Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp629810ybi; Fri, 26 Jul 2019 16:21:23 -0700 (PDT) X-Google-Smtp-Source: APXvYqyJHcNGLLTekruF+PP+vlJ+JXx2KilyaNjLMMtIlJu2BTKLhlwwdtNEU1WebVaLuIHR/4BB X-Received: by 2002:a63:e70f:: with SMTP id b15mr93995853pgi.152.1564183282839; Fri, 26 Jul 2019 16:21:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564183282; cv=none; d=google.com; s=arc-20160816; b=KfWDurNJVSDRdeXAOmfW/UlfsIov0kgjZD3VdHNJKeI7GzA9TNNxg6CMoNJV2zKPBZ HyccpoAZoyfsZaAaf7aWEN1l7M6S+gpspgUoSO0Yqskx/LMSWfs3Iq7lxRaMcLJLMcgn 24NVwlwDzZNqDQ0RQEE7q9P0LcdNemfFQzU0dshcggntaNVV93M2MfdubgOWGIunDbV4 B5Jd1rvusNAQyO8w18Hofwgqwpk/aKjOF73Su+l6vQdgalat6kxXulkaMPqCRQmKDZJn opt+zo1q2jPvUXy21Z5pwdbxGFPXoWDre201KVOdll9aZx8IOepjx0nVl7dWIP3z0vBr yjlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=yvhl+E3GJ0wX7WnV445XNNKydMDFA46thWrGIj1mIFA=; b=AtseqnjBTYgmy/yD8cxqjTQxT5E9JS0duKAqsfDFDSS9o5wZwtF7n2kyBR7cxyBmDj Ijo51Bb9Px0ttCIY3SUSy0rfgp8D6vdeg2gOilqInfAK1Sr3a7bhS6QsAGYIznI/2lWU SWFoXtZGK+fedLysy4I4e1qaK6JMV3mSyjcTlUkZJIJL1akKx5dzYgxWqHTRreGayCQg 3jGS/zUNpXn6hsvMRGVBUb7xbDo1ifWEJyf2yS+lquDHCaIJ7vFNzx4huyMNxlUqiovJ RIZHUGcDIkqbshEyFrKTgd8S25/7+YIUQcZQvXBYE83lSpjH2btdGd63+l8dq/jemDSj bx8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=GOxLXfdp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f2si20657998plt.386.2019.07.26.16.21.07; Fri, 26 Jul 2019 16:21:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=GOxLXfdp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387748AbfGZWrY (ORCPT + 99 others); Fri, 26 Jul 2019 18:47:24 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:41957 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726765AbfGZWrX (ORCPT ); Fri, 26 Jul 2019 18:47:23 -0400 Received: by mail-lj1-f193.google.com with SMTP id d24so52918203ljg.8 for ; Fri, 26 Jul 2019 15:47:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yvhl+E3GJ0wX7WnV445XNNKydMDFA46thWrGIj1mIFA=; b=GOxLXfdpuhlLftPoWnZrvMRblqxWbQ3er1hFgs/arKDDsdl194FVlQdatc/si9hxFr kVxHfT4tQQ31sJ21+3oANtmv33rMWfwJ2ONRNADmAJDyNwWi3M7uM/4KN6bZUIr7BHkT 1PE4jlh7jdUrQ17riWCjMBVCrRw1oLxWmBTCc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yvhl+E3GJ0wX7WnV445XNNKydMDFA46thWrGIj1mIFA=; b=SIO14fXaM/6xRWs7MNeeasmXi3xmu/GKl+U01CPXA3+cmh8cDFAminZbJceekdvGeD aT356prXXV/vUMvJHhC32Sof5XP02f/Ub1Ka7YrjgwOTvzu/YoU/Z8ZBDJ7xJXYX1pfs iOktP0sNyjFxpCyKCQ9y3/Bwj2eQOVSgB5iWUi3d2XLSuOhk+s3eiGV4MWZHAIlD/S5I 57KGnZt5Wz3vA0jAtnHpAxaZtnKKeU9PiQ6OWeD15+kJXvf3TVtDBJaEwJD1/PYcEtF1 DOQfLU3Xyk+CWEyA9zDp1K6PZHVerC8Sd6AbZorZwd1SdjWGgDgkNizJpsKXFxIYUbiC IRsQ== X-Gm-Message-State: APjAAAX33lkEcifhPvLyQ12bpPn/DkHrnj9TLoB6CwattZm1mRA1WODE p44gIsgv5K4fofpdOz4VHSkgTSQAsIg= X-Received: by 2002:a2e:9857:: with SMTP id e23mr50199281ljj.217.1564181240446; Fri, 26 Jul 2019 15:47:20 -0700 (PDT) Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com. [209.85.208.170]) by smtp.gmail.com with ESMTPSA id x18sm8792275lfe.42.2019.07.26.15.47.18 for (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jul 2019 15:47:18 -0700 (PDT) Received: by mail-lj1-f170.google.com with SMTP id p17so52948437ljg.1 for ; Fri, 26 Jul 2019 15:47:18 -0700 (PDT) X-Received: by 2002:a2e:9bc6:: with SMTP id w6mr52379784ljj.156.1564181238239; Fri, 26 Jul 2019 15:47:18 -0700 (PDT) MIME-Version: 1.0 References: <20190726115956.ifj5j4apn3tmwk64@brauner.io> In-Reply-To: <20190726115956.ifj5j4apn3tmwk64@brauner.io> From: Linus Torvalds Date: Fri, 26 Jul 2019 15:47:02 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Regression in 5.3 for some FS_USERNS_MOUNT (aka user-namespace-mountable) filesystems To: Christian Brauner Cc: Linux List Kernel Mailing , Al Viro , David Howells , Miklos Szeredi , "Eric W. Biederman" , linux-fsdevel , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 26, 2019 at 5:00 AM Christian Brauner wrote: > > The commit that introduced the regression is: > > commit 0ce0cf12fc4c6a089717ff613d76457052cf4303 > Author: Al Viro > Date: Sun May 12 15:42:48 2019 -0400 > > consolidate the capability checks in sget_{fc,userns}() > > ... into a common helper - mount_capable(type, userns) The commit message there tries to imply that it's just consolidating existing checks, but you're right - that's not at all the case. In sget_fc(), the tests are all the exact same tests, but it uses a different 'user_ns' after the commit. It *used* to use fc->user_ns, now it uses 'user_ns' which depends on that 'global' bit. And in sget_userns(), the userns is the same, but the tests are different. Before that commit, it *always* checked for capability in user_ns, and then (for non-FS_USERNS_MOUNT) it checked for capability in the init namespace. I guess the semantic change in sget_userns() is immaterial - if you have CAP_SYS_ADMIN in the init namespace, you will have it in user_ns too. But the sget_fc() semantic change is a more serious change. Maybe that was just unintentional, and Al _meant_ to pass in "fc->user_ns", but didn't? Of course, then later on, commit 20284ab7427f ("switch mount_capable() to fs_context") drops that argument entirely, and hardcodes the decision to look at fc->global. But that fc->global decision wasn't there originally, and is incorrect since it breaks existing users. What gets much more confusing about this is that the two different users then moved around. The sget_userns() case got moved to legacy_get_tree(), and then joined together in vfs_get_tree(), and then split and moved out to do_new_mount() and vfs_fsconfig_locked(). And that "joined together into vfs_get_tree()" must be wrong, because the two cases used two different namespace rules. The sget_userns() case *did* have that "global" flag check, while the sget_fc() did not. Messy. Al? Linus