From: Christian Brauner <brauner@kernel.org>
To: Amir Goldstein <amir73il@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>
Cc: "Christian Brauner" <brauner@kernel.org>,
"Christoph Hellwig" <hch@lst.de>,
linux-unionfs@vger.kernel.org, "Aleksa Sarai" <cyphar@cyphar.com>,
"Giuseppe Scrivano" <gscrivan@redhat.com>,
"Rodrigo Campos Catelin" <rodrigo@sdfg.com.ar>,
"Seth Forshee" <sforshee@digitalocean.com>,
"Luca Bocassi" <luca.boccassi@microsoft.com>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Stéphane Graber" <stgraber@ubuntu.com>
Subject: [PATCH v2 17/19] ovl: handle idmappings in layer open helpers
Date: Wed, 30 Mar 2022 12:24:05 +0200
Message-ID: <20220330102409.1290850-18-brauner@kernel.org>
In-Reply-To: <20220330102409.1290850-1-brauner@kernel.org>

In earlier patches we already passed down the relevant upper or lower
path to ovl_open_realfile(). Now let the open helpers actually take the
idmapping of the relevant mount into account when checking permissions.
This is needed to support idmapped base layers with overlay.

Cc: <linux-unionfs@vger.kernel.org>
Tested-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
---
/* v2 */
unchanged
---
fs/overlayfs/file.c | 7 +++++--
fs/overlayfs/util.c | 5 +++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 656c30bf20a6..7dd44f4e2757 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -42,6 +42,7 @@ static struct file *ovl_open_realfile(const struct file *file,
{
struct inode *realinode = d_inode(realpath->dentry);
struct inode *inode = file_inode(file);
+ struct user_namespace *real_idmap;
struct file *realfile;
const struct cred *old_cred;
int flags = file->f_flags | OVL_OPEN_FLAGS;
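Review bot: the new `struct user_namespace *real_idmap;` is declared here but only assigned two hunks down, after ovl_override_creds(); the ovl_path_open() change in util.c initializes its `real_idmap` at the declaration from `path->mnt`, and doing the same here (`struct user_namespace *real_idmap = mnt_user_ns(realpath->mnt);`) keeps the two helpers consistent and keeps the idmapping next to the `realinode = d_inode(realpath->dentry)` it belongs to.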
@@ -51,12 +52,14 @@ static struct file *ovl_open_realfile(const struct file *file,
if (flags & O_APPEND)
acc_mode |= MAY_APPEND;
+
old_cred = ovl_override_creds(inode->i_sb);
- err = inode_permission(&init_user_ns, realinode, MAY_OPEN | acc_mode);
+ real_idmap = mnt_user_ns(realpath->mnt);
+ err = inode_permission(real_idmap, realinode, MAY_OPEN | acc_mode);
if (err) {
realfile = ERR_PTR(err);
} else {
- if (!inode_owner_or_capable(&init_user_ns, realinode))
+ if (!inode_owner_or_capable(real_idmap, realinode))
flags &= ~O_NOATIME;
realfile = open_with_fake_path(&file->f_path, flags, realinode,
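Review bot: the added empty line after `acc_mode |= MAY_APPEND;` is a whitespace-only change unrelated to the idmapping fix and should be dropped (the changelog says "unchanged" for v2, so it is easy to miss). On the substance, `mnt_user_ns(realpath->mnt)` is the right source for the idmapping because `realinode` comes from `realpath->dentry` of the same path, so `inode_permission()` and `inode_owner_or_capable()` now compare the mounter's fsuid against the layer-mapped owner instead of the raw on-disk id that `&init_user_ns` produced. Note that `open_with_fake_path(&file->f_path, ...)` below still opens through the overlay path; only the permission and O_NOATIME decisions move to the layer's idmapping in this hunk.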
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 79fae06ee10a..7dd2e5e6662a 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -523,6 +523,7 @@ bool ovl_is_whiteout(struct dentry *dentry)
struct file *ovl_path_open(struct path *path, int flags)
{
struct inode *inode = d_inode(path->dentry);
+ struct user_namespace *real_idmap = mnt_user_ns(path->mnt);
int err, acc_mode;
if (flags & ~(O_ACCMODE | O_LARGEFILE))
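Review bot: `mnt_user_ns(path->mnt)` dereferences `path->mnt` unconditionally, so ovl_path_open() now hard-requires callers to pass a path with the layer's vfsmount set rather than a dentry with a NULL mnt; that was already implied by the `dentry_open(path, ...)` at the end of the function, but a one-line comment above ovl_path_open() stating that `path->mnt` must be the layer mount and that the permission check is done against that mount's idmapping would make the contract explicit for future callers.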
@@ -539,12 +540,12 @@ struct file *ovl_path_open(struct path *path, int flags)
BUG();
}
- err = inode_permission(&init_user_ns, inode, acc_mode | MAY_OPEN);
+ err = inode_permission(real_idmap, inode, acc_mode | MAY_OPEN);
if (err)
return ERR_PTR(err);
/* O_NOATIME is an optimization, don't fail if not permitted */
- if (inode_owner_or_capable(&init_user_ns, inode))
+ if (inode_owner_or_capable(real_idmap, inode))
flags |= O_NOATIME;
return dentry_open(path, flags, current_cred());
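Review bot: the O_NOATIME handling is now duplicated with opposite polarity in the two helpers (here `inode_owner_or_capable(real_idmap, inode)` sets the flag, in ovl_open_realfile() the same check clears it), and both sites need the same idmapping argument; a small shared helper taking the idmapping, the inode and the flags would keep them from drifting as the idmapping API evolves. The existing comment `/* O_NOATIME is an optimization, don't fail if not permitted */` still holds, since the owner check only gates the flag and the `inode_permission()` result above is what decides whether the open fails.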
--
2.32.0
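The reason the `&init_user_ns` argument was wrong for idmapped layers is easiest to see outside the kernel. The program below is an added userspace model of the translation the patch switches to, not code from this series or from the overlayfs tree: it mirrors the kernel's `map_id_down()`/`map_id_up()` extent lookups and the `i_uid_into_mnt()` composition used by `inode_owner_or_capable()` at the time of this series (`make_kuid(mnt_userns, from_kuid(&init_user_ns, kuid))`), and reduces the owner check to the uid comparison, leaving out the CAP_FOWNER path. The layer idmapping `0 10000 1000` and the mounter fsuid 10000 are constructed for the example.

```c
/* Userspace model of the mount-idmapping lookup behind inode_owner_or_capable().
 * Added illustration, not kernel code: extents, ids and the mounter's fsuid
 * are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t kid_t;
#define INVALID_ID ((kid_t)-1)

/* One uid_map extent: "first lower_first count"
 * (id inside the namespace, id in the parent, range length). */
struct id_extent { kid_t first; kid_t lower_first; kid_t count; };
struct id_map { const struct id_extent *extents; size_t nr; };

/* init_user_ns: identity mapping over the whole id space (old argument). */
static const struct id_extent init_extents[] = { { 0, 0, 0xFFFFFFFFu } };
static const struct id_map init_user_ns = { init_extents, 1 };

/* Constructed layer mount idmapped with "0 10000 1000":
 * on-disk uid 0..999 is seen as 10000..10999 through the mount. */
static const struct id_extent layer_extents[] = { { 0, 10000, 1000 } };
static const struct id_map layer_idmap = { layer_extents, 1 };

/* Mirrors map_id_down(): id inside ns -> kernel id (parent view). */
static kid_t map_id_down(const struct id_map *map, kid_t id)
{
    for (size_t i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->extents[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_ID;
}

/* Mirrors map_id_up(): kernel id -> id inside ns. */
static kid_t map_id_up(const struct id_map *map, kid_t id)
{
    for (size_t i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->extents[i];
        if (id >= e->lower_first && id - e->lower_first < e->count)
            return e->first + (id - e->lower_first);
    }
    return INVALID_ID;
}

/* i_uid_into_mnt() as of this series: push the inode's raw kuid through
 * the mount's idmapping. With init_user_ns this is the identity. */
static kid_t i_uid_into_mnt(const struct id_map *mnt_userns, kid_t inode_uid)
{
    kid_t uid = map_id_up(&init_user_ns, inode_uid);
    if (uid == INVALID_ID)
        return INVALID_ID;
    return map_id_down(mnt_userns, uid);
}

/* Owner half of inode_owner_or_capable(); CAP_FOWNER is left out. */
static bool inode_owner(const struct id_map *mnt_userns, kid_t inode_uid,
                        kid_t fsuid)
{
    kid_t i_uid = i_uid_into_mnt(mnt_userns, inode_uid);
    return i_uid != INVALID_ID && i_uid == fsuid;
}

int main(void)
{
    /* Overlay mounted from a userns whose root is kuid 10000; the layer
     * holds a file owned by uid 0 on disk. */
    const kid_t mounter_fsuid = 10000, on_disk_uid = 0;

    printf("init_user_ns : owner=%d\n",
           inode_owner(&init_user_ns, on_disk_uid, mounter_fsuid));
    printf("layer idmap  : owner=%d\n",
           inode_owner(&layer_idmap, on_disk_uid, mounter_fsuid));
    printf("unmapped uid : owner=%d\n",
           inode_owner(&layer_idmap, 5000, mounter_fsuid));
    return 0;
}
```

With the identity mapping the mounter (fsuid 10000) is not the owner of a file stored as uid 0, so the old code would drop O_NOATIME and, for a non-world-accessible file, fail `inode_permission()`; through the layer's idmapping the same file maps to uid 10000 and the check passes. A uid outside the extent (5000 here) maps to the invalid id and is never treated as owned, which is the behaviour a practitioner should expect for files created outside the mapped range.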
Thread overview: 32+ messages
2022-03-30 10:23 [PATCH v2 00/19] overlay: support idmapped layers Christian Brauner
2022-03-30 10:23 ` [PATCH v2 01/19] fs: add two trivial lookup helpers Christian Brauner
2022-03-30 15:25 ` Christoph Hellwig
2022-03-30 16:02 ` Christian Brauner
2022-03-30 10:23 ` [PATCH v2 02/19] exportfs: support idmapped mounts Christian Brauner
2022-03-30 15:26 ` Christoph Hellwig
2022-03-30 16:04 ` Christian Brauner
2022-03-30 16:08 ` Christoph Hellwig
2022-03-30 16:11 ` Christian Brauner
2022-03-30 10:23 ` [PATCH v2 03/19] ovl: use wrappers to all vfs_*xattr() calls Christian Brauner
2022-03-30 10:23 ` [PATCH v2 04/19] ovl: pass ofs to creation operations Christian Brauner
2022-03-30 10:23 ` [PATCH v2 05/19] ovl: add ovl_upper_idmap() wrapper Christian Brauner
2022-03-30 10:23 ` [PATCH v2 06/19] ovl: handle idmappings in creation operations Christian Brauner
2022-03-30 10:23 ` [PATCH v2 07/19] ovl: pass ofs to setattr operations Christian Brauner
2022-03-30 10:23 ` [PATCH v2 08/19] ovl: pass layer mnt to ovl_open_realfile() Christian Brauner
2022-03-30 10:23 ` [PATCH v2 09/19] ovl: use ovl_do_notify_change() wrapper Christian Brauner
2022-03-30 10:23 ` [PATCH v2 10/19] ovl: use ovl_lookup_upper() wrapper Christian Brauner
2022-03-30 10:23 ` [PATCH v2 11/19] ovl: use ovl_path_getxattr() wrapper Christian Brauner
2022-03-30 10:24 ` [PATCH v2 12/19] ovl: handle idmappings for layer fileattrs Christian Brauner
2022-03-30 10:24 ` [PATCH v2 13/19] ovl: handle idmappings for layer lookup Christian Brauner
2022-03-30 10:24 ` [PATCH v2 14/19] ovl: store lower path in ovl_inode Christian Brauner
2022-03-30 10:24 ` [PATCH v2 15/19] ovl: use ovl_copy_{real,upper}attr() wrappers Christian Brauner
2022-03-30 10:24 ` [PATCH v2 16/19] ovl: handle idmappings in ovl_permission() Christian Brauner
2022-03-30 10:24 ` Christian Brauner [this message]
2022-03-30 10:24 ` [PATCH v2 18/19] ovl: handle idmappings in ovl_xattr_{g,s}et() Christian Brauner
2022-03-30 10:24 ` [PATCH v2 19/19] ovl: support idmapped layers Christian Brauner
2022-03-30 11:02 ` Amir Goldstein
2022-03-30 11:07 ` Christian Brauner
2022-03-30 10:24 ` [PATCH v2] common: allow to run all tests on idmapped mounts Christian Brauner
2022-03-30 11:10 ` Amir Goldstein
2022-03-30 11:38 ` Christian Brauner
2022-03-30 12:03 ` Amir Goldstein