Re: [PATCH 11/17] mount_service: use over the other non-root user checks

["Darrick J. Wong" <djwong@kernel.org>]

On Thu, Mar 26, 2026 at 06:27:38PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
> 
> Now that we've hoisted the code that checks non-root fuse mounts to a
> common file, make fuservicemount obey them too.
> 
> Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>

Codex pointed out quite a few setuid related problems in this patch that
I wasn't aware of.  Good for it!

The first is that I needed to wrap all the system calls that involve
access and permission checks with drop_privs() and restore_privs().
That way an unprivileged user cannot connect to fuse server sockets,
files, fuse devices, call block device ioctls, or mount() to places that
the original unprivileged user cannot access.

It also mentioned that we ought to call fuse_mnt_resolve_path to make
sure that the path mount point can be resolved with the real uid of the
mount helper process; this was fortunate, because that was also key to
enabling unmount if the fuse server initialization fails early on.

--D

> ---
>  util/mount_service.c |   62 ++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 62 insertions(+)
> 
> 
> diff --git a/util/mount_service.c b/util/mount_service.c
> index 9f6feab902f89d..6e53447e1d65be 100644
> --- a/util/mount_service.c
> +++ b/util/mount_service.c
> @@ -1224,6 +1224,30 @@ static int mount_service_fsopen_mount(struct mount_service *mo,
>  # define mount_service_fsopen_mount(...)	(-2)
>  #endif
>  
> +static int check_nonroot_file_access(const struct mount_service *mo)
> +{
> +	char buf[32];
> +	char *mntpt;
> +	int fd;
> +
> +	if (mo->mountfd >= 0) {
> +		snprintf(buf, sizeof(buf), "/dev/fd/%d", mo->mountfd);
> +		mntpt = buf;
> +	} else {
> +		mntpt = mo->mountpoint;
> +	}
> +
> +	fd = open(mntpt, O_WRONLY);
> +	if (fd < 0) {
> +		fprintf(stderr, "%s: user has no write access to mountpoint %s\n",
> +			mo->msgtag, mo->mountpoint);
> +		return -1;
> +	}
> +
> +	close(fd);
> +	return 0;
> +}
> +
>  static int mount_service_handle_mount_cmd(struct mount_service *mo,
>  					  struct fuse_service_packet *p)
>  {
> @@ -1298,6 +1322,44 @@ static int mount_service_handle_mount_cmd(struct mount_service *mo,
>  		return mount_service_send_reply(mo, EINVAL);
>  	}
>  
> +	/*
> +	 * fuse.conf can limit the number of unprivileged fuse mounts.
> +	 * For unprivileged mounts (via setuid) we also require write access
> +	 * to the mountpoint, and we'll only accept certain underlying
> +	 * filesystems.
> +	 */
> +	if (getuid() != 0) {
> +		struct statfs fs_buf;
> +
> +		ret = check_nonroot_mount_count(mo->msgtag);
> +		if (ret)
> +			return mount_service_send_reply(mo, ENOMEM);
> +
> +		ret = fstatfs(mo->mountfd, &fs_buf);
> +		if (ret) {
> +			int error = errno;
> +
> +			fprintf(stderr, "%s: %s: %s\n",
> +				mo->msgtag, mo->mountpoint, strerror(error));
> +			return mount_service_send_reply(mo, error);
> +		}
> +
> +		drop_privs();
> +		if (S_ISDIR(stbuf.st_mode))
> +			ret = check_nonroot_dir_access(mo->msgtag,
> +						       mo->mountpoint,
> +						       mo->real_mountpoint,
> +						       &stbuf);
> +		else
> +			ret = check_nonroot_file_access(mo);
> +		if (!ret)
> +			ret = check_nonroot_fstype(mo->msgtag, &fs_buf);
> +		restore_privs();
> +
> +		if (ret)
> +			return mount_service_send_reply(mo, EPERM);
> +	}
> +
>  	if (mo->fsopenfd >= 0) {
>  		ret = mount_service_fsopen_mount(mo, oc, &stbuf);
>  		if (ret != -2)
> 
>