Commit 28ba5876 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Thadeu Lima de Souza Cascardo

fs: Better permission checking for submounts

BugLink: http://bugs.launchpad.net/bugs/1649292

To support unprivileged users mounting filesystems two permission
checks have to be performed: a test to see if the user allowed to
create a mount in the mount namespace, and a test to see if
the user is allowed to access the specified filesystem.

The automount case is special in that mounting the original filesystem
grants permission to mount the sub-filesystems, to any user who
happens to stumble across the their mountpoint and satisfies the
ordinary filesystem permission checks.

Attempting to handle the automount case by using override_creds
almost works.  It preserves the idea that permission to mount
the original filesystem is permission to mount the sub-filesystem.
Unfortunately using override_creds messes up the filesystems
ordinary permission checks.

Solve this by being explicit that a mount is a submount by introducing
vfs_submount, and using it where appropriate.

vfs_submount uses a new mount internal mount flags MS_SUBMOUNT, to let
sget and friends know that a mount is a submount so they can take appropriate
action.

sget and sget_userns are modified to not perform any permission checks
on submounts.

follow_automount is modified to stop using override_creds as that
has proven problemantic.

do_mount is modified to always remove the new MS_SUBMOUNT flag so
that we know userspace will never by able to specify it.

autofs4 is modified to stop using current_real_cred that was put in
there to handle the previous version of submount permission checking.

cifs is modified to pass the mountpoint all of the way down to vfs_submount.

debugfs is modified to pass the mountpoint all of the way down to
trace_automount by adding a new parameter.  To make this change easier
a new typedef debugfs_automount_t is introduced to capture the type of
the debugfs automount function.

Cc: stable@vger.kernel.org
Fixes: 069d5ac9 ("autofs:  Fix automounts by using current_real_cred()->uid")
Fixes: aeaa4a79 ("fs: Call d_automount with the filesystems creds")
Reviewed-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
Reviewed-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
(backported from commit 93faccbb linux-next)
Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
Acked-by: default avatarTim Gardner <tim.gardner@canonical.com>
Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
parent c9636020
...@@ -202,7 +202,7 @@ static struct vfsmount *afs_mntpt_do_automount(struct dentry *mntpt) ...@@ -202,7 +202,7 @@ static struct vfsmount *afs_mntpt_do_automount(struct dentry *mntpt)
/* try and do the mount */ /* try and do the mount */
_debug("--- attempting mount %s -o %s ---", devname, options); _debug("--- attempting mount %s -o %s ---", devname, options);
mnt = vfs_kern_mount(&afs_fs_type, 0, devname, options); mnt = vfs_submount(mntpt, &afs_fs_type, devname, options);
_debug("--- mount result %p ---", mnt); _debug("--- mount result %p ---", mnt);
free_page((unsigned long) devname); free_page((unsigned long) devname);
......
...@@ -427,8 +427,8 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry, ...@@ -427,8 +427,8 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
memcpy(&wq->name, &qstr, sizeof(struct qstr)); memcpy(&wq->name, &qstr, sizeof(struct qstr));
wq->dev = autofs4_get_dev(sbi); wq->dev = autofs4_get_dev(sbi);
wq->ino = autofs4_get_ino(sbi); wq->ino = autofs4_get_ino(sbi);
wq->uid = current_real_cred()->uid; wq->uid = current_cred()->uid;
wq->gid = current_real_cred()->gid; wq->gid = current_cred()->gid;
wq->pid = pid; wq->pid = pid;
wq->tgid = tgid; wq->tgid = tgid;
wq->status = -EINTR; /* Status return if interrupted */ wq->status = -EINTR; /* Status return if interrupted */
......
...@@ -241,7 +241,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata, ...@@ -241,7 +241,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
* @fullpath: full path in UNC format * @fullpath: full path in UNC format
* @ref: server's referral * @ref: server's referral
*/ */
static struct vfsmount *cifs_dfs_do_refmount(struct cifs_sb_info *cifs_sb, static struct vfsmount *cifs_dfs_do_refmount(struct dentry *mntpt,
struct cifs_sb_info *cifs_sb,
const char *fullpath, const struct dfs_info3_param *ref) const char *fullpath, const struct dfs_info3_param *ref)
{ {
struct vfsmount *mnt; struct vfsmount *mnt;
...@@ -255,7 +256,7 @@ static struct vfsmount *cifs_dfs_do_refmount(struct cifs_sb_info *cifs_sb, ...@@ -255,7 +256,7 @@ static struct vfsmount *cifs_dfs_do_refmount(struct cifs_sb_info *cifs_sb,
if (IS_ERR(mountdata)) if (IS_ERR(mountdata))
return (struct vfsmount *)mountdata; return (struct vfsmount *)mountdata;
mnt = vfs_kern_mount(&cifs_fs_type, 0, devname, mountdata); mnt = vfs_submount(mntpt, &cifs_fs_type, devname, mountdata);
kfree(mountdata); kfree(mountdata);
kfree(devname); kfree(devname);
return mnt; return mnt;
...@@ -330,7 +331,7 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt) ...@@ -330,7 +331,7 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
mnt = ERR_PTR(-EINVAL); mnt = ERR_PTR(-EINVAL);
break; break;
} }
mnt = cifs_dfs_do_refmount(cifs_sb, mnt = cifs_dfs_do_refmount(mntpt, cifs_sb,
full_path, referrals + i); full_path, referrals + i);
cifs_dbg(FYI, "%s: cifs_dfs_do_refmount:%s , mnt:%p\n", cifs_dbg(FYI, "%s: cifs_dfs_do_refmount:%s , mnt:%p\n",
__func__, referrals[i].node_name, mnt); __func__, referrals[i].node_name, mnt);
......
...@@ -181,9 +181,9 @@ static const struct super_operations debugfs_super_operations = { ...@@ -181,9 +181,9 @@ static const struct super_operations debugfs_super_operations = {
static struct vfsmount *debugfs_automount(struct path *path) static struct vfsmount *debugfs_automount(struct path *path)
{ {
struct vfsmount *(*f)(void *); debugfs_automount_t f;
f = (struct vfsmount *(*)(void *))path->dentry->d_fsdata; f = (debugfs_automount_t)path->dentry->d_fsdata;
return f(d_inode(path->dentry)->i_private); return f(path->dentry, d_inode(path->dentry)->i_private);
} }
static const struct dentry_operations debugfs_dops = { static const struct dentry_operations debugfs_dops = {
...@@ -444,7 +444,7 @@ EXPORT_SYMBOL_GPL(debugfs_create_dir); ...@@ -444,7 +444,7 @@ EXPORT_SYMBOL_GPL(debugfs_create_dir);
*/ */
struct dentry *debugfs_create_automount(const char *name, struct dentry *debugfs_create_automount(const char *name,
struct dentry *parent, struct dentry *parent,
struct vfsmount *(*f)(void *), debugfs_automount_t f,
void *data) void *data)
{ {
struct dentry *dentry = start_creating(name, parent); struct dentry *dentry = start_creating(name, parent);
......
...@@ -1095,7 +1095,6 @@ static int follow_automount(struct path *path, struct nameidata *nd, ...@@ -1095,7 +1095,6 @@ static int follow_automount(struct path *path, struct nameidata *nd,
bool *need_mntput) bool *need_mntput)
{ {
struct vfsmount *mnt; struct vfsmount *mnt;
const struct cred *old_cred;
int err; int err;
if (!path->dentry->d_op || !path->dentry->d_op->d_automount) if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
...@@ -1124,9 +1123,7 @@ static int follow_automount(struct path *path, struct nameidata *nd, ...@@ -1124,9 +1123,7 @@ static int follow_automount(struct path *path, struct nameidata *nd,
if (nd->total_link_count >= 40) if (nd->total_link_count >= 40)
return -ELOOP; return -ELOOP;
old_cred = override_creds(&init_cred);
mnt = path->dentry->d_op->d_automount(path); mnt = path->dentry->d_op->d_automount(path);
revert_creds(old_cred);
if (IS_ERR(mnt)) { if (IS_ERR(mnt)) {
/* /*
* The filesystem is allowed to return -EISDIR here to indicate * The filesystem is allowed to return -EISDIR here to indicate
......
...@@ -994,6 +994,21 @@ vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void ...@@ -994,6 +994,21 @@ vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void
} }
EXPORT_SYMBOL_GPL(vfs_kern_mount); EXPORT_SYMBOL_GPL(vfs_kern_mount);
struct vfsmount *
vfs_submount(const struct dentry *mountpoint, struct file_system_type *type,
const char *name, void *data)
{
/* Until it is worked out how to pass the user namespace
* through from the parent mount to the submount don't support
* unprivileged mounts with submounts.
*/
if (mountpoint->d_sb->s_user_ns != &init_user_ns)
return ERR_PTR(-EPERM);
return vfs_kern_mount(type, MS_SUBMOUNT, name, data);
}
EXPORT_SYMBOL_GPL(vfs_submount);
static struct mount *clone_mnt(struct mount *old, struct dentry *root, static struct mount *clone_mnt(struct mount *old, struct dentry *root,
int flag) int flag)
{ {
...@@ -2783,7 +2798,7 @@ long do_mount(const char *dev_name, const char __user *dir_name, ...@@ -2783,7 +2798,7 @@ long do_mount(const char *dev_name, const char __user *dir_name,
flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN | flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
MS_STRICTATIME); MS_STRICTATIME | MS_SUBMOUNT);
if (flags & MS_REMOUNT) if (flags & MS_REMOUNT)
retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
......
...@@ -226,7 +226,7 @@ static struct vfsmount *nfs_do_clone_mount(struct nfs_server *server, ...@@ -226,7 +226,7 @@ static struct vfsmount *nfs_do_clone_mount(struct nfs_server *server,
const char *devname, const char *devname,
struct nfs_clone_mount *mountdata) struct nfs_clone_mount *mountdata)
{ {
return vfs_kern_mount(&nfs_xdev_fs_type, 0, devname, mountdata); return vfs_submount(mountdata->dentry, &nfs_xdev_fs_type, devname, mountdata);
} }
/** /**
......
...@@ -279,7 +279,7 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata, ...@@ -279,7 +279,7 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata,
mountdata->hostname, mountdata->hostname,
mountdata->mnt_path); mountdata->mnt_path);
mnt = vfs_kern_mount(&nfs4_referral_fs_type, 0, page, mountdata); mnt = vfs_submount(mountdata->dentry, &nfs4_referral_fs_type, page, mountdata);
if (!IS_ERR(mnt)) if (!IS_ERR(mnt))
break; break;
} }
......
...@@ -466,7 +466,7 @@ struct super_block *sget_userns(struct file_system_type *type, ...@@ -466,7 +466,7 @@ struct super_block *sget_userns(struct file_system_type *type,
struct super_block *old; struct super_block *old;
int err; int err;
if (!(flags & MS_KERNMOUNT) && if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
!(type->fs_flags & FS_USERNS_MOUNT) && !(type->fs_flags & FS_USERNS_MOUNT) &&
!capable(CAP_SYS_ADMIN)) !capable(CAP_SYS_ADMIN))
return ERR_PTR(-EPERM); return ERR_PTR(-EPERM);
...@@ -496,7 +496,7 @@ struct super_block *sget_userns(struct file_system_type *type, ...@@ -496,7 +496,7 @@ struct super_block *sget_userns(struct file_system_type *type,
} }
if (!s) { if (!s) {
spin_unlock(&sb_lock); spin_unlock(&sb_lock);
s = alloc_super(type, flags, user_ns); s = alloc_super(type, (flags & ~MS_SUBMOUNT), user_ns);
if (!s) if (!s)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
goto retry; goto retry;
...@@ -537,8 +537,15 @@ struct super_block *sget(struct file_system_type *type, ...@@ -537,8 +537,15 @@ struct super_block *sget(struct file_system_type *type,
{ {
struct user_namespace *user_ns = current_user_ns(); struct user_namespace *user_ns = current_user_ns();
/* We don't yet pass the user namespace of the parent
* mount through to here so always use &init_user_ns
* until that changes.
*/
if (flags & MS_SUBMOUNT)
user_ns = &init_user_ns;
/* Ensure the requestor has permissions over the target filesystem */ /* Ensure the requestor has permissions over the target filesystem */
if (!(flags & MS_KERNMOUNT) && !ns_capable(user_ns, CAP_SYS_ADMIN)) if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
return ERR_PTR(-EPERM); return ERR_PTR(-EPERM);
return sget_userns(type, test, set, flags, user_ns, data); return sget_userns(type, test, set, flags, user_ns, data);
......
...@@ -60,9 +60,10 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent); ...@@ -60,9 +60,10 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent);
struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
const char *dest); const char *dest);
typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
struct dentry *debugfs_create_automount(const char *name, struct dentry *debugfs_create_automount(const char *name,
struct dentry *parent, struct dentry *parent,
struct vfsmount *(*f)(void *), debugfs_automount_t f,
void *data); void *data);
void debugfs_remove(struct dentry *dentry); void debugfs_remove(struct dentry *dentry);
......
...@@ -90,6 +90,9 @@ struct file_system_type; ...@@ -90,6 +90,9 @@ struct file_system_type;
extern struct vfsmount *vfs_kern_mount(struct file_system_type *type, extern struct vfsmount *vfs_kern_mount(struct file_system_type *type,
int flags, const char *name, int flags, const char *name,
void *data); void *data);
extern struct vfsmount *vfs_submount(const struct dentry *mountpoint,
struct file_system_type *type,
const char *name, void *data);
extern void mnt_set_expiry(struct vfsmount *mnt, struct list_head *expiry_list); extern void mnt_set_expiry(struct vfsmount *mnt, struct list_head *expiry_list);
extern void mark_mounts_for_expiry(struct list_head *mounts); extern void mark_mounts_for_expiry(struct list_head *mounts);
......
...@@ -93,6 +93,7 @@ struct inodes_stat_t { ...@@ -93,6 +93,7 @@ struct inodes_stat_t {
#define MS_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */ #define MS_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */
/* These sb flags are internal to the kernel */ /* These sb flags are internal to the kernel */
#define MS_SUBMOUNT (1<<26)
#define MS_NOSEC (1<<28) #define MS_NOSEC (1<<28)
#define MS_BORN (1<<29) #define MS_BORN (1<<29)
#define MS_ACTIVE (1<<30) #define MS_ACTIVE (1<<30)
......
...@@ -6816,7 +6816,7 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer) ...@@ -6816,7 +6816,7 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer)
} }
static struct vfsmount *trace_automount(void *ingore) static struct vfsmount *trace_automount(struct dentry *mntpt, void *ingore)
{ {
struct vfsmount *mnt; struct vfsmount *mnt;
struct file_system_type *type; struct file_system_type *type;
...@@ -6829,7 +6829,7 @@ static struct vfsmount *trace_automount(void *ingore) ...@@ -6829,7 +6829,7 @@ static struct vfsmount *trace_automount(void *ingore)
type = get_fs_type("tracefs"); type = get_fs_type("tracefs");
if (!type) if (!type)
return NULL; return NULL;
mnt = vfs_kern_mount(type, 0, "tracefs", NULL); mnt = vfs_submount(mntpt, type, "tracefs", NULL);
put_filesystem(type); put_filesystem(type);
if (IS_ERR(mnt)) if (IS_ERR(mnt))
return NULL; return NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment