Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2890136pxb;
        Tue, 19 Jan 2021 08:28:04 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyAFTsmUKcS7MACKyGmKmeIP1DN4f1dzj69FFpAX3Ml1L2vQHQ67oXYuSYwxKBSTeMmg7jP
X-Received: by 2002:a05:6402:26c9:: with SMTP id x9mr4087235edd.365.1611073684275;
        Tue, 19 Jan 2021 08:28:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611073684; cv=none;
        d=google.com; s=arc-20160816;
        b=sHe2FoToagDZslROdLWHE9ojBw0XdBSMLZ3sJAshMIDQB0B0AX/ZjE3zNBkDL74B3U
         /TeAz4GUzy3Hbv72GNlSsEWBBSLox12wV1/3VZPdlG1YMiuR2g2NxXl4Mwf7g4UgE6aI
         g+9nATqCj10r8qvC6x3Aewyc4GQeYGC+jj1rOw7gNg+oD7waDnoMk0begID/GJVcTxEj
         GlfBW44yCOmRNiuDs1UcsJQY7VhHzIFOrVRCfPUE6SitCzNJPOyBIy1/LXA2Rq5QO6Rx
         lw6jlM102YB4Miat/FgFI5wBYiWRd7XEZNcXKoGWpMgVoSNjK+UMBMFqUCTe43CgKDKS
         Tm1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=e0d34g0cQgU3pUUMcwk4mh+TGyc8uh3BJ8u4e70DhUc=;
        b=Q2ifiKGeore5CcNYtH2sS/wX71+mNUOvifM9lLGy4v5GXM7nkYWCUHxUpZSLkZvCyv
         RiiIUpxeS7LcVlNrK8qZCcW9BGbYPkEwufMbQHkLavdT6z/Jyl+MzG1xKMjKY6n+8aD7
         ESdujdL9eKqja9JRYStzlyTqdQKAKC9LU3mkoR1kbsWKdVv21FJHYHNLnVUnZFtmmxy8
         Juwtgw4stkoPRhk62by05+rldbMwebqe7ntW6Bod7pSuUB/JcJCfWTzhUBepSCC1qrnV
         aE88PGGboZioVSzOmwAKK1abZN2EKAvNBoY5R1ffTMIS3cWUiQ897LmVk3+x5qe3y0X6
         ldmA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IUYlsU1V;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x22si2785572ejv.202.2021.01.19.08.27.37;
        Tue, 19 Jan 2021 08:28:04 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IUYlsU1V;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730714AbhASQZ1 (ORCPT <rfc822;liuchenandwork@gmail.com>
        + 99 others); Tue, 19 Jan 2021 11:25:27 -0500
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:26097 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1731536AbhASQXl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Jan 2021 11:23:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1611073333;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=e0d34g0cQgU3pUUMcwk4mh+TGyc8uh3BJ8u4e70DhUc=;
        b=IUYlsU1V9oJTjDGvC27Kw/THljz9Yef6xx1nT/7VC5goYHf3wv+gHnPTZNCA/8qAGa0tPA
        376Ge2xyyabGiOE2c/UrhFdY7dR81WINtlM+kQy7TNOX4ITLgPsVKB5OKAYc08cTyz6WN/
        9XkJrkFFlinn8RrzUveFok2qE/SmUK0=
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-375-CUL3zIEPPK2EvUR2TC5C8Q-1; Tue, 19 Jan 2021 11:22:10 -0500
X-MC-Unique: CUL3zIEPPK2EvUR2TC5C8Q-1
Received: by mail-ed1-f69.google.com with SMTP id w4so5904876edu.0
        for <linux-kernel@vger.kernel.org>; Tue, 19 Jan 2021 08:22:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=e0d34g0cQgU3pUUMcwk4mh+TGyc8uh3BJ8u4e70DhUc=;
        b=DFUNDM2H2/8v8rdFeyib2s7Dc7mZyAtzuo6RhOVTmD1Ni3sK3kOMaRxUY7vqHU79kn
         0lXZyJFq6Yf9jD4Qu8+nrP/bI8jA9BLJGQjMdCv8WfDjpc8gpDuXVod5W3xe5iR2PSjL
         COH1o8XndjfO9Q6zi/Rxg1ysUmlwSZR6h38YS9vRKrRYsMSSRp4d3bNXiiax98j0FWUg
         2SOhLQMFPgS3LqY6tjCc5Z+U9Urun/KVkyZMVtCg5m1hmWHFl8xQNRDJDdfJFH9N9Y3z
         7qKxrhonBWMAzv5V4O1E1Q8oQDcitI4fSRwWjUiK6Nk4+KiBIWjNoRbITWu7IPRIeTeB
         LYAg==
X-Gm-Message-State: AOAM532YUNL/kyVWzXMzFO/JIkkkjgbxElAsl2lN/KBobRwWTsZrj/UX
        9JbPX7MMew2G/JcH0pSOP13cAyzdU4fDzwHtzJYvOj5xgtGxgWyBmk0jeO2jQbaJmALnMquXNVv
        fI/gh79Fho/ycxf/I/XsJX8sB
X-Received: by 2002:a17:906:f18c:: with SMTP id gs12mr3548353ejb.422.1611073329718;
        Tue, 19 Jan 2021 08:22:09 -0800 (PST)
X-Received: by 2002:a17:906:f18c:: with SMTP id gs12mr3548339ejb.422.1611073329537;
        Tue, 19 Jan 2021 08:22:09 -0800 (PST)
Received: from miu.piliscsaba.redhat.com (catv-86-101-169-67.catv.broadband.hu. [86.101.169.67])
        by smtp.gmail.com with ESMTPSA id f22sm2168066eje.34.2021.01.19.08.22.08
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 19 Jan 2021 08:22:09 -0800 (PST)
From:   Miklos Szeredi <mszeredi@redhat.com>
To:     "Eric W . Biederman" <ebiederm@xmission.com>
Cc:     linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Tyler Hicks <code@tyhicks.com>
Subject: [PATCH 1/2] ecryptfs: fix uid translation for setxattr on security.capability
Date:   Tue, 19 Jan 2021 17:22:03 +0100
Message-Id: <20210119162204.2081137-2-mszeredi@redhat.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210119162204.2081137-1-mszeredi@redhat.com>
References: <20210119162204.2081137-1-mszeredi@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Prior to commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into
vfs_setxattr()") the translation of nscap->rootid did not take stacked
filesystems (overlayfs and ecryptfs) into account.

