Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 18f335af authored by Dave Hansen's avatar Dave Hansen Committed by Al Viro
Browse files

[PATCH] r/o bind mounts: elevate write count for xattr_permission() callers 



This basically audits the callers of xattr_permission(), which calls
permission() and can perform writes to the filesystem.

[AV: add missing parts - removexattr() and nfsd posix acls, plug for a leak
spotted by Miklos]

Acked-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarDave Hansen <haveblue@us.ibm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 9079b1eb

fs/nfsd/nfs4proc.c

+6 −1
Original line number Diff line number Diff line
@@ -658,14 +658,19 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, 
			return status;

		}

	}

	status = mnt_want_write(cstate->current_fh.fh_export->ex_path.mnt);

	if (status)

		return status;

	status = nfs_ok;

	if (setattr->sa_acl != NULL)

		status = nfsd4_set_nfs4_acl(rqstp, &cstate->current_fh,

					    setattr->sa_acl);

	if (status)

		return status;

		goto out;

	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,

				0, (time_t)0);

out:

	mnt_drop_write(cstate->current_fh.fh_export->ex_path.mnt);

	return status;

}

fs/nfsd/vfs.c

+4 −0
Original line number Diff line number Diff line
@@ -2086,6 +2086,9 @@ nfsd_set_posix_acl(struct svc_fh *fhp, int type, struct posix_acl *acl) 
	} else

		size = 0;



	error = mnt_want_write(fhp->fh_export->ex_path.mnt);

	if (error)

		goto getout;

	if (size)

		error = vfs_setxattr(fhp->fh_dentry, name, value, size, 0);

	else {
@@ -2097,6 +2100,7 @@ nfsd_set_posix_acl(struct svc_fh *fhp, int type, struct posix_acl *acl) 
				error = 0;

		}

	}

	mnt_drop_write(fhp->fh_export->ex_path.mnt);



getout:

	kfree(value);

fs/xattr.c

+32 −8
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
#include <linux/slab.h>

#include <linux/file.h>

#include <linux/xattr.h>

#include <linux/mount.h>

#include <linux/namei.h>

#include <linux/security.h>

#include <linux/syscalls.h>
@@ -32,8 +33,6 @@ xattr_permission(struct inode *inode, const char *name, int mask) 
	 * filesystem  or on an immutable / append-only inode.

	 */

	if (mask & MAY_WRITE) {

		if (IS_RDONLY(inode))

			return -EROFS;

		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))

			return -EPERM;

	}
@@ -262,7 +261,11 @@ sys_setxattr(char __user *path, char __user *name, void __user *value, 
	error = user_path_walk(path, &nd);

	if (error)

		return error;

	error = mnt_want_write(nd.path.mnt);

	if (!error) {

		error = setxattr(nd.path.dentry, name, value, size, flags);

		mnt_drop_write(nd.path.mnt);

	}

	path_put(&nd.path);

	return error;

}
@@ -277,7 +280,11 @@ sys_lsetxattr(char __user *path, char __user *name, void __user *value, 
	error = user_path_walk_link(path, &nd);

	if (error)

		return error;

	error = mnt_want_write(nd.path.mnt);

	if (!error) {

		error = setxattr(nd.path.dentry, name, value, size, flags);

		mnt_drop_write(nd.path.mnt);

	}

	path_put(&nd.path);

	return error;

}
@@ -295,7 +302,12 @@ sys_fsetxattr(int fd, char __user *name, void __user *value, 
		return error;

	dentry = f->f_path.dentry;

	audit_inode(NULL, dentry);

	error = mnt_want_write(f->f_path.mnt);

	if (!error) {

		error = setxattr(dentry, name, value, size, flags);

		mnt_drop_write(f->f_path.mnt);

	}

out_fput:

	fput(f);

	return error;

}
@@ -482,7 +494,11 @@ sys_removexattr(char __user *path, char __user *name) 
	error = user_path_walk(path, &nd);

	if (error)

		return error;

	error = mnt_want_write(nd.path.mnt);

	if (!error) {

		error = removexattr(nd.path.dentry, name);

		mnt_drop_write(nd.path.mnt);

	}

	path_put(&nd.path);

	return error;

}
@@ -496,7 +512,11 @@ sys_lremovexattr(char __user *path, char __user *name) 
	error = user_path_walk_link(path, &nd);

	if (error)

		return error;

	error = mnt_want_write(nd.path.mnt);

	if (!error) {

		error = removexattr(nd.path.dentry, name);

		mnt_drop_write(nd.path.mnt);

	}

	path_put(&nd.path);

	return error;

}
@@ -513,7 +533,11 @@ sys_fremovexattr(int fd, char __user *name) 
		return error;

	dentry = f->f_path.dentry;

	audit_inode(NULL, dentry);

	error = mnt_want_write(f->f_path.mnt);

	if (!error) {

		error = removexattr(dentry, name);

		mnt_drop_write(f->f_path.mnt);

	}

	fput(f);

	return error;

}