From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Filipe Manana, Goldwyn Rodrigues, David Sterba
Subject: [PATCH 5.10 67/86] btrfs: check if root is readonly while setting security xattr
Date: Mon, 29 Aug 2022 12:59:33 +0200
Message-Id: <20220829105759.290617647@linuxfoundation.org>
In-Reply-To: <20220829105756.500128871@linuxfoundation.org>
References: <20220829105756.500128871@linuxfoundation.org>

From: Goldwyn Rodrigues

commit b51111271b0352aa596c5ae8faf06939e91b3b68 upstream.

For a filesystem which has btrfs read-only property set to true, all
write operations including xattr should be denied. However, security
xattr can still be changed even if btrfs ro property is true.

This happens because xattr_permission() does not have any restrictions
on security.*, system.* and in some cases trusted.* from VFS and
the decision is left to the underlying filesystem. See comments in
xattr_permission() for more details.

This patch checks if the root is read-only before performing the set
xattr operation.

Testcase:

  DEV=/dev/vdb
  MNT=/mnt

  mkfs.btrfs -f $DEV
  mount $DEV $MNT
  echo "file one" > $MNT/f1

  setfattr -n "security.one" -v 2 $MNT/f1
  btrfs property set /mnt ro true

  setfattr -n "security.one" -v 1 $MNT/f1

  umount $MNT

CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Qu Wenruo
Reviewed-by: Filipe Manana
Signed-off-by: Goldwyn Rodrigues
Reviewed-by: David Sterba
Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/xattr.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/btrfs/xattr.c +++ b/fs/btrfs/xattr.c @@ -389,6 +389,9 @@ static int btrfs_xattr_handler_set(const const char *name, const void *buffer, size_t size, int flags) { + if (btrfs_root_readonly(BTRFS_I(inode)->root)) + return -EROFS; + name = xattr_full_name(handler, name); return btrfs_setxattr_trans(inode, name, buffer, size, flags); }
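
Review bot: the read-only check added at the top of btrfs_xattr_handler_set() has no comment saying why btrfs must enforce this itself. The commit message gives the reason (xattr_permission() leaves security.*, system.* and in some cases trusted.* to the filesystem); a one-line comment above `if (btrfs_root_readonly(BTRFS_I(inode)->root))` would keep that reason next to the code. The testcase in the message also does not state the expected outcome: with this hunk applied, the second setfattr, issued after `btrfs property set /mnt ro true`, should fail with EROFS, and saying so would make the testcase usable as a regression check.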