Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp698802rdg;
        Wed, 11 Oct 2023 03:06:06 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF1IObzJlhpXdsYhH4QxGnA/2f3kpYyVNmFKSbWZW5ePH3f/GQrw9qtQ0BifxPpmp2NwTHi
X-Received: by 2002:a05:6870:a448:b0:1bf:61d1:a4d4 with SMTP id n8-20020a056870a44800b001bf61d1a4d4mr26366451oal.6.1697018765652;
        Wed, 11 Oct 2023 03:06:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697018765; cv=none;
        d=google.com; s=arc-20160816;
        b=L7id+019nAmbVJ2dhP9wvQsbZJShvXkzFXqwc/jBZJgtVgeXnQUdleBEO9WVcypIrg
         Yl7hffFNDJFlY0JiskG2THSW9mUwsG5NrIkeFQwlqvJ6RjvqOKFqh3P9JtD6gfd18uwY
         v/wxkeFSADuW6dGbhNZka+IjHgECTOwn1eA0s2by5pAk3zPi4S2S7SVnMeSLk2N42non
         ECk/UPXs/e8/I/j3+Zg1NdWLWEjmtdSR7aLE8V69FJ4IS/fGULERCYXO0QJeV4JqtgVy
         tdoREyKD9J3Z2xOwCj+mnslvovKIRTti+EuJ3D7ETFQAETCASC6tYpQSLy5Okh1tzIOf
         qMTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:dkim-signature;
        bh=KvCiUYneHj84xzWqOcZeY7+I2IayaqBntzgcE8QwB8U=;
        fh=UCNfmxA/GAyh2+IdDE4JgBjhFwh+AHaS2oQaJZz2syQ=;
        b=ST91QOSWoASDh4yvISG1TnCjGckJ/TBUGzFjiTQvJvrRPqe7L7dAxwS6K835YYbdpB
         4g+PTgoDVKerkYZ5f6vBvlak4yIWQUhxNj/sMHG6sDFEzguJD4N1Xn2LTMOHqyL1d7L1
         FWeWshaI2DGiwK7x8n2rjeD1fKW2xNwdcACLFStf3jfIPOExOzfB02y0H0T1Q/mgD5/n
         1vGRyMkYE6DYhOIWt6X31aqbq7WBePBJ8/GLWmP78VVBC39lxSqxMUEj4JlU2OwrrEU9
         wIxdFHDzmcWdkXB3tyo1Al2noXRPpY36opv1tyTjvaJd89PgohdDEvyM71FzJq54qXMs
         EkBQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=p+rqvMXb;
       dkim=neutral (no key) header.i=@suse.cz header.b=wNU592+V;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
        by mx.google.com with ESMTPS id l186-20020a6388c3000000b00584ba113ec5si13981790pgd.370.2023.10.11.03.06.05
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Oct 2023 03:06:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=p+rqvMXb;
       dkim=neutral (no key) header.i=@suse.cz header.b=wNU592+V;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by groat.vger.email (Postfix) with ESMTP id A0D5980ED9B3;
	Wed, 11 Oct 2023 03:06:02 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231468AbjJKKFr (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Wed, 11 Oct 2023 06:05:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44396 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231215AbjJKKFq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Oct 2023 06:05:46 -0400
Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8E3F92;
        Wed, 11 Oct 2023 03:05:43 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by smtp-out1.suse.de (Postfix) with ESMTPS id 85F1321846;
        Wed, 11 Oct 2023 10:05:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa;
        t=1697018742; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=KvCiUYneHj84xzWqOcZeY7+I2IayaqBntzgcE8QwB8U=;
        b=p+rqvMXbLI2hW8Qv6uv8BDydqVQ6n1DhuxcIr7zf93KJ3qtr7qHmHxKGrFvgZBDBPP84B5
        r4UCpL6t6rDLNacSKImf9aipwXnJgMUxbxhmHmYMynGz9SFfBZIITIQj3dAp7xdTOMMuAQ
        d9Dfpxw988QJ7gqWFGFOEsmS+3Wv8wg=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz;
        s=susede2_ed25519; t=1697018742;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=KvCiUYneHj84xzWqOcZeY7+I2IayaqBntzgcE8QwB8U=;
        b=wNU592+Vcr8OXaOweD0TnSahKEDozcrRqkR02RSKK+eClIhMnSLaCUIFFxLAv35dZJR8Ti
        y+TbLbHtNl+GLwAg==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 6B8BD138EF;
        Wed, 11 Oct 2023 10:05:42 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id Xbg9GnZzJmWCVgAAMHmgww
        (envelope-from <jack@suse.cz>); Wed, 11 Oct 2023 10:05:42 +0000
Received: by quack3.suse.cz (Postfix, from userid 1000)
        id CF275A05BC; Wed, 11 Oct 2023 12:05:41 +0200 (CEST)
Date:   Wed, 11 Oct 2023 12:05:41 +0200
From:   Jan Kara <jack@suse.cz>
To:     Max Kellermann <max.kellermann@ionos.com>
Cc:     Jan Kara <jack@suse.cz>, Xiubo Li <xiubli@redhat.com>,
        Ilya Dryomov <idryomov@gmail.com>,
        Jeff Layton <jlayton@kernel.org>, Jan Kara <jack@suse.com>,
        Dave Kleikamp <shaggy@kernel.org>, ceph-devel@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org,
        jfs-discussion@lists.sourceforge.net,
        Christian Brauner <brauner@kernel.org>, fdevel@quack3,
        Yang Xu <xuyang2018.jy@fujitsu.com>
Subject: Re: [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if ACL
 support is disabled
Message-ID: <20231011100541.sfn3prgtmp7hk2oj@quack3>
References: <69dda7be-d7c8-401f-89f3-7a5ca5550e2f@oracle.com>
 <20231009144340.418904-1-max.kellermann@ionos.com>
 <20231010131125.3uyfkqbcetfcqsve@quack3>
 <CAKPOu+-nC2bQTZYL0XTzJL6Tx4Pi1gLfNWCjU2Qz1f_5CbJc1w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAKPOu+-nC2bQTZYL0XTzJL6Tx4Pi1gLfNWCjU2Qz1f_5CbJc1w@mail.gmail.com>
X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 11 Oct 2023 03:06:02 -0700 (PDT)
X-Spam-Level: **

