From: Amir Goldstein
Date: Tue, 2 Jul 2019 13:45:32 +0300
Subject: Re: [PATCH v2 4/4] vfs: don't allow most setxattr to immutable files
To: "Darrick J. Wong"
Cc: matthew.garrett@nebula.com, Chao Yu, Theodore Tso, Ard Biesheuvel, Josef Bacik, Christoph Hellwig, Chris Mason, Andreas Dilger, Al Viro, Jan Kara, David Sterba, Jaegeuk Kim, jk@ozlabs.org, reiserfs-devel@vger.kernel.org, linux-efi@vger.kernel.org, devel@lists.orangefs.org, linux-kernel, linux-f2fs-devel@lists.sourceforge.net, linux-xfs, Linux MM, linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org, ocfs2-devel@oss.oracle.com, linux-fsdevel, Ext4, Linux Btrfs
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 1, 2019 at 7:31 PM Darrick J. Wong wrote:
> > From: Darrick J. Wong > > The chattr manpage has this to say about immutable files: > > "A file with the 'i' attribute cannot be modified: it cannot be deleted > or renamed, no link can be created to this file, most of the file's > metadata can not be modified, and the file can not be opened in write > mode." > > However, we don't actually check the immutable flag in the setattr code, > which means that we can update inode flags and project ids and extent > size hints on supposedly immutable files. Therefore, reject setflags > and fssetxattr calls on an immutable file if the file is immutable and > will remain that way. > > Signed-off-by: Darrick J. Wong > --- > v2: use memcmp instead of open coding a bunch of checks Thanks, Reviewed-by: Amir Goldstein > --- > fs/inode.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/fs/inode.c b/fs/inode.c > index cf07378e5731..31f694e405fe 100644 > --- a/fs/inode.c > +++ b/fs/inode.c > @@ -2214,6 +2214,14 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, > !capable(CAP_LINUX_IMMUTABLE)) > return -EPERM; > > + /* > + * We aren't allowed to change any other flags if the immutable flag is > + * already set and is not being unset. > + */ > + if ((oldflags & FS_IMMUTABLE_FL) && (flags & FS_IMMUTABLE_FL) && > + oldflags != flags) > + return -EPERM; > + > /* > * Now that we're done checking the new flags, flush all pending IO and > * dirty mappings before setting S_IMMUTABLE on an inode via 
> @@ -2284,6 +2292,15 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, > !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) > return -EINVAL; > > + /* > + * We aren't allowed to change any fields if the immutable flag is > + * already set and is not being unset. > + */ > + if ((old_fa->fsx_xflags & FS_XFLAG_IMMUTABLE) && > + (fa->fsx_xflags & FS_XFLAG_IMMUTABLE) && > + memcmp(fa, old_fa, offsetof(struct fsxattr, fsx_pad))) > + return -EPERM; > + > /* Extent size hints of zero turn off the flags. */ > if (fa->fsx_extsize == 0) > fa->fsx_xflags &= ~(FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT);
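
Review bot: In the vfs_ioc_setflags_prepare() hunk, the new test `oldflags != flags` compares the whole flag word, so it is only correct if every caller passes oldflags and flags restricted to the same set of bits. If a caller hands in an oldflags value carrying a bit that userspace cannot pass back (or the reverse), an unchanged get-then-set on an immutable file would now fail with -EPERM. Consider stating that requirement in the comment, or masking both values to the settable bits before comparing. The check also sits after the CAP_LINUX_IMMUTABLE test and so applies to privileged callers as well; the comment could say that changing any other flag on an immutable file requires a call that also clears FS_IMMUTABLE_FL.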
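
Review bot: In the vfs_ioc_fssetxattr_check() hunk, `memcmp(fa, old_fa, offsetof(struct fsxattr, fsx_pad))` compares every byte before fsx_pad, including any field that the set path does not otherwise look at. If a field in that range is output-only, or is not filled in identically by whatever builds old_fa, a get-then-set round trip that changes nothing would return -EPERM on an immutable file. It would be safer to document which fields callers must populate in old_fa, or to compare only the fields that can actually be set. The comparison also runs before the "Extent size hints of zero turn off the flags" normalization just below it, so an fa that would normalize to the same values as old_fa is still rejected; if that is intended, a short comment saying so would help.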