Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp531390rwe; Wed, 31 Aug 2022 06:57:33 -0700 (PDT) X-Google-Smtp-Source: AA6agR508EW85ogVyWmibolervHwudtiyed60lIKEahJAwGQ+3sinps8TUPhFy9dmrvu2p+T3ivU X-Received: by 2002:a05:6402:1d54:b0:447:b1f7:9ecf with SMTP id dz20-20020a0564021d5400b00447b1f79ecfmr24313472edb.425.1661954253072; Wed, 31 Aug 2022 06:57:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661954253; cv=none; d=google.com; s=arc-20160816; b=WmB9IHI7Akg53zDFibVSajb6OsgSHOMf5/jKb2h5E6tgIWJLJ+SWboLrPIHPJ99y6q ON9gWJDAtwqd8E6DjO8/c4JAIgF8+PBsLOkPycTzCnBQat+pALnmxPwVJ7axAsu1vwEk SeZFIkXjBPBUtlEV9EZ7j/e72TfBgcZMBGtOqBPdOBcZPbz1J5U7lIf2EyeBl8aiQSK6 bA/T1wLaVZXLSa7CX3ECz8KMQdsEITEHILXULcAqGOdPchViaiRTt9syMQSTCGYPjAkv W2jfk9cPGjCmtSgTPfF1w6uEWVQbTuRde8sxHVU9ZwZrIfGK8ftIMPzVV5s9aeHJZDRa GIXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ZYWcIC4vy2XeGsDP6BjuKpedgdIJKsS0P1WXlDrJWG8=; b=RIDRSYFpyHHW0MEoC4pj/V/Iel+yBna2maQ+LMnmhvxnhRL6iIkxQW8CDcqajHGz3f aAfvlm4VDuwx0rAoEMlHe09MwBTW4FM1uE6o7ZiByF/srQSVairDFcjk01MOGoZA1l9W jEs9JF5aAJTWMmXeSVHY0yfYutlZsx3VxITUzGC4ICe7Hx4MZJgR0uXNcBWxfLTqsMmC 5bD6CoZQw9BdmQNVPKW0xP+WgEc2xhBaITDhSFjP5m79tLS71xHZOyrWW8Bw8DtpMwhA oKOLQ6OfuUx5De7LLSM+ImnQ0qnsDMn76wLnZCqWjh11B188oS2mVxL7j6O1eAvzg40i ZvUw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@szeredi.hu header.s=google header.b=dDgp5fsn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=szeredi.hu Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ho15-20020a1709070e8f00b0073cb69ac7eesi11831991ejc.379.2022.08.31.06.56.45; Wed, 31 Aug 2022 06:57:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@szeredi.hu header.s=google header.b=dDgp5fsn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=szeredi.hu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229510AbiHaNAg (ORCPT + 99 others); Wed, 31 Aug 2022 09:00:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231625AbiHaNAd (ORCPT ); Wed, 31 Aug 2022 09:00:33 -0400 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 317833AE6B for ; Wed, 31 Aug 2022 06:00:31 -0700 (PDT) Received: by mail-ed1-x52e.google.com with SMTP id r4so18264914edi.8 for ; Wed, 31 Aug 2022 06:00:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=ZYWcIC4vy2XeGsDP6BjuKpedgdIJKsS0P1WXlDrJWG8=; b=dDgp5fsn6FdbQC4/Rjm6JLJPezVH5toN9fUpgew3b7PErSPG1AJ70Wa0M/GMWVFXI+ PkDFBqWKTeEnwOm70Mla3HK0m0TpUNxeB2SJDmuwzNAoNLjFFlmXQ7iKPAdFZ6pjtkIh fHYL+7lUxjShBqzlCEx4lGdd00wlclNzwA3Pc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=ZYWcIC4vy2XeGsDP6BjuKpedgdIJKsS0P1WXlDrJWG8=; b=tvnn92RJFXLX/DKjQ5ApEcpr+Y9HDkgEq/4sy/RyAib40fewhQnbceDzR8una34J8M CKoB9YfWKCeItAhUfzKopfZGfUenmbxuZVdW4chRskh0gFx+S1WCNWcykSVApqCob87v 6MUOgVwn2dbIHSslZ4ZHR40xPTpZzq8HjPIwmTk07SXhYzvpdBCfHAmasWVDEPGg3a2y LQHgxemr0+5NjuGyYo6l4cc7TWST6q149cRIFcUfwlPS6dDKet31VugUOPJ5xfmWUKsI cIZys7K4qmkk9jc662AoKAPBMmdFbo2mZVsOVMxkI+EqvlK5lbGyUPkIoIIXDsIzaQk6 +OLA== X-Gm-Message-State: ACgBeo3KvsXqKFl9MSbStkdRv2TJ6y4XMTCoQbhgAY2z+SHEBhnAMvpi hwYU5gvw6ze8nkufFKRmr5t1nnD7fghiRgkNYvIreA== X-Received: by 2002:a05:6402:42c5:b0:448:913e:f16 with SMTP id i5-20020a05640242c500b00448913e0f16mr10173119edc.22.1661950829701; Wed, 31 Aug 2022 06:00:29 -0700 (PDT) MIME-Version: 1.0 References: <20220825130552.29587-1-zhangtianci.1997@bytedance.com> In-Reply-To: <20220825130552.29587-1-zhangtianci.1997@bytedance.com> From: Miklos Szeredi Date: Wed, 31 Aug 2022 15:00:18 +0200 Message-ID: Subject: Re: [PATCH v2] ovl: Use current fsuid and fsgid in ovl_link() To: Zhang Tianci Cc: linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, amir73il@gmail.com, Jiachen Zhang , Christian Brauner Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 25 Aug 2022 at 15:08, Zhang Tianci wrote: > > There is a wrong case of link() on overlay: > $ mkdir /lower /fuse /merge > $ mount -t fuse /fuse > $ mkdir /fuse/upper /fuse/work > $ mount -t overlay /merge -o lowerdir=/lower,upperdir=/fuse/upper,\ > workdir=work > $ touch /merge/file > $ chown bin.bin /merge/file // the file's caller becomes "bin" > $ ln /merge/file /merge/lnkfile > > Then we will get an error(EACCES) because fuse daemon checks the link()'s > caller is "bin", it denied this request. > > In the changing history of ovl_link(), there are two key commits: > > The first is commit bb0d2b8ad296 ("ovl: fix sgid on directory") which > overrides the cred's fsuid/fsgid using the new inode. The new inode's > owner is initialized by inode_init_owner(), and inode->fsuid is > assigned to the current user. So the override fsuid becomes the > current user. We know link() is actually modifying the directory, so > the caller must have the MAY_WRITE permission on the directory. The > current caller may should have this permission. This is acceptable > to use the caller's fsuid. > > The second is commit 51f7e52dc943 ("ovl: share inode for hard link") > which removed the inode creation in ovl_link(). This commit move > inode_init_owner() into ovl_create_object(), so the ovl_link() just > give the old inode to ovl_create_or_link(). Then the override fsuid > becomes the old inode's fsuid, neither the caller nor the overlay's > creator! So this is incorrect. > > Fix this bug by using current fsuid/fsgid to do underlying fs's link(). > > Link: https://lore.kernel.org/all/20220817102951.xnvesg3a7rbv576x@wittgenstein/T > > Signed-off-by: Zhang Tianci > Signed-off-by: Jiachen Zhang > Signed-off-by: Christian Brauner (Microsoft) > --- > fs/overlayfs/dir.c | 16 +++++++++++----- > fs/overlayfs/overlayfs.h | 2 ++ > 2 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c > index 6b03457f72bb..dd84e6fc5f6e 100644 > --- a/fs/overlayfs/dir.c > +++ b/fs/overlayfs/dir.c > @@ -595,8 +595,8 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, > err = -ENOMEM; > override_cred = prepare_creds(); > if (override_cred) { > - override_cred->fsuid = inode->i_uid; > - override_cred->fsgid = inode->i_gid; > + override_cred->fsuid = attr->fsuid; > + override_cred->fsgid = attr->fsgid; > if (!attr->hardlink) { > err = security_dentry_create_files_as(dentry, > attr->mode, &dentry->d_name, old_cred, > @@ -646,6 +646,8 @@ static int ovl_create_object(struct dentry *dentry, int mode, dev_t rdev, > inode_init_owner(&init_user_ns, inode, dentry->d_parent->d_inode, mode); > attr.mode = inode->i_mode; > > + attr.fsuid = inode->i_uid; > + attr.fsgid = inode->i_gid; > err = ovl_create_or_link(dentry, inode, &attr, false); > /* Did we end up using the preallocated inode? */ > if (inode != d_inode(dentry)) > @@ -702,6 +704,7 @@ static int ovl_link(struct dentry *old, struct inode *newdir, > { > int err; > struct inode *inode; > + struct ovl_cattr attr; > > err = ovl_want_write(old); > if (err) > @@ -728,9 +731,12 @@ static int ovl_link(struct dentry *old, struct inode *newdir, > inode = d_inode(old); > ihold(inode); > > - err = ovl_create_or_link(new, inode, > - &(struct ovl_cattr) {.hardlink = ovl_dentry_upper(old)}, > - ovl_type_origin(old)); > + attr = (struct ovl_cattr) { > + .hardlink = ovl_dentry_upper(old), > + .fsuid = current_fsuid(), > + .fsgid = current_fsgid(), > + }; Why do we need to override fsuid/fsgid for the hardlink case? Wouldn't it be simpler to just use the mounter's creds unmodified in this case? The inode is not created in this case, so overriding with current uid/gid is not necessary, I think. Another way to look at it is: rename(A, B) is equivalent to an imaginary atomic [link(A, B) + unlink(A)] pair. But we don't override uid/gid for rename() or unlink() so why should we for link(). Thanks, Miklos