From 7e5f7bb08b8cefd3a7e8961861f47fe1f0e830d4 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 20 May 2019 13:44:57 +0100 Subject: unexport simple_dname() Signed-off-by: Al Viro --- fs/internal.h | 1 + 1 file changed, 1 insertion(+) (limited to 'fs/internal.h') diff --git a/fs/internal.h b/fs/internal.h index 0010889f2e85..1ac2b8f6c621 100644 --- a/fs/internal.h +++ b/fs/internal.h @@ -160,6 +160,7 @@ extern int d_set_mounted(struct dentry *dentry); extern long prune_dcache_sb(struct super_block *sb, struct shrink_control *sc); extern struct dentry *d_alloc_cursor(struct dentry *); extern struct dentry * d_alloc_pseudo(struct super_block *, const struct qstr *); +extern char *simple_dname(struct dentry *, char *, int); /* * read_write.c -- cgit v1.2.3-55-g7522 From 2527b284defaeadf74829b0b0bd3207ca7f165eb Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 12 May 2019 17:09:01 -0400 Subject: move the capability checks from sget_userns() to legacy_get_tree() 1) all call chains leading to sget_userns() pass through ->mount() instances. 2) none of ->mount() instances is ever called directly - the only call site is legacy_get_tree() 3) all remaining ->mount() instances end up calling sget_userns() IOW, we might as well do the capability checks just before calling ->mount(). As for the arguments passed to mount_capable(), in case of call chains to sget_userns() going through sget(), we either don't call mount_capable() at all, or pass current_user_ns() to it. The call chains going through mount_pseudo_xattr() don't call mount_capable() at all (SB_KERNMOUNT in flags on those). That could've been split into smaller steps (lifting the checks into sget(), then callers of sget(), then all the way to the entries of every ->mount() out there, then to the sole caller), but that would be too much churn for little benefit... 
Signed-off-by: Al Viro --- fs/fs_context.c | 5 +++++ fs/internal.h | 2 ++ fs/super.c | 4 ---- 3 files changed, 7 insertions(+), 4 deletions(-) (limited to 'fs/internal.h') diff --git a/fs/fs_context.c b/fs/fs_context.c index a47ccd5a4a78..746a5871959c 100644 --- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -662,6 +662,11 @@ static int legacy_get_tree(struct fs_context *fc) struct super_block *sb; struct dentry *root; + if (!(fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT))) { + if (!mount_capable(fc->fs_type, current_user_ns())) + return -EPERM; + } + root = fc->fs_type->mount(fc->fs_type, fc->sb_flags, fc->source, ctx->legacy_data); if (IS_ERR(root)) diff --git a/fs/internal.h b/fs/internal.h index 1ac2b8f6c621..65db901420af 100644 --- a/fs/internal.h +++ b/fs/internal.h @@ -18,6 +18,7 @@ struct path; struct mount; struct shrink_control; struct fs_context; +struct user_namespace; /* * block_dev.c @@ -113,6 +114,7 @@ extern struct file *alloc_empty_file_noaccount(int, const struct cred *); extern int reconfigure_super(struct fs_context *); extern bool trylock_super(struct super_block *sb); extern struct super_block *user_get_super(dev_t); +extern bool mount_capable(struct file_system_type *, struct user_namespace *); /* * open.c diff --git a/fs/super.c b/fs/super.c index 6919f5c728f0..bdb03255c7ea 100644 --- a/fs/super.c +++ b/fs/super.c @@ -583,10 +583,6 @@ struct super_block *sget_userns(struct file_system_type *type, struct super_block *old; int err; - if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT))) { - if (!mount_capable(type, user_ns)) - return ERR_PTR(-EPERM); - } retry: spin_lock(&sb_lock); if (test) { -- cgit v1.2.3-55-g7522 From 20284ab7427ffac514faf44fd9eb50e5745f4474 Mon Sep 17 00:00:00 2001 
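Review bot: The check added at the top of legacy_get_tree() always tests against `current_user_ns()`, while the one this commit removes from sget_userns() tested the `user_ns` argument its caller supplied. The commit message accounts for the chains through sget() and mount_pseudo_xattr(); whether any ->mount() instance reached sget_userns() with a different namespace cannot be confirmed from the lines shown, and such a path would now be gated on a different namespace than before. Since this block is now the only permission gate ahead of ->mount(), I would record that above it, e.g. `/* mount permission check, moved here from sget_userns(); SB_KERNMOUNT and SB_SUBMOUNT requests are exempt */`. legacy_get_tree() begins and ends outside the hunk.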
From: Al Viro Date: Sun, 12 May 2019 17:31:45 -0400 Subject: switch mount_capable() to fs_context now both callers of mount_capable() have access to fs_context; the only difference is that for sget_fc() we have the possibility of fc->global being true, while for legacy_get_tree() it's guaranteed to be impossible. Unify to more generic variant... Signed-off-by: Al Viro --- fs/fs_context.c | 2 +- fs/internal.h | 2 +- fs/super.c | 11 +++++++---- 3 files changed, 9 insertions(+), 6 deletions(-) (limited to 'fs/internal.h') diff --git a/fs/fs_context.c b/fs/fs_context.c index d75ba0eb8c5b..bc5a5f5f1853 100644 --- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -663,7 +663,7 @@ static int legacy_get_tree(struct fs_context *fc) struct dentry *root; if (!(fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT))) { - if (!mount_capable(fc->fs_type, fc->user_ns)) + if (!mount_capable(fc)) return -EPERM; } diff --git a/fs/internal.h b/fs/internal.h index 65db901420af..b089a489da1f 100644 --- a/fs/internal.h +++ b/fs/internal.h @@ -114,7 +114,7 @@ extern struct file *alloc_empty_file_noaccount(int, const struct cred *); extern int reconfigure_super(struct fs_context *); extern bool trylock_super(struct super_block *sb); extern struct super_block *user_get_super(dev_t); -extern bool mount_capable(struct file_system_type *, struct user_namespace *); +extern bool mount_capable(struct fs_context *); /* * open.c diff --git a/fs/super.c b/fs/super.c index bdb03255c7ea..d1e2f46bad7e 100644 --- a/fs/super.c +++ b/fs/super.c 
@@ -476,12 +476,15 @@ void generic_shutdown_super(struct super_block *sb) EXPORT_SYMBOL(generic_shutdown_super); -bool mount_capable(struct file_system_type *type, struct user_namespace *userns) +bool mount_capable(struct fs_context *fc) { - if (!(type->fs_flags & FS_USERNS_MOUNT)) + struct user_namespace *user_ns = fc->global ? &init_user_ns + : fc->user_ns; + + if (!(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) return capable(CAP_SYS_ADMIN); else - return ns_capable(userns, CAP_SYS_ADMIN); + return ns_capable(user_ns, CAP_SYS_ADMIN); } /** @@ -513,7 +516,7 @@ struct super_block *sget_fc(struct fs_context *fc, if (!(fc->sb_flags & SB_KERNMOUNT) && fc->purpose != FS_CONTEXT_FOR_SUBMOUNT) { - if (!mount_capable(fc->fs_type, user_ns)) + if (!mount_capable(fc)) return ERR_PTR(-EPERM); } -- cgit v1.2.3-55-g7522
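Review bot: mount_capable() now decides by itself which user namespace CAP_SYS_ADMIN is required in, and the rewritten function in fs/super.c has no comment stating that rule. A kernel-doc block should say that a filesystem type without FS_USERNS_MOUNT needs the capability via capable(), and that otherwise it is checked with ns_capable() against `fc->user_ns`, or `&init_user_ns` when `fc->global` is set. As a matter of style, `user_ns` is computed even on the capable() path where it is unused, and the `else` follows a `return`; the second branch could read `return ns_capable(fc->global ? &init_user_ns : fc->user_ns, CAP_SYS_ADMIN);`.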
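Review bot: The exemption that decides whether mount_capable() runs at all is still written differently in its two callers: the guard in sget_fc() here tests `!(fc->sb_flags & SB_KERNMOUNT) && fc->purpose != FS_CONTEXT_FOR_SUBMOUNT`, while legacy_get_tree() in fs/fs_context.c tests `fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT)`. With mount_capable() now taking the fs_context, both conditions could be expressed once in a shared helper so the two paths cannot drift apart on who skips the capability check. Separately, the removed call passed sget_fc()'s local `user_ns`, whose definition is outside the hunk; if that local is still used when the superblock is set up, a comment such as `/* must match the namespace mount_capable() checks */` at its definition would keep check and use aligned. sget_fc() starts and ends outside the hunk.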