Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp4640868rwb; Wed, 17 Aug 2022 03:46:25 -0700 (PDT) X-Google-Smtp-Source: AA6agR6RkJD7+D5f/zIWpNs7ZeP78zmFqyNTdH8IRtQ8Xsd+9hMZF9NsIGqFcpV+pHXK15J/x8/J X-Received: by 2002:a05:6402:5418:b0:435:5a48:daa9 with SMTP id ev24-20020a056402541800b004355a48daa9mr22908033edb.304.1660733185363; Wed, 17 Aug 2022 03:46:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660733185; cv=none; d=google.com; s=arc-20160816; b=0j+K7H8OpeBohVPbwSm/hooe24EJdxyESWI4qT1n7XLrc8f/L4jHDQm0Owyk0PEN5B yKj/lbL7AGw7MsFXzHJzyQYevazkJaKy0ch+GV7jmJKxkSJSrItn5Sku2BeVejD9vbKu Wc/uJQXezc+VY9Y7Bvputwo08MsaFVr9NpX1Hqdu8Fmop+WnKBEw1r0ulK0WjUWPXtBz 0qSdFINlpDqjKXKz7GA3oD9+Yk4jiXnqUQX5evLVqjg+IuhzkHmc0VAKd+OxCsmUXGxV iDC3+jS8+rCToMS5RH2UIzyVfzxo8GXb9Gw3W3Digr/sBiz5qVIqX/4ivoAwalQ+gdv1 PfWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=J3IKdVhXLZLfPNASaRZ8CQnnZ1EcpJpoNyaZolsmz7M=; b=gQ62vif8PlMxAwl0nuApWQrGk5hF1cPvAVVY2f6hclyyTIUTSf6jOX4V913ft7/75t XMlQ50m1bmScaS5KE3c8fnXpZ+vNFmdiJl5Urv4+31tPd7LFF2DybBrX/p6nBQjqAPP0 OfReLM8NC2+xC3bT1EQ4e1hX+/ugVYiMsVx2Ioap91WP7HPDftsr75qaGH2EDNmfvQf9 wnHLauEjUiqY3H6BjuinlXOhzC6Oz5rsW6y/CtzxdILoem6nALboTTvGMrM/3kRupPQt W4dgTwR0LTj9PJBwwXDfiDbsoWKJYlo9d8VVp7VNebX1qDtzBXEGYOu4Se0VSIPYl2mE 9KWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NUfuFx1M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ds1-20020a170907724100b00730a42c33f5si12890397ejc.768.2022.08.17.03.45.58; Wed, 17 Aug 2022 03:46:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NUfuFx1M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235824AbiHQKaC (ORCPT + 99 others); Wed, 17 Aug 2022 06:30:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229705AbiHQK37 (ORCPT ); Wed, 17 Aug 2022 06:29:59 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A2319753A3; Wed, 17 Aug 2022 03:29:58 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 55AAAB81C02; Wed, 17 Aug 2022 10:29:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4843FC433C1; Wed, 17 Aug 2022 10:29:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1660732196; bh=MnPYzp5W8sB2Ju6i8m/PlVUzI4SSY78hH5YcE4odSbU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=NUfuFx1MfZK67V4gh9g8lZt13UXLXrTVbBZaN9xJa0abe4WUJ2KcyJ0hKXyL1tysO difDE68E3XyDyH0GNp43bCHszLMRQKv+BsACVxTvsVCOI/fYSb9qZQ94cTzckEsTkA ZQzIwfCGOqQGuTfE0bsBIAT8o3x6H9IAjbQnsZmsxnIhAN86XDENBmjKApb6BX5BCh Azy8jY24oZwjfoCQLnmmYpPmCe5+L1XCq3gWPfX9oFWLafipv5STHHCEp8GUnZzOLY J62OXjrD91ZKPdbvTTdxG8A5/FdlcfdazUyNdqTpyTqROaLxYiAXrZ2pGw9rbE6i4C LYYSPm3tLhqlg== Date: Wed, 17 Aug 2022 12:29:51 +0200 From: Christian Brauner To: Amir Goldstein Cc: =?utf-8?B?5aSp6LWQ5byg?= , Miklos Szeredi , overlayfs , linux-kernel , Jiachen Zhang Subject: Re: [External] Re: [PATCH] ovl: Do not override fsuid and fsgid in ovl_link() Message-ID: <20220817102951.xnvesg3a7rbv576x@wittgenstein> References: <20220817034559.44936-1-zhangtianci.1997@bytedance.com> <20220817102722.wny7x5iwf62edpkd@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220817102722.wny7x5iwf62edpkd@wittgenstein> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 17, 2022 at 12:27:27PM +0200, Christian Brauner wrote: > On Wed, Aug 17, 2022 at 12:55:22PM +0300, Amir Goldstein wrote: > > On Wed, Aug 17, 2022 at 12:53 PM Amir Goldstein wrote: > > > > > > On Wed, Aug 17, 2022 at 12:11 PM 天赐张 wrote: > > > > > > > > On Wed, Aug 17, 2022 at 3:36 PM Amir Goldstein wrote: > > > > > > > > > > On Wed, Aug 17, 2022 at 6:49 AM Zhang Tianci > > > > > wrote: > > > > > > > > > > > > ovl_link() did not create a new inode after commit > > > > > > 51f7e52dc943 ("ovl: share inode for hard link"), so > > > > > > in ovl_create_or_link() we should not override cred's > > > > > > fsuid and fsgid when called by ovl_link(). > > > > > > > > > > > > Signed-off-by: Zhang Tianci > > > > > > Signed-off-by: Jiachen Zhang > > > > > > --- > > > > > > fs/overlayfs/dir.c | 4 ++-- > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > > > > > diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c > > > > > > index 6b03457f72bb..568d338032db 100644 > > > > > > --- a/fs/overlayfs/dir.c > > > > > > +++ b/fs/overlayfs/dir.c > > > > > > @@ -595,9 +595,9 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, > > > > > > err = -ENOMEM; > > > > > > override_cred = prepare_creds(); > > > > > > if (override_cred) { > > > > > > - override_cred->fsuid = inode->i_uid; > > > > > > - override_cred->fsgid = inode->i_gid; > > > > > > if (!attr->hardlink) { > > > > > > + override_cred->fsuid = inode->i_uid; > > > > > > + override_cred->fsgid = inode->i_gid; > > > > > > err = security_dentry_create_files_as(dentry, > > > > > > attr->mode, &dentry->d_name, old_cred, > > > > > > override_cred); > > > > > > -- > > > > > > > > > > This change looks incorrect. > > > > > Unless I am missing something, fsuid/fsgid still need to > > > > > be overridden for calling link() on underlying fs. > > > > > What made you do this change? > > > > > > > > > > Thanks, > > > > > Amir. > > > > > > > > Hi Amir, > > > > > > > > I ran into an error when I tested overlay on fuse: > > > > $ mkdir /lower /fuse /merge > > > > $ mount -t fuse /fuse > > > > $ mkdir /fuse/upper /fuse/work > > > > $ mount -t overlay /merge -o lowerdir=/lower,upperdir=/fuse/upper,workdir=work > > > > $ touch /merge/file > > > > $ chown bin.bin /merge/file // the file's caller becomes "bin" > > > > $ ln /merge/file /merge/lnkfile > > > > > > > > Then I got an error(EACCES) because fuse daemon checks the link()'s > > > > caller is "bin", it denied this request. > > > > I browsed the changing history of ovl_link(). There are two key commits: > > > > The first is commit bb0d2b8ad296 ("ovl: fix sgid on directory") which > > > > overrides the cred's fsuid/fsgid using the new inode. The new inode's > > > > owner is initialized by inode_init_owner(), and inode->fsuid is > > > > assigned to the current user. So the override fsuid becomes the > > > > current user. We know link() is actually modifying the directory, so > > > > the caller must have the MAY_WRITE permission on the directory. The > > > > current caller may should have this permission. I think this is > > > > acceptable to use the caller's fsuid(But I still feel a little > > > > conflicted with the overlay's design). > > > > The second is commit 51f7e52dc943 ("ovl: share inode for hard link") > > > > which removed the inode creation in ovl_link(). This commit move > > > > inode_init_owner() into ovl_create_object(), so the ovl_link() just > > > > give the old inode to ovl_create_or_link(). Then the override fsuid > > > > becomes the old inode's fsuid, neither the caller nor the overlay's > > > > creator! So I think this is incorrect. > > > > I think the link() should be like unlink(), overlay fs should just use > > > > the creator cred to do underlying fs's operations. > > > > > > > > > > I see. The reproducer and explanation belong in the commit message. > > > > > > Your argument makes sense to me, but CC Christian to make > > > sure I am not missing anything related to ACLs and what not. > > > > Once again with correct email address... > > So we have: > > ovl_create_object() > -> ovl_override_creds(ovl_sb) > -> ovl_new_inode() > -> inode_init_owner() > { > inode->i_uid = current_fsuid(); > inode->i_gid = current_fsgid(); > } > -> ovl_create_or_link(inode, ...) > -> prepare_creds() // Copy of caller's creds s/caller's/creator's/ > { > override_creds->fsuid = inode->i_uid; > override_creds->fsgid = inode->i_gid; > } > -> revert_creds() > > which afaict means that the mounter's credentials are used apart from > the fs{g,u}id which is taken from inode->i_{g,u}id which should > correspond to current_fs{g,u}id(). > > The commit that is pointed out in the patch > 51f7e52dc943 ("ovl: share inode for hard link") > seems to have broken that assumption. > > Given that the intention was to use the creator's creds _with the > caller's fs{g,u}id_ wouldn't it make more sense to simply ensure that > the caller's fs{g,u}id are always used instead of using the full > creator's creds just for the link operation? So something like this > (untested): > > diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c > index 6b03457f72bb..4a3ee16a6d70 100644 > --- a/fs/overlayfs/dir.c > +++ b/fs/overlayfs/dir.c > @@ -575,6 +575,9 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, > const struct cred *old_cred; > struct cred *override_cred; > struct dentry *parent = dentry->d_parent; > + /* Retrieve caller's fs{g,u}id before we override creds below. */ > + kuid_t caller_fsuid = current_fsuid(); > + kgid_t caller_fsgid = current_fsgid(); > > err = ovl_copy_up(parent); > if (err) > @@ -595,8 +598,8 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, > err = -ENOMEM; > override_cred = prepare_creds(); > if (override_cred) { > - override_cred->fsuid = inode->i_uid; > - override_cred->fsgid = inode->i_gid; > + override_cred->fsuid = caller_fsuid; > + override_cred->fsgid = caller_fsgid; > if (!attr->hardlink) { > err = security_dentry_create_files_as(dentry, > attr->mode, &dentry->d_name, old_cred,