From: ebiederm@xmission.com (Eric W. Biederman)
To: David Howells
Cc: viro@zeniv.linux.org.uk, linux-api@vger.kernel.org, torvalds@linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 28/33] vfs: syscall: Add fsconfig() for configuring and managing a context [ver #11]
Date: Mon, 06 Aug 2018 12:28:47 -0500
Message-ID: <87in4n9zg0.fsf@xmission.com>
In-Reply-To: <153313723557.13253.9055982745313603422.stgit@warthog.procyon.org.uk> (David Howells's message of "Wed, 01 Aug 2018 16:27:15 +0100")
References: <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk> <153313723557.13253.9055982745313603422.stgit@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

David Howells writes:

>
> (*) FSCONFIG_CMD_CREATE: Trigger superblock creation.
>
> (*) FSCONFIG_CMD_RECONFIGURE: Trigger superblock reconfiguration.
>

First let me thank you for adding both FSCONFIG_CMD_CREATE and FSCONFIG_CMD_RECONFIGURE.

Unfortunately the implementation is currently broken. So this patch gets my:

This is broken in two specific ways.

1) FSCONFIG_CMD_RECONFIGURE always returns -EOPNOTSUPPORTED. So it is useless.

2) FSCONFIG_CMD_CREATE will succeed even if the superblock already exists and it can not use all of the superblock parameters.
This happens because vfs_get_super will only call fill_super if the super block is created. Which is reasonable on the face of it. But in practice this introduces security problems.

a) Either through reconfiguring a shared super block you did not realize was shared (as we saw with devpts).

b) Mounting a super block and not honoring its mount options because something has already mounted it. As we see today with proc.

Leaving userspace to think the filesystem will behave one way when in fact it behaves another.

I have already explained this several times, and apparently I have been ignored. This is a fundamental usability issue that leads to security problems.

The only feedback I have had from previous time is that it is ``racy'' to fix the code. But it is only racy in the way that O_EXCL is racy. You might have to retry in userspace if the mount you want isn't in the state you expect.

Until this security issue is fixed this entire patchset has my:

Nacked-by: "Eric W. Biederman"

> +/* > + * Perform an action on a context. > + */ > +static int vfs_fsconfig_action(struct fs_context *fc, enum fsconfig_command cmd) > +{ > + int ret = -EINVAL; > + > + switch (cmd) { > + case FSCONFIG_CMD_CREATE: > + if (fc->phase != FS_CONTEXT_CREATE_PARAMS) > + return -EBUSY; > + fc->phase = FS_CONTEXT_CREATING; > + ret = vfs_get_tree(fc); > + if (ret == 0) > + fc->phase = FS_CONTEXT_AWAITING_MOUNT; > + else > + fc->phase = FS_CONTEXT_FAILED; > + return ret; > + > + default: > + return -EOPNOTSUPP; > + } > +}

See no support for FSCONFIG_CMD_RECONFIGURE, and no checks to see if the superblock has already been mounted.

> + ret = mutex_lock_interruptible(&fc->uapi_mutex); > + if (ret == 0) { > + switch (cmd) { > + case FSCONFIG_CMD_CREATE: > + case FSCONFIG_CMD_RECONFIGURE: > + ret = vfs_fsconfig_action(fc, cmd); > + break; > + default: > + ret = vfs_fsconfig(fc, ¶m); > + break; > + } > + mutex_unlock(&fc->uapi_mutex); > + } > +

Eric
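Review bot: in vfs_fsconfig_action the only command handled is FSCONFIG_CMD_CREATE; FSCONFIG_CMD_RECONFIGURE falls through to `default: return -EOPNOTSUPP;`, so the command the cover text documents as "Trigger superblock reconfiguration" can never succeed. The CREATE arm also gates only on `fc->phase != FS_CONTEXT_CREATE_PARAMS` before calling vfs_get_tree; nothing there tells the caller whether an already-mounted superblock was reused rather than filled with this context's parameters, which is the silent-option-drop the reply objects to. Suggest adding the RECONFIGURE case (or not exposing the enum value until it works) and making the create path report, rather than quietly accept, a request whose parameters could not be applied to an existing superblock.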
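Review bot: the dispatch switch lists `case FSCONFIG_CMD_RECONFIGURE:` alongside CREATE and sends both to vfs_fsconfig_action, but the preceding hunk gives that function no RECONFIGURE case, so this arm can only ever return -EOPNOTSUPP; the two hunks need to land together with a real RECONFIGURE implementation, otherwise the uapi advertises a command that is dead on arrival. Minor: `vfs_fsconfig(fc, ¶m)` reads as an extraction artifact of `&param`.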
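To make the failure mode in the reply concrete, here is an added C model (not kernel code and not from this thread) of a vfs_get_super-style lookup: the fill_super step runs only for a newly created superblock, so a second request with different options silently gets the existing one, while an `exclusive` flag, the O_EXCL-style behaviour the reply argues for, makes that request fail so userspace can reconfigure or retry. The table, function names and the EEXIST return value are assumptions.

```c
/* Constructed model of superblock lookup, not kernel code: sb_table,
 * model_get_super and the EEXIST result are assumptions for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#define MAX_SB 8

struct model_sb {
    const char *fs_type;  /* filesystem this superblock belongs to */
    int opts;             /* options fill_super applied at creation */
    bool in_use;
};
static struct model_sb sb_table[MAX_SB];

/* Clear the model's superblock table between scenarios. */
void model_reset(void)
{
    memset(sb_table, 0, sizeof sb_table);
}

/* Look up or create the superblock for fs_type.  As the reply describes
 * for vfs_get_super, the requested opts are applied (the fill_super step)
 * only when a new superblock is created; an existing one is handed back
 * untouched.  With exclusive set, an existing superblock makes the request
 * fail instead (the O_EXCL-style behaviour proposed in the reply).
 * Returns 0 or -errno; *opts_out receives the options actually in effect. */
int model_get_super(const char *fs_type, int opts, bool exclusive, int *opts_out)
{
    struct model_sb *free_slot = NULL;

    for (int i = 0; i < MAX_SB; i++) {
        if (!sb_table[i].in_use) {
            if (!free_slot)
                free_slot = &sb_table[i];
            continue;
        }
        if (strcmp(sb_table[i].fs_type, fs_type) == 0) {
            if (exclusive)
                return -EEXIST;               /* caller must reconfigure or retry */
            *opts_out = sb_table[i].opts;     /* requested opts silently dropped */
            return 0;
        }
    }
    if (!free_slot)
        return -ENOMEM;
    *free_slot = (struct model_sb){ fs_type, opts, true };
    *opts_out = opts;                         /* fill_super ran with our opts */
    return 0;
}
```

The second non-exclusive call below succeeds yet reports the first mount's options, which is exactly the state userspace cannot detect without the exclusive variant.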