[PATCH 0/14] New uid & gid mount option parsing helpers

[PATCH 0/14] New uid & gid mount option parsing helpers

[Eric Sandeen]

Multiple filesystems take uid and gid as options, and the code to
create the ID from an integer and validate it is standard boilerplate
that can be moved into common helper functions, so do that for
consistency and less cut&paste.

This also helps avoid the buggy pattern noted by Seth Jenkins at
https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
because uid/gid parsing will fail before any assignment in most
filesystems.

Net effect is a bit of code removal, as well.

Patch 1 is the infrastructure change, then per-fs conversions follow,
cc'd as appropriate.

This series is also at
https://git.kernel.org/pub/scm/linux/kernel/git/sandeen/linux.git/log/?h=mount-api-uid-helper

Thanks,
-Eric

 Documentation/filesystems/mount_api.rst |    9 +++++++--
 fs/autofs/inode.c                       |   16 ++++------------
 fs/debugfs/inode.c                      |   16 ++++------------
 fs/efivarfs/super.c                     |   12 ++++--------
 fs/exfat/super.c                        |    8 ++++----
 fs/ext4/super.c                         |   22 ++++------------------
 fs/fs_parser.c                          |   34 ++++++++++++++++++++++++++++++++++
 fs/fuse/inode.c                         |   12 ++++--------
 fs/hugetlbfs/inode.c                    |   12 ++++--------
 fs/isofs/inode.c                        |   16 ++++------------
 fs/ntfs3/super.c                        |   12 ++++--------
 fs/smb/client/fs_context.c              |   39 ++++++++++++---------------------------
 fs/tracefs/inode.c                      |   16 ++++------------
 include/linux/fs_parser.h               |    6 +++++-
 mm/shmem.c                              |   12 ++++--------
 15 files changed, 102 insertions(+), 140 deletions(-)

[PATCH 01/14] fs_parse: add uid & gid option option parsing helpers

[Eric Sandeen]

Multiple filesystems take uid and gid as options, and the code to
create the ID from an integer and validate it is standard boilerplate
that can be moved into common helper functions, so do that for
consistency and less cut&paste.

This also helps avoid the buggy pattern noted by Seth Jenkins at
https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
because uid/gid parsing will fail before any assignment in most
filesystems.

Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---
 Documentation/filesystems/mount_api.rst |  9 +++++--
 fs/fs_parser.c                          | 34 +++++++++++++++++++++++++
 include/linux/fs_parser.h               |  6 ++++-
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst
index 9aaf6ef75eb5..317934c9e8fc 100644
--- a/Documentation/filesystems/mount_api.rst
+++ b/Documentation/filesystems/mount_api.rst
@@ -645,6 +645,8 @@ The members are as follows:
 	fs_param_is_blockdev	Blockdev path		* Needs lookup
 	fs_param_is_path	Path			* Needs lookup
 	fs_param_is_fd		File descriptor		result->int_32
+	fs_param_is_uid		User ID (u32)           result->uid
+	fs_param_is_gid		Group ID (u32)          result->gid
 	=======================	=======================	=====================
 
      Note that if the value is of fs_param_is_bool type, fs_parse() will try
@@ -678,6 +680,8 @@ The members are as follows:
 	fsparam_bdev()		fs_param_is_blockdev
 	fsparam_path()		fs_param_is_path
 	fsparam_fd()		fs_param_is_fd
+	fsparam_uid()		fs_param_is_uid
+	fsparam_gid()		fs_param_is_gid
 	=======================	===============================================
 
      all of which take two arguments, name string and option number - for
@@ -784,8 +788,9 @@ process the parameters it is given.
      option number (which it returns).
 
      If successful, and if the parameter type indicates the result is a
-     boolean, integer or enum type, the value is converted by this function and
-     the result stored in result->{boolean,int_32,uint_32,uint_64}.
+     boolean, integer, enum, uid, or gid type, the value is converted by this
+     function and the result stored in
+     result->{boolean,int_32,uint_32,uint_64,uid,gid}.
 
      If a match isn't initially made, the key is prefixed with "no" and no
      value is present then an attempt will be made to look up the key with the
diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index a4d6ca0b8971..24727ec34e5a 100644
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -308,6 +308,40 @@ int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p,
 }
 EXPORT_SYMBOL(fs_param_is_fd);
 
+int fs_param_is_uid(struct p_log *log, const struct fs_parameter_spec *p,
+		    struct fs_parameter *param, struct fs_parse_result *result)
+{
+	kuid_t uid;
+
+	if (fs_param_is_u32(log, p, param, result) != 0)
+		return fs_param_bad_value(log, param);
+
+	uid = make_kuid(current_user_ns(), result->uint_32);
+	if (!uid_valid(uid))
+		return inval_plog(log, "Invalid uid '%s'", param->string);
+
+	result->uid = uid;
+	return 0;
+}
+EXPORT_SYMBOL(fs_param_is_uid);
+
+int fs_param_is_gid(struct p_log *log, const struct fs_parameter_spec *p,
+		    struct fs_parameter *param, struct fs_parse_result *result)
+{
+	kgid_t gid;
+
+	if (fs_param_is_u32(log, p, param, result) != 0)
+		return fs_param_bad_value(log, param);
+
+	gid = make_kgid(current_user_ns(), result->uint_32);
+	if (!gid_valid(gid))
+		return inval_plog(log, "Invalid gid '%s'", param->string);
+
+	result->gid = gid;
+	return 0;
+}
+EXPORT_SYMBOL(fs_param_is_gid);
+
 int fs_param_is_blockdev(struct p_log *log, const struct fs_parameter_spec *p,
 		  struct fs_parameter *param, struct fs_parse_result *result)
 {
diff --git a/include/linux/fs_parser.h b/include/linux/fs_parser.h
index d3350979115f..6cf713a7e6c6 100644
--- a/include/linux/fs_parser.h
+++ b/include/linux/fs_parser.h
@@ -28,7 +28,7 @@ typedef int fs_param_type(struct p_log *,
  */
 fs_param_type fs_param_is_bool, fs_param_is_u32, fs_param_is_s32, fs_param_is_u64,
 	fs_param_is_enum, fs_param_is_string, fs_param_is_blob, fs_param_is_blockdev,
-	fs_param_is_path, fs_param_is_fd;
+	fs_param_is_path, fs_param_is_fd, fs_param_is_uid, fs_param_is_gid;
 
 /*
  * Specification of the type of value a parameter wants.
@@ -57,6 +57,8 @@ struct fs_parse_result {
 		int		int_32;		/* For spec_s32/spec_enum */
 		unsigned int	uint_32;	/* For spec_u32{,_octal,_hex}/spec_enum */
 		u64		uint_64;	/* For spec_u64 */
+		kuid_t		uid;
+		kgid_t		gid;
 	};
 };
 
@@ -131,6 +133,8 @@ static inline bool fs_validate_description(const char *name,
 #define fsparam_bdev(NAME, OPT)	__fsparam(fs_param_is_blockdev, NAME, OPT, 0, NULL)
 #define fsparam_path(NAME, OPT)	__fsparam(fs_param_is_path, NAME, OPT, 0, NULL)
 #define fsparam_fd(NAME, OPT)	__fsparam(fs_param_is_fd, NAME, OPT, 0, NULL)
+#define fsparam_uid(NAME, OPT) __fsparam(fs_param_is_uid, NAME, OPT, 0, NULL)
+#define fsparam_gid(NAME, OPT) __fsparam(fs_param_is_gid, NAME, OPT, 0, NULL)
 
 /* String parameter that allows empty argument */
 #define fsparam_string_empty(NAME, OPT) \
-- 
2.45.2

[PATCH 02/14] autofs: Convert to new uid/gid option parsing helpers

[Eric Sandeen]

Convert to new uid/gid option parsing helpers

Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---
 fs/autofs/inode.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
index 1f5db6863663..cf792d4de4f1 100644
--- a/fs/autofs/inode.c
+++ b/fs/autofs/inode.c
@@ -126,7 +126,7 @@ enum {
 const struct fs_parameter_spec autofs_param_specs[] = {
 	fsparam_flag	("direct",		Opt_direct),
 	fsparam_fd	("fd",			Opt_fd),
-	fsparam_u32	("gid",			Opt_gid),
+	fsparam_gid	("gid",			Opt_gid),
 	fsparam_flag	("ignore",		Opt_ignore),
 	fsparam_flag	("indirect",		Opt_indirect),
 	fsparam_u32	("maxproto",		Opt_maxproto),
@@ -134,7 +134,7 @@ const struct fs_parameter_spec autofs_param_specs[] = {
 	fsparam_flag	("offset",		Opt_offset),
 	fsparam_u32	("pgrp",		Opt_pgrp),
 	fsparam_flag	("strictexpire",	Opt_strictexpire),
-	fsparam_u32	("uid",			Opt_uid),
+	fsparam_uid	("uid",			Opt_uid),
 	{}
 };
 
@@ -193,8 +193,6 @@ static int autofs_parse_param(struct fs_context *fc, struct fs_parameter *param)
 	struct autofs_fs_context *ctx = fc->fs_private;
 	struct autofs_sb_info *sbi = fc->s_fs_info;
 	struct fs_parse_result result;
-	kuid_t uid;
-	kgid_t gid;
 	int opt;
 
 	opt = fs_parse(fc, autofs_param_specs, param, &result);
@@ -205,16 +203,10 @@ static int autofs_parse_param(struct fs_context *fc, struct fs_parameter *param)
 	case Opt_fd:
 		return autofs_parse_fd(fc, sbi, param, &result);
 	case Opt_uid:
-		uid = make_kuid(current_user_ns(), result.uint_32);
-		if (!uid_valid(uid))
-			return invalfc(fc, "Invalid uid");
-		ctx->uid = uid;
+		ctx->uid = result.uid;
 		break;
 	case Opt_gid:
-		gid = make_kgid(current_user_ns(), result.uint_32);
-		if (!gid_valid(gid))
-			return invalfc(fc, "Invalid gid");
-		ctx->gid = gid;
+		ctx->gid = result.gid;
 		break;
 	case Opt_pgrp:
 		ctx->pgrp = result.uint_32;
-- 
2.45.2

Re: [PATCH 01/14] fs_parse: add uid & gid option option parsing helpers

[Jan Kara]

On Thu 27-06-24 19:26:24, Eric Sandeen wrote:
> Multiple filesystems take uid and gid as options, and the code to
> create the ID from an integer and validate it is standard boilerplate
> that can be moved into common helper functions, so do that for
> consistency and less cut&paste.
> 
> This also helps avoid the buggy pattern noted by Seth Jenkins at
> https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
> because uid/gid parsing will fail before any assignment in most
> filesystems.
> 
> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>

I like the idea since this seems like a nobrainer but is actually
surprisingly subtle...

> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> index a4d6ca0b8971..24727ec34e5a 100644
> --- a/fs/fs_parser.c
> +++ b/fs/fs_parser.c
> @@ -308,6 +308,40 @@ int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p,
>  }
>  EXPORT_SYMBOL(fs_param_is_fd);
>  
> +int fs_param_is_uid(struct p_log *log, const struct fs_parameter_spec *p,
> +		    struct fs_parameter *param, struct fs_parse_result *result)
> +{
> +	kuid_t uid;
> +
> +	if (fs_param_is_u32(log, p, param, result) != 0)
> +		return fs_param_bad_value(log, param);
> +
> +	uid = make_kuid(current_user_ns(), result->uint_32);

But here is the problem: Filesystems mountable in user namespaces need to use
fc->user_ns for resolving uids / gids (e.g. like fuse_parse_param()).
Having helpers that work for some filesystems and are subtly broken for
others is worse than no helpers... Or am I missing something?

And the problem with fc->user_ns is that currently __fs_parse() does not
get fs_context as an argument... So that will need some larger work.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: [PATCH 0/14] New uid & gid mount option parsing helpers

[Christian Brauner]

On Thu, Jun 27, 2024 at 07:24:59PM GMT, Eric Sandeen wrote:
> Multiple filesystems take uid and gid as options, and the code to
> create the ID from an integer and validate it is standard boilerplate
> that can be moved into common helper functions, so do that for
> consistency and less cut&paste.
> 
> This also helps avoid the buggy pattern noted by Seth Jenkins at
> https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
> because uid/gid parsing will fail before any assignment in most
> filesystems.
> 
> Net effect is a bit of code removal, as well.

Thanks, this all looks good to me. I'll have one comment about the fuse
patch.

Re: [PATCH 01/14] fs_parse: add uid & gid option option parsing helpers

[Christian Brauner]

On Fri, Jun 28, 2024 at 11:45:17AM GMT, Jan Kara wrote:
> On Thu 27-06-24 19:26:24, Eric Sandeen wrote:
> > Multiple filesystems take uid and gid as options, and the code to
> > create the ID from an integer and validate it is standard boilerplate
> > that can be moved into common helper functions, so do that for
> > consistency and less cut&paste.
> > 
> > This also helps avoid the buggy pattern noted by Seth Jenkins at
> > https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
> > because uid/gid parsing will fail before any assignment in most
> > filesystems.
> > 
> > Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
> 
> I like the idea since this seems like a nobrainer but is actually
> surprisingly subtle...
> 
> > diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> > index a4d6ca0b8971..24727ec34e5a 100644
> > --- a/fs/fs_parser.c
> > +++ b/fs/fs_parser.c
> > @@ -308,6 +308,40 @@ int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p,
> >  }
> >  EXPORT_SYMBOL(fs_param_is_fd);
> >  
> > +int fs_param_is_uid(struct p_log *log, const struct fs_parameter_spec *p,
> > +		    struct fs_parameter *param, struct fs_parse_result *result)
> > +{
> > +	kuid_t uid;
> > +
> > +	if (fs_param_is_u32(log, p, param, result) != 0)
> > +		return fs_param_bad_value(log, param);
> > +
> > +	uid = make_kuid(current_user_ns(), result->uint_32);
> 
> But here is the problem: Filesystems mountable in user namespaces need to use
> fc->user_ns for resolving uids / gids (e.g. like fuse_parse_param()).
> Having helpers that work for some filesystems and are subtly broken for
> others is worse than no helpers... Or am I missing something?
> 
> And the problem with fc->user_ns is that currently __fs_parse() does not
> get fs_context as an argument... So that will need some larger work.

Not really. If someone does an fsopen() in a namespace but the process
that actually sets mount options is in another namespace then it's
completely intransparent what uid/gid this will resolve to if it's
resovled according to fsopen().

It's also a bit strange if someone ends up handing off a tmpfs fscontext
that was created in the initial namespace to some random namespace and
they now can set uid/gid options that aren't mapped according to their
namespace but instead are 1:1 resolved according to the intial
namespace. So this would hinder delegation.

The expectation is that uid/gid options are resolved in the caller's
namespace and that shouldn't be any different for fscontexts for
namespace mountable filesystems. The crucial point is to ensure that the
resulting kuid/kgid can be resolved in the namespace the filesystem is
mounted in at the end. That's what was lacking in e.g., tmpfs in commit
0200679fc795 ("tmpfs: verify {g,u}id mount options correctly")

The fuse conversion is the only inconsistency in that regard.

Re: [PATCH 01/14] fs_parse: add uid & gid option option parsing helpers

[Eric Sandeen]

On 6/28/24 4:45 AM, Jan Kara wrote:
> On Thu 27-06-24 19:26:24, Eric Sandeen wrote:
>> Multiple filesystems take uid and gid as options, and the code to
>> create the ID from an integer and validate it is standard boilerplate
>> that can be moved into common helper functions, so do that for
>> consistency and less cut&paste.
>>
>> This also helps avoid the buggy pattern noted by Seth Jenkins at
>> https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
>> because uid/gid parsing will fail before any assignment in most
>> filesystems.
>>
>> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
> 
> I like the idea since this seems like a nobrainer but is actually
> surprisingly subtle...
> 
>> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
>> index a4d6ca0b8971..24727ec34e5a 100644
>> --- a/fs/fs_parser.c
>> +++ b/fs/fs_parser.c
>> @@ -308,6 +308,40 @@ int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p,
>>  }
>>  EXPORT_SYMBOL(fs_param_is_fd);
>>  
>> +int fs_param_is_uid(struct p_log *log, const struct fs_parameter_spec *p,
>> +		    struct fs_parameter *param, struct fs_parse_result *result)
>> +{
>> +	kuid_t uid;
>> +
>> +	if (fs_param_is_u32(log, p, param, result) != 0)
>> +		return fs_param_bad_value(log, param);
>> +
>> +	uid = make_kuid(current_user_ns(), result->uint_32);
> 
> But here is the problem: Filesystems mountable in user namespaces need to use
> fc->user_ns for resolving uids / gids (e.g. like fuse_parse_param()).
> Having helpers that work for some filesystems and are subtly broken for
> others is worse than no helpers... Or am I missing something?

Yeah, I should have pointed that out. tmpfs still does that check after the
initial trivial parsing after this change to use the basic helper:

        case Opt_uid:
                kuid = result.uid;
        
                /*
                 * The requested uid must be representable in the
                 * filesystem's idmapping.
                 */
                if (!kuid_has_mapping(fc->user_ns, kuid))
                        goto bad_value;
        
                ctx->uid = kuid;
                break;

I can see your point about risks of a helper that doesn't cover all cases
though.
 
> And the problem with fc->user_ns is that currently __fs_parse() does not
> get fs_context as an argument... So that will need some larger work.

Yup, this was discussed a little when I sent this idea as an RFC, and the
(brief/small) consensus was that it was worth going this far for now.

Getting fc back into __fs_parse looks rather tricky and Al was not keen
on the idea, for some reason.

Thanks,
-Eric
> 								Honza

Re: [PATCH 02/14] autofs: Convert to new uid/gid option parsing helpers

[Ian Kent]

On 28/6/24 08:27, Eric Sandeen wrote:
> Convert to new uid/gid option parsing helpers
>
> Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
> ---
>   fs/autofs/inode.c | 16 ++++------------
>   1 file changed, 4 insertions(+), 12 deletions(-)
>
> diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> index 1f5db6863663..cf792d4de4f1 100644
> --- a/fs/autofs/inode.c
> +++ b/fs/autofs/inode.c
> @@ -126,7 +126,7 @@ enum {
>   const struct fs_parameter_spec autofs_param_specs[] = {
>   	fsparam_flag	("direct",		Opt_direct),
>   	fsparam_fd	("fd",			Opt_fd),
> -	fsparam_u32	("gid",			Opt_gid),
> +	fsparam_gid	("gid",			Opt_gid),
>   	fsparam_flag	("ignore",		Opt_ignore),
>   	fsparam_flag	("indirect",		Opt_indirect),
>   	fsparam_u32	("maxproto",		Opt_maxproto),
> @@ -134,7 +134,7 @@ const struct fs_parameter_spec autofs_param_specs[] = {
>   	fsparam_flag	("offset",		Opt_offset),
>   	fsparam_u32	("pgrp",		Opt_pgrp),
>   	fsparam_flag	("strictexpire",	Opt_strictexpire),
> -	fsparam_u32	("uid",			Opt_uid),
> +	fsparam_uid	("uid",			Opt_uid),
>   	{}
>   };
>   
> @@ -193,8 +193,6 @@ static int autofs_parse_param(struct fs_context *fc, struct fs_parameter *param)
>   	struct autofs_fs_context *ctx = fc->fs_private;
>   	struct autofs_sb_info *sbi = fc->s_fs_info;
>   	struct fs_parse_result result;
> -	kuid_t uid;
> -	kgid_t gid;
>   	int opt;
>   
>   	opt = fs_parse(fc, autofs_param_specs, param, &result);
> @@ -205,16 +203,10 @@ static int autofs_parse_param(struct fs_context *fc, struct fs_parameter *param)
>   	case Opt_fd:
>   		return autofs_parse_fd(fc, sbi, param, &result);
>   	case Opt_uid:
> -		uid = make_kuid(current_user_ns(), result.uint_32);
> -		if (!uid_valid(uid))
> -			return invalfc(fc, "Invalid uid");
> -		ctx->uid = uid;
> +		ctx->uid = result.uid;
>   		break;
>   	case Opt_gid:
> -		gid = make_kgid(current_user_ns(), result.uint_32);
> -		if (!gid_valid(gid))
> -			return invalfc(fc, "Invalid gid");
> -		ctx->gid = gid;
> +		ctx->gid = result.gid;
>   		break;
>   	case Opt_pgrp:
>   		ctx->pgrp = result.uint_32;


I like the idea and it looks just fine for autofs.

Acked-by: Ian Kent <raven@themaw.net>


Ian

Re: [PATCH 01/14] fs_parse: add uid & gid option option parsing helpers

[Jan Kara]

On Fri 28-06-24 14:23:35, Christian Brauner wrote:
> On Fri, Jun 28, 2024 at 11:45:17AM GMT, Jan Kara wrote:
> > On Thu 27-06-24 19:26:24, Eric Sandeen wrote:
> > > Multiple filesystems take uid and gid as options, and the code to
> > > create the ID from an integer and validate it is standard boilerplate
> > > that can be moved into common helper functions, so do that for
> > > consistency and less cut&paste.
> > > 
> > > This also helps avoid the buggy pattern noted by Seth Jenkins at
> > > https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
> > > because uid/gid parsing will fail before any assignment in most
> > > filesystems.
> > > 
> > > Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
> > 
> > I like the idea since this seems like a nobrainer but is actually
> > surprisingly subtle...
> > 
> > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> > > index a4d6ca0b8971..24727ec34e5a 100644
> > > --- a/fs/fs_parser.c
> > > +++ b/fs/fs_parser.c
> > > @@ -308,6 +308,40 @@ int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p,
> > >  }
> > >  EXPORT_SYMBOL(fs_param_is_fd);
> > >  
> > > +int fs_param_is_uid(struct p_log *log, const struct fs_parameter_spec *p,
> > > +		    struct fs_parameter *param, struct fs_parse_result *result)
> > > +{
> > > +	kuid_t uid;
> > > +
> > > +	if (fs_param_is_u32(log, p, param, result) != 0)
> > > +		return fs_param_bad_value(log, param);
> > > +
> > > +	uid = make_kuid(current_user_ns(), result->uint_32);
> > 
> > But here is the problem: Filesystems mountable in user namespaces need to use
> > fc->user_ns for resolving uids / gids (e.g. like fuse_parse_param()).
> > Having helpers that work for some filesystems and are subtly broken for
> > others is worse than no helpers... Or am I missing something?
> > 
> > And the problem with fc->user_ns is that currently __fs_parse() does not
> > get fs_context as an argument... So that will need some larger work.
> 
> Not really. If someone does an fsopen() in a namespace but the process
> that actually sets mount options is in another namespace then it's
> completely intransparent what uid/gid this will resolve to if it's
> resovled according to fsopen().
> 
> It's also a bit strange if someone ends up handing off a tmpfs fscontext
> that was created in the initial namespace to some random namespace and
> they now can set uid/gid options that aren't mapped according to their
> namespace but instead are 1:1 resolved according to the intial
> namespace. So this would hinder delegation.
> 
> The expectation is that uid/gid options are resolved in the caller's
> namespace and that shouldn't be any different for fscontexts for
> namespace mountable filesystems. The crucial point is to ensure that the
> resulting kuid/kgid can be resolved in the namespace the filesystem is
> mounted in at the end. That's what was lacking in e.g., tmpfs in commit
> 0200679fc795 ("tmpfs: verify {g,u}id mount options correctly")
> 
> The fuse conversion is the only inconsistency in that regard.

OK, thanks for explanation!

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: (subset) [PATCH 0/14] New uid & gid mount option parsing helpers

[Christian Brauner]

On Thu, 27 Jun 2024 19:24:59 -0500, Eric Sandeen wrote:
> Multiple filesystems take uid and gid as options, and the code to
> create the ID from an integer and validate it is standard boilerplate
> that can be moved into common helper functions, so do that for
> consistency and less cut&paste.
> 
> This also helps avoid the buggy pattern noted by Seth Jenkins at
> https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com/
> because uid/gid parsing will fail before any assignment in most
> filesystems.
> 
> [...]

I've snatched everything but the fuse change as we should do that one in
two steps.

---

Applied to the vfs.mount.api branch of the vfs/vfs.git tree.
Patches in the vfs.mount.api branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.mount.api

[01/14] fs_parse: add uid & gid option option parsing helpers
        https://git.kernel.org/vfs/vfs/c/9f111059e725
[02/14] autofs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/748cddf13de5
[03/14] debugfs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/49abee5991e1
[04/14] efivarfs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/dcffad38c767
[05/14] exfat: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/ffe1b94d7464
[06/14] ext4: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/6b5732b5ca4f
[08/14] hugetlbfs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/eefc13247722
[09/14] isofs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/6a265845db28
[10/14] ntfs3: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/c449cb5d1bce
[11/14] tmpfs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/2ec07010b6a9
[12/14] smb: client: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/3229e3a5a374
[13/14] tracefs: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/b548291690d1
[14/14] vboxsf: Convert to new uid/gid option parsing helpers
        https://git.kernel.org/vfs/vfs/c/da99d45bd551