From patchwork Thu Jul 6 20:45:14 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1804498
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Kinetic, Lunar, OEM-6.1 1/3] Revert "UBUNTU: SAUCE: overlayfs: handle idmapped mounts in ovl_do_(set|remove)xattr"
Date: Thu, 6 Jul 2023 17:45:14 -0300
Message-Id: <20230706204517.1071559-2-cascardo@canonical.com>
In-Reply-To: <20230706204517.1071559-1-cascardo@canonical.com>
References: <20230706204517.1071559-1-cascardo@canonical.com>

This reverts commit 520b4713f66b758048d921b73b2c9250d4c2a474.

This is needed in order to revert "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs".

CVE-2023-2640
CVE-2023-32629

Signed-off-by: Thadeu Lima de Souza Cascardo
---
 fs/overlayfs/overlayfs.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 3a85be75d64a..e523d600da4e 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -255,7 +255,7 @@ static inline int ovl_do_setxattr(struct ovl_fs *ofs, struct dentry *dentry, int err; inode_lock(inode); - err = __vfs_setxattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name, value, size, flags); + err = __vfs_setxattr_noperm(&init_user_ns, dentry, name, value, size, flags); inode_unlock(inode); pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, %d) = %i\n", 
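Review bot: Replacing ovl_upper_mnt_userns(ofs) with &init_user_ns in this ovl_do_setxattr hunk (and in the matching ovl_do_removexattr hunk that follows) reintroduces the wrong mount userns for idmapped upper layers, which is exactly what commit 520b4713f66b had fixed; it is only acceptable because 2/3 immediately replaces both calls with vfs_setxattr()/vfs_removexattr(ovl_upper_mnt_userns(ofs), ...). Please state in the commit message that this revert must not be applied without 2/3, or squash the two reverts so that no intermediate kernel carries this state. Note also that the call here is still __vfs_setxattr_noperm(), so the missing permission checks behind CVE-2023-2640 / CVE-2023-32629 are not addressed by this patch on its own.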
@@ -277,7 +277,7 @@ static inline int ovl_do_removexattr(struct ovl_fs *ofs, struct dentry *dentry, int err; inode_lock(inode); - err = __vfs_removexattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name); + err = __vfs_removexattr_noperm(&init_user_ns, dentry, name); inode_unlock(inode); pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err);

From patchwork Thu Jul 6 20:45:15 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1804500
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Kinetic, Lunar, OEM-6.1 2/3] Revert "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs"
Date: Thu, 6 Jul 2023 17:45:15 -0300
Message-Id: <20230706204517.1071559-3-cascardo@canonical.com>
In-Reply-To: <20230706204517.1071559-1-cascardo@canonical.com>
References: <20230706204517.1071559-1-cascardo@canonical.com>

This reverts commit 2c7ab1423973cfb50e1226e6608a1d454e702c90.

Commit "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs" replaced the VFS calls to change xattrs to their _noperm equivalents. However, since upstream commit c914c0e27eb0 ("ovl: use wrappers to all vfs_*xattr() calls"), overlayfs started using the changed wrapper function to set any extended attributes. This means that overlayfs skips checking permissions for any extended attribute changes, not only trusted.overlayfs.* xattrs, as was intended by the sauce commit above.

Fixes: c914c0e27eb0 ("ovl: use wrappers to all vfs_*xattr() calls")
CVE-2023-2640
CVE-2023-32629

Signed-off-by: Thadeu Lima de Souza Cascardo
---
 fs/overlayfs/overlayfs.h | 16 +++-------------
 fs/xattr.c               | 36 ++++++------------------------------
 include/linux/xattr.h    |  1 -
 3 files changed, 9 insertions(+), 44 deletions(-)

diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index e523d600da4e..1df7f850ff3b 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -251,12 +251,8 @@ static inline int ovl_do_setxattr(struct ovl_fs *ofs, struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { - struct inode *inode = dentry->d_inode; - int err; - - inode_lock(inode); - err = __vfs_setxattr_noperm(&init_user_ns, dentry, name, value, size, flags); - inode_unlock(inode); + int err = vfs_setxattr(ovl_upper_mnt_userns(ofs), dentry, name, + value, size, flags); pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, %d) = %i\n", dentry, name, min((int)size, 48), value, size, flags, err); @@ -273,13 +269,7 @@ static inline int ovl_setxattr(struct ovl_fs *ofs, struct dentry *dentry, static inline int ovl_do_removexattr(struct ovl_fs *ofs, struct dentry *dentry, const char *name) { - struct inode *inode = dentry->d_inode; - int err; - - inode_lock(inode); - err = __vfs_removexattr_noperm(&init_user_ns, dentry, name); - inode_unlock(inode); - + int err = vfs_removexattr(ovl_upper_mnt_userns(ofs), dentry, name); pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err); return err; } diff --git a/fs/xattr.c b/fs/xattr.c index 76dc91ec7ae8..adab9a70b536 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -259,7 +259,6 @@ int __vfs_setxattr_noperm(struct user_namespace *mnt_userns, return error; } -EXPORT_SYMBOL_GPL(__vfs_setxattr_noperm); /** * __vfs_setxattr_locked - set an extended attribute while holding the inode 
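Review bot: The two overlayfs.h hunks are the actual fix for CVE-2023-2640 / CVE-2023-32629: vfs_setxattr()/vfs_removexattr() run the normal xattr permission checks that __vfs_setxattr_noperm()/__vfs_removexattr_noperm() skipped, and they are again called with ovl_upper_mnt_userns(ofs), so the idmapped-mount handling dropped in 1/3 comes back. Two things worth spelling out in the commit message: the explicit inode_lock()/inode_unlock() pair disappears together with the _noperm call, so say that vfs_setxattr() and vfs_removexattr() take the inode lock internally and no locking is lost; and the fs/xattr.c hunk here removes only the EXPORT_SYMBOL_GPL() of __vfs_setxattr_noperm(), not the function, because __vfs_setxattr_locked() still uses it. The Fixes: tag names upstream c914c0e27eb0, but the permission bypass itself was introduced by SAUCE commit 2c7ab1423973 that this patch reverts; consider citing that commit as well so the SRU tracking points at the change that created the bug.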
@@ -500,34 +499,6 @@ __vfs_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry, } EXPORT_SYMBOL(__vfs_removexattr); -/** - * __vfs_removexattr_noperm - perform removexattr operation without - * performing permission checks. - * - * @dentry - object to perform setxattr on - * @name - xattr name to set - * - * returns the result of the internal setxattr or setsecurity operations. - * - * This function requires the caller to lock the inode's i_mutex before it - * is executed. It also assumes that the caller will make the appropriate - * permission checks. - */ -int -__vfs_removexattr_noperm(struct user_namespace *mnt_userns, - struct dentry *dentry, const char *name) -{ - int error; - - error =__vfs_removexattr(mnt_userns, dentry, name); - if (!error) { - fsnotify_xattr(dentry); - evm_inode_post_removexattr(dentry, name); - } - return error; -} -EXPORT_SYMBOL_GPL(__vfs_removexattr_noperm); - /** * __vfs_removexattr_locked - set an extended attribute while holding the inode * lock @@ -558,7 +529,12 @@ __vfs_removexattr_locked(struct user_namespace *mnt_userns, if (error) goto out; - error = __vfs_removexattr_noperm(mnt_userns, dentry, name); + error = __vfs_removexattr(mnt_userns, dentry, name); + + if (!error) { + fsnotify_xattr(dentry); + evm_inode_post_removexattr(dentry, name); + } out: return error; diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 149b148625da..2e7dd44926e4 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h 
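Review bot: In the __vfs_removexattr_locked hunk the fsnotify_xattr() and evm_inode_post_removexattr() calls are inlined in place of the removed __vfs_removexattr_noperm() helper, in the same order the helper used them, so the fsnotify and EVM post-hooks are preserved. Because that helper and its prototype (next hunk, include/linux/xattr.h) go away entirely while __vfs_setxattr_noperm() only loses its export, please confirm with a tree-wide grep on each of Kinetic, Lunar and OEM-6.1 that no other SAUCE code still calls either function: a remaining __vfs_removexattr_noperm() caller fails at build time, but a module that relied on the __vfs_setxattr_noperm() export would only fail at module build or load time. Minor: the kerneldoc being removed described setxattr rather than removexattr, a copy-paste leftover that does not need to survive.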
@@ -69,7 +69,6 @@ int __vfs_setxattr_locked(struct user_namespace *, struct dentry *, int vfs_setxattr(struct user_namespace *, struct dentry *, const char *, const void *, size_t, int); int __vfs_removexattr(struct user_namespace *, struct dentry *, const char *); -int __vfs_removexattr_noperm(struct user_namespace *, struct dentry *, const char *); int __vfs_removexattr_locked(struct user_namespace *, struct dentry *, const char *, struct inode **); int vfs_removexattr(struct user_namespace *, struct dentry *, const char *);

From patchwork Thu Jul 6 20:45:17 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1804502
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Kinetic, Lunar, OEM-6.0, OEM-6.1 3/3] UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non initial user namespace
Date: Thu, 6 Jul 2023 17:45:17 -0300
Message-Id: <20230706204517.1071559-5-cascardo@canonical.com>
In-Reply-To: <20230706204517.1071559-1-cascardo@canonical.com>
References: <20230706204517.1071559-1-cascardo@canonical.com>

Also add a nouserxattr for the cases where it is desirable to mount without userxattr under such namespaces.

This allows cases where such xattrs are necessary for certain operations to work out, instead of failing due to not being able to use the trusted.overlay.* xattrs.

CVE-2023-2640
CVE-2023-32629
LP: #1531747

Signed-off-by: Thadeu Lima de Souza Cascardo
---
 fs/overlayfs/super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 85b891152a2c..bf031d88a842 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -391,6 +391,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry) seq_puts(m, ",volatile"); if (ofs->config.userxattr) seq_puts(m, ",userxattr"); + else + seq_puts(m, ",nouserxattr"); return 0; } @@ -439,6 +441,7 @@ enum { OPT_UUID_OFF, OPT_NFS_EXPORT_ON, OPT_USERXATTR, + OPT_NOUSERXATTR, OPT_NFS_EXPORT_OFF, OPT_XINO_ON, OPT_XINO_OFF, @@ -458,6 +461,7 @@ static const match_table_t ovl_tokens = { {OPT_INDEX_ON, "index=on"}, {OPT_INDEX_OFF, "index=off"}, {OPT_USERXATTR, "userxattr"}, + {OPT_NOUSERXATTR, "nouserxattr"}, {OPT_UUID_ON, "uuid=on"}, {OPT_UUID_OFF, "uuid=off"}, {OPT_NFS_EXPORT_ON, "nfs_export=on"},
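Review bot: The ovl_show_options hunk prints ",nouserxattr" for every overlay mount whose userxattr flag is false, which changes the /proc/self/mountinfo and mount(8) output of all existing overlay mounts, including those in the initial user namespace where nothing changed; tools that parse mount options will see a token older kernels never emitted. Consider emitting nouserxattr only when it overrides the effective default (when the superblock's s_user_ns is not &init_user_ns and userxattr is false), in the same spirit as the existing line that prints userxattr only when it is set. The OPT_NOUSERXATTR enum and "nouserxattr" token hunks are straightforward; since this is a user-visible mount option that only Ubuntu kernels accept, it should also be documented in Documentation/filesystems/overlayfs.rst or at least in the commit message.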
@@ -628,6 +632,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) config->userxattr = true; break; + case OPT_NOUSERXATTR: + config->userxattr = false; + break; + default: pr_err("unrecognized mount option \"%s\" or missing value\n", p); @@ -1926,6 +1934,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) ofs->config.nfs_export = ovl_nfs_export_def; ofs->config.xino = ovl_xino_def(); ofs->config.metacopy = ovl_metacopy_def; + if (sb->s_user_ns != &init_user_ns) + ofs->config.userxattr = true; err = ovl_parse_opt((char *) data, &ofs->config); if (err) goto out_err;
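Review bot: The ovl_fill_super hunk sets userxattr before ovl_parse_opt() runs, so an explicit "nouserxattr" on the mount command line still overrides the non-initial-userns default; that precedence is right, but the commit message should say what nouserxattr then means. With 2/3 applied, trusted.overlay.* xattr writes from such a mount go through vfs_setxattr() with permission checks, so nouserxattr under a non-initial user namespace brings back the old failing behaviour, not the skipped checks. The security property of the series therefore rests on 2/3, and this patch is a usability default that keeps unprivileged overlay mounts working; stating that explicitly would help, since all three patches carry the same CVE tags and a reader could otherwise take this one for part of the fix.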