From: Christian Brauner <brauner@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v3 14/29] acl: add vfs_set_acl()
Date: Thu, 29 Sep 2022 11:01:33 +0200 [thread overview]
Message-ID: <20220929090133.2pfff6ewdjsnbvot@wittgenstein> (raw)
In-Reply-To: <20220929082554.5rclj4ioo37qg254@wittgenstein>
On Thu, Sep 29, 2022 at 10:25:59AM +0200, Christian Brauner wrote:
> On Thu, Sep 29, 2022 at 10:17:27AM +0200, Christoph Hellwig wrote:
> > > +EXPORT_SYMBOL(vfs_set_acl);
> >
> > I think all this stackable file system infrastucture should be
> > EXPORT_SYMBOL_GPL, like a lot of the other internal stuff.
>
> Ok, sounds good.
>
> >
> > > +int xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
> > > + const char *name, int mask)
> >
> > Hmm. The only think ACLs actually need from xattr_permission are
> > the immutable / append check and the HAS_UNMAPPED_ID one. I'd rather
> > open code that, or if you cane come up with a sane name do a smaller
> > helper rather than doing all the strcmp on the prefixes for now
> > good reason.
>
> I'll see if a little helper makes more sense than open-coding.
So I've added - which is then used in vfs_{set,remove}_acl():
commit 6ae39d028cb6990d69a7ec27386fc1bb7b1f3e3b
Author: Christian Brauner <brauner@kernel.org>
AuthorDate: Thu Sep 29 10:47:36 2022 +0200
Commit: Christian Brauner (Microsoft) <brauner@kernel.org>
CommitDate: Thu Sep 29 10:59:27 2022 +0200
internal: add may_write_xattr()
Split out the generic checks whether an inode allows writing xattrs. Since
security.* and system.* xattrs don't have any restrictions and we're going
to split out posix acls into a dedicated api we will use this helper to
check whether we can write posix acls.
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Notes:
To: linux-fsdevel@vger.kernel.org
Cc: Seth Forshee <sforshee@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-security-module@vger.kernel.org
/* v2 */
patch not present
/* v3 */
patch not present
/* v4 */
Christoph Hellwig <hch@lst.de>:
- Split out checks whether an inode can have xattrs written to into a helper.
diff --git a/fs/internal.h b/fs/internal.h
index 87e96b9024ce..a95b1500ed65 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -221,3 +221,4 @@ ssize_t do_getxattr(struct user_namespace *mnt_userns,
int setxattr_copy(const char __user *name, struct xattr_ctx *ctx);
int do_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
struct xattr_ctx *ctx);
+int may_write_xattr(struct user_namespace *mnt_userns, struct inode *inode);
diff --git a/fs/xattr.c b/fs/xattr.c
index 61107b6bbed2..57148c207545 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -80,6 +80,28 @@ xattr_resolve_name(struct inode *inode, const char **name)
return ERR_PTR(-EOPNOTSUPP);
}
+/**
+ * may_write_xattr - check whether inode allows writing xattr
+ * @mnt_userns: User namespace of the mount the inode was found from
+ * @inode: the inode on which to set an xattr
+ *
+ * Check whether the inode allows writing xattrs. Specifically, we can never
+ * set or remove an extended attribute on a read-only filesystem or on an
+ * immutable / append-only inode.
+ *
+ * We also need to ensure that the inode has a mapping in the mount to
+ * not risk writing back invalid i_{g,u}id values.
+ *
+ * Return: On success zero is returned. On error a negative errno is returned.
+ */
+int may_write_xattr(struct user_namespace *mnt_userns, struct inode *inode)
+{
+ if (IS_IMMUTABLE(inode) || IS_APPEND(inode) ||
+ HAS_UNMAPPED_ID(mnt_userns, inode))
+ return -EPERM;
+ return 0;
+}
+
/*
* Check permissions for extended attribute access. This is a bit complicated
* because different namespaces have very different rules.
@@ -88,20 +110,12 @@ static int
xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
const char *name, int mask)
{
- /*
- * We can never set or remove an extended attribute on a read-only
- * filesystem or on an immutable / append-only inode.
- */
if (mask & MAY_WRITE) {
- if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
- return -EPERM;
- /*
- * Updating an xattr will likely cause i_uid and i_gid
- * to be writen back improperly if their true value is
- * unknown to the vfs.
- */
- if (HAS_UNMAPPED_ID(mnt_userns, inode))
- return -EPERM;
+ int ret;
+
+ ret = may_write_xattr(mnt_userns, inode);
+ if (ret)
+ return ret;
}
/*
next prev parent reply other threads:[~2022-09-29 9:01 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-28 16:08 [PATCH v3 00/29] acl: add vfs posix acl api Christian Brauner
2022-09-28 16:08 ` [PATCH v3 01/29] orangefs: rework posix acl handling when creating new filesystem objects Christian Brauner
2022-09-29 7:50 ` Christoph Hellwig
2022-09-28 16:08 ` [PATCH v3 02/29] fs: pass dentry to set acl method Christian Brauner
2022-09-29 7:51 ` Christoph Hellwig
2022-09-29 7:57 ` Christian Brauner
2022-09-28 16:08 ` [PATCH v3 03/29] fs: rename current get " Christian Brauner
2022-09-29 8:12 ` Christoph Hellwig
2022-09-29 9:16 ` Christian Brauner
2022-09-28 16:08 ` [PATCH v3 04/29] fs: add new " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 05/29] cifs: implement " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 06/29] cifs: implement set " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 07/29] 9p: implement get " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 08/29] 9p: implement set " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 09/29] security: add get, remove and set acl hook Christian Brauner
2022-09-28 16:08 ` [PATCH v3 10/29] selinux: implement get, set and remove " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 11/29] smack: " Christian Brauner
2022-09-28 16:34 ` Casey Schaufler
2022-09-28 16:08 ` [PATCH v3 12/29] integrity: implement get and set " Christian Brauner
2022-09-29 23:25 ` Mimi Zohar
2022-09-30 8:35 ` Christian Brauner
2022-09-28 16:08 ` [PATCH v3 13/29] evm: add post " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 14/29] acl: add vfs_set_acl() Christian Brauner
2022-09-29 8:17 ` Christoph Hellwig
2022-09-29 8:25 ` Christian Brauner
2022-09-29 9:01 ` Christian Brauner [this message]
2022-09-28 16:08 ` [PATCH v3 15/29] acl: add vfs_get_acl() Christian Brauner
2022-09-28 16:08 ` [PATCH v3 16/29] acl: add vfs_remove_acl() Christian Brauner
2022-09-28 16:08 ` [PATCH v3 17/29] ksmbd: use vfs_remove_acl() Christian Brauner
2022-09-28 16:08 ` [PATCH v3 18/29] ecryptfs: implement get acl method Christian Brauner
2022-09-28 16:08 ` [PATCH v3 19/29] ecryptfs: implement set " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 20/29] ovl: implement get " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 21/29] ovl: implement set " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 22/29] ovl: use posix acl api Christian Brauner
2022-09-28 16:08 ` [PATCH v3 23/29] xattr: " Christian Brauner
2022-09-29 8:25 ` Christoph Hellwig
2022-09-29 9:10 ` Christian Brauner
2022-09-29 9:46 ` Christian Brauner
2022-09-29 10:51 ` Christoph Hellwig
2022-09-29 11:39 ` Christian Brauner
2022-09-28 16:08 ` [PATCH v3 24/29] evm: remove evm_xattr_acl_change() Christian Brauner
2022-09-28 16:08 ` [PATCH v3 25/29] ecryptfs: use stub posix acl handlers Christian Brauner
2022-09-28 16:08 ` [PATCH v3 26/29] ovl: " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 27/29] cifs: " Christian Brauner
2022-09-29 7:56 ` Christian Brauner
2022-09-28 16:08 ` [PATCH v3 28/29] 9p: " Christian Brauner
2022-09-28 16:08 ` [PATCH v3 29/29] acl: remove a slew of now unused helpers Christian Brauner
2022-09-29 8:25 ` Christoph Hellwig
2022-09-29 8:28 ` Christian Brauner
2022-09-29 11:40 ` Christoph Hellwig
2022-09-29 13:10 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220929090133.2pfff6ewdjsnbvot@wittgenstein \
--to=brauner@kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sforshee@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox