7 years ago · 8cb08329b0
--- a/fs/fuse/acl.c
+++ b/fs/fuse/acl.c
@@ -34,7 +34,7 @@ struct posix_acl *fuse_get_acl(struct inode *inode, int type)
 
				 		return ERR_PTR(-ENOMEM);
			
 
				 	size = fuse_getxattr(inode, name, value, PAGE_SIZE);
			
 
				 	if (size > 0)
			
 
				-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
			
 
				+		acl = posix_acl_from_xattr(fc->user_ns, value, size);
			
 
				 	else if ((size == 0) || (size == -ENODATA) ||
			
 
				 		 (size == -EOPNOTSUPP && fc->no_getxattr))
			
 
				 		acl = NULL;
			
@@ -81,7 +81,7 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 
				 		if (!value)
			
 
				 			return -ENOMEM;
			
 
				 
			
 
				-		ret = posix_acl_to_xattr(&init_user_ns, acl, value, size);
			
 
				+		ret = posix_acl_to_xattr(fc->user_ns, acl, value, size);
			
 
				 		if (ret < 0) {
			
 
				 			kfree(value);
			
 
				 			return ret;
			
--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -48,6 +48,7 @@
 
				 #include <linux/stat.h>
			
 
				 #include <linux/module.h>
			
 
				 #include <linux/uio.h>
			
 
				+#include <linux/user_namespace.h>
			
 
				 
			
 
				 #include "fuse_i.h"
			
 
				 
			
@@ -498,7 +499,11 @@ static int cuse_channel_open(struct inode *inode, struct file *file)
 
				 	if (!cc)
			
 
				 		return -ENOMEM;
			
 
				 
			
 
				-	fuse_conn_init(&cc->fc);
			
 
				+	/*
			
 
				+	 * Limit the cuse channel to requests that can
			
 
				+	 * be represented in file->f_cred->user_ns.
			
 
				+	 */
			
 
				+	fuse_conn_init(&cc->fc, file->f_cred->user_ns);
			
 
				 
			
 
				 	fud = fuse_dev_alloc(&cc->fc);
			
 
				 	if (!fud) {
			
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -156,8 +156,8 @@ static struct fuse_req *__fuse_get_req(struct fuse_conn *fc, unsigned npages,
 
				 		goto out;
			
 
				 	}
			
 
				 
			
 
				-	req->in.h.uid = from_kuid(&init_user_ns, current_fsuid());
			
 
				-	req->in.h.gid = from_kgid(&init_user_ns, current_fsgid());
			
 
				+	req->in.h.uid = from_kuid(fc->user_ns, current_fsuid());
			
 
				+	req->in.h.gid = from_kgid(fc->user_ns, current_fsgid());
			
 
				 	req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns);
			
 
				 
			
 
				 	__set_bit(FR_WAITING, &req->flags);
			
@@ -257,8 +257,8 @@ struct fuse_req *fuse_get_req_nofail_nopages(struct fuse_conn *fc,
 
				 	if (!req)
			
 
				 		req = get_reserved_req(fc, file);
			
 
				 
			
 
				-	req->in.h.uid = from_kuid_munged(&init_user_ns, current_fsuid());
			
 
				-	req->in.h.gid = from_kgid_munged(&init_user_ns, current_fsgid());
			
 
				+	req->in.h.uid = from_kuid_munged(fc->user_ns, current_fsuid());
			
 
				+	req->in.h.gid = from_kgid_munged(fc->user_ns, current_fsgid());
			
 
				 	req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns);
			
 
				 
			
 
				 	__set_bit(FR_WAITING, &req->flags);
			
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -858,8 +858,8 @@ static void fuse_fillattr(struct inode *inode, struct fuse_attr *attr,
 
				 	stat->ino = attr->ino;
			
 
				 	stat->mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777);
			
 
				 	stat->nlink = attr->nlink;
			
 
				-	stat->uid = make_kuid(&init_user_ns, attr->uid);
			
 
				-	stat->gid = make_kgid(&init_user_ns, attr->gid);
			
 
				+	stat->uid = make_kuid(fc->user_ns, attr->uid);
			
 
				+	stat->gid = make_kgid(fc->user_ns, attr->gid);
			
 
				 	stat->rdev = inode->i_rdev;
			
 
				 	stat->atime.tv_sec = attr->atime;
			
 
				 	stat->atime.tv_nsec = attr->atimensec;
			
@@ -1475,17 +1475,17 @@ static bool update_mtime(unsigned ivalid, bool trust_local_mtime)
 
				 	return true;
			
 
				 }
			
 
				 
			
 
				-static void iattr_to_fattr(struct iattr *iattr, struct fuse_setattr_in *arg,
			
 
				-			   bool trust_local_cmtime)
			
 
				+static void iattr_to_fattr(struct fuse_conn *fc, struct iattr *iattr,
			
 
				+			   struct fuse_setattr_in *arg, bool trust_local_cmtime)
			
 
				 {
			
 
				 	unsigned ivalid = iattr->ia_valid;
			
 
				 
			
 
				 	if (ivalid & ATTR_MODE)
			
 
				 		arg->valid |= FATTR_MODE,   arg->mode = iattr->ia_mode;
			
 
				 	if (ivalid & ATTR_UID)
			
 
				-		arg->valid |= FATTR_UID,    arg->uid = from_kuid(&init_user_ns, iattr->ia_uid);
			
 
				+		arg->valid |= FATTR_UID,    arg->uid = from_kuid(fc->user_ns, iattr->ia_uid);
			
 
				 	if (ivalid & ATTR_GID)
			
 
				-		arg->valid |= FATTR_GID,    arg->gid = from_kgid(&init_user_ns, iattr->ia_gid);
			
 
				+		arg->valid |= FATTR_GID,    arg->gid = from_kgid(fc->user_ns, iattr->ia_gid);
			
 
				 	if (ivalid & ATTR_SIZE)
			
 
				 		arg->valid |= FATTR_SIZE,   arg->size = iattr->ia_size;
			
 
				 	if (ivalid & ATTR_ATIME) {
			
@@ -1657,7 +1657,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 
				 
			
 
				 	memset(&inarg, 0, sizeof(inarg));
			
 
				 	memset(&outarg, 0, sizeof(outarg));
			
 
				-	iattr_to_fattr(attr, &inarg, trust_local_cmtime);
			
 
				+	iattr_to_fattr(fc, attr, &inarg, trust_local_cmtime);
			
 
				 	if (file) {
			
 
				 		struct fuse_file *ff = file->private_data;
			
 
				 		inarg.valid |= FATTR_FH;
			
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -26,6 +26,7 @@
 
				 #include <linux/xattr.h>
			
 
				 #include <linux/pid_namespace.h>
			
 
				 #include <linux/refcount.h>
			
 
				+#include <linux/user_namespace.h>
			
 
				 
			
 
				 /** Max number of pages that can be used in a single read request */
			
 
				 #define FUSE_MAX_PAGES_PER_REQ 32
			
@@ -466,6 +467,9 @@ struct fuse_conn {
 
				 	/** The pid namespace for this mount */
			
 
				 	struct pid_namespace *pid_ns;
			
 
				 
			
 
				+	/** The user namespace for this mount */
			
 
				+	struct user_namespace *user_ns;
			
 
				+
			
 
				 	/** Maximum read size */
			
 
				 	unsigned max_read;
			
 
				 
			
@@ -876,7 +880,7 @@ struct fuse_conn *fuse_conn_get(struct fuse_conn *fc);
 
				 /**
			
 
				  * Initialize fuse_conn
			
 
				  */
			
 
				-void fuse_conn_init(struct fuse_conn *fc);
			
 
				+void fuse_conn_init(struct fuse_conn *fc, struct user_namespace *user_ns);
			
 
				 
			
 
				 /**
			
 
				  * Release reference to fuse_conn
			
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -171,8 +171,8 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
 
				 	inode->i_ino     = fuse_squash_ino(attr->ino);
			
 
				 	inode->i_mode    = (inode->i_mode & S_IFMT) | (attr->mode & 07777);
			
 
				 	set_nlink(inode, attr->nlink);
			
 
				-	inode->i_uid     = make_kuid(&init_user_ns, attr->uid);
			
 
				-	inode->i_gid     = make_kgid(&init_user_ns, attr->gid);
			
 
				+	inode->i_uid     = make_kuid(fc->user_ns, attr->uid);
			
 
				+	inode->i_gid     = make_kgid(fc->user_ns, attr->gid);
			
 
				 	inode->i_blocks  = attr->blocks;
			
 
				 	inode->i_atime.tv_sec   = attr->atime;
			
 
				 	inode->i_atime.tv_nsec  = attr->atimensec;
			
@@ -477,7 +477,8 @@ static int fuse_match_uint(substring_t *s, unsigned int *res)
 
				 	return err;
			
 
				 }
			
 
				 
			
 
				-static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
			
 
				+static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev,
			
 
				+			  struct user_namespace *user_ns)
			
 
				 {
			
 
				 	char *p;
			
 
				 	memset(d, 0, sizeof(struct fuse_mount_data));
			
@@ -513,7 +514,7 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
 
				 		case OPT_USER_ID:
			
 
				 			if (fuse_match_uint(&args[0], &uv))
			
 
				 				return 0;
			
