From: Alessio Balsini
To: Miklos Szeredi
Cc: Akilesh Kailash, Amir Goldstein, Antonio SJ Musumeci, David Anderson, Giuseppe Scrivano, Jann Horn, Jens Axboe, Martijn Coenen, Palmer Dabbelt, Paul Lawrence, Stefano Duo, Zimuzo Ezeozue, fuse-devel@lists.sourceforge.net, kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH V10 5/5] fuse: Use daemon creds in passthrough mode
Date: Mon, 26 Oct 2020 12:50:16 +0000
Message-Id: <20201026125016.1905945-6-balsini@android.com>
X-Mailer: git-send-email 2.29.0.rc1.297.gfa9743e501-goog
In-Reply-To: <20201026125016.1905945-1-balsini@android.com>
References: <20201026125016.1905945-1-balsini@android.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

When using FUSE passthrough, read/write operations are directly forwarded to the lower file system file through VFS, but there is no guarantee that the process that is triggering the request has the right permissions to access the lower file system. This would cause the read/write access to fail.

In passthrough file systems, where the FUSE daemon is responsible for the enforcement of the lower file system access policies, it often happens that the process dealing with the FUSE file system doesn't have access to the lower file system. With the FUSE daemon in charge of implementing the FUSE file operations, which in the case of read/write operations usually simply result in the copy of memory buffers from/to the lower file system respectively, these operations are executed with the FUSE daemon privileges.

This patch adds a reference to the FUSE daemon credentials, referenced at FUSE_DEV_IOC_PASSTHROUGH_OPEN ioctl() time so that they can be used to temporarily raise the user credentials when accessing lower file system files in passthrough.
The process accessing the FUSE file with passthrough enabled temporarily receives the privileges of the FUSE daemon while performing read/write operations. Similar behavior is implemented in overlayfs. These privileges will be reverted as soon as the IO operation completes. This feature does not provide any higher security privileges to those processes accessing the FUSE file system with passthrough enabled. This is because it is still the FUSE daemon responsible for enabling or not the passthrough feature at file open time, and should enable the feature only after appropriate access policy checks. Signed-off-by: Alessio Balsini --- fs/fuse/fuse_i.h | 5 ++++- fs/fuse/passthrough.c | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index a888d3df5877..59e033a59551 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -165,10 +165,13 @@ struct fuse_release_args; /** * Reference to lower filesystem file for read/write operations handled in - * passthrough mode + * passthrough mode. + * This struct also tracks the credentials to be used for handling read/write + * operations. */ struct fuse_passthrough { struct file *filp; + struct cred *cred; }; /** FUSE specific file data */ diff --git a/fs/fuse/passthrough.c b/fs/fuse/passthrough.c index 10b6872cdaa7..ab81dd8f010b 100644 --- a/fs/fuse/passthrough.c +++ b/fs/fuse/passthrough.c @@ -67,6 +67,7 @@ ssize_t fuse_passthrough_read_iter(struct kiocb *iocb_fuse, struct iov_iter *iter) { ssize_t ret; + const struct cred *old_cred; struct file *fuse_filp = iocb_fuse->ki_filp; struct fuse_file *ff = fuse_filp->private_data; struct file *passthrough_filp = ff->passthrough.filp; 
@@ -74,6 +75,7 @@ ssize_t fuse_passthrough_read_iter(struct kiocb *iocb_fuse, if (!iov_iter_count(iter)) return 0; + old_cred = override_creds(ff->passthrough.cred); if (is_sync_kiocb(iocb_fuse)) { ret = vfs_iter_read(passthrough_filp, iter, &iocb_fuse->ki_pos, iocb_to_rw_flags(iocb_fuse->ki_flags)); @@ -91,6 +93,7 @@ ssize_t fuse_passthrough_read_iter(struct kiocb *iocb_fuse, if (ret != -EIOCBQUEUED) fuse_aio_cleanup_handler(aio_req); } + revert_creds(old_cred); return ret; } @@ -99,6 +102,7 @@ ssize_t fuse_passthrough_write_iter(struct kiocb *iocb_fuse, struct iov_iter *iter) { ssize_t ret; + const struct cred *old_cred; struct file *fuse_filp = iocb_fuse->ki_filp; struct fuse_file *ff = fuse_filp->private_data; struct inode *fuse_inode = file_inode(fuse_filp); @@ -110,6 +114,7 @@ ssize_t fuse_passthrough_write_iter(struct kiocb *iocb_fuse, inode_lock(fuse_inode); + old_cred = override_creds(ff->passthrough.cred); if (is_sync_kiocb(iocb_fuse)) { file_start_write(passthrough_filp); ret = vfs_iter_write(passthrough_filp, iter, &iocb_fuse->ki_pos, @@ -137,6 +142,7 @@ ssize_t fuse_passthrough_write_iter(struct kiocb *iocb_fuse, fuse_aio_cleanup_handler(aio_req); } out: + revert_creds(old_cred); inode_unlock(fuse_inode); return ret; @@ -174,6 +180,7 @@ int fuse_passthrough_open(struct fuse_dev *fud, return -ENOMEM; passthrough->filp = passthrough_filp; + passthrough->cred = prepare_creds(); idr_preload(GFP_KERNEL); spin_lock(&fc->passthrough_req_lock); @@ -231,4 +238,8 @@ void fuse_passthrough_release(struct fuse_passthrough *passthrough) fput(passthrough->filp); passthrough->filp = NULL; } + if (passthrough->cred) { + put_cred(passthrough->cred); + passthrough->cred = NULL; + } } -- 2.29.0.rc1.297.gfa9743e501-goog
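Review bot: the fuse_passthrough_open hunk stores the result of prepare_creds() in passthrough->cred without checking it for NULL, yet prepare_creds() returns NULL on allocation failure; the later override_creds(ff->passthrough.cred) in the read/write paths would then dereference that NULL pointer. The function already returns -ENOMEM a few lines earlier when the struct allocation fails, so a NULL result here should take the same route: release what has been set up so far and return -ENOMEM. Separately, nothing in the series modifies these credentials (they are only handed to override_creds() and put_cred()), so get_current_cred(), which just takes a reference on the daemon's current credentials at ioctl time, would avoid the copy that prepare_creds() makes.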
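Review bot: in the fuse_passthrough_read_iter hunk the revert_creds(old_cred) runs right after the aio submission branch, i.e. as soon as vfs_iter_read() or the aio path returns (including the -EIOCBQUEUED case), not when the I/O completes; the commit message's "reverted as soon as the IO operation completes" should say "as soon as the read/write call returns". That is sufficient for the stated purpose, since the lower file's permission checks happen at submission time, but the wording should match what the code does.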
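Review bot: in the fuse_passthrough_write_iter hunk revert_creds(old_cred) is placed at the `out:` label, while old_cred is only assigned after inode_lock(fuse_inode); any `goto out` between the lock and the override_creds() call would revert to an uninitialised pointer. Please confirm that no such jump exists in the elided lines, or initialise old_cred and guard the revert so the pairing cannot be broken by a later error path.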
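Review bot: in the fuse_i.h hunk the new field is declared `struct cred *cred;` although it is only ever passed to override_creds() and put_cred(), both of which take `const struct cred *`; declaring it `const struct cred *cred;` documents that the stored credentials are never modified after the ioctl and matches the other callers. The added comment could also state whose credentials these are (the daemon's, captured at FUSE_DEV_IOC_PASSTHROUGH_OPEN time), which is the point the commit message makes but the struct documentation does not.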