Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp3036060rwe;
        Mon, 29 Aug 2022 04:57:48 -0700 (PDT)
X-Google-Smtp-Source: AA6agR4FKyJc2X0lXZJju2B16cabCFautGp1n6D5m4r3iYn2Ibkw4/Ye4jyg07nHm4uGtpC4PbbR
X-Received: by 2002:a05:6a00:1827:b0:538:3d5f:fd3 with SMTP id y39-20020a056a00182700b005383d5f0fd3mr4560811pfa.28.1661774268585;
        Mon, 29 Aug 2022 04:57:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1661774268; cv=none;
        d=google.com; s=arc-20160816;
        b=0H8AAz6dlQW/0I/C5qBRTNgSwQdJaxRwK/O4C0GgjbkJpEU9LnVZttMW5yYwONzWUx
         GEnjD5Y7djZnelslugJ54yzOXk4ZL+m3tnojAcs55VzLXSaOa7ak6AyzdXkF+uvJZ4SW
         BAXADIRJwUvfyjRaRRvO2dW36ZBUxUCj+omr7W3KOV0O3/SSgo91g1LvT1NDR/F1VX4p
         AFitFqQQrMcD/DmrNz1C8U7wWhDn8BhIDkdeVfN7KoXwzO7fK2u0JXparnxJ21rAi9Za
         VWF0IaHtsceEPeapA4uYQq8JIvyn7PbGTYL1nW+S6Y2ecE0MZMmxKBjyxbVPA9lQYO3Q
         YZyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=X7tuCsZmu6p061wROH9BNy9qI0ityYquixExawjhHSU=;
        b=FDMLwIyxG4O9l2uSqlWoY5ls6yDeJod1RQh7nOaO2wvbMVtqXyZgjYeAPwZzaccZJv
         EK3Ykiui4tQPCvubOyX9YRA7PTNJXnr17ieFIFbTAA0qxFLMCxLvS8u3zN1PXZdjSxGj
         3MMMYNDdacLqWD3ctISKPuvtaMhp7f7pUpcNosNM5UC3JlUROCXR1nF9kkgA4LprUbqh
         64yC0IQnBFMiWcwDdq60H9E70e9jjBCcuo0CNNT2Yu4Quqevvu0cGzBn1FjymSkWYKdo
         6tiXMc5vhu3aE17hPGdPtW/grtDPBIASOY4GeuyabCYyq9cEqXqFd6hqHNA8Cyw3kk2q
         FJ3w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=SXHRx5AR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id 70-20020a630149000000b0042b9bfe6919si6048920pgb.91.2022.08.29.04.57.35;
        Mon, 29 Aug 2022 04:57:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=SXHRx5AR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231349AbiH2LRx (ORCPT
        <rfc822;andriy.druk.mailinglists@gmail.com> + 99 others);
        Mon, 29 Aug 2022 07:17:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42916 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229684AbiH2LRT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Aug 2022 07:17:19 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 142F872FC0;
        Mon, 29 Aug 2022 04:11:20 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 1040CB80F4B;
        Mon, 29 Aug 2022 11:10:40 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 628AAC433D7;
        Mon, 29 Aug 2022 11:10:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1661771438;
        bh=XD1fo/BaIu09cYinPxJdWvEdjdojNbeH68SN/JnxNZ4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=SXHRx5ARd6ts7cmaRMeixCYdTkJZY0xcmeH/c7x/uwHHc5Xl0Qfw8861gl7XR2Oha
         tJbfOV3A1A54mIIhSotypTEfuVuGF/7e/lUusstWbRy25iGGP0TvDSikByLTmYjTD9
         Z/U8PWNXnxlZ9lZ3qOVABSLQiy9cN88DJaeWbSMc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Qu Wenruo <wqu@suse.com>,
        Filipe Manana <fdmanana@suse.com>,
        Goldwyn Rodrigues <rgoldwyn@suse.com>,
        David Sterba <dsterba@suse.com>
Subject: [PATCH 5.10 67/86] btrfs: check if root is readonly while setting security xattr
Date:   Mon, 29 Aug 2022 12:59:33 +0200
Message-Id: <20220829105759.290617647@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220829105756.500128871@linuxfoundation.org>
References: <20220829105756.500128871@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Goldwyn Rodrigues <rgoldwyn@suse.de>

commit b51111271b0352aa596c5ae8faf06939e91b3b68 upstream.

For a filesystem which has btrfs read-only property set to true, all
write operations including xattr should be denied. However, security
xattr can still be changed even if btrfs ro property is true.

This happens because xattr_permission() does not have any restrictions
on security.*, system.*  and in some cases trusted.* from VFS and
the decision is left to the underlying filesystem. See comments in
xattr_permission() for more details.

This patch checks if the root is read-only before performing the set
xattr operation.

Testcase:

  DEV=/dev/vdb
  MNT=/mnt

  mkfs.btrfs -f $DEV
  mount $DEV $MNT
  echo "file one" > $MNT/f1

  setfattr -n "security.one" -v 2 $MNT/f1
  btrfs property set /mnt ro true

  setfattr -n "security.one" -v 1 $MNT/f1

  umount $MNT

CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/xattr.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/btrfs/xattr.c
+++ b/fs/btrfs/xattr.c
@@ -389,6 +389,9 @@ static int btrfs_xattr_handler_set(const
 				   const char *name, const void *buffer,
 				   size_t size, int flags)
 {
+	if (btrfs_root_readonly(BTRFS_I(inode)->root))
+		return -EROFS;
+
 	name = xattr_full_name(handler, name);
 	return btrfs_setxattr_trans(inode, name, buffer, size, flags);
 }