From: "Serge E. Hallyn" <serge@hallyn.com>
To: Miklos Szeredi <mszeredi@redhat.com>
Cc: Christian Brauner <christian@brauner.io>,
linux-api@vger.kernel.org, linux-man@vger.kernel.org,
linux-security-module@vger.kernel.org,
Karel Zak <kzak@redhat.com>,
linux-fsdevel@vger.kernel.org, Ian Kent <raven@themaw.net>,
David Howells <dhowells@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 3/4] listmount: small changes in semantics
Date: Wed, 6 Dec 2023 13:58:07 -0600 [thread overview]
Message-ID: <20231206195807.GA209606@mail.hallyn.com> (raw)
In-Reply-To: <20231128160337.29094-4-mszeredi@redhat.com>
On Tue, Nov 28, 2023 at 05:03:34PM +0100, Miklos Szeredi wrote:
> 1) Make permission checking consistent with statmount(2): fail if mount is
> unreachable from current root. Previously it failed if mount was
> unreachable from root->mnt->mnt_root.
>
> 2) List all submounts, even if unreachable from current root. This is
> safe, since 1) will prevent listing unreachable mounts for unprivileged
> users.
>
> 3) LSMT_ROOT is unchaged, it lists mounts under current root.
>
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> ---
> fs/namespace.c | 39 ++++++++++++++-------------------------
> 1 file changed, 14 insertions(+), 25 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index ad62cf7ee334..10cd651175b5 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -5004,37 +5004,26 @@ static struct mount *listmnt_next(struct mount *curr)
> return node_to_mount(rb_next(&curr->mnt_node));
> }
>
> -static ssize_t do_listmount(struct mount *first, struct vfsmount *mnt,
> +static ssize_t do_listmount(struct mount *first, struct path *orig, u64 mnt_id,
> u64 __user *buf, size_t bufsize,
> const struct path *root)
> {
> - struct mount *r, *m = real_mount(mnt);
> - struct path rootmnt = {
> - .mnt = root->mnt,
> - .dentry = root->mnt->mnt_root
> - };
> - struct path orig;
> + struct mount *r;
> ssize_t ctr;
> int err;
>
> - if (!is_path_reachable(m, mnt->mnt_root, &rootmnt))
> - return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
> + if (!capable(CAP_SYS_ADMIN) &&
Was there a reason to do the capable check first? In general,
checking capable() when not needed is frowned upon, as it will
set the PF_SUPERPRIV flag.
> + !is_path_reachable(real_mount(orig->mnt), orig->dentry, root))
> + return -EPERM;
>
> - err = security_sb_statfs(mnt->mnt_root);
> + err = security_sb_statfs(orig->dentry);
> if (err)
> return err;
>
> - if (root->mnt == mnt) {
> - orig = *root;
> - } else {
> - orig.mnt = mnt;
> - orig.dentry = mnt->mnt_root;
> - }
> -
> for (ctr = 0, r = first; r; r = listmnt_next(r)) {
> - if (r == m)
> + if (r->mnt_id_unique == mnt_id)
> continue;
> - if (!is_path_reachable(r, r->mnt.mnt_root, &orig))
> + if (!is_path_reachable(r, r->mnt.mnt_root, orig))
> continue;
>
> if (ctr >= bufsize)
> @@ -5053,9 +5042,8 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
> {
> struct mnt_namespace *ns = current->nsproxy->mnt_ns;
> struct mnt_id_req kreq;
> - struct vfsmount *mnt;
> struct mount *first;
> - struct path root;
> + struct path root, orig;
> u64 mnt_id;
> ssize_t ret;
>
> @@ -5071,16 +5059,17 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
> down_read(&namespace_sem);
> get_fs_root(current->fs, &root);
> if (mnt_id == LSMT_ROOT) {
> - mnt = root.mnt;
> + orig = root;
> } else {
> ret = -ENOENT;
> - mnt = lookup_mnt_in_ns(mnt_id, ns);
> - if (!mnt)
> + orig.mnt = lookup_mnt_in_ns(mnt_id, ns);
> + if (!orig.mnt)
> goto err;
> + orig.dentry = orig.mnt->mnt_root;
> }
> first = node_to_mount(rb_first(&ns->mounts));
>
> - ret = do_listmount(first, mnt, buf, bufsize, &root);
> + ret = do_listmount(first, &orig, mnt_id, buf, bufsize, &root);
> err:
> path_put(&root);
> up_read(&namespace_sem);
> --
> 2.41.0
>
next prev parent reply other threads:[~2023-12-06 19:58 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-28 16:03 [PATCH 0/4] listmount changes Miklos Szeredi
2023-11-28 16:03 ` [PATCH 1/4] listmount: rip out flags Miklos Szeredi
2023-11-28 16:03 ` [PATCH 2/4] listmount: list mounts in ID order Miklos Szeredi
2023-11-28 16:03 ` [PATCH 3/4] listmount: small changes in semantics Miklos Szeredi
2023-12-06 19:58 ` Serge E. Hallyn [this message]
2023-12-06 20:24 ` Miklos Szeredi
2023-12-08 13:07 ` Christian Brauner
2023-11-28 16:03 ` [PATCH 4/4] listmount: allow continuing Miklos Szeredi
2023-11-29 9:52 ` [PATCH 0/4] listmount changes Christian Brauner
2023-11-29 10:22 ` Miklos Szeredi
2023-11-29 10:40 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231206195807.GA209606@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=christian@brauner.io \
--cc=dhowells@redhat.com \
--cc=kzak@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=raven@themaw.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).