Received: by 10.213.65.68 with SMTP id h4csp1070428imn; Wed, 21 Mar 2018 01:40:17 -0700 (PDT) X-Google-Smtp-Source: AG47ELv8j15gynFSTbil+S+RsDlb8klD6iSHK8sKhthE1AM/Yt5SNcgKLfYmXcjw62Y3Iy6wTRrr X-Received: by 2002:a17:902:9:: with SMTP id 9-v6mr20548778pla.42.1521621617781; Wed, 21 Mar 2018 01:40:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521621617; cv=none; d=google.com; s=arc-20160816; b=Kh8XYTKzolBfhsflq7K6O5a2P6Wf7QB6MvgRoE01eiyQTVHznbnxy+JlEIZTexqtEV T0dkjWE/GbozgYc89zZCWRqjJeLhzHo9c9EV9yWSNqsRdIgK27K+poLsBhLBWcLof7uh vzImvgBc1cPfwdPF1un2jA/jyjMeZipSGifTijV5qPJmCFQCmj2aLkd6/UAJ0yKOVukN w0bK2PxbM/lbsPu24sZvO8xZxMM3pfFFkdJ6Z81L3/NeUQiiIX47Kk8o1sAdMUZLUHjy GpfVv13Njx3gWuPT3lFAe4ythgTLN84LjBCwfPFnum+rvviUtfJBxZ2blnhJwp8MuUYt 35Fw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:arc-authentication-results; bh=unGXGDMr12nKx5ZMAQbmFAkPk3NPJJJauWAP8tH5NLE=; b=gLc1+tjyFatMuF2EGF8OOmJFyEAHh6YySl3T57VIoN6KxxZME2v0Ael4lxy+tg3UvC ifr+Gz0oT4BXNZH+/lGOHdXgoC/eTG+BHMTAs9H4Qq0r46y0KKzRkyVKK0HZ0loaHzy7 VvGGYMwHnMx8UEHzLfb/9uepFaAOL0+gzsvhts51y+CtsMDy8atqFrE/viqhqcTPTDXv Uf6/gOdpbxlumSBgdZji9bD5xucQ6hcrnaU6qv1KObWZxkT1yxphV93Rhklm4XARBjMd 2LSPmBxTl3yhMjnkT0H9VIfEBO8tfWK5UTKfhvcw4z86Yhv6AmS/ZlvDNa9doa1Nl9RT /G8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2-v6si3461896plh.44.2018.03.21.01.40.03; Wed, 21 Mar 2018 01:40:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751824AbeCUIiw (ORCPT + 99 others); Wed, 21 Mar 2018 04:38:52 -0400 Received: from mail-ot0-f179.google.com ([74.125.82.179]:42302 "EHLO mail-ot0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751481AbeCUIir (ORCPT ); Wed, 21 Mar 2018 04:38:47 -0400 Received: by mail-ot0-f179.google.com with SMTP id v23-v6so4763131oth.9 for ; Wed, 21 Mar 2018 01:38:47 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=unGXGDMr12nKx5ZMAQbmFAkPk3NPJJJauWAP8tH5NLE=; b=EGVpLd/jqyR8ub9NNVlncXf2FWlLCdHm7sIdCKVZVvW7z8ZSEvxgFLHjmvmTvFpOjh u6Yj77UcNabtsDFgixPFwDlCUF8JaBMz+n1rWZWWjer3TM6CErU/aCvZPM2TzKZ/eV0y WfBJkgYSi+V8S9abP8oNI8Ozst8n0fde2t0PEKyOOyoTnU7sJBKMxU29zZ+PsKaZcXAa 6qwqohgeaJI87n1o2MYe5RxO25KH+wS+cV7ZIEvDr+C04cwzFYj9dDaQRCNDAXvZClCb q6yRdQKjaLskk39nrp0S0UEQUagVEAW+Swtp4Q8SFDQG9EISEz4ZLTnuLY/AoPOwaQj+ wFeQ== X-Gm-Message-State: AElRT7EvTGTZwFkB5s6MkOCXYuiqr/B45GtEC12U+RplQPz1/QMgQflE eKn2bGFkrSC5RMF6wscr2Zw/kwjeoNNOyJYBrbQFkg== X-Received: by 2002:a9d:38b2:: with SMTP id p47-v6mr5711761otc.171.1521621527252; Wed, 21 Mar 2018 01:38:47 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a9d:a65:0:0:0:0:0 with HTTP; Wed, 21 Mar 2018 01:38:46 -0700 (PDT) In-Reply-To: <87tvta38lu.fsf@xmission.com> References: <878tbmf5vl.fsf@xmission.com> <87po4rz4ui.fsf_-_@xmission.com> <87r2p287i8.fsf_-_@xmission.com> <87ina6ntx0.fsf_-_@xmission.com> <87tvta38lu.fsf@xmission.com> From: Miklos Szeredi Date: Wed, 21 Mar 2018 09:38:46 +0100 Message-ID: Subject: Re: [PATCH v9 0/4] fuse: mounts from non-init user namespaces To: "Eric W. Biederman" Cc: lkml , Linux Containers , linux-fsdevel , Alban Crequy , Seth Forshee , Sargun Dhillon , Dongsu Park , "Serge E. Hallyn" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 20, 2018 at 7:27 PM, Eric W. Biederman wrote: > Miklos Szeredi writes: >> I did just one modification to "fuse: Fail all requests with invalid >> uids or gids": instead of zeroing out the context for the nofail case, >> continue to use the "_munged" variants. I don't think this hurts and >> is better for backward compatibility (I guess the only relevant use >> would be for debugging output, but we don't want to regress even for >> that if not necessary) > > Hmm... > > The thing is the failure doesn't come in the difference between the > _munged and the normal variants. The difference between > munged and non-munged variants is how they handled failure ((uid16_t)-2) > aka 0xfffe for munged and -1 for the non-munged case. > > The failures are introduced by changing &init_user_ns to fc->user_ns. Right. > The operations in question are iop->flush and fuse_force_forget (on an > error). I don't know what value having ids on those paths will do > they are operations that must succeed, and they should not change the > on-disk ids. I was thinking saying the most privileged id was asking > for the oepration would seem to make sense. I don't think anybody should actually *care* about the id's in flush, but I'd still not change the current behavior for change's sake. > > With the munged variants we will get (uid16_t)-2 aka 0xfffe aka > nobody asking for the operation if things don't map. In practice > the don't map case is new. > > Since the id's should not be looked at anyway I don't see it makes > much difference which ids we use so the munged case seems at least > plausible. > > It might be better to use the non-munghed variant and do: > if (req->in.h.uid == (uid_t)-1) > req.in.h.uid = 0; > if (req->in.h.gid == (gid_t)-1) > req.in.h.gid = 0; > > That might be less surprising to userspace. As I don't think the > unmapped case has ever occurred in practice yet. Right, that would work too, but I don't think it actually matters, so unless you can think of an actual security issue arising from using the munged variants, I'd just leave it as it is. Thanks, Miklos