that.
>
>
> > + lookup_flags |= LOOKUP_FOLLOW;
> > +
> > + if (at_flags & AT_EMPTY_PATH)
> > + lookup_flags |= LOOKUP_EMPTY;
> > +
> > + if (fd_empty(dir))
> > + return -EBADF;
>
> This check is wrong and in fact the whole dfd handling looks buggy.
> openat(2) manpage describes the expected behavior:
>
> The dirfd argument is used in conjunction with the pathname argument as
> follows:
>
> • If the pathname given in pathname is absolute, then dirfd is ig-
> nored.
> ^^^^ This is what you break. If the pathname is absolute, you're
> not expected to touch dirfd.
>
> • If the pathname given in pathname is relative and dirfd is the spe-
> cial value AT_FDCWD, then pathname is interpreted relative to the
> current working directory of the calling process (like open()).
> ^^^ Also AT_FDCWD handling would be broken by the above check.
>
> • If the pathname given in pathname is relative, then it is inter-
> preted relative to the directory referred to by the file descriptor
> dirfd (rather than relative to the current working directory of the
> calling process, as is done by open() for a relative pathname). In
> this case, dirfd must be a directory that was opened for reading
> (O_RDONLY) or using the O_PATH flag.
>
> If the pathname given in pathname is relative, and dirfd is not a valid
> file descriptor, an error (EBADF) results. (Specifying an invalid file
> descriptor number in dirfd can be used as a means to ensure that path-
> name is absolute.)
>
> > +
> > + error = user_path_at(dfd, filename, lookup_flags, &filepath);
> ^^^ And user_path_at() isn't quite what you need either
> because with AT_EMPTY_PATH we also want to allow for filename to be NULL
> (not just empty string) and user_path_at() does not support that. That's
> why I in my previous replies suggested you should follow what setxattrat()
> does and that sadly it is more painful than it should be. You need
> something like:
>
> name = getname_maybe_null(filename, at_flags);
> if (!name) {
> CLASS(fd, f)(dfd);
>
> if (fd_empty(f))
> return -EBADF;
> error = vfs_fileattr_get(file_dentry(fd_file(f)), &fa);
> } else {
> error = filename_lookup(dfd, filename, lookup_flags, &filepath,
> NULL);
> if (error)
> goto out;
> error = vfs_fileattr_get(filepath.dentry, &fa);
> path_put(&filepath);
> }
> if (!error)
> error = copy_fsxattr_to_user(&fa, fsx);
> out:
> putname(name);
> return error;
>
> Longer term, we need to provide user_path_maybe_null_at() for this but I
> don't want to drag you into this cleanup :)
Oh, I missed that, thanks for pointing this out, I will change it as
suggested.
--
- Andrey
Powered by blists - more mailing lists