From: Seth Forshee <sforshee@digitalocean.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>,
Amir Goldstein <amir73il@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Christian Brauner <christian.brauner@ubuntu.com>
Subject: Re: [PATCH v2 06/10] fs: use low-level mapping helpers
Date: Thu, 2 Dec 2021 11:34:49 -0600 [thread overview]
Message-ID: <YakDuY2qLG7KiNF8@do-x1extreme> (raw)
In-Reply-To: <20211130121032.3753852-7-brauner@kernel.org>
On Tue, Nov 30, 2021 at 01:10:28PM +0100, Christian Brauner wrote:
> From: Christian Brauner <christian.brauner@ubuntu.com>
>
> In a few places the vfs needs to interact with bare k{g,u}ids directly
> instead of struct inode. These are just a few. In previous patches we
> introduced low-level mapping helpers that are able to support
> filesystems mounted an idmapping. This patch simply converts the places
> to use these new helpers.
>
> Link: https://lore.kernel.org/r/20211123114227.3124056-7-brauner@kernel.org (v1)
> Cc: Seth Forshee <sforshee@digitalocean.com>
> Cc: Amir Goldstein <amir73il@gmail.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> CC: linux-fsdevel@vger.kernel.org
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
> ---
> /* v2 */
> unchanged
> ---
> fs/ksmbd/smbacl.c | 18 ++----------------
> fs/ksmbd/smbacl.h | 4 ++--
> fs/open.c | 4 ++--
> fs/posix_acl.c | 16 ++++++++++------
> security/commoncap.c | 13 ++++++++-----
> 5 files changed, 24 insertions(+), 31 deletions(-)
>
> diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
> index ab8099e0fd7f..6ecf55ea1fed 100644
> --- a/fs/ksmbd/smbacl.c
> +++ b/fs/ksmbd/smbacl.c
> @@ -275,14 +275,7 @@ static int sid_to_id(struct user_namespace *user_ns,
> uid_t id;
>
> id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
> - /*
> - * Translate raw sid into kuid in the server's user
> - * namespace.
> - */
> - uid = make_kuid(&init_user_ns, id);
> -
> - /* If this is an idmapped mount, apply the idmapping. */
> - uid = kuid_from_mnt(user_ns, uid);
> + uid = mapped_kuid_user(user_ns, &init_user_ns, KUIDT_INIT(id));
> if (uid_valid(uid)) {
> fattr->cf_uid = uid;
> rc = 0;
> @@ -292,14 +285,7 @@ static int sid_to_id(struct user_namespace *user_ns,
> gid_t id;
>
> id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
> - /*
> - * Translate raw sid into kgid in the server's user
> - * namespace.
> - */
> - gid = make_kgid(&init_user_ns, id);
> -
> - /* If this is an idmapped mount, apply the idmapping. */
> - gid = kgid_from_mnt(user_ns, gid);
> + gid = mapped_kgid_user(user_ns, &init_user_ns, KGIDT_INIT(id));
> if (gid_valid(gid)) {
> fattr->cf_gid = gid;
> rc = 0;
> diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h
> index eba1ebb9e92e..811af3309429 100644
> --- a/fs/ksmbd/smbacl.h
> +++ b/fs/ksmbd/smbacl.h
> @@ -217,7 +217,7 @@ static inline uid_t posix_acl_uid_translate(struct user_namespace *mnt_userns,
> kuid_t kuid;
>
> /* If this is an idmapped mount, apply the idmapping. */
> - kuid = kuid_into_mnt(mnt_userns, pace->e_uid);
> + kuid = mapped_kuid_fs(mnt_userns, &init_user_ns, pace->e_uid);
>
> /* Translate the kuid into a userspace id ksmbd would see. */
> return from_kuid(&init_user_ns, kuid);
> @@ -229,7 +229,7 @@ static inline gid_t posix_acl_gid_translate(struct user_namespace *mnt_userns,
> kgid_t kgid;
>
> /* If this is an idmapped mount, apply the idmapping. */
> - kgid = kgid_into_mnt(mnt_userns, pace->e_gid);
> + kgid = mapped_kgid_fs(mnt_userns, &init_user_ns, pace->e_gid);
>
> /* Translate the kgid into a userspace id ksmbd would see. */
> return from_kgid(&init_user_ns, kgid);
> diff --git a/fs/open.c b/fs/open.c
> index 2450cc1a2f64..40a00e71865b 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -653,8 +653,8 @@ int chown_common(const struct path *path, uid_t user, gid_t group)
> gid = make_kgid(current_user_ns(), group);
>
> mnt_userns = mnt_user_ns(path->mnt);
> - uid = kuid_from_mnt(mnt_userns, uid);
> - gid = kgid_from_mnt(mnt_userns, gid);
> + uid = mapped_kuid_user(mnt_userns, &init_user_ns, uid);
> + gid = mapped_kgid_user(mnt_userns, &init_user_ns, gid);
>
> retry_deleg:
> newattrs.ia_valid = ATTR_CTIME;
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index 632bfdcf7cc0..4b5fb9a9b90f 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -375,7 +375,9 @@ posix_acl_permission(struct user_namespace *mnt_userns, struct inode *inode,
> goto check_perm;
> break;
> case ACL_USER:
> - uid = kuid_into_mnt(mnt_userns, pa->e_uid);
> + uid = mapped_kuid_fs(mnt_userns,
> + &init_user_ns,
> + pa->e_uid);
> if (uid_eq(uid, current_fsuid()))
> goto mask;
> break;
> @@ -388,7 +390,9 @@ posix_acl_permission(struct user_namespace *mnt_userns, struct inode *inode,
> }
> break;
> case ACL_GROUP:
> - gid = kgid_into_mnt(mnt_userns, pa->e_gid);
> + gid = mapped_kgid_fs(mnt_userns,
> + &init_user_ns,
> + pa->e_gid);
> if (in_group_p(gid)) {
> found = 1;
> if ((pa->e_perm & want) == want)
> @@ -735,17 +739,17 @@ static void posix_acl_fix_xattr_userns(
> case ACL_USER:
> uid = make_kuid(from, le32_to_cpu(entry->e_id));
> if (from_user)
> - uid = kuid_from_mnt(mnt_userns, uid);
> + uid = mapped_kuid_user(mnt_userns, &init_user_ns, uid);
> else
> - uid = kuid_into_mnt(mnt_userns, uid);
> + uid = mapped_kuid_fs(mnt_userns, &init_user_ns, uid);
> entry->e_id = cpu_to_le32(from_kuid(to, uid));
> break;
> case ACL_GROUP:
> gid = make_kgid(from, le32_to_cpu(entry->e_id));
> if (from_user)
> - gid = kgid_from_mnt(mnt_userns, gid);
> + gid = mapped_kgid_user(mnt_userns, &init_user_ns, gid);
> else
> - gid = kgid_into_mnt(mnt_userns, gid);
> + gid = mapped_kgid_fs(mnt_userns, &init_user_ns, gid);
> entry->e_id = cpu_to_le32(from_kgid(to, gid));
> break;
> default:
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 09479f71ee2e..d288a62e2999 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -419,7 +419,7 @@ int cap_inode_getsecurity(struct user_namespace *mnt_userns,
> kroot = make_kuid(fs_ns, root);
>
> /* If this is an idmapped mount shift the kuid. */
> - kroot = kuid_into_mnt(mnt_userns, kroot);
> + kroot = mapped_kuid_fs(mnt_userns, &init_user_ns, kroot);
>
> /* If the root kuid maps to a valid uid in current ns, then return
> * this as a nscap. */
> @@ -489,6 +489,7 @@ int cap_inode_getsecurity(struct user_namespace *mnt_userns,
> * @size: size of @ivalue
> * @task_ns: user namespace of the caller
> * @mnt_userns: user namespace of the mount the inode was found from
> + * @fs_userns: user namespace of the filesystem
> *
> * If the inode has been found through an idmapped mount the user namespace of
> * the vfsmount must be passed through @mnt_userns. This function will then
> @@ -498,7 +499,8 @@ int cap_inode_getsecurity(struct user_namespace *mnt_userns,
> */
> static kuid_t rootid_from_xattr(const void *value, size_t size,
> struct user_namespace *task_ns,
> - struct user_namespace *mnt_userns)
> + struct user_namespace *mnt_userns,
> + struct user_namespace *fs_userns)
> {
> const struct vfs_ns_cap_data *nscap = value;
> kuid_t rootkid;
> @@ -508,7 +510,7 @@ static kuid_t rootid_from_xattr(const void *value, size_t size,
> rootid = le32_to_cpu(nscap->rootid);
>
> rootkid = make_kuid(task_ns, rootid);
> - return kuid_from_mnt(mnt_userns, rootkid);
> + return mapped_kuid_user(mnt_userns, fs_userns, rootkid);
> }
>
> static bool validheader(size_t size, const struct vfs_cap_data *cap)
> @@ -559,7 +561,8 @@ int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
> /* user is privileged, just write the v2 */
> return size;
>
> - rootid = rootid_from_xattr(*ivalue, size, task_ns, mnt_userns);
> + rootid = rootid_from_xattr(*ivalue, size, task_ns, mnt_userns,
> + &init_user_ns);
> if (!uid_valid(rootid))
> return -EINVAL;
>
> @@ -700,7 +703,7 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
> /* Limit the caps to the mounter of the filesystem
> * or the more limited uid specified in the xattr.
> */
> - rootkuid = kuid_into_mnt(mnt_userns, rootkuid);
> + rootkuid = mapped_kuid_fs(mnt_userns, &init_user_ns, rootkuid);
> if (!rootid_owns_currentns(rootkuid))
> return -ENODATA;
>
> --
> 2.30.2
>
next prev parent reply other threads:[~2021-12-02 17:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 12:10 [PATCH v2 00/10] Extend and tweak mapping support Christian Brauner
2021-11-30 12:10 ` [PATCH v2 01/10] fs: add is_idmapped_mnt() helper Christian Brauner
2021-12-02 17:09 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 02/10] fs: move mapping helpers Christian Brauner
2021-12-02 17:10 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 03/10] fs: tweak fsuidgid_has_mapping() Christian Brauner
2021-12-02 17:12 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 04/10] fs: account for filesystem mappings Christian Brauner
2021-12-02 17:13 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 05/10] docs: update mapping documentation Christian Brauner
2021-12-02 17:27 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 06/10] fs: use low-level mapping helpers Christian Brauner
2021-12-02 17:34 ` Seth Forshee [this message]
2021-11-30 12:10 ` [PATCH v2 07/10] fs: remove unused " Christian Brauner
2021-12-02 17:39 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 08/10] fs: port higher-level " Christian Brauner
2021-12-02 17:40 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 09/10] fs: add i_user_ns() helper Christian Brauner
2021-12-02 17:40 ` Seth Forshee
2021-11-30 12:10 ` [PATCH v2 10/10] fs: support mapped mounts of mapped filesystems Christian Brauner
2021-12-02 17:50 ` Seth Forshee
2021-12-02 19:20 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YakDuY2qLG7KiNF8@do-x1extreme \
--to=sforshee@digitalocean.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).