mirror of
https://github.com/torvalds/linux.git
synced 2025-11-01 09:09:47 +02:00
18b19abc37
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaNZQgQAKCRCRxhvAZXjc oiFXAQCpbLvkWbld9wLgxUBhq+q+kw5NvGxzpvqIhXwJB9F9YAEA44/Wevln4xGx +kRUbP+xlRQqenIYs2dLzVHzAwAdfQ4= =EO4Y -----END PGP SIGNATURE----- Merge tag 'namespace-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull namespace updates from Christian Brauner: "This contains a larger set of changes around the generic namespace infrastructure of the kernel. Each specific namespace type (net, cgroup, mnt, ...) embedds a struct ns_common which carries the reference count of the namespace and so on. We open-coded and cargo-culted so many quirks for each namespace type that it just wasn't scalable anymore. So given there's a bunch of new changes coming in that area I've started cleaning all of this up. The core change is to make it possible to correctly initialize every namespace uniformly and derive the correct initialization settings from the type of the namespace such as namespace operations, namespace type and so on. This leaves the new ns_common_init() function with a single parameter which is the specific namespace type which derives the correct parameters statically. This also means the compiler will yell as soon as someone does something remotely fishy. The ns_common_init() addition also allows us to remove ns_alloc_inum() and drops any special-casing of the initial network namespace in the network namespace initialization code that Linus complained about. Another part is reworking the reference counting. The reference counting was open-coded and copy-pasted for each namespace type even though they all followed the same rules. This also removes all open accesses to the reference count and makes it private and only uses a very small set of dedicated helpers to manipulate them just like we do for e.g., files. In addition this generalizes the mount namespace iteration infrastructure introduced a few cycles ago. As reminder, the vfs makes it possible to iterate sequentially and bidirectionally through all mount namespaces on the system or all mount namespaces that the caller holds privilege over. This allow userspace to iterate over all mounts in all mount namespaces using the listmount() and statmount() system call. Each mount namespace has a unique identifier for the lifetime of the systems that is exposed to userspace. The network namespace also has a unique identifier working exactly the same way. This extends the concept to all other namespace types. The new nstree type makes it possible to lookup namespaces purely by their identifier and to walk the namespace list sequentially and bidirectionally for all namespace types, allowing userspace to iterate through all namespaces. Looking up namespaces in the namespace tree works completely locklessly. This also means we can move the mount namespace onto the generic infrastructure and remove a bunch of code and members from struct mnt_namespace itself. There's a bunch of stuff coming on top of this in the future but for now this uses the generic namespace tree to extend a concept introduced first for pidfs a few cycles ago. For a while now we have supported pidfs file handles for pidfds. This has proven to be very useful. This extends the concept to cover namespaces as well. It is possible to encode and decode namespace file handles using the common name_to_handle_at() and open_by_handle_at() apis. As with pidfs file handles, namespace file handles are exhaustive, meaning it is not required to actually hold a reference to nsfs in able to decode aka open_by_handle_at() a namespace file handle. Instead the FD_NSFS_ROOT constant can be passed which will let the kernel grab a reference to the root of nsfs internally and thus decode the file handle. Namespaces file descriptors can already be derived from pidfds which means they aren't subject to overmount protection bugs. IOW, it's irrelevant if the caller would not have access to an appropriate /proc/<pid>/ns/ directory as they could always just derive the namespace based on a pidfd already. It has the same advantage as pidfds. It's possible to reliably and for the lifetime of the system refer to a namespace without pinning any resources and to compare them trivially. Permission checking is kept simple. If the caller is located in the namespace the file handle refers to they are able to open it otherwise they must hold privilege over the owning namespace of the relevant namespace. The namespace file handle layout is exposed as uapi and has a stable and extensible format. For now it simply contains the namespace identifier, the namespace type, and the inode number. The stable format means that userspace may construct its own namespace file handles without going through name_to_handle_at() as they are already allowed for pidfs and cgroup file handles" * tag 'namespace-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (65 commits) ns: drop assert ns: move ns type into struct ns_common nstree: make struct ns_tree private ns: add ns_debug() ns: simplify ns_common_init() further cgroup: add missing ns_common include ns: use inode initializer for initial namespaces selftests/namespaces: verify initial namespace inode numbers ns: rename to __ns_ref nsfs: port to ns_ref_*() helpers net: port to ns_ref_*() helpers uts: port to ns_ref_*() helpers ipv4: use check_net() net: use check_net() net-sysfs: use check_net() user: port to ns_ref_*() helpers time: port to ns_ref_*() helpers pid: port to ns_ref_*() helpers ipc: port to ns_ref_*() helpers cgroup: port to ns_ref_*() helpers ...
469 lines
13 KiB
C
469 lines
13 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/syscalls.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/file.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/exportfs.h>
|
|
#include <linux/fs_struct.h>
|
|
#include <linux/fsnotify.h>
|
|
#include <linux/personality.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/nsfs.h>
|
|
#include "internal.h"
|
|
#include "mount.h"
|
|
|
|
static long do_sys_name_to_handle(const struct path *path,
|
|
struct file_handle __user *ufh,
|
|
void __user *mnt_id, bool unique_mntid,
|
|
int fh_flags)
|
|
{
|
|
long retval;
|
|
struct file_handle f_handle;
|
|
int handle_dwords, handle_bytes;
|
|
struct file_handle *handle = NULL;
|
|
|
|
/*
|
|
* We need to make sure whether the file system support decoding of
|
|
* the file handle if decodeable file handle was requested.
|
|
*/
|
|
if (!exportfs_can_encode_fh(path->dentry->d_sb->s_export_op, fh_flags))
|
|
return -EOPNOTSUPP;
|
|
|
|
/*
|
|
* A request to encode a connectable handle for a disconnected dentry
|
|
* is unexpected since AT_EMPTY_PATH is not allowed.
|
|
*/
|
|
if (fh_flags & EXPORT_FH_CONNECTABLE &&
|
|
WARN_ON(path->dentry->d_flags & DCACHE_DISCONNECTED))
|
|
return -EINVAL;
|
|
|
|
if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle)))
|
|
return -EFAULT;
|
|
|
|
if (f_handle.handle_bytes > MAX_HANDLE_SZ)
|
|
return -EINVAL;
|
|
|
|
handle = kzalloc(struct_size(handle, f_handle, f_handle.handle_bytes),
|
|
GFP_KERNEL);
|
|
if (!handle)
|
|
return -ENOMEM;
|
|
|
|
/* convert handle size to multiple of sizeof(u32) */
|
|
handle_dwords = f_handle.handle_bytes >> 2;
|
|
|
|
/* Encode a possibly decodeable/connectable file handle */
|
|
retval = exportfs_encode_fh(path->dentry,
|
|
(struct fid *)handle->f_handle,
|
|
&handle_dwords, fh_flags);
|
|
handle->handle_type = retval;
|
|
/* convert handle size to bytes */
|
|
handle_bytes = handle_dwords * sizeof(u32);
|
|
handle->handle_bytes = handle_bytes;
|
|
if ((handle->handle_bytes > f_handle.handle_bytes) ||
|
|
(retval == FILEID_INVALID) || (retval < 0)) {
|
|
/* As per old exportfs_encode_fh documentation
|
|
* we could return ENOSPC to indicate overflow
|
|
* But file system returned 255 always. So handle
|
|
* both the values
|
|
*/
|
|
if (retval == FILEID_INVALID || retval == -ENOSPC)
|
|
retval = -EOVERFLOW;
|
|
/*
|
|
* set the handle size to zero so we copy only
|
|
* non variable part of the file_handle
|
|
*/
|
|
handle_bytes = 0;
|
|
} else {
|
|
/*
|
|
* When asked to encode a connectable file handle, encode this
|
|
* property in the file handle itself, so that we later know
|
|
* how to decode it.
|
|
* For sanity, also encode in the file handle if the encoded
|
|
* object is a directory and verify this during decode, because
|
|
* decoding directory file handles is quite different than
|
|
* decoding connectable non-directory file handles.
|
|
*/
|
|
if (fh_flags & EXPORT_FH_CONNECTABLE) {
|
|
handle->handle_type |= FILEID_IS_CONNECTABLE;
|
|
if (d_is_dir(path->dentry))
|
|
handle->handle_type |= FILEID_IS_DIR;
|
|
}
|
|
retval = 0;
|
|
}
|
|
/* copy the mount id */
|
|
if (unique_mntid) {
|
|
if (put_user(real_mount(path->mnt)->mnt_id_unique,
|
|
(u64 __user *) mnt_id))
|
|
retval = -EFAULT;
|
|
} else {
|
|
if (put_user(real_mount(path->mnt)->mnt_id,
|
|
(int __user *) mnt_id))
|
|
retval = -EFAULT;
|
|
}
|
|
/* copy the handle */
|
|
if (retval != -EFAULT &&
|
|
copy_to_user(ufh, handle,
|
|
struct_size(handle, f_handle, handle_bytes)))
|
|
retval = -EFAULT;
|
|
kfree(handle);
|
|
return retval;
|
|
}
|
|
|
|
/**
|
|
* sys_name_to_handle_at: convert name to handle
|
|
* @dfd: directory relative to which name is interpreted if not absolute
|
|
* @name: name that should be converted to handle.
|
|
* @handle: resulting file handle
|
|
* @mnt_id: mount id of the file system containing the file
|
|
* (u64 if AT_HANDLE_MNT_ID_UNIQUE, otherwise int)
|
|
* @flag: flag value to indicate whether to follow symlink or not
|
|
* and whether a decodable file handle is required.
|
|
*
|
|
* @handle->handle_size indicate the space available to store the
|
|
* variable part of the file handle in bytes. If there is not
|
|
* enough space, the field is updated to return the minimum
|
|
* value required.
|
|
*/
|
|
SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name,
|
|
struct file_handle __user *, handle, void __user *, mnt_id,
|
|
int, flag)
|
|
{
|
|
struct path path;
|
|
int lookup_flags;
|
|
int fh_flags = 0;
|
|
int err;
|
|
|
|
if (flag & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH | AT_HANDLE_FID |
|
|
AT_HANDLE_MNT_ID_UNIQUE | AT_HANDLE_CONNECTABLE))
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* AT_HANDLE_FID means there is no intention to decode file handle
|
|
* AT_HANDLE_CONNECTABLE means there is an intention to decode a
|
|
* connected fd (with known path), so these flags are conflicting.
|
|
* AT_EMPTY_PATH could be used along with a dfd that refers to a
|
|
* disconnected non-directory, which cannot be used to encode a
|
|
* connectable file handle, because its parent is unknown.
