From: Dave Chinner <david@fromorbit.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kara <jack@suse.cz>,
Seth Forshee <seth.forshee@canonical.com>,
Jann Horn <jannh@google.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
linux-fsdevel@vger.kernel.org, Djalal Harouni <tixxdz@gmail.com>
Subject: Re: [PATCH v2 review 09/11] quota: Handle quota data stored in s_user_ns.
Date: Wed, 6 Jul 2016 16:35:04 +1000 [thread overview]
Message-ID: <20160706063504.GH27480@dastard> (raw)
In-Reply-To: <8737nnrcyy.fsf@x220.int.ebiederm.org>
On Tue, Jul 05, 2016 at 04:28:53PM -0500, Eric W. Biederman wrote:
> Dave Chinner <david@fromorbit.com> writes:
>
> > On Tue, Jul 05, 2016 at 10:34:49AM -0500, Eric W. Biederman wrote:
> >> The more I think of it the more I think that sounds like wisdom.
> >> Dropping this patch and replacing it by one that just does:
> >>
> >> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> >> index d8fb0fd3ff6f..9c9890fe18b7 100644
> >> --- a/fs/quota/dquot.c
> >> +++ b/fs/quota/dquot.c
> >> @@ -2273,6 +2273,11 @@ static int vfs_load_quota_inode(struct inode *inode, int type, int format_id,
> >> error = -EINVAL;
> >> goto out_fmt;
> >> }
> >> + /* Filesystems outside of init_user_ns not yet supported */
> >> + if (sb->s_user_ns != &init_user_ns) {
> >> + error = -EINVAL;
> >> + goto out_fmt;
> >> + }
> >> /* Usage always has to be set... */
> >> if (!(flags & DQUOT_USAGE_ENABLED)) {
> >> error = -EINVAL;
> >>
> >>
> >> seems a lot more appropriate at this point. That is enough to give a
> >> great big hint there is something that needs to be done but won't
> >> embrittle the code with untested corner cases.
> >
> > You'll need to propagate that to all filesystems that have their own
> > quota implemenation, too.
>
> All of the filesytems that have their own quota implementations omit the
> flag FS_USERNS_MOUNT in fs_flags in struct filesystem so they are
> protected.
Which is the same situation currently for every filesystem that
supports quotas, regardless of the implementation infrastructure.
> p.s. I expect the the generic quota implementation is simple enough
> that it is not particularly suseptible to problems caused by malicious
> data. But I don't currently care enough to verify and test that
> assumption so this is very much the wrong time for me to be enabling the
> feature.
All the more reason you should be adding the same guard to all the
other filesystems....
All i'm asking you to do is to make this check in a way that all
filesystems that implement quotas will execute it. Don't leave
landmines with security implications around - make sure all
filesystems have the same protections.
-Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2016-07-06 6:35 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-02 17:18 [PATCH review 0/11] General unprivileged mount support Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 01/11] fs: Refuse uid/gid changes which don't map into s_user_ns Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 02/11] userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 03/11] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 04/11] fs: Check for invalid i_uid in may_follow_link() Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 05/11] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 06/11] vfs: Don't modify inodes with a uid or gid unknown to the vfs Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 07/11] vfs: Don't create " Eric W. Biederman
2016-07-04 7:59 ` Jan Kara
2016-07-05 14:55 ` Eric W. Biederman
2016-07-06 9:07 ` Jan Kara
2016-07-06 15:37 ` Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 08/11] quota: Ensure qids map to the filesystem Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 09/11] quota: Handle quota data stored in s_user_ns Eric W. Biederman
2016-07-02 17:33 ` [PATCH v2 " Eric W. Biederman
2016-07-04 9:11 ` Jan Kara
2016-07-05 14:48 ` Seth Forshee
2016-07-05 15:34 ` Eric W. Biederman
2016-07-05 20:57 ` Dave Chinner
2016-07-05 21:28 ` Eric W. Biederman
2016-07-06 6:35 ` Dave Chinner [this message]
2016-07-06 8:25 ` Jan Kara
2016-07-06 17:51 ` Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 10/11] evm: Translate user/group ids relative to s_user_ns when computing HMAC Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 11/11] fs: Update i_[ug]id_(read|write) to translate relative to s_user_ns Eric W. Biederman
2016-07-04 8:52 ` [PATCH review 0/11] General unprivileged mount support Jan Kara
2016-07-04 16:27 ` Eric W. Biederman
2016-07-06 8:54 ` Jan Kara
2016-07-06 13:54 ` Seth Forshee
2016-07-06 14:22 ` Jan Kara
2016-07-06 14:46 ` Seth Forshee
2016-07-06 15:01 ` Eric W. Biederman
2016-07-06 15:23 ` James Bottomley
2016-07-06 16:35 ` Eric W. Biederman
2016-07-06 13:44 ` Andy Lutomirski
2016-07-06 15:21 ` Eric W. Biederman
2016-07-06 14:01 ` Andy Lutomirski
2016-07-06 15:19 ` Eric W. Biederman
2016-07-06 18:10 ` [PATCH review 0/12] General unprivileged mount support v2 Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 01/12] fs: Refuse uid/gid changes which don't map into s_user_ns Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 02/12] userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 03/12] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 04/12] fs: Check for invalid i_uid in may_follow_link() Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 05/12] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 06/12] vfs: Don't modify inodes with a uid or gid unknown to the vfs Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 07/12] vfs: Don't create " Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 08/12] quota: Ensure qids map to the filesystem Eric W. Biederman
2016-07-11 10:14 ` Jan Kara
2016-07-11 18:12 ` Eric W. Biederman
2016-07-13 1:34 ` Dave Chinner
2016-07-13 3:45 ` Dave Chinner
2016-07-13 5:43 ` Jann Horn
2016-07-14 17:03 ` Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 09/12] quota: Handle quota data stored in s_user_ns in quota_setxquota Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 10/12] dquot: For now explicitly don't support filesystems outside of init_user_ns Eric W. Biederman
2016-07-11 10:09 ` Jan Kara
2016-07-06 18:12 ` [PATCH review 11/12] evm: Translate user/group ids relative to s_user_ns when computing HMAC Eric W. Biederman
2016-07-06 18:12 ` [PATCH review 12/12] fs: Update i_[ug]id_(read|write) to translate relative to s_user_ns Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160706063504.GH27480@dastard \
--to=david@fromorbit.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=seth.forshee@canonical.com \
--cc=tixxdz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox