From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge.hallyn@canonical.com>
Cc: Richard Weinberger <richard.weinberger@gmail.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
Miklos Szeredi <miklos@szeredi.hu>,
linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
fuse-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
Seth Forshee <seth.forshee@canonical.com>
Subject: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes
Date: Mon, 4 Jan 2016 12:03:50 -0600 [thread overview]
Message-ID: <1451930639-94331-12-git-send-email-seth.forshee@canonical.com> (raw)
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
The mounter of a filesystem should be privileged towards the
inodes of that filesystem. Extend the checks in
inode_owner_or_capable() and capable_wrt_inode_uidgid() to
permit access by users priviliged in the user namespace of the
inode's superblock.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
---
fs/inode.c | 3 +++
kernel/capability.c | 13 +++++++++----
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c
index 1be5f9003eb3..01c036fe1950 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1962,6 +1962,9 @@ bool inode_owner_or_capable(const struct inode *inode)
ns = current_user_ns();
if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
return true;
+
+ if (ns_capable(inode->i_sb->s_user_ns, CAP_FOWNER))
+ return true;
return false;
}
EXPORT_SYMBOL(inode_owner_or_capable);
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b54d5c6..5137a38a5670 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -437,13 +437,18 @@ EXPORT_SYMBOL(file_ns_capable);
*
* Return true if the current task has the given capability targeted at
* its own user namespace and that the given inode's uid and gid are
- * mapped into the current user namespace.
+ * mapped into the current user namespace, or if the current task has
+ * the capability towards the user namespace of the inode's superblock.
*/
bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
{
- struct user_namespace *ns = current_user_ns();
+ struct user_namespace *ns;
- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
- kgid_has_mapping(ns, inode->i_gid);
+ ns = current_user_ns();
+ if (ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
+ kgid_has_mapping(ns, inode->i_gid))
+ return true;
+
+ return ns_capable(inode->i_sb->s_user_ns, cap);
}
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
--
1.9.1
next prev parent reply other threads:[~2016-01-04 18:03 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-04 18:03 [PATCH RESEND v2 00/19] Support fuse mounts in user namespaces Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 01/18] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 02/18] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 03/18] fs: Treat foreign mounts as nosuid Seth Forshee
2016-03-15 12:09 ` [PATCH] fs: remove excess check for in_userns Pavel Tikhomirov
2016-03-15 13:45 ` Seth Forshee
2016-03-15 14:19 ` Pavel Tikhomirov
2016-03-15 14:19 ` Pavel Tikhomirov
2016-03-22 23:19 ` James Morris
2016-01-04 18:03 ` [PATCH RESEND v2 04/18] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 05/18] userns: Replace in_userns with current_in_userns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 06/18] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 07/18] fs: Check for invalid i_uid in may_follow_link() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 08/18] cred: Reject inodes with invalid ids in set_create_file_as() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 09/18] fs: Refuse uid/gid changes which don't map into s_user_ns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 10/18] fs: Update posix_acl support to handle user namespace mounts Seth Forshee
2016-01-04 18:03 ` Seth Forshee [this message]
2016-03-03 17:02 ` [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes Seth Forshee
2016-03-04 22:43 ` Eric W. Biederman
2016-03-06 15:48 ` Seth Forshee
2016-03-06 22:07 ` Eric W. Biederman
2016-03-07 13:32 ` Seth Forshee
2016-03-28 16:59 ` Seth Forshee
2016-03-30 1:36 ` Eric W. Biederman
2016-03-30 14:58 ` Seth Forshee
2016-03-30 20:18 ` Eric W. Biederman
2016-01-04 18:03 ` [PATCH RESEND v2 12/18] fs: Don't remove suid for CAP_FSETID in s_user_ns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 13/18] fs: Allow superblock owner to access do_remount_sb() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 15/18] fuse: Add support for pid namespaces Seth Forshee
2016-03-09 10:53 ` Miklos Szeredi
2016-03-09 14:17 ` Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 16/18] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2016-03-09 11:29 ` Miklos Szeredi
2016-03-09 14:18 ` Seth Forshee
2016-03-09 14:48 ` Miklos Szeredi
2016-03-09 15:25 ` Seth Forshee
2016-03-09 15:51 ` Miklos Szeredi
2016-03-09 17:07 ` Seth Forshee
2016-03-14 20:58 ` Miklos Szeredi
2016-03-25 20:31 ` Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 17/18] fuse: Restrict allow_other to the superblock's namespace or a descendant Seth Forshee
2016-03-09 11:40 ` Miklos Szeredi
2016-01-04 18:03 ` [PATCH RESEND v2 18/18] fuse: Allow user namespace mounts Seth Forshee
2016-03-09 13:08 ` Miklos Szeredi
2016-01-25 19:47 ` [PATCH RESEND v2 00/19] Support fuse mounts in user namespaces Seth Forshee
2016-01-25 20:01 ` Eric W. Biederman
2016-01-25 20:36 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1451930639-94331-12-git-send-email-seth.forshee@canonical.com \
--to=seth.forshee@canonical.com \
--cc=ahferroin7@gmail.com \
--cc=dm-devel@redhat.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=richard.weinberger@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).