In-Reply-To: <20180828165259.211474-1-salyzyn@android.com>
From: Amir Goldstein
Date: Tue, 28 Aug 2018 20:34:40 +0300
Subject: Re: [PATCH v5 1/3] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
To: Mark Salyzyn
Cc: linux-kernel, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, "Eric W. Biederman", Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org

On Tue, Aug 28, 2018 at 7:53 PM Mark Salyzyn wrote:
>
> Assumption never checked, should fail if the mounter creds are not
> sufficient.
>
> Signed-off-by: Mark Salyzyn
> Cc: Miklos Szeredi
> Cc: Jonathan Corbet
> Cc: Vivek Goyal
> Cc: Eric W. Biederman
> Cc: Amir Goldstein
> Cc: Randy Dunlap
> Cc: Stephen Smalley
> Cc: linux-unionfs@vger.kernel.org
> Cc: linux-doc@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
>
> v5:
> - dependency of "overlayfs: override_creds=off option bypass creator_cred"
> --- > fs/overlayfs/namei.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c > index c993dd8db739..84982b6525fb 100644 > --- a/fs/overlayfs/namei.c > +++ b/fs/overlayfs/namei.c
> @@ -193,6 +193,11 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, > if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid)) > return NULL; > > + if (!capable(CAP_DAC_READ_SEARCH)) { > + origin = ERR_PTR(-EPERM); > + goto out; Which branch is this work based on? I don't see any out label in current code. > + } > + > bytes = (fh->len - offsetof(struct ovl_fh, fid)); > real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, > bytes >> 2, (int)fh->type, > --

Please add the same test in ovl_can_decode_fh().

Problem: none of the ovl_export_operations functions override creds.
I guess things are working now because nfsd is privileged enough.
IOW, the capability check you added doesn't check mounter creds
when coming from nfs export ops - I guess that is not what you want
although you probably don't enable nfs export.

Thanks,
Amir.
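
Review bot: In the added block of ovl_decode_real_fh(), "origin = ERR_PTR(-EPERM); goto out;" relies on a variable and a label that appear nowhere in the visible context, where the preceding uuid check exits with "return NULL;" and the decode result is stored in "real". Returning the error directly with "return ERR_PTR(-EPERM);" would match the surrounding code, after confirming that callers which currently see NULL on the uuid mismatch also handle an ERR_PTR. Separately, capable() tests the credentials of the calling task, so this check reflects the mounter's privileges only on paths that have already switched to the mounter's creds; the commit message says "mounter creds" without naming which assumption is being checked or which callers satisfy it, and should spell that out.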