 
				-			d->user_id = make_kuid(current_user_ns(), uv);
			
 
				+			d->user_id = make_kuid(user_ns, uv);
			
 
				 			if (!uid_valid(d->user_id))
			
 
				 				return 0;
			
 
				 			d->user_id_present = 1;
			
@@ -522,7 +523,7 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
 
				 		case OPT_GROUP_ID:
			
 
				 			if (fuse_match_uint(&args[0], &uv))
			
 
				 				return 0;
			
 
				-			d->group_id = make_kgid(current_user_ns(), uv);
			
 
				+			d->group_id = make_kgid(user_ns, uv);
			
 
				 			if (!gid_valid(d->group_id))
			
 
				 				return 0;
			
 
				 			d->group_id_present = 1;
			
@@ -565,8 +566,8 @@ static int fuse_show_options(struct seq_file *m, struct dentry *root)
 
				 	struct super_block *sb = root->d_sb;
			
 
				 	struct fuse_conn *fc = get_fuse_conn_super(sb);
			
 
				 
			
 
				-	seq_printf(m, ",user_id=%u", from_kuid_munged(&init_user_ns, fc->user_id));
			
 
				-	seq_printf(m, ",group_id=%u", from_kgid_munged(&init_user_ns, fc->group_id));
			
 
				+	seq_printf(m, ",user_id=%u", from_kuid_munged(fc->user_ns, fc->user_id));
			
 
				+	seq_printf(m, ",group_id=%u", from_kgid_munged(fc->user_ns, fc->group_id));
			
 
				 	if (fc->default_permissions)
			
 
				 		seq_puts(m, ",default_permissions");
			
 
				 	if (fc->allow_other)
			
@@ -597,7 +598,7 @@ static void fuse_pqueue_init(struct fuse_pqueue *fpq)
 
				 	fpq->connected = 1;
			
 
				 }
			
 
				 
			
 
				-void fuse_conn_init(struct fuse_conn *fc)
			
 
				+void fuse_conn_init(struct fuse_conn *fc, struct user_namespace *user_ns)
			
 
				 {
			
 
				 	memset(fc, 0, sizeof(*fc));
			
 
				 	spin_lock_init(&fc->lock);
			
@@ -621,6 +622,7 @@ void fuse_conn_init(struct fuse_conn *fc)
 
				 	fc->attr_version = 1;
			
 
				 	get_random_bytes(&fc->scramble_key, sizeof(fc->scramble_key));
			
 
				 	fc->pid_ns = get_pid_ns(task_active_pid_ns(current));
			
 
				+	fc->user_ns = get_user_ns(user_ns);
			
 
				 }
			
 
				 EXPORT_SYMBOL_GPL(fuse_conn_init);
			
 
				 
			
@@ -630,6 +632,7 @@ void fuse_conn_put(struct fuse_conn *fc)
 
				 		if (fc->destroy_req)
			
 
				 			fuse_request_free(fc->destroy_req);
			
 
				 		put_pid_ns(fc->pid_ns);
			
 
				+		put_user_ns(fc->user_ns);
			
 
				 		fc->release(fc);
			
 
				 	}
			
 
				 }
			
@@ -1064,7 +1067,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 
				 
			
 
				 	sb->s_flags &= ~(SB_NOSEC | SB_I_VERSION);
			
 
				 
			
 
				-	if (!parse_fuse_opt(data, &d, is_bdev))
			
 
				+	if (!parse_fuse_opt(data, &d, is_bdev, sb->s_user_ns))
			
 
				 		goto err;
			
 
				 
			
 
				 	if (is_bdev) {
			
@@ -1089,8 +1092,12 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 
				 	if (!file)
			
 
				 		goto err;
			
 
				 
			
 
				-	if ((file->f_op != &fuse_dev_operations) ||
			
 
				-	    (file->f_cred->user_ns != &init_user_ns))
			
 
				+	/*
			
 
				+	 * Require mount to happen from the same user namespace which
			
 
				+	 * opened /dev/fuse to prevent potential attacks.
			
 
				+	 */
			
 
				+	if (file->f_op != &fuse_dev_operations ||
			
 
				+	    file->f_cred->user_ns != sb->s_user_ns)
			
 
				 		goto err_fput;
			
 
				 
			
 
				 	fc = kmalloc(sizeof(*fc), GFP_KERNEL);
			
@@ -1098,7 +1105,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 
				 	if (!fc)
			
 
				 		goto err_fput;
			
 
				 
			
 
				-	fuse_conn_init(fc);
			
 
				+	fuse_conn_init(fc, sb->s_user_ns);
			
 
				 	fc->release = fuse_free_conn;
			
 
				 
			
 
				 	fud = fuse_dev_alloc(fc);