|
|
*/
|
|
if (flag & AT_HANDLE_CONNECTABLE &&
|
|
flag & (AT_HANDLE_FID | AT_EMPTY_PATH))
|
|
return -EINVAL;
|
|
else if (flag & AT_HANDLE_FID)
|
|
fh_flags |= EXPORT_FH_FID;
|
|
else if (flag & AT_HANDLE_CONNECTABLE)
|
|
fh_flags |= EXPORT_FH_CONNECTABLE;
|
|
|
|
lookup_flags = (flag & AT_SYMLINK_FOLLOW) ? LOOKUP_FOLLOW : 0;
|
|
if (flag & AT_EMPTY_PATH)
|
|
lookup_flags |= LOOKUP_EMPTY;
|
|
err = user_path_at(dfd, name, lookup_flags, &path);
|
|
if (!err) {
|
|
err = do_sys_name_to_handle(&path, handle, mnt_id,
|
|
flag & AT_HANDLE_MNT_ID_UNIQUE,
|
|
fh_flags);
|
|
path_put(&path);
|
|
}
|
|
return err;
|
|
}
|
|
|
|
static int get_path_anchor(int fd, struct path *root)
|
|
{
|
|
if (fd >= 0) {
|
|
CLASS(fd, f)(fd);
|
|
if (fd_empty(f))
|
|
return -EBADF;
|
|
*root = fd_file(f)->f_path;
|
|
path_get(root);
|
|
return 0;
|
|
}
|
|
|
|
if (fd == AT_FDCWD) {
|
|
get_fs_pwd(current->fs, root);
|
|
return 0;
|
|
}
|
|
|
|
if (fd == FD_PIDFS_ROOT) {
|
|
pidfs_get_root(root);
|
|
return 0;
|
|
}
|
|
|
|
if (fd == FD_NSFS_ROOT) {
|
|
nsfs_get_root(root);
|
|
return 0;
|
|
}
|
|
|
|
return -EBADF;
|
|
}
|
|
|
|
static int vfs_dentry_acceptable(void *context, struct dentry *dentry)
|
|
{
|
|
struct handle_to_path_ctx *ctx = context;
|
|
struct user_namespace *user_ns = current_user_ns();
|
|
struct dentry *d, *root = ctx->root.dentry;
|
|
struct mnt_idmap *idmap = mnt_idmap(ctx->root.mnt);
|
|
int retval = 0;
|
|
|
|
if (!root)
|
|
return 1;
|
|
|
|
/* Old permission model with global CAP_DAC_READ_SEARCH. */
|
|
if (!ctx->flags)
|
|
return 1;
|
|
|
|
/*
|
|
* Verify that the decoded dentry itself has a valid id mapping.
|
|
* In case the decoded dentry is the mountfd root itself, this
|
|
* verifies that the mountfd inode itself has a valid id mapping.
|
|
*/
|
|
if (!privileged_wrt_inode_uidgid(user_ns, idmap, d_inode(dentry)))
|
|
return 0;
|
|
|
|
/*
|
|
* It's racy as we're not taking rename_lock but we're able to ignore
|
|
* permissions and we just need an approximation whether we were able
|
|
* to follow a path to the file.
|
|
*
|
|
* It's also potentially expensive on some filesystems especially if
|
|
* there is a deep path.
|
|
*/
|
|
d = dget(dentry);
|
|
while (d != root && !IS_ROOT(d)) {
|
|
struct dentry *parent = dget_parent(d);
|
|
|
|
/*
|
|
* We know that we have the ability to override DAC permissions
|
|
* as we've verified this earlier via CAP_DAC_READ_SEARCH. But
|
|
* we also need to make sure that there aren't any unmapped
|
|
* inodes in the path that would prevent us from reaching the
|
|
* file.
|
|
*/
|
|
if (!privileged_wrt_inode_uidgid(user_ns, idmap,
|
|
d_inode(parent))) {
|
|
dput(d);
|
|
dput(parent);
|
|
return retval;
|
|
}
|
|
|
|
dput(d);
|
|
d = parent;
|
|
}
|
|
|
|
if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root)
|
|
retval = 1;
|
|
/*
|
|
* exportfs_decode_fh_raw() does not call acceptable() callback with
|
|
* a disconnected directory dentry, so we should have reached either
|
|
* mount fd directory or sb root.
