From patchwork Wed Sep 23 20:16:02 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 521832
From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Jeff Layton, "J. Bruce Fields"
Cc: Serge Hallyn, linux-kernel@vger.kernel.org, Andy Lutomirski, Seth Forshee, linux-security-module@vger.kernel.org, linux-mtd@lists.infradead.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH v4 2/7] userns: Simpilify MNT_NODEV handling.
Date: Wed, 23 Sep 2015 15:16:02 -0500
Message-Id: <1443039368-55445-3-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1443039368-55445-1-git-send-email-seth.forshee@canonical.com>
References: <1443039368-55445-1-git-send-email-seth.forshee@canonical.com>

From: "Eric W. Biederman"

- Consolidate the testing if a device node may be opened in a new function may_open_dev.
- Move the check for allowing access to device nodes on filesystems not mounted in the initial user namespace from mount time to open time and include it in may_open_dev.

This set of changes removes the implicit adding of MNT_NODEV which simplifies the logic in fs/namespace.c and removes a potentially problematic difference in how normal and unprivileged mount namespaces work.

This is a user visible change in behavior for remount in unprivileged mount namespaces but is unlikely to cause problems for existing software.

Signed-off-by: "Eric W. Biederman"
--- fs/block_dev.c | 2 +- fs/namei.c | 9 ++++++++- fs/namespace.c | 18 ++++-------------- include/linux/fs.h | 1 + 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/fs/block_dev.c b/fs/block_dev.c index 073bb57adab1..46bd98482f71 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -1737,7 +1737,7 @@ struct block_device *lookup_bdev(const char *pathname) if (!S_ISBLK(inode->i_mode)) goto fail; error = -EACCES; - if (path.mnt->mnt_flags & MNT_NODEV) + if (!may_open_dev(&path)) goto fail; error = -ENOMEM; bdev = bd_acquire(inode); diff --git a/fs/namei.c b/fs/namei.c index 726d211db484..fcc5751d6395 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2663,6 +2663,13 @@ int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, } EXPORT_SYMBOL(vfs_create); +bool may_open_dev(const struct path *path) +{ + return !(path->mnt->mnt_flags & MNT_NODEV) && + ((path->mnt->mnt_sb->s_user_ns == &init_user_ns) || + (path->mnt->mnt_sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)); +} + static int may_open(struct path *path, int acc_mode, int flag) { struct dentry *dentry = path->dentry; 
@@ -2685,7 +2692,7 @@ static int may_open(struct path *path, int acc_mode, int flag) break; case S_IFBLK: case S_IFCHR: - if (path->mnt->mnt_flags & MNT_NODEV) + if (!may_open_dev(path)) return -EACCES; /*FALLTHRU*/ case S_IFIFO: diff --git a/fs/namespace.c b/fs/namespace.c index d023a353dc63..da70f7c4ece1 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2177,13 +2177,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags, } if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) && !(mnt_flags & MNT_NODEV)) { - /* Was the nodev implicitly added in mount? */ - if ((mnt->mnt_ns->user_ns != &init_user_ns) && - !(sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) { - mnt_flags |= MNT_NODEV; - } else { - return -EPERM; - } + return -EPERM; } if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) && !(mnt_flags & MNT_NOSUID)) { @@ -2396,13 +2390,6 @@ static int do_new_mount(struct path *path, const char *fstype, int flags, put_filesystem(type); return -EPERM; } - /* Only in special cases allow devices from mounts - * created outside the initial user namespace. - */ - if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) { - flags |= MS_NODEV; - mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV; - } if (type->fs_flags & FS_USERNS_VISIBLE) { if (!fs_fully_visible(type, &mnt_flags)) return -EPERM; @@ -3238,6 +3225,9 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) mnt_flags = mnt->mnt.mnt_flags; if (mnt->mnt.mnt_sb->s_iflags & SB_I_NOEXEC) mnt_flags &= ~(MNT_LOCK_NOSUID | MNT_LOCK_NOEXEC); + if (mnt->mnt.mnt_sb->s_user_ns != &init_user_ns && + !(mnt->mnt.mnt_sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) + mnt_flags &= ~(MNT_LOCK_NODEV); /* Verify the mount flags are equal to or more permissive * than the proposed new mount. diff --git a/include/linux/fs.h b/include/linux/fs.h index 79c15ab2159d..5ec201e8308c 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -1537,6 +1537,7 @@ extern void dentry_unhash(struct dentry *dentry); */ extern void inode_init_owner(struct inode *inode, const struct inode *dir, umode_t mode); +extern bool may_open_dev(const struct path *path); /* * VFS FS_IOC_FIEMAP helper definitions. */
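Review bot: may_open_dev() in the fs/namei.c hunk at -2663 is added without any comment, although it now carries the whole device-access policy: the MNT_NODEV test plus the requirement that the superblock's s_user_ns is &init_user_ns or the filesystem type sets FS_USERNS_DEV_MOUNT. A short kerneldoc block saying that the second clause stands in for the MNT_NODEV that do_new_mount() used to add implicitly would steer future callers to this helper instead of testing mnt_flags & MNT_NODEV directly. The parentheses around the s_user_ns == &init_user_ns comparison are redundant and can be dropped.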
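Review bot: the changelog calls the remount change user visible but does not say what changes, and the do_remount() hunk in fs/namespace.c at -2177 is where it happens. A remount that omits nodev on a mount with MNT_LOCK_NODEV set now always returns -EPERM, where it previously had MNT_NODEV added back silently when mnt_ns->user_ns was not &init_user_ns and the type lacked FS_USERNS_DEV_MOUNT. Please spell that out in the commit message so that anyone bisecting a failing remount can match the error to this patch.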
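Review bot: with the implicit MNT_NODEV | MNT_LOCK_NODEV removed from do_new_mount() (fs/namespace.c hunk at -2396), device nodes on mounts created outside the initial user namespace are refused only where may_open_dev() is called, and this patch converts two sites, lookup_bdev() and may_open(). The changelog should state that these are the only places that test MNT_NODEV, or the patch should convert the remaining ones, because any direct test of the flag left elsewhere would now pass for such mounts.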
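Review bot: the condition added to fs_fully_visible() (fs/namespace.c hunk at -3238) repeats, negated, the second clause of may_open_dev() and has no comment explaining why MNT_LOCK_NODEV is dropped from the comparison. Factoring the s_user_ns / FS_USERNS_DEV_MOUNT test into one small helper used by both places would keep the two from drifting apart, and a one-line comment here would match the intent of the SB_I_NOEXEC case just above it. The parentheses in ~(MNT_LOCK_NODEV) are unnecessary for a single flag.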