• Christian Brauner's avatar
    security: pass down mount idmapping to setattr hook · 0e363cf3
    Christian Brauner authored
    Before this change we used to take a shortcut and place the actual
    values that would be written to inode->i_{g,u}id into struct iattr. This
    had the advantage that we moved idmappings mostly out of the picture
    early on but it made reasoning about changes more difficult than it
    should be.
    
    The filesystem was never explicitly told that it dealt with an idmapped
    mount. The transition to the value that needed to be stored in
    inode->i_{g,u}id appeared way too early and increased the probability of
    bugs in various codepaths.
    
    We know place the same value in struct iattr no matter if this is an
    idmapped mount or not. The vfs will only deal with type safe
    vfs{g,u}id_t. This makes it massively safer to perform permission checks
    as the type will tell us what checks we need to perform and what helpers
    we need to use.
    
    Adapt the security_inode_setattr() helper to pass down the mount's
    idmapping to account for that change.
    
    Link: https://lore.kernel.org/r/20220621141454.2914719-8-brauner@kernel.org
    Cc: Seth Forshee <sforshee@digitalocean.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Aleksa Sarai <cyphar@cyphar.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    CC: linux-fsdevel@vger.kernel.org
    Reviewed-by: default avatarSeth Forshee <sforshee@digitalocean.com>
    Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
    0e363cf3
security.c 66.4 KB