Commit aabb34e7 authored by Christian Brauner's avatar Christian Brauner Committed by David Sterba

btrfs: relax restrictions for SNAP_DESTROY_V2 with subvolids

So far we prevented the deletion of subvolumes and snapshots using
subvolume ids possible with the BTRFS_SUBVOL_SPEC_BY_ID flag.

This restriction is necessary on idmapped mounts as this allows
filesystem wide subvolume and snapshot deletions and thus can escape the
scope of what's exposed under the mount identified by the fd passed with
the ioctl.

Deletion by subvolume id works by looking for an alias of the parent of
the subvolume or snapshot to be deleted. The parent alias can be
anywhere in the filesystem. However, as long as the alias of the parent
that is found is the same as the one identified by the file descriptor
passed through the ioctl we can allow the deletion.
Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
parent c4ed533b
...@@ -2936,17 +2936,7 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, ...@@ -2936,17 +2936,7 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
if (err) if (err)
goto out; goto out;
} else { } else {
/* struct inode *old_dir;
* Deleting by subvolume id can be used to delete
* subvolumes/snapshots anywhere in the filesystem.
* Ensure that users can't abuse idmapped mounts of
* btrfs subvolumes/snapshots to perform operations in
* the whole filesystem.
*/
if (mnt_userns != &init_user_ns) {
err = -EOPNOTSUPP;
goto out;
}
if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID) { if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID) {
err = -EINVAL; err = -EINVAL;
...@@ -2984,6 +2974,7 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, ...@@ -2984,6 +2974,7 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
err = PTR_ERR(parent); err = PTR_ERR(parent);
goto out_drop_write; goto out_drop_write;
} }
old_dir = dir;
dir = d_inode(parent); dir = d_inode(parent);
/* /*
...@@ -2994,6 +2985,20 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, ...@@ -2994,6 +2985,20 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
*/ */
destroy_parent = true; destroy_parent = true;
/*
* On idmapped mounts, deletion via subvolid is
* restricted to subvolumes that are immediate
* ancestors of the inode referenced by the file
* descriptor in the ioctl. Otherwise the idmapping
* could potentially be abused to delete subvolumes
* anywhere in the filesystem the user wouldn't be able
* to delete without an idmapped mount.
*/
if (old_dir != dir && mnt_userns != &init_user_ns) {
err = -EOPNOTSUPP;
goto free_parent;
}
subvol_name_ptr = btrfs_get_subvol_name_from_objectid( subvol_name_ptr = btrfs_get_subvol_name_from_objectid(
fs_info, vol_args2->subvolid); fs_info, vol_args2->subvolid);
if (IS_ERR(subvol_name_ptr)) { if (IS_ERR(subvol_name_ptr)) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment