Re: [RFC PATCH 1/1] overlayfs: use kernel service credentials for copy up and xattr manipulations

[Serge Hallyn <serge.hallyn@ubuntu.com>]

Quoting Andy Whitcroft (apw@canonical.com):
> We need to be priviledged to perform operations such as copy up and
> xattr manipulations on "trusted.".  Use prepare_kernel_cred to obtain
> the necessary priviledges; from its documentation:
> 
>    "Prepare a set of credentials for a kernel service.  This can then be
>     used to override a task's own credentials so that work can be done
>     on behalf of that task that requires a different subjective context."
> 
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Thanks, Andy.  Both of these worked, and both look sane.  I prefer
this patch, personally, but my test+ack applies to either.

Tested-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

> ---
>  fs/overlayfs/copy_up.c | 14 +-------------
>  fs/overlayfs/dir.c     | 35 +++++++++++------------------------
>  fs/overlayfs/readdir.c | 18 ++----------------
>  fs/overlayfs/super.c   |  4 +---
>  4 files changed, 15 insertions(+), 56 deletions(-)
> 
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 351c162..c7894de 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -276,24 +276,12 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
>  	}
>  
>  	err = -ENOMEM;
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred)
>  		goto out_free_link;
>  
>  	override_cred->fsuid = stat->uid;
>  	override_cred->fsgid = stat->gid;
> -	/*
> -	 * CAP_SYS_ADMIN for copying up extended attributes
> -	 * CAP_DAC_OVERRIDE for create
> -	 * CAP_FOWNER for chmod, timestamp update
> -	 * CAP_FSETID for chmod
> -	 * CAP_MKNOD for mknod
> -	 */
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
> -	cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
> -	cap_raise(override_cred->cap_effective, CAP_FOWNER);
> -	cap_raise(override_cred->cap_effective, CAP_FSETID);
> -	cap_raise(override_cred->cap_effective, CAP_MKNOD);
>  	old_cred = override_creds(override_cred);
>  
>  	mutex_lock_nested(&upperdir->d_inode->i_mutex, I_MUTEX_PARENT);
> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
> index a209409..0a7eb4a 100644
> --- a/fs/overlayfs/dir.c
> +++ b/fs/overlayfs/dir.c
> @@ -11,6 +11,7 @@
>  #include <linux/namei.h>
>  #include <linux/xattr.h>
>  #include <linux/security.h>
> +#include <linux/sched.h>
>  #include <linux/cred.h>
>  #include "overlayfs.h"
>  
> @@ -26,20 +27,16 @@ static int ovl_whiteout(struct dentry *upperdir, struct dentry *dentry)
>  	/* FIXME: recheck lower dentry to see if whiteout is really needed */
>  
>  	err = -ENOMEM;
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred)
>  		goto out;
>  
> -	/*
> -	 * CAP_SYS_ADMIN for setxattr
> -	 * CAP_DAC_OVERRIDE for symlink creation
> -	 * CAP_FOWNER for unlink in sticky directory
> -	 */
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
> -	cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
> -	cap_raise(override_cred->cap_effective, CAP_FOWNER);
> -	override_cred->fsuid = GLOBAL_ROOT_UID;
> -	override_cred->fsgid = GLOBAL_ROOT_GID;
> +	override_cred->fsuid = make_kuid(current_user_ns(), 0);
> +	if (!uid_valid(override_cred->fsuid))
> +		override_cred->fsuid = GLOBAL_ROOT_UID;
> +	override_cred->fsgid = make_kgid(current_user_ns(), 0);
> +	if (!gid_valid(override_cred->fsgid))
> +		override_cred->fsgid = GLOBAL_ROOT_GID;
>  	old_cred = override_creds(override_cred);
>  
>  	newdentry = lookup_one_len(dentry->d_name.name, upperdir,
> @@ -103,16 +100,10 @@ static struct dentry *ovl_lookup_create(struct dentry *upperdir,
>  			goto out_dput;
>  
>  		err = -ENOMEM;
> -		override_cred = prepare_creds();
> +		override_cred = prepare_kernel_cred(NULL);
>  		if (!override_cred)
>  			goto out_dput;
>  
> -		/*
> -		 * CAP_SYS_ADMIN for getxattr
> -		 * CAP_FOWNER for unlink in sticky directory
> -		 */
> -		cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
> -		cap_raise(override_cred->cap_effective, CAP_FOWNER);
>  		old_cred = override_creds(override_cred);
>  
>  		err = -EEXIST;
> @@ -205,12 +196,10 @@ static int ovl_set_opaque(struct dentry *upperdentry)
>  	const struct cred *old_cred;
>  	struct cred *override_cred;
>  
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred)
>  		return -ENOMEM;
>  
> -	/* CAP_SYS_ADMIN for setxattr of "trusted" namespace */
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
>  	old_cred = override_creds(override_cred);
>  	err = vfs_setxattr(upperdentry, ovl_opaque_xattr, "y", 1, 0);
>  	revert_creds(old_cred);
> @@ -225,12 +214,10 @@ static int ovl_remove_opaque(struct dentry *upperdentry)
>  	const struct cred *old_cred;
>  	struct cred *override_cred;
>  
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred)
>  		return -ENOMEM;
>  
> -	/* CAP_SYS_ADMIN for removexattr of "trusted" namespace */
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
>  	old_cred = override_creds(override_cred);
>  	err = vfs_removexattr(upperdentry, ovl_opaque_xattr);
>  	revert_creds(old_cred);
> diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
> index 9c6f08f..1cc4cbd 100644
> --- a/fs/overlayfs/readdir.c
> +++ b/fs/overlayfs/readdir.c
> @@ -218,18 +218,12 @@ static int ovl_dir_mark_whiteouts(struct ovl_readdir_data *rdd)
>  	const struct cred *old_cred;
>  	struct cred *override_cred;
>  
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred) {
>  		ovl_cache_free(rdd->list);
>  		return -ENOMEM;
>  	}
>  
> -	/*
> -	 * CAP_SYS_ADMIN for getxattr
> -	 * CAP_DAC_OVERRIDE for lookup
> -	 */
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
> -	cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
>  	old_cred = override_creds(override_cred);
>  
>  	mutex_lock(&rdd->dir->d_inode->i_mutex);
> @@ -503,18 +497,10 @@ static int ovl_remove_whiteouts(struct dentry *dir, struct list_head *list)
>  	ovl_path_upper(dir, &upperpath);
>  	upperdir = upperpath.dentry;
>  
> -	override_cred = prepare_creds();
> +	override_cred = prepare_kernel_cred(NULL);
>  	if (!override_cred)
>  		return -ENOMEM;
>  
> -	/*
> -	 * CAP_DAC_OVERRIDE for lookup and unlink
> -	 * CAP_SYS_ADMIN for setxattr of "trusted" namespace
> -	 * CAP_FOWNER for unlink in sticky directory
> -	 */
> -	cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
> -	cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
> -	cap_raise(override_cred->cap_effective, CAP_FOWNER);
>  	old_cred = override_creds(override_cred);
>  
>  	err = vfs_setxattr(upperdir, ovl_opaque_xattr, "y", 1, 0);
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index 50890c2..79288a8 100644
> --- a/fs/overlayfs/super.c
> +++ b/fs/overlayfs/super.c
> @@ -304,12 +304,10 @@ static int ovl_do_lookup(struct dentry *dentry)
>  			struct cred *override_cred;
>  
>  			err = -ENOMEM;
> -			override_cred = prepare_creds();
> +			override_cred = prepare_kernel_cred(NULL);
>  			if (!override_cred)
>  				goto out_dput_upper;
>  
> -			/* CAP_SYS_ADMIN needed for getxattr */
> -			cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
>  			old_cred = override_creds(override_cred);
>  
>  			if (ovl_is_opaquedir(upperdentry)) {
> -- 
> 1.9.0