On Tue 10-10-23 15:17:17, Max Kellermann wrote:
> On Tue, Oct 10, 2023 at 3:11 PM Jan Kara <jack@suse.cz> wrote:
> > Thanks for the updated changelog! But as I'm looking into VFS code isn't
> > this already handled by mode_strip_umask() / vfs_prepare_mode() in
> > fs/namei.c? Because posix_acl_create() doesn't do anything to 'mode' for
> > !IS_POSIXACL() filesystems either. So at least ext2 (where I've checked
> > the mount option handling) does seem to have umask properly applied in all
> > the cases. But I might be missing something...
> 
> I'm not sure either. I was hoping the VFS experts could tell something
> about how this API is supposed to be used and whose responsibility it
> is to apply the umask. There used to be some confusion in the code, to
> the point it was missing completely for O_TMPFILE. I'm still somewhat
> confused. Maybe this is a chance to clear this confusion up and then
> document it?

So I've checked some more and the kernel doc comments before
mode_strip_umask() and vfs_prepare_mode() make it pretty obvious - all
paths creating new inodes must be calling vfs_prepare_mode(). As a result
mode_strip_umask() which handles umask stripping for filesystems not
supporting posix ACLs. For filesystems that do support ACLs,
posix_acl_create() must be call and that handles umask stripping. So your
fix should not be needed. CCed some relevant people for confirmation.

> I wish there was one central place to apply the umask, and not spread
> it around two (or more?) different code locations, depending on
> whether there's an ACL. For my taste, that sort of policy is too error
> prone for something as sensitive as umasks. After we already had the
> O_TMPFILE vulnerability (which was only fixed last year, three
> years(!) after I reported it).

I agree having umask stripping in two places is not great but it's
difficult to avoid with how posix ACLs are implemented and intertwined in
various filesystem implementations. At least the current design made it
quite a bit harder to forget to strip the umask.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR