Re: [patch 00/13] vfs: add helpers to check r/o bind mounts

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Erez Zadok <ezk@cs.sunysb.edu>,
	Miklos Szeredi <miklos@szeredi.hu>,
	akpm@linux-foundation.org, torvalds@linux-foundation.org,
	dave@linux.vnet.ibm.com, mhalcrow@us.ibm.com,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [patch 00/13] vfs: add helpers to check r/o bind mounts
Date: Mon, 28 Apr 2008 17:53:13 -0400	[thread overview]
Message-ID: <20080428215313.GE28142@fieldses.org> (raw)
In-Reply-To: <20080424181332.GB5882@ZenIV.linux.org.uk>

On Thu, Apr 24, 2008 at 07:13:32PM +0100, Al Viro wrote:
> On Thu, Apr 24, 2008 at 01:29:49PM -0400, Erez Zadok wrote:
> > In message <20080424142857.GF15214@ZenIV.linux.org.uk>, Al Viro writes:
> > > On Thu, Apr 24, 2008 at 04:09:18PM +0200, Miklos Szeredi wrote:
> > [...]
> > > FWIW, I'm not all that happy about the way ecryptfs_interpose() is done,
> > > while we are at it.  We get the sucker opened by whoever steps on given
> > > place in the tree first, with subsequent operations done using the resulting
> > > struct file.  With fallback to r/o open.  What happens to somebody who
> > > tries to open it with enough permissions to do r/w?
> > 
> > Yes, ecryptfs_interpose() calls ecryptfs_init_persistent_file() which calls
> > dentry_open(O_RDWR).  What's the proposed solution for this in the face of
> > r/o vfsmounts?  How could ecryptfs avoid calling this dentry_open in the
> > first place?
> 
> Doesn't have anything to do with vfsmounts (you have one to deal with and
> if it's r/o, it's equivalent to just doing the entire thing on top of r/o
> fs; not interesting).
> 
> No, what I'm worried about is much simpler.  Look: we have a file on
> underlying fs, owned by root.root with 644 for permissions.  Comes a
> luser and tries to open the counterpart of that file in ecryptfs; that
> triggers ecryptfs_interpose() and attempts to open file.  Of course,
> that's going to fail - it's not world-writable.  So then it (actually
> ecryptfs_init_persistent_file()) falls back to opening with O_RDONLY.
> Which succeeds just fine and file (opened r/o) is set as ->lower_file.
> 
> Now comes root and tries to open the damn thing r/w.  It should be able
> to and if it came first it'd get it; as it is, what it gets is ->lower_file
> and that puppy is opened read-only and you have no guarantee that underlying
> fs will not go bonkers seeing write attempts on it (e.g. open for write
> doing a bit more setup of ->private_data, etc.).

This looks like the same ugly stuff that the nfsv4 server is currently
doing; see, e.g., fs/nfsd/nfs4state.c:nfs4_upgrade_open().

A concrete example of a bug (e.g., export FOOfs over nfsd, do an open
upgrade, watch the oops) would be great motivation to finally get this
fixed, if you know of such an example off the top of your head....

--b.

next prev parent reply	other threads:[~2008-04-28 21:54 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-04-24 11:39 [patch 00/13] vfs: add helpers to check r/o bind mounts Miklos Szeredi
2008-04-24 11:39 ` [patch 01/13] ecryptfs: add missing lock around notify_change Miklos Szeredi
2008-04-24 16:56   ` Erez Zadok
2008-04-24 17:09     ` Miklos Szeredi
2008-04-24 11:39 ` [patch 02/13] ecryptfs: clean up (un)lock_parent Miklos Szeredi
2008-04-24 11:39 ` [patch 03/13] nfsd: clean up mnt_want_write calls Miklos Szeredi
2008-04-24 11:39 ` [patch 04/13] vfs: add path_create() and path_mknod() Miklos Szeredi
2008-04-24 11:39 ` [patch 05/13] vfs: add path_mkdir() Miklos Szeredi
2008-04-24 11:39 ` [patch 06/13] vfs: add path_rmdir() Miklos Szeredi
2008-04-24 11:39 ` [patch 07/13] vfs: add path_unlink() Miklos Szeredi
2008-04-24 11:39 ` [patch 08/13] vfs: add path_symlink() Miklos Szeredi
2008-04-24 11:39 ` [patch 09/13] vfs: add path_link() Miklos Szeredi
2008-04-24 11:40 ` [patch 10/13] vfs: add path_rename() Miklos Szeredi
2008-04-24 11:40 ` [patch 11/13] vfs: add path_setattr() Miklos Szeredi
2008-04-24 11:40 ` [patch 12/13] vfs: add path_setxattr() Miklos Szeredi
2008-04-24 11:40 ` [patch 13/13] vfs: add path_removexattr() Miklos Szeredi
2008-04-24 12:42 ` [patch 00/13] vfs: add helpers to check r/o bind mounts Al Viro
2008-04-24 13:05   ` Miklos Szeredi
2008-04-24 13:48     ` Al Viro
2008-04-24 14:00       ` Al Viro
2008-04-24 14:16         ` Miklos Szeredi
2008-04-24 14:35           ` Al Viro
2008-04-24 14:42             ` Miklos Szeredi
2008-04-24 14:48               ` Al Viro
2008-04-24 14:58                 ` Miklos Szeredi
2008-04-24 15:21                   ` Al Viro
2008-04-24 15:37                     ` Miklos Szeredi
2008-04-24 15:59                       ` Al Viro
2008-04-24 16:16                         ` Miklos Szeredi
2008-04-28 10:15                           ` Miklos Szeredi
2008-04-28 14:20                             ` Michael Halcrow
2008-04-28 14:52                               ` Miklos Szeredi
2008-04-25  7:22                         ` Miklos Szeredi
2008-04-24 17:55                       ` Dave Hansen
2008-04-24 18:47                         ` Miklos Szeredi
2008-04-24 14:09       ` Miklos Szeredi
2008-04-24 14:28         ` Al Viro
2008-04-24 14:36           ` Miklos Szeredi
2008-04-24 14:44             ` Al Viro
2008-04-24 14:53               ` Miklos Szeredi
2008-04-24 15:12                 ` Al Viro
2008-04-24 15:18                   ` Miklos Szeredi
2008-04-24 15:38                     ` Al Viro
2008-04-24 15:43                       ` Miklos Szeredi
2008-04-24 17:29           ` Erez Zadok
2008-04-24 18:13             ` Al Viro
2008-04-24 19:40               ` Erez Zadok
2008-04-24 20:16                 ` Michael Halcrow
2008-04-24 22:39                   ` Erez Zadok
2008-04-24 23:33                     ` Michael Halcrow
2008-04-28 21:53               ` J. Bruce Fields [this message]
2008-04-24 17:25       ` Erez Zadok
2008-04-24 17:30         ` Al Viro
2008-04-24 19:56           ` Erez Zadok
2008-04-24 17:04   ` Erez Zadok
2008-04-24 16:52 ` Erez Zadok
2008-04-24 16:58   ` Miklos Szeredi
2008-04-24 17:14     ` Erez Zadok
2008-04-24 17:23       ` Miklos Szeredi
2008-05-01  5:40 ` Dave Hansen
2008-05-01  8:08   ` Miklos Szeredi
2008-05-01 16:40     ` Dave Hansen
2008-05-01 17:04       ` Miklos Szeredi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080428215313.GE28142@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=akpm@linux-foundation.org \
    --cc=dave@linux.vnet.ibm.com \
    --cc=ezk@cs.sunysb.edu \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhalcrow@us.ibm.com \
    --cc=miklos@szeredi.hu \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox