[PATCH 0/4] xfs: Allow user to change project id in un-init userns

[PATCH 0/4] xfs: Allow user to change project id in un-init userns

[Gao feng]

This patchset add two helper functions to convert user space project id
to kernel space project id without any struct changed.

Since the projid_map of user namespace has limit the range of valid project
ids for user namespace, we can safely allow user to change file's project
id in un-init user namespace.

Gao feng (4):
  xfs: add helper function to convert project id between user and kernel
    space
  userns: ioctl: convert project id between user and kernel space
  xfs: allow un-init user namespace to change file's project id
  userns: eofblocks: convert project id from user to kernel space

 fs/xfs/xfs_icache.h |  9 ++++++++-
 fs/xfs/xfs_ioctl.c  | 26 ++++++++++++--------------
 fs/xfs/xfs_linux.h  | 19 +++++++++++++++++++
 3 files changed, 39 insertions(+), 15 deletions(-)

-- 
1.8.3.1

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[PATCH 1/4] xfs: add helper function to convert project id between user and kernel space

[Gao feng]

Create two helper functions to convert project id between
user and kernel space.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 fs/xfs/xfs_linux.h | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
index f9bb590..cc9cc5b 100644
--- a/fs/xfs/xfs_linux.h
+++ b/fs/xfs/xfs_linux.h
@@ -215,6 +215,25 @@ static inline kgid_t xfs_gid_to_kgid(__uint32_t gid)
 	return make_kgid(&init_user_ns, gid);
 }
 
+static inline int
+xfs_convert_to_kernel_projid(__uint32_t prid, prid_t *kprid)
+{
+	kprojid_t kprojid = make_kprojid(current_user_ns(), prid);
+	if (!projid_valid(kprojid))
+		return -1;
+
+	*kprid = from_kprojid(&init_user_ns, kprojid);
+	return 0;
+}
+
+static inline __uint32_t
+xfs_convert_to_user_projid(prid_t kprid)
+{
+	kprojid_t kprojid = make_kprojid(&init_user_ns, kprid);
+
+	return from_kprojid(current_user_ns(), kprojid);
+}
+
 /*
  * Various platform dependent calls that don't fit anywhere else
  */
-- 
1.8.3.1

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[PATCH 2/4] userns: ioctl: convert project id between user and kernel space

[Gao feng]

User namespace use /proc/<pid>/projid_map to map the project ids
in user namespace to the global project ids.

This patch adds the conversion of xfs proj_t to the global project
id struct kprojid_t, and adds the validating check.

User in un-init user namespace can only change file's project id
to the specified ids which are configured in projid_map of userns.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 fs/xfs/xfs_ioctl.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index bdebc21..8db622f 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -855,7 +855,7 @@ xfs_ioc_fsgetxattr(
 	xfs_ilock(ip, XFS_ILOCK_SHARED);
 	fa.fsx_xflags = xfs_ip2xflags(ip);
 	fa.fsx_extsize = ip->i_d.di_extsize << ip->i_mount->m_sb.sb_blocklog;
-	fa.fsx_projid = xfs_get_projid(ip);
+	fa.fsx_projid = xfs_convert_to_user_projid(xfs_get_projid(ip));
 
 	if (attr) {
 		if (ip->i_afp) {
@@ -965,6 +965,7 @@ xfs_ioctl_setattr(
 	struct xfs_dquot	*pdqp = NULL;
 	struct xfs_dquot	*olddquot = NULL;
 	int			code;
+	prid_t			projid = 0;
 
 	trace_xfs_ioctl_setattr(ip);
 
@@ -976,9 +977,12 @@ xfs_ioctl_setattr(
 	/*
 	 * Disallow 32bit project ids when projid32bit feature is not enabled.
 	 */
-	if ((mask & FSX_PROJID) && (fa->fsx_projid > (__uint16_t)-1) &&
-			!xfs_sb_version_hasprojid32bit(&ip->i_mount->m_sb))
-		return XFS_ERROR(EINVAL);
+	if ((mask & FSX_PROJID)) {
+		if ((xfs_convert_to_kernel_projid(fa->fsx_projid, &projid) < 0) ||
+		    ((projid > (__uint16_t)-1) &&
+		     !xfs_sb_version_hasprojid32bit(&ip->i_mount->m_sb)))
+			return XFS_ERROR(EINVAL);
+	}
 
 	/*
 	 * If disk quotas is on, we make sure that the dquots do exist on disk,
@@ -990,7 +994,7 @@ xfs_ioctl_setattr(
 	 */
 	if (XFS_IS_QUOTA_ON(mp) && (mask & FSX_PROJID)) {
 		code = xfs_qm_vop_dqalloc(ip, ip->i_d.di_uid,
-					 ip->i_d.di_gid, fa->fsx_projid,
+					 ip->i_d.di_gid, projid,
 					 XFS_QMOPT_PQUOTA, &udqp, NULL, &pdqp);
 		if (code)
 			return code;
@@ -1033,7 +1037,7 @@ xfs_ioctl_setattr(
 
 		if (XFS_IS_QUOTA_RUNNING(mp) &&
 		    XFS_IS_PQUOTA_ON(mp) &&
-		    xfs_get_projid(ip) != fa->fsx_projid) {
+		    xfs_get_projid(ip) != projid) {
 			ASSERT(tp);
 			code = xfs_qm_vop_chown_reserve(tp, ip, udqp, NULL,
 						pdqp, capable(CAP_FOWNER) ?
@@ -1151,12 +1155,12 @@ xfs_ioctl_setattr(
 		 * Change the ownerships and register quota modifications
 		 * in the transaction.
 		 */
-		if (xfs_get_projid(ip) != fa->fsx_projid) {
+		if (xfs_get_projid(ip) != projid) {
 			if (XFS_IS_QUOTA_RUNNING(mp) && XFS_IS_PQUOTA_ON(mp)) {
 				olddquot = xfs_qm_vop_chown(tp, ip,
 							&ip->i_pdquot, pdqp);
 			}
-			xfs_set_projid(ip, fa->fsx_projid);
+			xfs_set_projid(ip, projid);
 
 			/*
 			 * We may have to rev the inode as well as
-- 
1.8.3.1

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[PATCH 3/4] xfs: allow un-init user namespace to change file's project id

[Gao feng]

We already make sure un-init user namespace can only change
project id to the ids we allowd. changing project id of files
in un-init user namespace is under control. it's safe to allow
un-init user namespace to change files' project id.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 fs/xfs/xfs_ioctl.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 8db622f..b4e1741 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1026,14 +1026,8 @@ xfs_ioctl_setattr(
 
 	/*
 	 * Do a quota reservation only if projid is actually going to change.
-	 * Only allow changing of projid from init_user_ns since it is a
-	 * non user namespace aware identifier.
 	 */
 	if (mask & FSX_PROJID) {
-		if (current_user_ns() != &init_user_ns) {
-			code = XFS_ERROR(EINVAL);
-			goto error_return;
-		}
 
 		if (XFS_IS_QUOTA_RUNNING(mp) &&
 		    XFS_IS_PQUOTA_ON(mp) &&
-- 
1.8.3.1

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[PATCH 4/4] userns: eofblocks: convert project id from user to kernel space

[Gao feng]

Convert project id from user to kernel space in
xfs_fs_eofblocks_from_user.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 fs/xfs/xfs_icache.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_icache.h b/fs/xfs/xfs_icache.h
index 8a89f7d..aeedfc8 100644
--- a/fs/xfs/xfs_icache.h
+++ b/fs/xfs/xfs_icache.h
@@ -80,7 +80,6 @@ xfs_fs_eofblocks_from_user(
 		return EINVAL;
 
 	dst->eof_flags = src->eof_flags;
-	dst->eof_prid = src->eof_prid;
 	dst->eof_min_file_size = src->eof_min_file_size;
 
 	dst->eof_uid = INVALID_UID;
@@ -96,6 +95,14 @@ xfs_fs_eofblocks_from_user(
 		if (!gid_valid(dst->eof_gid))
 			return EINVAL;
 	}
+
+	dst->eof_prid = src->eof_prid;
+	if (src->eof_flags & XFS_EOF_FLAGS_PRID) {
+		if (xfs_convert_to_kernel_projid(src->eof_prid,
+						 &dst->eof_prid) < 0)
+			return EINVAL;
+	}
+
 	return 0;
 }
 
-- 
1.8.3.1

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH 0/4] xfs: Allow user to change project id in un-init userns

[Dave Chinner]

On Wed, Sep 04, 2013 at 02:38:33PM +0800, Gao feng wrote:
> This patchset add two helper functions to convert user space project id
> to kernel space project id without any struct changed.
> 
> Since the projid_map of user namespace has limit the range of valid project
> ids for user namespace, we can safely allow user to change file's project
> id in un-init user namespace.

This doesn't address any of the concerns about whether access to
project IDs are valid in a user namaspacee environment.

Project IDs are not the same as UIDs and GIDs. They got included in
all the mapping stuff because of the fact that they are used for
quotas, but the fact is that they are not a property owned by a user
or a group or control access.

IOWs, project IDs are an *accounting* construct rather than an
*access control mechanism* If project IDs are being used by the
system administrators for accounting the space used by a *mount
namespace* container, then they must not be modifiable by a user
in a user namespace.

This is a fundamentally different use case from UID/GID mapping,
because there is no possible competing access for on-disk uid/gid
fields possible from the initns like there is for project quotas.
IOWs, project quota IDs are not owned by a namespace, and so mapping
them like we do for UID/GID is not clearly the right solution for
everyone.

So, there's a bigger policy issue here that needs to be decided
first. i.e. whether project quotas and therefore project IDs should
be accessible to users inside a user namespace.

If we decide to make it optional so that a system administrator can
chose whether project IDs are to be mapped via the userns mapping
infrastructure, then we need some kind of infrastructure to support
and enforce that first.

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH 0/4] xfs: Allow user to change project id in un-init userns

[Dave Chinner]

On Fri, Sep 06, 2013 at 11:30:33AM +1000, Dave Chinner wrote:
> On Wed, Sep 04, 2013 at 02:38:33PM +0800, Gao feng wrote:
> > This patchset add two helper functions to convert user space project id
> > to kernel space project id without any struct changed.
> > 
> > Since the projid_map of user namespace has limit the range of valid project
> > ids for user namespace, we can safely allow user to change file's project
> > id in un-init user namespace.
> 
> This doesn't address any of the concerns about whether access to
> project IDs are valid in a user namaspacee environment.
> 
> Project IDs are not the same as UIDs and GIDs. They got included in
> all the mapping stuff because of the fact that they are used for
> quotas, but the fact is that they are not a property owned by a user
> or a group or control access.
> 
> IOWs, project IDs are an *accounting* construct rather than an
> *access control mechanism* If project IDs are being used by the
> system administrators for accounting the space used by a *mount
> namespace* container, then they must not be modifiable by a user
> in a user namespace.
> 
> This is a fundamentally different use case from UID/GID mapping,
> because there is no possible competing access for on-disk uid/gid
> fields possible from the initns like there is for project quotas.
> IOWs, project quota IDs are not owned by a namespace, and so mapping
> them like we do for UID/GID is not clearly the right solution for
> everyone.
> 
> So, there's a bigger policy issue here that needs to be decided
> first. i.e. whether project quotas and therefore project IDs should
> be accessible to users inside a user namespace.
> 
> If we decide to make it optional so that a system administrator can
> chose whether project IDs are to be mapped via the userns mapping
> infrastructure, then we need some kind of infrastructure to support
> and enforce that first.

BTW, if we are making project IDs mapped to userns, stuff like
XFS_PROJID_DEFAULT and project ID inheritence need work as well...

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH 0/4] xfs: Allow user to change project id in un-init userns

[Gao feng]

On 09/10/2013 08:42 AM, Dave Chinner wrote:
> On Fri, Sep 06, 2013 at 11:30:33AM +1000, Dave Chinner wrote:
>> On Wed, Sep 04, 2013 at 02:38:33PM +0800, Gao feng wrote:
>>> This patchset add two helper functions to convert user space project id
>>> to kernel space project id without any struct changed.
>>>
>>> Since the projid_map of user namespace has limit the range of valid project
>>> ids for user namespace, we can safely allow user to change file's project
>>> id in un-init user namespace.
>>
>> This doesn't address any of the concerns about whether access to
>> project IDs are valid in a user namaspacee environment.
>>
>> Project IDs are not the same as UIDs and GIDs. They got included in
>> all the mapping stuff because of the fact that they are used for
>> quotas, but the fact is that they are not a property owned by a user
>> or a group or control access.
>>
>> IOWs, project IDs are an *accounting* construct rather than an
>> *access control mechanism* If project IDs are being used by the
>> system administrators for accounting the space used by a *mount
>> namespace* container, then they must not be modifiable by a user
>> in a user namespace.
>>
>> This is a fundamentally different use case from UID/GID mapping,
>> because there is no possible competing access for on-disk uid/gid
>> fields possible from the initns like there is for project quotas.
>> IOWs, project quota IDs are not owned by a namespace, and so mapping
>> them like we do for UID/GID is not clearly the right solution for
>> everyone.
>>
>> So, there's a bigger policy issue here that needs to be decided
>> first. i.e. whether project quotas and therefore project IDs should
>> be accessible to users inside a user namespace.
>>
>> If we decide to make it optional so that a system administrator can
>> chose whether project IDs are to be mapped via the userns mapping
>> infrastructure, then we need some kind of infrastructure to support
>> and enforce that first.
> 
> BTW, if we are making project IDs mapped to userns, stuff like
> XFS_PROJID_DEFAULT and project ID inheritence need work as well...
> 


Yes, let's make it simple, if we find some cases that we have to make
project IDs mapped to userns, let's restart this work :)

Thanks

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs