From: Jeff Layton <jlayton@kernel.org>
To: Amir Goldstein <amir73il@gmail.com>,
Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>, Chuck Lever <chuck.lever@oracle.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] fhandle: use more consistent rules for decoding file handle from userns
Date: Mon, 01 Sep 2025 07:10:24 -0400 [thread overview]
Message-ID: <9170c58bfda7242ebe8e325c702828f8a7617fb4.camel@kernel.org> (raw)
In-Reply-To: <20250827194309.1259650-1-amir73il@gmail.com>
On Wed, 2025-08-27 at 21:43 +0200, Amir Goldstein wrote:
> Commit 620c266f39493 ("fhandle: relax open_by_handle_at() permission
> checks") relaxed the coditions for decoding a file handle from non init
> userns.
>
> The conditions are that that decoded dentry is accessible from the user
> provided mountfd (or to fs root) and that all the ancestors along the
> path have a valid id mapping in the userns.
>
> These conditions are intentionally more strict than the condition that
> the decoded dentry should be "lookable" by path from the mountfd.
>
> For example, the path /home/amir/dir/subdir is lookable by path from
> unpriv userns of user amir, because /home perms is 755, but the owner of
> /home does not have a valid id mapping in unpriv userns of user amir.
>
> The current code did not check that the decoded dentry itself has a
> valid id mapping in the userns. There is no security risk in that,
> because that final open still performs the needed permission checks,
> but this is inconsistent with the checks performed on the ancestors,
> so the behavior can be a bit confusing.
>
> Add the check for the decoded dentry itself, so that the entire path,
> including the last component has a valid id mapping in the userns.
>
> Fixes: 620c266f39493 ("fhandle: relax open_by_handle_at() permission checks")
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> ---
> fs/fhandle.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/fhandle.c b/fs/fhandle.c
> index 68a7d2861c58f..a907ddfac4d51 100644
> --- a/fs/fhandle.c
> +++ b/fs/fhandle.c
> @@ -207,6 +207,14 @@ static int vfs_dentry_acceptable(void *context, struct dentry *dentry)
> if (!ctx->flags)
> return 1;
>
> + /*
> + * Verify that the decoded dentry itself has a valid id mapping.
> + * In case the decoded dentry is the mountfd root itself, this
> + * verifies that the mountfd inode itself has a valid id mapping.
> + */
> + if (!privileged_wrt_inode_uidgid(user_ns, idmap, d_inode(dentry)))
> + return 0;
> +
> /*
> * It's racy as we're not taking rename_lock but we're able to ignore
> * permissions and we just need an approximation whether we were able
Reviewed-by: Jeff Layton <jlayton@kernel.org>
prev parent reply other threads:[~2025-09-01 11:10 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-27 19:43 [PATCH] fhandle: use more consistent rules for decoding file handle from userns Amir Goldstein
2025-08-29 7:48 ` Christian Brauner
2025-08-29 10:50 ` Jan Kara
2025-08-29 12:55 ` Amir Goldstein
2025-09-01 9:44 ` Jan Kara
2025-09-01 17:47 ` Amir Goldstein
2025-09-04 11:23 ` Jan Kara
2025-09-01 11:10 ` Jeff Layton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9170c58bfda7242ebe8e325c702828f8a7617fb4.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).