From: Amir Goldstein
Date: Tue, 28 Aug 2018 21:40:10 +0300
Subject: Re: [PATCH v5 1/3] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
To: Mark Salyzyn
Cc: linux-kernel, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, "Eric W. Biederman", Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org
References: <20180828165259.211474-1-salyzyn@android.com> <7998ae36-662b-91f7-c42a-8a4d35d333c1@android.com>
In-Reply-To: <7998ae36-662b-91f7-c42a-8a4d35d333c1@android.com>

On Tue, Aug 28, 2018 at 8:44 PM Mark Salyzyn wrote:
>
> On 08/28/2018 10:34 AM, Amir Goldstein wrote:
> > On Tue, Aug 28, 2018 at 7:53 PM Mark Salyzyn wrote:
> >> Assumption never checked, should fail if the mounter creds are not
> >> sufficient.
> >>
> >> Signed-off-by: Mark Salyzyn
> >> Cc: Miklos Szeredi
> >> Cc: Jonathan Corbet
> >> Cc: Vivek Goyal
> >> Cc: Eric W. Biederman
> >> Cc: Amir Goldstein
> >> Cc: Randy Dunlap
> >> Cc: Stephen Smalley
> >> Cc: linux-unionfs@vger.kernel.org
> >> Cc: linux-doc@vger.kernel.org
> >> Cc: linux-kernel@vger.kernel.org
> >>
> >> v5:
> >> - dependency of "overlayfs: override_creds=off option bypass creator_cred"
> >> ---
> >> fs/overlayfs/namei.c | 5 +++++
> >> 1 file changed, 5 insertions(+)
> >> > >> diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c > >> index c993dd8db739..84982b6525fb 100644 > >> --- a/fs/overlayfs/namei.c > >> +++ b/fs/overlayfs/namei.c > >> @@ -193,6 +193,11 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, > >> if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid)) > >> return NULL; > >> > >> + if (!capable(CAP_DAC_READ_SEARCH)) { > >> + origin = ERR_PTR(-EPERM); > >> + goto out; > > Which branch is this work based on? > > I don't see any out label in current code. > > I can only truly test this on 4.14 (android's current top of > tree) and on Hikey with that. Lack of due diligence for Top of Linux. Well, not sure how that review is going to work out. Anyway, this case should not return an error. Returning NULL should be just fine. > > > >> + } > >> + > >> bytes = (fh->len - offsetof(struct ovl_fh, fid)); > >> real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, > >> bytes >> 2, (int)fh->type, > >> -- > > Please add same test in ovl_can_decode_fh(). > > Ahhhh > > Problem: none of the ovl_export_operations functions override creds. > > I guess things are working now because nfsd is privileged enough. > > IOW, the capability check you added doesn't check mounter creds > > when coming from nfs export ops - I guess that is not what you want > > although you probably don't enable nfs export. > NFS export/import blocked on Android devices. > > Thanks, > > Amir. > >
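
Review bot: the added block in ovl_decode_real_fh() assigns `origin` and jumps to `out`, but neither name appears in the hunk's context, where the UUID check just above does `return NULL;` and the decoded dentry is held in `real`; against a tree without that label and variable this does not build. Suggest following the neighbouring check and writing `if (!capable(CAP_DAC_READ_SEARCH)) return NULL;`, so an undecodable handle is treated as "no origin" instead of a hard -EPERM. Also, capable() tests the credentials of the calling task, so the changelog's "mounter creds" holds only on paths that have already overridden creds; the commit message should state which callers are covered and whether the ovl_export_operations paths are intentionally excluded.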