security: pass down mount idmapping to setattr hook

Before this change we used to take a shortcut and place the actual
values that would be written to inode->i_{g,u}id into struct iattr. This
had the advantage that we moved idmappings mostly out of the picture
early on but it made reasoning about changes more difficult than it
should be.

The filesystem was never explicitly told that it dealt with an idmapped
mount. The transition to the value that needed to be stored in
inode->i_{g,u}id appeared way too early and increased the probability of
bugs in various codepaths.

We know place the same value in struct iattr no matter if this is an
idmapped mount or not. The vfs will only deal with type safe
vfs{g,u}id_t. This makes it massively safer to perform permission checks
as the type will tell us what checks we need to perform and what helpers
we need to use.

Adapt the security_inode_setattr() helper to pass down the mount's
idmapping to account for that change.

Link: https://lore.kernel.org/r/20220621141454.2914719-8-brauner@kernel.org
Cc: Seth Forshee <sforshee@digitalocean.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
CC: linux-fsdevel@vger.kernel.org
Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

diff --git a/fs/attr.c b/fs/attr.c
index 2e180dd9460f943c1434d8872f4192f27ef85894..88e2ca30d42e2bef15e1513b91d109fc84d0a940 100644 (file)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -411,7 +411,7 @@ int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry,
            !gid_valid(i_gid_into_mnt(mnt_userns, inode)))
                return -EOVERFLOW;
 
-       error = security_inode_setattr(dentry, attr);
+       error = security_inode_setattr(&init_user_ns, dentry, attr);
        if (error)
                return error;
        error = try_break_deleg(inode, delegated_inode);

diff --git a/fs/fat/file.c b/fs/fat/file.c
index 3dae3ed60f3a3652709dac70ea74c7bc9300f50f..530f18173db223d1790649c0d9aec88775a16721 100644 (file)
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -90,7 +90,8 @@ static int fat_ioctl_set_attributes(struct file *file, u32 __user *user_attr)
         * out the RO attribute for checking by the security
         * module, just because it maps to a file mode.
         */
-       err = security_inode_setattr(file->f_path.dentry, &ia);
+       err = security_inode_setattr(&init_user_ns,
+                                    file->f_path.dentry, &ia);
        if (err)
                goto out_unlock_inode;
 

diff --git a/include/linux/evm.h b/include/linux/evm.h
index 4c374be702472a393894f6659757b2b899082d0e..aa63e0b3c0a296bf62d1ebf880a0c493ba3f5b18 100644 (file)
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -21,7 +21,8 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
                                             void *xattr_value,
                                             size_t xattr_value_len,
                                             struct integrity_iint_cache *iint);
-extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
+extern int evm_inode_setattr(struct user_namespace *mnt_userns,
+                            struct dentry *dentry, struct iattr *attr);
 extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
 extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
                              struct dentry *dentry, const char *name,
@@ -68,7 +69,8 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
 }
 #endif
 
-static inline int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
+static inline int evm_inode_setattr(struct user_namespace *mnt_userns,
+                                   struct dentry *dentry, struct iattr *attr)
 {
        return 0;
 }

diff --git a/include/linux/security.h b/include/linux/security.h
index 7fc4e9f49f542b521afb53514f1229bca0683edc..4d0baf30266ed52edbc0dc54f94305b463affa43 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -353,7 +353,8 @@ int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
                               bool rcu);
 int security_inode_permission(struct inode *inode, int mask);
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
+int security_inode_setattr(struct user_namespace *mnt_userns,
+                          struct dentry *dentry, struct iattr *attr);
 int security_inode_getattr(const struct path *path);
 int security_inode_setxattr(struct user_namespace *mnt_userns,
                            struct dentry *dentry, const char *name,
@@ -848,8 +849,9 @@ static inline int security_inode_permission(struct inode *inode, int mask)
        return 0;
 }
 
-static inline int security_inode_setattr(struct dentry *dentry,
-                                         struct iattr *attr)
+static inline int security_inode_setattr(struct user_namespace *mnt_userns,
+                                        struct dentry *dentry,
+                                        struct iattr *attr)
 {
        return 0;
 }

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index bcde6bc2a2cefb875acab10a90b6c6077c24bab9..7f4af5b5858317d1e68793618744fff9d2b2bf10 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -755,7 +755,8 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
        evm_update_evmxattr(dentry, xattr_name, NULL, 0);
 }
 
-static int evm_attr_change(struct dentry *dentry, struct iattr *attr)
+static int evm_attr_change(struct user_namespace *mnt_userns,
+                          struct dentry *dentry, struct iattr *attr)
 {
        struct inode *inode = d_backing_inode(dentry);
        unsigned int ia_valid = attr->ia_valid;
@@ -775,7 +776,8 @@ static int evm_attr_change(struct dentry *dentry, struct iattr *attr)
  * Permit update of file attributes when files have a valid EVM signature,
  * except in the case of them having an immutable portable signature.
  */
-int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
+int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
+                     struct iattr *attr)
 {
        unsigned int ia_valid = attr->ia_valid;
        enum integrity_status evm_status;
@@ -801,7 +803,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
                return 0;
 
        if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
-           !evm_attr_change(dentry, attr))
+           !evm_attr_change(mnt_userns, dentry, attr))
                return 0;
 
        integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),

diff --git a/security/security.c b/security/security.c
index 188b8f7822206042dfbefb2764e611029a0b78a0..f85afb02ea1c22c8b66720687dd9f0e77dcee629 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -1324,7 +1324,8 @@ int security_inode_permission(struct inode *inode, int mask)
        return call_int_hook(inode_permission, 0, inode, mask);
 }
 
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
+int security_inode_setattr(struct user_namespace *mnt_userns,
+                          struct dentry *dentry, struct iattr *attr)
 {
        int ret;
 
@@ -1333,7 +1334,7 @@ int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
        ret = call_int_hook(inode_setattr, 0, dentry, attr);
        if (ret)
                return ret;
-       return evm_inode_setattr(dentry, attr);
+       return evm_inode_setattr(mnt_userns, dentry, attr);
 }
 EXPORT_SYMBOL_GPL(security_inode_setattr);