Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3424923imu; Mon, 10 Dec 2018 01:51:10 -0800 (PST) X-Google-Smtp-Source: AFSGD/Ul7TUM0NJad7Ljuct1siaaCkx1Scc+8mbZ34lWmrj1gUt4JS5QW/liEzAAk5oQBqIYcn5D X-Received: by 2002:a62:31c1:: with SMTP id x184mr12120064pfx.204.1544435470538; Mon, 10 Dec 2018 01:51:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544435470; cv=none; d=google.com; s=arc-20160816; b=qj7hs+AQEfci33oz3KvGzNbnotD8DB4hLxCH83Ipkk0BrsNIQ0mZ5zOfOFfoNtu0eT 3Q49t31Vhe0pJVtGIMNHpOYu5rWb0EXN/jB5a7bITsfObQA+aM1V6XOeK/vwVzpGNV0J /mxj+fCIrCetbC3582a2Yv7GYqZ6OsPda85MrJyJnPRu81gr5gqF2jA6XhBgC76sD45l dVCzu3wabbeigLcPDcfLwaI3YcLKJ5StF/NDiaFGJeu1HJH8SAdvMnJPhMwY3EINJPWW JTO0feMlM819zNlYityheu1XZDRE2Mub6XgZVqfc+/s6sZprW4uUQYK849duvF+PIoaE 1Q2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=FiDn47L72h9nAVfsiqJ+BbqzeNW6TgFlLjEHVMCuyVI=; b=EcXPVA/j58VxPgJpPXBitc1Hf/W0R9x9Qq1kJK2DOI8c6dpTX1S5ct/+Xg1z8MMnbz eqrX6TeVUgBDz1foO4ohLzS/i4hYrl4FYxwJEaUtFlFZ5MQIsNStvXvBWBg0/ugyQoAK C+WCnzDw3Y06P5XQ9kngMylrr06OjtgjJ/IBjTFzukBeYhS7pb002e7FJ9p4YMpRRQzY dnEhwqwJFZL89u/2On2G54S3ZMt6vziqgldlWLp1Ikqt9wuJhbc80q0ZO81Zu/ifSDey DJ4L43CvKq8fC/1zwW/KcldU4DjoU/6EWxongjpyMvDItH/xjZSED2tADgWSaNcDkAvM aogg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l8si8809515pgr.345.2018.12.10.01.50.54; Mon, 10 Dec 2018 01:51:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726680AbeLJJrY (ORCPT + 99 others); Mon, 10 Dec 2018 04:47:24 -0500 Received: from mx2.suse.de ([195.135.220.15]:36304 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726136AbeLJJrY (ORCPT ); Mon, 10 Dec 2018 04:47:24 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id A19FEAD6F; Mon, 10 Dec 2018 09:47:22 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id 2562D1E13F8; Mon, 10 Dec 2018 10:47:22 +0100 (CET) Date: Mon, 10 Dec 2018 10:47:22 +0100 From: Jan Kara To: Al Viro Cc: Alexander Lochmann , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Jan Kara , Horst Schirmeier Subject: Re: [PATCH] Fix sync. in blkdev_write_iter() acessing i_flags Message-ID: <20181210094722.GB29289@quack2.suse.cz> References: <4903939e-d3d6-b0c2-9c33-0fea0a61213c@tu-dortmund.de> <20181207175811.GZ2217@ZenIV.linux.org.uk> <5c86e85f-0ad4-935a-3021-7046551f361f@tu-dortmund.de> <20181208004944.GA2217@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181208004944.GA2217@ZenIV.linux.org.uk> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat 08-12-18 00:49:44, Al Viro wrote: > On Fri, Dec 07, 2018 at 08:49:16PM +0100, Alexander Lochmann wrote: > > > > _What_ SUID bit? We are talking about a write to block device, for fsck sake... > > > > > That's the way I understood Jan's explanation: > > " > > Thinking more about this I'm not sure if this is actually the right > > solution. Because for example the write(2) can set S_NOSEC flag wrongly > > when it would race with chmod adding SUID bit. So probably we rather need > > to acquire i_rwsem in blkdev_write_iter() if file does not have S_NOSEC set > > (we don't want to acquire it unconditionally as that would heavily impact > > scalability of block device writes). > > IDGI. We are talking about a block device here. What business could > file_remove_privs() have doing _anything_ to it? should_remove_suid() returns > to return 0 for those; what case do you have in mind? Somebody setting > security.capabilities on a block device inode? > > IMO the bug here is file_remove_privs() not buggering off immediately > after having observed that we are dealing with a block device. It really > has nothing useful to do. I didn't notice that S_ISREG() check in should_remove_suid(). My bad. And I wasn't quite sure whether some security module does not rely on inode_need_killpriv security hook. But now when I grep I see that cap_inode_need_killpriv() is really the only user and security.capabilities probably don't make sense for it since block devices cannot be executed anyway. So yes, the easiest fix is to just bail from file_remove_privs(). Probably for anything that is not a regular file, right? Directories cannot be written anyway and for pipes and character devices same logic applies as for block devices. Honza -- Jan Kara SUSE Labs, CR