|
|
*/
|
|
if (ctx->fh_flags & EXPORT_FH_DIR_ONLY)
|
|
WARN_ON_ONCE(d != root && d != root->d_sb->s_root);
|
|
dput(d);
|
|
return retval;
|
|
}
|
|
|
|
static int do_handle_to_path(struct file_handle *handle, struct path *path,
|
|
struct handle_to_path_ctx *ctx)
|
|
{
|
|
int handle_dwords;
|
|
struct vfsmount *mnt = ctx->root.mnt;
|
|
struct dentry *dentry;
|
|
|
|
/* change the handle size to multiple of sizeof(u32) */
|
|
handle_dwords = handle->handle_bytes >> 2;
|
|
dentry = exportfs_decode_fh_raw(mnt, (struct fid *)handle->f_handle,
|
|
handle_dwords, handle->handle_type,
|
|
ctx->fh_flags, vfs_dentry_acceptable,
|
|
ctx);
|
|
if (IS_ERR_OR_NULL(dentry)) {
|
|
if (dentry == ERR_PTR(-ENOMEM))
|
|
return -ENOMEM;
|
|
return -ESTALE;
|
|
}
|
|
path->dentry = dentry;
|
|
path->mnt = mntget(mnt);
|
|
return 0;
|
|
}
|
|
|
|
static inline int may_decode_fh(struct handle_to_path_ctx *ctx,
|
|
unsigned int o_flags)
|
|
{
|
|
struct path *root = &ctx->root;
|
|
|
|
if (capable(CAP_DAC_READ_SEARCH))
|
|
return 0;
|
|
|
|
/*
|
|
* Allow relaxed permissions of file handles if the caller has
|
|
* the ability to mount the filesystem or create a bind-mount of
|
|
* the provided @mountdirfd.
|
|
*
|
|
* In both cases the caller may be able to get an unobstructed
|
|
* way to the encoded file handle. If the caller is only able to
|
|
* create a bind-mount we need to verify that there are no
|
|
* locked mounts on top of it that could prevent us from getting
|
|
* to the encoded file.
|
|
*
|
|
* In principle, locked mounts can prevent the caller from
|
|
* mounting the filesystem but that only applies to procfs and
|
|
* sysfs neither of which support decoding file handles.
|
|
*
|
|
* Restrict to O_DIRECTORY to provide a deterministic API that
|
|
* avoids a confusing api in the face of disconnected non-dir
|
|
* dentries.
|
|
*
|
|
* There's only one dentry for each directory inode (VFS rule)...
|
|
*/
|
|
if (!(o_flags & O_DIRECTORY))
|
|
return -EPERM;
|
|
|
|
if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN))
|
|
ctx->flags = HANDLE_CHECK_PERMS;
|
|
else if (is_mounted(root->mnt) &&
|
|
ns_capable(real_mount(root->mnt)->mnt_ns->user_ns,
|
|
CAP_SYS_ADMIN) &&
|
|
!has_locked_children(real_mount(root->mnt), root->dentry))
|
|
ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE;
|
|
else
|
|
return -EPERM;
|
|
|
|
/* Are we able to override DAC permissions? */
|
|
if (!ns_capable(current_user_ns(), CAP_DAC_READ_SEARCH))
|
|
return -EPERM;
|
|
|
|
ctx->fh_flags = EXPORT_FH_DIR_ONLY;
|
|
return 0;
|
|
}
|
|
|
|
static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
|
|
struct path *path, unsigned int o_flags)
|
|
{
|
|
int retval = 0;
|
|
struct file_handle f_handle;
|
|
struct file_handle *handle __free(kfree) = NULL;
|
|
struct handle_to_path_ctx ctx = {};
|
|
const struct export_operations *eops;
|
|
|
|
if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle)))
|
|
return -EFAULT;
|
|
|
|
if ((f_handle.handle_bytes > MAX_HANDLE_SZ) ||
|
|
(f_handle.handle_bytes == 0))
|
|
return -EINVAL;
|
|
|
|
if (f_handle.handle_type < 0 ||
|
|
FILEID_USER_FLAGS(f_handle.handle_type) & ~FILEID_VALID_USER_FLAGS)
|
|
return -EINVAL;
|
|
|
|
retval = get_path_anchor(mountdirfd, &ctx.root);
|
|
if (retval)
|
|
return retval;
|
|
|
|
eops = ctx.root.mnt->mnt_sb->s_export_op;
|
|
if (eops && eops->permission)
|
|
retval = eops->permission(&ctx, o_flags);
|
|
else
|
|
retval = may_decode_fh(&ctx, o_flags);
|
|
if (retval)
|
|
goto out_path;
|
|
|
|
handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes),
|
|
GFP_KERNEL);
|
|
if (!handle) {
|
|
retval = -ENOMEM;
|
|
goto out_path;
|
|
}
|
|
/* copy the full handle */
|
|
*handle = f_handle;
|
|
if (copy_from_user(&handle->f_handle,
|
|
&ufh->f_handle,
|
|
f_handle.handle_bytes)) {
|
|
retval = -EFAULT;
|
|
goto out_path;
|
|
}
|
|
|
|
/*
|
|
* If handle was encoded with AT_HANDLE_CONNECTABLE, verify that we
|
|
* are decoding an fd with connected path, which is accessible from
|
|
* the mount fd path.
