linux/fs
Christian Brauner 71bc356f93
commoncap: handle idmapped mounts
When interacting with user namespace and non-user namespace aware
filesystem capabilities the vfs will perform various security checks to
determine whether or not the filesystem capabilities can be used by the
caller, whether they need to be removed and so on. The main
infrastructure for this resides in the capability codepaths but they are
called through the LSM security infrastructure even though they are not
technically an LSM or optional. This extends the existing security hooks
security_inode_removexattr(), security_inode_killpriv(),
security_inode_getsecurity() to pass down the mount's user namespace and
makes them aware of idmapped mounts.

In order to actually get filesystem capabilities from disk the
capability infrastructure exposes the get_vfs_caps_from_disk() helper.
For user namespace aware filesystem capabilities a root uid is stored
alongside the capabilities.

In order to determine whether the caller can make use of the filesystem
capability or whether it needs to be ignored it is translated according
to the superblock's user namespace. If it can be translated to uid 0
according to that id mapping the caller can use the filesystem
capabilities stored on disk. If we are accessing the inode that holds
the filesystem capabilities through an idmapped mount we map the root
uid according to the mount's user namespace. Afterwards the checks are
identical to non-idmapped mounts: reading filesystem caps from disk
enforces that the root uid associated with the filesystem capability
must have a mapping in the superblock's user namespace and that the
caller is either in the same user namespace or is a descendant of the
superblock's user namespace. For filesystems that are mountable inside
user namespace the caller can just mount the filesystem and won't
usually need to idmap it. If they do want to idmap it they can create an
idmapped mount and mark it with a user namespace they created and which
is thus a descendant of s_user_ns. For filesystems that are not
mountable inside user namespaces the descendant rule is trivially true
because the s_user_ns will be the initial user namespace.

If the initial user namespace is passed nothing changes so non-idmapped
mounts will see identical behavior as before.

Link: https://lore.kernel.org/r/20210121131959.646623-11-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-01-24 14:27:17 +01:00
..
9p acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
adfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
affs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
afs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
autofs file: Replace ksys_close with close_fd 2020-12-10 12:42:59 -06:00
befs
bfs inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
btrfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
cachefiles xattr: handle idmapped mounts 2021-01-24 14:27:17 +01:00
ceph acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
cifs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
coda
configfs namei: make permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
cramfs
crypto inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
debugfs debugfs: remove return value of debugfs_create_devm_seqfile() 2020-10-30 08:37:39 +01:00
devpts
dlm fs: dlm: check on existing node address 2020-11-10 12:14:20 -06:00
ecryptfs xattr: handle idmapped mounts 2021-01-24 14:27:17 +01:00
efivarfs inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
efs
erofs erofs: avoid using generic_block_bmap 2020-12-10 11:07:40 +08:00
exfat attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
exportfs exportfs: Add a function to return the raw output from fh_to_dentry() 2020-12-09 09:39:38 -05:00
ext2 acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
ext4 acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
f2fs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
fat attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
freevxfs
fscache
fuse acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
gfs2 acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
hfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
hfsplus acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
hostfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
hpfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
hugetlbfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
iomap mm: memcontrol: Use helpers to read page's memcg data 2020-12-02 18:28:05 -08:00
isofs fs: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
jbd2 jbd2: add a helper to find out number of fast commit blocks 2020-12-17 13:30:45 -05:00
jffs2 acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
jfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
kernfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
lockd fs/lockd: convert comma to semicolon 2020-12-16 07:57:37 -05:00
minix attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
nfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
nfs_common nfs_common: need lock during iterate through the list 2020-12-09 09:38:34 -05:00
nfsd xattr: handle idmapped mounts 2021-01-24 14:27:17 +01:00
nilfs2 attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
nls
notify fs: add file and path permissions helpers 2021-01-24 14:27:16 +01:00
ntfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
ocfs2 acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
omfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
openpromfs
orangefs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
overlayfs xattr: handle idmapped mounts 2021-01-24 14:27:17 +01:00
proc attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
pstore Tracing updates for 5.11 2020-12-17 13:22:17 -08:00
qnx4
qnx6
quota \n 2020-12-17 11:00:37 -08:00
ramfs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
reiserfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
romfs Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-10-24 12:26:05 -07:00
squashfs Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-10-24 12:26:05 -07:00
sysfs
sysv attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
tracefs
ubifs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
udf attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
ufs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
unicode
vboxsf Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2020-10-15 15:11:56 -07:00
verity fs: add file and path permissions helpers 2021-01-24 14:27:16 +01:00
xfs acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
zonefs attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
aio.c Merge branch 'akpm' (patches from Andrew) 2020-12-15 12:53:37 -08:00
anon_inodes.c
attr.c commoncap: handle idmapped mounts 2021-01-24 14:27:17 +01:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot 2020-10-16 11:11:21 -07:00
binfmt_elf.c Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c block: pre-initialize struct block_device in bdev_alloc_inode 2021-01-07 20:57:53 -07:00
buffer.c for-5.11/block-2020-12-14 2020-12-16 12:57:51 -08:00
char_dev.c
compat_binfmt_elf.c elf: Expose ELF header on arch_setup_additional_pages() 2020-10-26 13:46:47 +01:00
coredump.c Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
d_path.c fs: fix NULL dereference due to data race in prepend_path() 2020-10-14 14:54:45 -07:00
dax.c mm: simplify follow_pte{,pmd} 2020-12-15 22:46:19 -08:00
dcache.c fs: Kill DCACHE_DONTCACHE dentry even if DCACHE_REFERENCED is set 2020-12-10 17:33:17 -05:00
dcookies.c
direct-io.c \n 2020-10-15 15:03:10 -07:00
drop_caches.c
eventfd.c eventfd: Export eventfd_ctx_do_read() 2020-11-15 09:49:10 -05:00
eventpoll.c epoll: add syscall epoll_pwait2 2020-12-19 11:18:38 -08:00
exec.c namei: make permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
fcntl.c inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
fhandle.c
file_table.c epoll: take epitem list out of struct file 2020-10-25 20:02:08 -04:00
file.c kernel/io_uring: cancel io_uring before task works 2020-12-30 19:36:54 -07:00
filesystems.c
fs_context.c
fs_parser.c fs_parse: mark fs_param_bad_value() as static 2020-10-13 18:38:27 -07:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback: don't warn on an unregistered BDI in __mark_inode_dirty 2020-12-16 11:56:02 +01:00
fsopen.c
init.c fs: add file and path permissions helpers 2021-01-24 14:27:16 +01:00
inode.c attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
internal.h for-5.11/block-2020-12-14 2020-12-16 12:57:51 -08:00
io_uring.c io_uring: ensure finish_wait() is always called in __io_uring_task_cancel() 2021-01-15 16:04:23 -07:00
io-wq.c io-wq: kill now unused io_wq_cancel_all() 2020-12-20 10:47:42 -07:00
io-wq.h io-wq: kill now unused io_wq_cancel_all() 2020-12-20 10:47:42 -07:00
ioctl.c
Kconfig
Kconfig.binfmt
kernel_read_file.c
libfs.c attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
locks.c Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
Makefile Refactored code for 5.10: 2020-10-23 11:33:41 -07:00
mbcache.c
mount.h
mpage.c
namei.c inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
namespace.c mount: attach mappings to mounts 2021-01-24 14:27:15 +01:00
no-block.c
nsfs.c
open.c attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
pipe.c block: remove i_bdev 2020-12-01 14:53:39 -07:00
pnode.c
pnode.h fs/namespace.c: WARN if mnt_count has become negative 2020-12-10 17:33:17 -05:00
posix_acl.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
proc_namespace.c proc mountinfo: make splice available again 2020-12-27 12:00:36 -08:00
read_write.c Refactored code for 5.10: 2020-10-23 11:33:41 -07:00
readdir.c
remap_range.c namei: make permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
select.c poll: fix performance regression due to out-of-line __put_user() 2021-01-08 11:06:29 -08:00
seq_file.c fix return values of seq_read_iter() 2020-11-15 22:12:53 -05:00
signalfd.c
splice.c io_uring-5.10-2020-10-24 2020-10-24 12:40:18 -07:00
stack.c
stat.c
statfs.c block: remove i_bdev 2020-12-01 14:53:39 -07:00
super.c block: remove i_bdev 2020-12-01 14:53:39 -07:00
sync.c
timerfd.c
userfaultfd.c userfaultfd: add user-mode only option to unprivileged_userfaultfd sysctl knob 2020-12-15 12:13:46 -08:00
utimes.c attr: handle idmapped mounts 2021-01-24 14:27:16 +01:00
xattr.c commoncap: handle idmapped mounts 2021-01-24 14:27:17 +01:00