From: "Eric W. Biederman"
To: Miklos Szeredi
Cc: linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, Alban Crequy, Seth Forshee, Sargun Dhillon, Dongsu Park, "Serge E. Hallyn", Linus Torvalds, "Eric W. Biederman"
Date: Fri, 2 Mar 2018 15:59:19 -0600
Message-Id: <20180302215919.27207-6-ebiederm@xmission.com>
In-Reply-To: <87r2p287i8.fsf_-_@xmission.com>
References: <87r2p287i8.fsf_-_@xmission.com>
Subject: [PATCH v8 6/6] fuse: Restrict allow_other to the superblock's namespace or a descendant

From: Seth Forshee

Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the unprivileged user the ability to manipulate processes it would otherwise be unable to manipulate. Restrict allow_other to apply to users in the same userns used at mount or a descendant of that namespace. Also export current_in_userns() for use by fuse when built as a module.

Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: "Eric W. Biederman"
Cc: Serge Hallyn
Cc: Miklos Szeredi
Acked-by: Miklos Szeredi
Reviewed-by: Serge Hallyn
Reviewed-by: "Eric W. Biederman"
Signed-off-by: Seth Forshee
Signed-off-by: Dongsu Park
Signed-off-by: Eric W. Biederman
--- fs/fuse/dir.c | 2 +- kernel/user_namespace.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index c749a4bd4ea3..5461b63bb2a4 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1030,7 +1030,7 @@ int fuse_allow_current_process(struct fuse_conn *fc) const struct cred *cred; if (fc->allow_other) - return 1; + return current_in_userns(fc->user_ns); cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) && diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 246d4d4ce5c7..492c255e6c5a 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -1235,6 +1235,7 @@ bool current_in_userns(const struct user_namespace *target_ns) { return in_userns(target_ns, current_user_ns()); } +EXPORT_SYMBOL(current_in_userns); static inline struct user_namespace *to_user_ns(struct ns_common *ns) { -- 2.14.1
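
Review bot: The changed return in the `if (fc->allow_other)` branch of fuse_allow_current_process() (fs/fuse/dir.c) has no comment, although it turns allow_other from an unconditional grant into a namespace check. A short comment above `return current_in_userns(fc->user_ns);` stating that allow_other only covers tasks in the mount's user namespace or a descendant would keep the reasoning from the commit message next to the code. The branch also reads fc->user_ns unconditionally, so it is worth confirming that the field is set for every fuse_conn before this path can run. The diffstat lists only fs/fuse/dir.c and kernel/user_namespace.c, so any existing description of the allow_other mount option is not updated by this patch and would need the same caveat.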
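
Review bot: `EXPORT_SYMBOL(current_in_userns);` in kernel/user_namespace.c exposes the helper to every module, while the commit message names fuse as the only user; consider `EXPORT_SYMBOL_GPL(current_in_userns);` unless a non-GPL consumer is intended. Now that the function is reachable from modules, a kernel-doc comment above current_in_userns() saying that it returns true when the current task's user namespace is target_ns or a descendant of it would help callers use it correctly.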