From: Valerie Aurora <vaurora@redhat.com>
To: Jan Blunck <jblunck@suse.de>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
Andy Whitcroft <apw@canonical.com>,
Scott James Remnant <scott@canonica
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 39/41] union-mount: Ignore read-only file system in permission checks
Date: Wed, 21 Oct 2009 12:19:37 -0700 [thread overview]
Message-ID: <1256152779-10054-40-git-send-email-vaurora@redhat.com> (raw)
In-Reply-To: <1256152779-10054-39-git-send-email-vaurora@redhat.com>
In certain cases, we check a file for write access before it has been
copied up to the top-level fs. We don't want to fail because the
bottom layer is read-only - of course it is - so skip that check in
those cases.
Thanks to Felix Fietkau <nbd@openwrt.org> for a bug fix.
XXX - Document when to call union_permission() vs. inode_permission()
XXX - Kinda gross. Probably a simpler solution.
Signed-off-by: Valerie Aurora <vaurora@redhat.com>
---
fs/namei.c | 21 +++++++++++++++++----
fs/open.c | 8 ++++++--
fs/union.c | 32 ++++++++++++++++++++++++++++++--
include/linux/fs.h | 1 +
include/linux/union.h | 2 ++
5 files changed, 56 insertions(+), 8 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 61e94aa..a8d3acf 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -230,16 +230,17 @@ int generic_permission(struct inode *inode, int mask,
}
/**
- * inode_permission - check for access rights to a given inode
+ * __inode_permission - check for access rights to a given inode
* @inode: inode to check permission on
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
+ * @rofs: check for read-only fs
*
* Used to check for read/write/execute permissions on an inode.
* We use "fsuid" for this, letting us set arbitrary permissions
* for filesystem access without changing the "normal" uids which
* are used for other things.
*/
-int inode_permission(struct inode *inode, int mask)
+int __inode_permission(struct inode *inode, int mask, int rofs)
{
int retval;
@@ -249,7 +250,7 @@ int inode_permission(struct inode *inode, int mask)
/*
* Nobody gets write access to a read-only fs.
*/
- if (IS_RDONLY(inode) &&
+ if ((rofs & IS_RDONLY(inode)) &&
(S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
return -EROFS;
@@ -277,6 +278,18 @@ int inode_permission(struct inode *inode, int mask)
}
/**
+ * inode_permission - check for access rights to a given inode
+ * @inode: inode to check permission on
+ * @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
+ *
+ * This version pays attention to the MS_RDONLY flag on the fs.
+ */
+int inode_permission(struct inode *inode, int mask)
+{
+ return __inode_permission(inode, mask, 1);
+}
+
+/**
* file_permission - check for additional access rights to a given file
* @file: file to check access rights for
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
@@ -2129,7 +2142,7 @@ int may_open(struct path *path, int acc_mode, int flag)
break;
}
- error = inode_permission(inode, acc_mode);
+ error = union_permission(path, acc_mode);
if (error)
return error;
diff --git a/fs/open.c b/fs/open.c
index dd98e80..3df5a1b 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -30,6 +30,7 @@
#include <linux/audit.h>
#include <linux/falloc.h>
#include <linux/fs_struct.h>
+#include <linux/union.h>
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
{
@@ -333,6 +334,7 @@ static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
error = security_path_truncate(&file->f_path, length,
ATTR_MTIME|ATTR_CTIME);
if (!error)
+ /* Already copied up for union, opened with write */
error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
out_putf:
fput(file);
@@ -493,7 +495,8 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
goto out_path_release;
}
- res = inode_permission(inode, mode | MAY_ACCESS);
+ res = union_permission(&path, mode | MAY_ACCESS);
+
/* SuS v2 requires we report a read only fs too */
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
goto out_path_release;
@@ -507,7 +510,8 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
* inherently racy and know that the fs may change
* state before we even see this result.
*/
- if (__mnt_is_readonly(path.mnt))
+ if ((!is_unionized(path.dentry, path.mnt) &&
+ (__mnt_is_readonly(path.mnt))))
res = -EROFS;
out_path_release:
diff --git a/fs/union.c b/fs/union.c
index d56b829..8d94b22 100644
--- a/fs/union.c
+++ b/fs/union.c
@@ -390,6 +390,30 @@ static int union_relookup_topmost(struct nameidata *nd, int flags)
return err;
}
+
+/**
+ * union_permission - check for access rights to a given inode
+ * @inode: inode to check permission on
+ * @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
+ *
+ * In a union mount, the top layer is always read-write and the bottom
+ * is always read-only. Ignore the read-only flag on the lower fs.
+ *
+ * Only need for certain activities, like checking to see if write
+ * access is ok.
+ */
+
+int union_permission(struct path *path, int mask)
+{
+ struct inode *inode = path->dentry->d_inode;
+
+ if (!is_unionized(path->dentry, path->mnt))
+ return inode_permission(inode, mask);
+
+ /* Tell __inode_permission to ignore MS_RDONLY */
+ return __inode_permission(inode, mask, 0);
+}
+
/*
* union_create_topmost - create the topmost path component
* @nd: pointer to nameidata of the base directory
@@ -489,6 +513,9 @@ static int union_copy_file(struct dentry *old_dentry, struct vfsmount *old_mnt,
if (IS_ERR(new_file))
goto fput_old;
+ /* XXX be smart by using a length param, which indicates max
+ * data we'll want (e.g., we are about to truncate to 0 or 10
+ * bytes or something */
size = i_size_read(old_file->f_path.dentry->d_inode);
if (((size_t)size != size) || ((ssize_t)size != size)) {
ret = -EFBIG;
@@ -516,7 +543,8 @@ static int union_copy_file(struct dentry *old_dentry, struct vfsmount *old_mnt,
* The topmost directory @new_nd must already be locked. Creates the topmost
* file if it doesn't exist yet.
*/
-int __union_copyup(struct path *old, struct nameidata *new_nd, struct path *new)
+int __union_copyup(struct path *old, struct nameidata *new_nd,
+ struct path *new)
{
struct dentry *dentry;
int error;
@@ -581,7 +609,7 @@ out_dput:
* @nd: nameidata pointer to the file
* @flags: flags given to open_namei
*/
-int union_copyup(struct nameidata *nd, int flags)
+int union_copyup(struct nameidata *nd, int flags /* XXX not used */)
{
struct qstr this;
char *name;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 57690ab..38fb113 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2106,6 +2106,7 @@ extern void emergency_remount(void);
extern sector_t bmap(struct inode *, sector_t);
#endif
extern int notify_change(struct dentry *, struct iattr *);
+extern int __inode_permission(struct inode *inode, int mask, int rofs);
extern int inode_permission(struct inode *, int);
extern int generic_permission(struct inode *, int,
int (*check_acl)(struct inode *, int));
diff --git a/include/linux/union.h b/include/linux/union.h
index a0656b3..92654e0 100644
--- a/include/linux/union.h
+++ b/include/linux/union.h
@@ -58,6 +58,7 @@ extern struct dentry *union_create_topmost(struct nameidata *, struct qstr *,
extern int __union_copyup(struct path *, struct nameidata *, struct path *);
extern int union_copyup(struct nameidata *, int);
extern int union_copyup_dir(struct path *path);
+extern int union_permission(struct path *, int);
#else /* CONFIG_UNION_MOUNT */
@@ -76,6 +77,7 @@ extern int union_copyup_dir(struct path *path);
#define __union_copyup(x, y, z) ({ BUG(); (0); })
#define union_copyup(x, y) ({ (0); })
#define union_copyup_dir(x) ({ BUG(); (0); })
+#define union_permission(x, y) inode_permission((x)->dentry->d_inode, y)
#endif /* CONFIG_UNION_MOUNT */
#endif /* __KERNEL__ */
--
1.6.3.3
next prev parent reply other threads:[~2009-10-21 19:21 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-21 19:18 [RFC PATCH 00/40] Writable overlays (union mounts) Valerie Aurora
2009-10-21 19:18 ` [PATCH 01/41] VFS: BUG() if somebody tries to rehash an already hashed dentry Valerie Aurora
2009-10-21 19:19 ` [PATCH 02/41] VFS: propagate mnt_flags into do_loopback Valerie Aurora
2009-10-21 19:19 ` [PATCH 03/41] VFS: Make lookup_hash() return a struct path Valerie Aurora
2009-10-21 19:19 ` [PATCH 04/41] VFS: Remove unnecessary micro-optimization in cached_lookup() Valerie Aurora
2009-10-21 19:19 ` [PATCH 05/41] VFS: Make real_lookup() return a struct path Valerie Aurora
2009-10-21 19:19 ` [PATCH 06/41] VFS: Introduce dput() variant that maintains a kill-list Valerie Aurora
2009-10-21 19:19 ` [PATCH 07/41] VFS: Add read-only users count to superblock Valerie Aurora
2009-10-21 19:19 ` [PATCH 08/41] Don't replace nameidata path when following links Valerie Aurora
2009-10-21 19:19 ` [PATCH 09/41] whiteout: Don't return information about whiteouts to userspace Valerie Aurora
2009-10-21 19:19 ` [PATCH 10/41] whiteout: Add vfs_whiteout() and whiteout inode operation Valerie Aurora
2009-10-21 19:19 ` [PATCH 11/41] whiteout: Set S_OPAQUE inode flag when creating directories Valerie Aurora
2009-10-21 19:19 ` [PATCH 12/41] union-mount: Allow removal of a directory Valerie Aurora
2009-10-21 19:19 ` [PATCH 13/41] whiteout: tmpfs whiteout support Valerie Aurora
2009-10-21 19:19 ` [PATCH 14/41] whiteout: Split of ext2_append_link() from ext2_add_link() Valerie Aurora
2009-10-21 19:19 ` [PATCH 15/41] whiteout: ext2 whiteout support Valerie Aurora
2009-10-21 19:19 ` [PATCH 16/41] whiteout: jffs2 " Valerie Aurora
2009-10-21 19:19 ` [PATCH 17/41] whiteout: Add path_whiteout() helper Valerie Aurora
2009-10-21 19:19 ` [PATCH 18/41] union-mount: Documentation Valerie Aurora
2009-10-21 19:19 ` [PATCH 19/41] union-mount: Introduce MNT_UNION and MS_UNION flags Valerie Aurora
2009-10-21 19:19 ` [PATCH 20/41] union-mount: Introduce union_mount structure Valerie Aurora
2009-10-21 19:19 ` [PATCH 21/41] union-mount: Drive the union cache via dcache Valerie Aurora
2009-10-21 19:19 ` [PATCH 22/41] union-mount: Some checks during namespace changes Valerie Aurora
2009-10-21 19:19 ` [PATCH 23/41] union-mount: Changes to the namespace handling Valerie Aurora
2009-10-21 19:19 ` [PATCH 24/41] union-mount: Make lookup work for union-mounted file systems Valerie Aurora
2009-10-21 19:19 ` [PATCH 25/41] union-mount: stop lookup when directory has S_OPAQUE flag set Valerie Aurora
2009-10-21 19:19 ` [PATCH 26/41] union-mount: stop lookup when finding a whiteout Valerie Aurora
2009-10-21 19:19 ` [PATCH 27/41] union-mount: in-kernel file copy between union mounted filesystems Valerie Aurora
2009-10-21 19:19 ` [PATCH 28/41] union-mount: call do_whiteout() on unlink and rmdir Valerie Aurora
2009-10-21 19:19 ` [PATCH 29/41] union-mount: Always create topmost directory on open Valerie Aurora
2009-10-21 19:19 ` [PATCH 30/41] fallthru: Basic fallthru definitions Valerie Aurora
2009-10-21 19:19 ` [PATCH 31/41] fallthru: Support for fallthru entries in union mount lookup Valerie Aurora
2009-10-21 19:19 ` [PATCH 32/41] fallthru: ext2 fallthru support Valerie Aurora
2009-10-21 19:19 ` [PATCH 33/41] fallthru: jffs2 " Valerie Aurora
2009-10-21 19:19 ` [PATCH 34/41] fallthru: tmpfs " Valerie Aurora
2009-10-21 19:19 ` [PATCH 35/41] union-mount: Copy up directory entries on first readdir() Valerie Aurora
2009-10-21 19:19 ` [PATCH 36/41] union-mount: Increment read-only users count for read-only layer Valerie Aurora
2009-10-21 19:19 ` [PATCH 37/41] union-mount: Check read-only/read-write status of layers Valerie Aurora
2009-10-21 19:19 ` [PATCH 38/41] union-mount: Make pivot_root work with union mounts Valerie Aurora
2009-10-21 19:19 ` Valerie Aurora [this message]
2009-10-21 19:19 ` [PATCH 40/41] union-mount: Make truncate work in all its glorious UNIX variations Valerie Aurora
2009-10-21 19:19 ` [PATCH 41/41] union-mount: Add support for rename by __union_copyup() Valerie Aurora
2009-12-01 4:57 ` Erez Zadok
2009-12-01 4:50 ` [PATCH 40/41] union-mount: Make truncate work in all its glorious UNIX variations Erez Zadok
2009-12-01 4:34 ` [PATCH 39/41] union-mount: Ignore read-only file system in permission checks Erez Zadok
2009-12-01 4:26 ` [PATCH 38/41] union-mount: Make pivot_root work with union mounts Erez Zadok
2009-12-01 4:18 ` [PATCH 35/41] union-mount: Copy up directory entries on first readdir() Erez Zadok
2009-12-01 4:17 ` [PATCH 34/41] fallthru: tmpfs fallthru support Erez Zadok
2009-12-01 4:17 ` [PATCH 33/41] fallthru: jffs2 " Erez Zadok
2009-12-01 4:17 ` [PATCH 32/41] fallthru: ext2 " Erez Zadok
2009-12-01 4:15 ` [PATCH 31/41] fallthru: Support for fallthru entries in union mount lookup Erez Zadok
2009-12-01 4:14 ` [PATCH 30/41] fallthru: Basic fallthru definitions Erez Zadok
2009-12-01 4:14 ` [PATCH 29/41] union-mount: Always create topmost directory on open Erez Zadok
2009-12-01 4:13 ` [PATCH 27/41] union-mount: in-kernel file copy between union mounted filesystems Erez Zadok
2009-12-01 4:11 ` [PATCH 26/41] union-mount: stop lookup when finding a whiteout Erez Zadok
2009-12-01 4:10 ` [PATCH 25/41] union-mount: stop lookup when directory has S_OPAQUE flag set Erez Zadok
2009-12-01 4:10 ` [PATCH 24/41] union-mount: Make lookup work for union-mounted file systems Erez Zadok
2009-11-30 9:15 ` [PATCH 23/41] union-mount: Changes to the namespace handling Erez Zadok
2009-11-30 9:04 ` [PATCH 22/41] union-mount: Some checks during namespace changes Erez Zadok
2009-11-30 8:57 ` [PATCH 21/41] union-mount: Drive the union cache via dcache Erez Zadok
2009-11-30 8:46 ` [PATCH 20/41] union-mount: Introduce union_mount structure Erez Zadok
2010-01-26 22:38 ` Valerie Aurora
2009-11-30 8:02 ` [PATCH 19/41] union-mount: Introduce MNT_UNION and MS_UNION flags Erez Zadok
2010-01-26 20:03 ` Valerie Aurora
2009-12-01 5:37 ` [PATCH 18/41] union-mount: Documentation Erez Zadok
2009-11-30 7:57 ` [PATCH 17/41] whiteout: Add path_whiteout() helper Erez Zadok
2010-01-26 20:02 ` Valerie Aurora
2009-10-21 22:50 ` [PATCH 16/41] whiteout: jffs2 whiteout support David Woodhouse
2009-10-27 2:21 ` Valerie Aurora
2009-11-30 7:51 ` Erez Zadok
2010-01-26 19:52 ` Valerie Aurora
2009-10-21 21:17 ` [PATCH 15/41] whiteout: ext2 " Andreas Dilger
2009-10-27 2:14 ` Valerie Aurora
2009-11-30 7:45 ` Erez Zadok
2009-11-30 6:32 ` [PATCH 14/41] whiteout: Split of ext2_append_link() from ext2_add_link() Erez Zadok
2009-11-30 6:26 ` [PATCH 13/41] whiteout: tmpfs whiteout support Erez Zadok
2010-01-21 2:02 ` Valerie Aurora
2009-11-30 6:13 ` [PATCH 12/41] union-mount: Allow removal of a directory Erez Zadok
2010-01-21 0:52 ` Valerie Aurora
2009-10-27 14:36 ` [PATCH 10/41] whiteout: Add vfs_whiteout() and whiteout inode operation Eric Paris
2009-10-27 21:22 ` Valerie Aurora
2009-11-30 3:04 ` Erez Zadok
2010-01-21 0:35 ` Valerie Aurora
2009-11-30 2:53 ` [PATCH 09/41] whiteout: Don't return information about whiteouts to userspace Erez Zadok
2010-01-21 0:19 ` Valerie Aurora
2009-11-30 2:44 ` [PATCH 08/41] Don't replace nameidata path when following links Erez Zadok
2009-11-30 2:33 ` [PATCH 07/41] VFS: Add read-only users count to superblock Erez Zadok
2009-11-30 2:28 ` [PATCH 06/41] VFS: Introduce dput() variant that maintains a kill-list Erez Zadok
2010-01-20 23:31 ` Valerie Aurora
2009-11-30 2:11 ` [PATCH 05/41] VFS: Make real_lookup() return a struct path Erez Zadok
2009-11-30 2:07 ` [PATCH 04/41] VFS: Remove unnecessary micro-optimization in cached_lookup() Erez Zadok
2009-12-10 21:25 ` Valerie Aurora
2009-11-30 2:02 ` [PATCH 03/41] VFS: Make lookup_hash() return a struct path Erez Zadok
2009-12-10 21:23 ` Valerie Aurora
2009-11-30 6:04 ` Erez Zadok
2009-12-10 21:24 ` Valerie Aurora
2009-11-30 1:43 ` [PATCH 01/41] VFS: BUG() if somebody tries to rehash an already hashed dentry Erez Zadok
2009-12-10 20:20 ` Valerie Aurora
2009-10-22 2:44 ` [RFC PATCH 00/40] Writable overlays (union mounts) hooanon05
2009-10-27 2:23 ` Valerie Aurora
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1256152779-10054-40-git-send-email-vaurora@redhat.com \
--to=vaurora@redhat.com \
--cc=apw@canonical.com \
--cc=hch@infradead.org \
--cc=jblunck@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=scott@canonica \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).