Message-ID: <2164801.1747125039@warthog.procyon.org.uk>
Date: Tue, 13 May 2025 09:30:39 +0100
From: David Howells <dhowells@...hat.com>
To: Christian Brauner <brauner@...nel.org>
Cc: dhowells@...hat.com, Alexander Viro <viro@...iv.linux.org.uk>,
Etienne Champetier <champetier.etienne@...il.com>,
Marc Dionne <marc.dionne@...istor.com>,
Jeffrey Altman <jaltman@...istor.com>,
Chet Ramey <chet.ramey@...e.edu>, Steve French <sfrench@...ba.org>,
linux-afs@...ts.infradead.org, openafs-devel@...nafs.org,
linux-cifs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir
Christian Brauner <brauner@...nel.org> wrote:
> There's a few other places where we compare vfsuids:
>
> * may_delete()
>   -> check_sticky()
>      -> __check_sticky()
>
> * may_follow_link()
>
> * may_linkat()
>
> * fsuidgid_has_mapping()
>
> Any of those need special treatment on AFS as well?
That's a good question. I think it might be better to switch back to the v1
patch - which gives me two separate ops and provide a couple of vfs wrappers
for them and use them more widely.
So, perhaps:

	vfs_have_same_owner(inode1, inode2)

which indicates if the two inodes have the same ownership and:

	vfs_is_owned_by_me(inode)

which compares the inode's ownership to current_fsuid() by default.
The following places need to be considered for being changed:

 (*) chown_ok()
 (*) chgrp_ok()

     Should call vfs_is_owned_by_me(). Possibly these need to defer all their
     checks to the network filesystem as the interpretation of the target
     UID/GID depends on the netfs.

 (*) do_coredump()

     Should probably call vfs_is_owned_by_me() to check that the file created
     is owned by the caller - but the check that's there might be sufficient.

 (*) inode_owner_or_capable()

     Should call vfs_is_owned_by_me(). I'm not sure whether the namespace
     mapping makes sense in such a case, but it probably could be used.

 (*) vfs_setlease()

     Should call vfs_is_owned_by_me(). Actually, it should query if leasing
     is permitted.

     Also, setting locks could perhaps do with a permission call to the
     filesystem driver as AFS, for example, has a lock permission bit in the
     ACL, but since the AFS server checks that when the RPC call is made, it's
     probably unnecessary.

 (*) acl_permission_check()
 (*) posix_acl_permission()

     UIDs are part of these ACLs, so no change required. AFS implements its
     own ACLs and evaluates them in ->permission() and on the server.
 (*) may_follow_link()

     Should call vfs_is_owned_by_me() and also vfs_have_same_owner() on the
     link and its parent dir. The latter only applies on world-writable
     sticky dirs.
 (*) may_create_in_sticky()

     The initial subject of this patch. Should call both vfs_is_owned_by_me()
     and vfs_have_same_owner().

 (*) __check_sticky()

     Should call vfs_is_owned_by_me() on both the dir and the inode.

 (*) may_dedupe_file()

     Should call vfs_is_owned_by_me().

 (*) IMA policy ops.

     No idea.
David
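As an added illustration (not kernel code and not part of this thread), here is a small user-space model of the two proposed helpers and of the sticky-directory O_CREAT check that started the patch. The struct layout, the ops table and the AFS stand-in field `server_says_mine` are assumptions made for the example; it shows why a plain uid comparison fails for a file whose owner uid comes from an AFS server rather than the local user database.

```c
/* Added user-space model, not kernel code: proposed vfs_is_owned_by_me() /
 * vfs_have_same_owner() wrappers plus a may_create_in_sticky() check. */
#include <stdbool.h>

#define S_ISVTX 01000
#define S_IWOTH 00002

struct inode;
struct ownership_ops {	/* hypothetical per-fs ops; NULL = local uid compare */
	bool (*is_owned_by_me)(const struct inode *inode, unsigned int fsuid);
	bool (*have_same_owner)(const struct inode *a, const struct inode *b);
};
struct inode {
	unsigned int i_uid;	/* owner as reported by the filesystem */
	unsigned int i_mode;	/* only S_ISVTX / S_IWOTH matter here */
	bool server_says_mine;	/* constructed stand-in for an AFS server verdict */
	const struct ownership_ops *ops;
};

static bool vfs_is_owned_by_me(const struct inode *inode, unsigned int fsuid)
{
	if (inode->ops && inode->ops->is_owned_by_me)
		return inode->ops->is_owned_by_me(inode, fsuid);
	return inode->i_uid == fsuid;	/* local fs: plain uid comparison */
}

static bool vfs_have_same_owner(const struct inode *a, const struct inode *b)
{
	if (a->ops && a->ops->have_same_owner)
		return a->ops->have_same_owner(a, b);
	return a->i_uid == b->i_uid;
}

/* AFS stand-in: the server's uid is not a local uid, so never compare it with
 * current_fsuid(); defer to the server's own answer instead. */
static bool afs_is_owned_by_me(const struct inode *inode, unsigned int fsuid)
{
	(void)fsuid;
	return inode->server_says_mine;
}
static const struct ownership_ops afs_ops = { .is_owned_by_me = afs_is_owned_by_me };

/* Model of may_create_in_sticky(): in a world-writable sticky dir, O_CREAT on an
 * existing file is refused unless the caller owns it or dir and file share an owner. */
static bool may_create_in_sticky(const struct inode *dir, const struct inode *file, unsigned int fsuid)
{
	if ((dir->i_mode & (S_ISVTX | S_IWOTH)) != (S_ISVTX | S_IWOTH))
		return true;
	return vfs_is_owned_by_me(file, fsuid) || vfs_have_same_owner(dir, file);
}
```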