Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2126145iof; Tue, 7 Jun 2022 20:36:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx/r+ZQViL+DTGBL09/DxSXIoTzdCQfv0+MVZigB61dgirVZZHal821VgJD7WxR0WZOjWiS X-Received: by 2002:a17:90b:4a92:b0:1e8:2c09:d008 with SMTP id lp18-20020a17090b4a9200b001e82c09d008mr28739899pjb.169.1654659391649; Tue, 07 Jun 2022 20:36:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654659391; cv=none; d=google.com; s=arc-20160816; b=n9Lq1bk8hncSekp0Cw2QlFExgWnOWyTApxcy9mNybl9Gqv68YuRClzYCLNWvQkFt68 JlA69xrbsPIjXHhpov9v/5hMvfKWOihAkeFPw09avWqz+rGshlkZaFP4dzMEZTlQRLIP 8/95TXthc6nUpiO2es6jEZ+c6oZsKz9hrsA0GFWxZI2GiyzBL7p0zfVRB8gvyozh3bhI bqlcTQk3rRTTX5IZ14pKr9IhoUzFdZNE2kkDOMp6Ip20r0aBsZv2AHZbmweSvFFzvmkx zreC1PQw3YUYMqWUpG/fOJYX4dNwIKJ7MmsTxrA1natgAZwOSNSmLw/fWcc2XAehX0Bf MOZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=uUXHo4H0ayMArl0hiTKdFXYGeqpGfuNVL9YC79K2sO8=; b=SM+F57HJsJyko4Kw8A26sCbRnXlMIC33bbDKEr5h/EQjscy5n9mMKsS7kkyBP6MFNL E1ve2qxe1v7YFkPkx3IfpojcxatvYd1KBWuq/axRjTW/V+Bqdnd9CVCDkxs6tOyfSNWz d9VvEiKRsXa5dhfrhG8VzvjWqRCu+lzdQF31rY1JpBdceUJzfSSiDiK4/NTbZ3sokZUB lCyuGwHNQLlYlDsfWuCPxNNS87eC9rwNdON1ZUBntGPpDmb2qE32V62tInQlQbYwjHaj 1QRYnS4TrAwzWCdJWzGim+j9zGmuwP7+ii8fpmdWHfkBgjeoKORHzoOQz5yjsUdqZXCL tHPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Pk74MNeS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id w2-20020a170902e88200b0015f179cded2si28935713plg.118.2022.06.07.20.36.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 20:36:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Pk74MNeS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 61B072B4B2A; Tue, 7 Jun 2022 19:59:22 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1384720AbiFGWUl (ORCPT + 99 others); Tue, 7 Jun 2022 18:20:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1380299AbiFGVQD (ORCPT ); Tue, 7 Jun 2022 17:16:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E6FB158750; Tue, 7 Jun 2022 11:54:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 201E8B81FE1; Tue, 7 Jun 2022 18:54:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 85513C385A2; Tue, 7 Jun 2022 18:54:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1654628085; bh=rtHzjj2GFfazvNSR27w6EM4Oeo2YGiREyRIw+vC3rmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Pk74MNeSdHj7EdsUhuj7se1jle8JmV8c4LETPOd1LoTGcSMUNc9S0TJAnjdT3ht9l JxeTmUfznG852oW6LkhtTI5qOj8YQ3lQ92p1OYmicuZaJHto9bDXRIngptKRjla4oy s2ve/UT2ABV6CZgHy1Eh1N+RPC37FE7B1K/1OLlY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Seth Forshee , Christoph Hellwig , Al Viro , linux-fsdevel@vger.kernel.org, "Christian Brauner (Microsoft)" , Sasha Levin Subject: [PATCH 5.18 151/879] fs: hold writers when changing mounts idmapping Date: Tue, 7 Jun 2022 18:54:29 +0200 Message-Id: <20220607165007.088140974@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220607165002.659942637@linuxfoundation.org> References: <20220607165002.659942637@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Christian Brauner [ Upstream commit e1bbcd277a53e08d619ffeec56c5c9287f2bf42f ] Hold writers when changing a mount's idmapping to make it more robust. The vfs layer takes care to retrieve the idmapping of a mount once ensuring that the idmapping used for vfs permission checking is identical to the idmapping passed down to the filesystem. For ioctl codepaths the filesystem itself is responsible for taking the idmapping into account if they need to. While all filesystems with FS_ALLOW_IDMAP raised take the same precautions as the vfs we should enforce it explicitly by making sure there are no active writers on the relevant mount while changing the idmapping. This is similar to turning a mount ro with the difference that in contrast to turning a mount ro changing the idmapping can only ever be done once while a mount can transition between ro and rw as much as it wants. This is a minor user-visible change. But it is extremely unlikely to matter. The caller must've created a detached mount via OPEN_TREE_CLONE and then handed that O_PATH fd to another process or thread which then must've gotten a writable fd for that mount and started creating files in there while the caller is still changing mount properties. While not impossible it will be an extremely rare corner-case and should in general be considered a bug in the application. Consider making a mount MOUNT_ATTR_NOEXEC or MOUNT_ATTR_NODEV while allowing someone else to perform lookups or exec'ing in parallel by handing them a copy of the OPEN_TREE_CLONE fd or another fd beneath that mount. Link: https://lore.kernel.org/r/20220510095840.152264-1-brauner@kernel.org Cc: Seth Forshee Cc: Christoph Hellwig Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner (Microsoft) Signed-off-by: Sasha Levin --- fs/namespace.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index afe2b64b14f1..41461f55c039 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -4026,8 +4026,9 @@ static int can_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt) static inline bool mnt_allow_writers(const struct mount_kattr *kattr, const struct mount *mnt) { - return !(kattr->attr_set & MNT_READONLY) || - (mnt->mnt.mnt_flags & MNT_READONLY); + return (!(kattr->attr_set & MNT_READONLY) || + (mnt->mnt.mnt_flags & MNT_READONLY)) && + !kattr->mnt_userns; } static int mount_setattr_prepare(struct mount_kattr *kattr, struct mount *mnt) -- 2.35.1