|
|
*/
|
|
if (f_handle.handle_type & FILEID_IS_CONNECTABLE) {
|
|
ctx.fh_flags |= EXPORT_FH_CONNECTABLE;
|
|
ctx.flags |= HANDLE_CHECK_SUBTREE;
|
|
}
|
|
if (f_handle.handle_type & FILEID_IS_DIR)
|
|
ctx.fh_flags |= EXPORT_FH_DIR_ONLY;
|
|
/* Filesystem code should not be exposed to user flags */
|
|
handle->handle_type &= ~FILEID_USER_FLAGS_MASK;
|
|
retval = do_handle_to_path(handle, path, &ctx);
|
|
|
|
out_path:
|
|
path_put(&ctx.root);
|
|
return retval;
|
|
}
|
|
|
|
static long do_handle_open(int mountdirfd, struct file_handle __user *ufh,
|
|
int open_flag)
|
|
{
|
|
long retval = 0;
|
|
struct path path __free(path_put) = {};
|
|
struct file *file;
|
|
const struct export_operations *eops;
|
|
|
|
retval = handle_to_path(mountdirfd, ufh, &path, open_flag);
|
|
if (retval)
|
|
return retval;
|
|
|
|
CLASS(get_unused_fd, fd)(open_flag);
|
|
if (fd < 0)
|
|
return fd;
|
|
|
|
eops = path.mnt->mnt_sb->s_export_op;
|
|
if (eops->open)
|
|
file = eops->open(&path, open_flag);
|
|
else
|
|
file = file_open_root(&path, "", open_flag, 0);
|
|
if (IS_ERR(file))
|
|
return PTR_ERR(file);
|
|
|
|
fd_install(fd, file);
|
|
return take_fd(fd);
|
|
}
|
|
|
|
/**
|
|
* sys_open_by_handle_at: Open the file handle
|
|
* @mountdirfd: directory file descriptor
|
|
* @handle: file handle to be opened
|
|
* @flags: open flags.
|
|
*
|
|
* @mountdirfd indicate the directory file descriptor
|
|
* of the mount point. file handle is decoded relative
|
|
* to the vfsmount pointed by the @mountdirfd. @flags
|
|
* value is same as the open(2) flags.
|
|
*/
|
|
SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd,
|
|
struct file_handle __user *, handle,
|
|
int, flags)
|
|
{
|
|
long ret;
|
|
|
|
if (force_o_largefile())
|
|
flags |= O_LARGEFILE;
|
|
|
|
ret = do_handle_open(mountdirfd, handle, flags);
|
|
return ret;
|
|
}
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
/*
|
|
* Exactly like fs/open.c:sys_open_by_handle_at(), except that it
|
|
* doesn't set the O_LARGEFILE flag.
|
|
*/
|
|
COMPAT_SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd,
|
|
struct file_handle __user *, handle, int, flags)
|
|
{
|
|
return do_handle_open(mountdirfd, handle, flags);
|
|
}
|
|
#endif
|