From: Luis Henriques
To: Miklos Szeredi
Cc: Vivek Goyal, linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com, linux-kernel@vger.kernel.org, Luis Henriques
Subject: [RFC PATCH] fuse: Clear SGID bit when setting mode in setacl
Date: Fri, 26 Feb 2021 18:33:57 +0000
Message-Id: <20210226183357.28467-1-lhenriques@suse.de>

Setting file permissions with POSIX ACLs (setxattr) isn't clearing the
setgid bit. This seems to be CVE-2016-7097, detected by running fstest
generic/375 in virtiofs. Unfortunately, when the fix for this CVE landed
in the kernel with commit 073931017b49 ("posix_acl: Clear SGID bit when
setting file permissions"), FUSE didn't have ACL support yet.

Signed-off-by: Luis Henriques --- fs/fuse/acl.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/fs/fuse/acl.c b/fs/fuse/acl.c index f529075a2ce8..1b273277c1c9 100644 --- a/fs/fuse/acl.c +++ b/fs/fuse/acl.c @@ -54,7 +54,9 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type) { struct fuse_conn *fc = get_fuse_conn(inode); const char *name; + umode_t mode = inode->i_mode; int ret; + bool update_mode = false; if (fuse_is_bad(inode)) return -EIO; @@ -62,11 +64,18 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type) if (!fc->posix_acl || fc->no_setxattr) return -EOPNOTSUPP; - if (type == ACL_TYPE_ACCESS) + if (type == ACL_TYPE_ACCESS) { name = XATTR_NAME_POSIX_ACL_ACCESS; - else if (type == ACL_TYPE_DEFAULT) + if (acl) { + ret = posix_acl_update_mode(inode, &mode, &acl); + if (ret) + return ret; + if (inode->i_mode != mode) + update_mode = true; + } + } else if (type == ACL_TYPE_DEFAULT) { name = XATTR_NAME_POSIX_ACL_DEFAULT; - else + } else return -EINVAL; if (acl) { @@ -98,6 +107,20 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type) } else { ret = fuse_removexattr(inode, name); } + if (!ret && update_mode) { + struct dentry *entry; + struct iattr attr; + + entry = d_find_alias(inode); + if (entry) { + memset(&attr, 0, sizeof(attr)); + attr.ia_valid = ATTR_MODE | ATTR_CTIME; + attr.ia_mode = mode; + attr.ia_ctime = current_time(inode); + ret = fuse_do_setattr(entry, &attr, NULL); + dput(entry); + } + } forget_all_cached_acls(inode); fuse_invalidate_attr(inode);
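
Review bot: in the hunk at @@ -62,11 +64,18 @@, posix_acl_update_mode(inode, &mode, &acl) takes acl by address and can set it to NULL when the ACL is fully expressed by the mode bits, so the following `if (acl)` test can fall through to fuse_removexattr(inode, name) even though the caller passed an ACL. If that is the intended behaviour, a one-line comment above the call saying so would save the next reader from tracing it. Separately, the closing `} else return -EINVAL;` leaves one branch unbraced now that the other two are braced; kernel coding style wants braces on all branches once any of them needs them.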
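
Review bot: in the hunk at @@ -98,6 +107,20 @@, when d_find_alias(inode) returns NULL the new `if (!ret && update_mode)` block skips fuse_do_setattr() and leaves ret at 0, so fuse_set_acl() reports success while the SGID bit is still set, which is the condition the patch is meant to close. Handle the no-alias case explicitly, either by returning an error or by sending the mode change through a path that does not need a dentry. Note also that the xattr has already been written before this block runs, so a failing fuse_do_setattr() returns an error with the new ACL in place and the old mode unchanged; the two updates are not atomic and the commit message should say how that window is meant to be handled.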