That patch fixed the overlay case, but made the ecryptfs case worse.

Restore old the behavior for ecryptfs that existed before the overlayfs
fix.  This does not fix ecryptfs's handling of complex user namespace
setups, but it does make sure existing setups don't regress.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Cc: Tyler Hicks <code@tyhicks.com>
Fixes: 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/ecryptfs/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index e23752d9a79f..58d0f7187997 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -1016,15 +1016,19 @@ ecryptfs_setxattr(struct dentry *dentry, struct inode *inode,
 {
 	int rc;
 	struct dentry *lower_dentry;
+	struct inode *lower_inode;
 
 	lower_dentry = ecryptfs_dentry_to_lower(dentry);
-	if (!(d_inode(lower_dentry)->i_opflags & IOP_XATTR)) {
+	lower_inode = d_inode(lower_dentry);
+	if (!(lower_inode->i_opflags & IOP_XATTR)) {
 		rc = -EOPNOTSUPP;
 		goto out;
 	}
-	rc = vfs_setxattr(lower_dentry, name, value, size, flags);
+	inode_lock(lower_inode);
+	rc = __vfs_setxattr_locked(lower_dentry, name, value, size, flags, NULL);
+	inode_unlock(lower_inode);
 	if (!rc && inode)
-		fsstack_copy_attr_all(inode, d_inode(lower_dentry));
+		fsstack_copy_attr_all(inode, lower_inode);
 out:
 	return rc;
 }
-- 
2.26.2