mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-01 17:18:25 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fhandle: pull CAP_DAC_READ_SEARCH check into may_decode_fh()

Browse source 
There's no point in keeping it outside of that helper. This way we have
all the permission pieces in one place.

Link: https://lore.kernel.org/r/20241129-work-pidfs-file_handle-v1-4-87d803a42495@kernel.org
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
This commit is contained in:
Christian Brauner 2024-11-29 14:38:03 +01:00
parent 50166d57ea
commit 6ebb05b48e
No known key found for this signature in database
GPG key ID: 91C61BC06578DCA2
1 changed files with 21 additions and 17 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

38
fs/fhandle.c
View file

@ -279,28 +279,32 @@ static int do_handle_to_path(struct file_handle *handle, struct path *path,
return 0; return 0;
} }
/*
* Allow relaxed permissions of file handles if the caller has the
* ability to mount the filesystem or create a bind-mount of the
* provided @mountdirfd.
*
* In both cases the caller may be able to get an unobstructed way to
* the encoded file handle. If the caller is only able to create a
* bind-mount we need to verify that there are no locked mounts on top
* of it that could prevent us from getting to the encoded file.
*
* In principle, locked mounts can prevent the caller from mounting the
* filesystem but that only applies to procfs and sysfs neither of which
* support decoding file handles.
*/
static inline bool may_decode_fh(struct handle_to_path_ctx *ctx, static inline bool may_decode_fh(struct handle_to_path_ctx *ctx,
unsigned int o_flags) unsigned int o_flags)
{ {
struct path *root = &ctx->root; struct path *root = &ctx->root;
if (capable(CAP_DAC_READ_SEARCH))
return true;
/* /*
* Restrict to O_DIRECTORY to provide a deterministic API that avoids a * Allow relaxed permissions of file handles if the caller has
* confusing api in the face of disconnected non-dir dentries. * the ability to mount the filesystem or create a bind-mount of
* the provided @mountdirfd.
*
* In both cases the caller may be able to get an unobstructed
* way to the encoded file handle. If the caller is only able to
* create a bind-mount we need to verify that there are no
* locked mounts on top of it that could prevent us from getting
* to the encoded file.
*
* In principle, locked mounts can prevent the caller from
* mounting the filesystem but that only applies to procfs and
* sysfs neither of which support decoding file handles.
*
* Restrict to O_DIRECTORY to provide a deterministic API that
* avoids a confusing api in the face of disconnected non-dir
* dentries.
* *
* There's only one dentry for each directory inode (VFS rule)... * There's only one dentry for each directory inode (VFS rule)...
*/ */
@ -337,7 +341,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
if (retval) if (retval)
goto out_err; goto out_err;
if (!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)) { if (!may_decode_fh(&ctx, o_flags)) {
retval = -EPERM; retval = -EPERM;
goto out_path; goto out_path;
} }