From: "xuyang2018.jy@fujitsu.com" <xuyang2018.jy@fujitsu.com>
To: Christian Brauner <brauner@kernel.org>
Cc: "david@fromorbit.com" <david@fromorbit.com>,
	"djwong@kernel.org" <djwong@kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"fstests@vger.kernel.org" <fstests@vger.kernel.org>
Subject: Re: [PATCH v1 1/2] idmapped-mounts: Add mknodat operation in setgid test
Date: Fri, 1 Apr 2022 06:11:49 +0000
Message-ID: <624697D3.80206@fujitsu.com>
In-Reply-To: <20220331121029.r6lcwbejdd243f5r@wittgenstein>

On 2022/3/31 20:10, Christian Brauner wrote:
> On Thu, Mar 31, 2022 at 01:59:25PM +0200, Christian Brauner wrote:
>> On Thu, Mar 31, 2022 at 05:28:21PM +0800, Yang Xu wrote:
>>> Since mknodat can create files, we should also check whether it strips S_ISGID.
>>> Also add a new helper caps_down_fsetid to drop CAP_FSETID, because stripping S_ISGID
>>> depends on this cap, and keep the other caps (i.e. CAP_MKNOD) because creating a character device
>>> needs it when using mknod.
>>>
>>> Only test mknod with a character device in the setgid_create function because the other
>>> two functions will hit EPERM errors.
>>
>> Fwiw, it's not allowed to create devices in userns as that would be a
>> massive attack vector. But it is possible since 5.<some version>  to
>> create whiteouts in userns for the sake of overlayfs. So iirc
>> creating a whiteout is just passing 0 as dev_t:
>>
>> mknodat(t_dir1_fd, CHRDEV1, S_IFCHR | S_ISGID | 0755, 0)
>>
>> but you'd need to detect whether the kernel allows this and skip the
>> test on EPERM when it is a userns test.
>
> Oh, iirc Eryu usually prefers if we don't just extend existing tests but
> add new tests so as not to introduce regressions. So instead of adding
> this into the existing tests you _could_ add them as a new separate
>
> struct t_idmapped_mounts t_setgid[] = {
> };
>
> set of tests and add a new command line switch:
>
> --test-setgid
>
> and create a new
>
> generic/67*
>
> for it. You can use:
> d17a88e90956 ("generic: test idmapped mount circular mappings")
> as a template for what I mean.
When I wrote this patchset, I also thought about it. I plan to move the setgid
test out of the test-core group and use a new test-setgid group (also
increase its coverage).

Will do it on v2.

Best Regards
Yang Xu
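The probe Christian describes above (mknodat with S_IFCHR and a dev_t of 0, skipping on EPERM) together with the S_ISGID expectation the patch wants to test, as an added example in C that is not code from the patch, the idmapped-mounts test or anyone in this thread. It assumes a constructed scratch directory under /tmp, umask 0 as in patch 2/2, and treats euid 0 as a stand-in for holding CAP_FSETID.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum t_result { T_PASS, T_FAIL, T_SKIP };

/* A whiteout is a character device with device number 0. T_SKIP: kernel refused
 * with EPERM (userns or kernel that does not allow it); T_FAIL: any other error. */
static enum t_result mknod_whiteout(int dirfd, const char *name, mode_t mode,
				    struct stat *st)
{
	if (mknodat(dirfd, name, S_IFCHR | mode, 0) < 0)
		return errno == EPERM ? T_SKIP : T_FAIL;
	return fstatat(dirfd, name, st, AT_SYMLINK_NOFOLLOW) ? T_FAIL : T_PASS;
}

/* Mode the VFS gives a non-directory created in a setgid directory (umask 0):
 * S_ISGID survives only if the creator is in the directory's group or holds
 * CAP_FSETID (what caps_down_fsetid() drops); without S_IXGRP it is left alone. */
static mode_t expected_mode(mode_t requested, int in_dir_group, int has_fsetid)
{
	mode_t m = requested & ~S_IFMT;
	if ((m & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
	    !in_dir_group && !has_fsetid)
		m &= ~S_ISGID;
	return m;
}

int main(void)
{
	char dir[] = "/tmp/sgid-XXXXXX";	/* constructed scratch directory */
	mode_t want, got, req = S_ISGID | 0755;
	struct stat dst, st; int dfd;
	if (!mkdtemp(dir) || chmod(dir, S_ISGID | 0777) || stat(dir, &dst))
		return 1;
	umask(0);				/* as patch 2/2 does before setgid_create */
	dfd = open(dir, O_RDONLY | O_DIRECTORY);
	switch (mknod_whiteout(dfd, "chrdev1", req, &st)) {
	case T_SKIP: puts("SKIP: whiteout creation denied with EPERM"); break;
	case T_FAIL: perror("FAIL: mknodat/fstatat"); break;
	case T_PASS: /* we own the dir, so we are in its group; euid 0 taken as CAP_FSETID */
		want = expected_mode(req, dst.st_gid == getegid(), geteuid() == 0);
		got = st.st_mode & ~S_IFMT;
		printf("%s: got 0%o, expected 0%o\n", got == want ? "PASS" : "FAIL", got, want);
	}
	unlinkat(dfd, "chrdev1", 0); close(dfd); rmdir(dir);
	return 0;
}
```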
