From patchwork Wed Nov 29 21:50:18 2023
X-Patchwork-Submitter: "Seth Forshee (DigitalOcean)"
X-Patchwork-Id: 17296
From: "Seth Forshee (DigitalOcean)"
Subject: [PATCH 00/16] fs: use type-safe uid representation for filesystem capabilities
Date: Wed, 29 Nov 2023 15:50:18 -0600
Message-Id: <20231129-idmap-fscap-refactor-v1-0-da5a26058a5b@kernel.org>
To: Christian Brauner, Serge Hallyn, Paul Moore, Eric Paris, James Morris, Alexander Viro, Miklos Szeredi, Amir Goldstein
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, linux-unionfs@vger.kernel.org, "Seth Forshee (DigitalOcean)"
This series converts filesystem capabilities from passing around raw xattr data to using a kernel-internal representation with type-safe uids, similar to the conversion done previously for posix ACLs.

Currently fscaps representations in the kernel have two different instances of unclear or confused types:

- fscaps are generally passed around in the raw xattr form, with the rootid sometimes containing the user uid value and at other times containing the filesystem value.
- The existing kernel-internal representation of fscaps, cpu_vfs_cap_data, uses the kuid_t type, but the value stored is actually a vfsuid.

This series eliminates this confusion by converting the xattr data to the kernel representation near the userspace and filesystem boundaries, using the kernel representation within the vfs and commoncap code. The internal representation is renamed to vfs_caps to reflect this broader use, and the rootid is changed to a vfsuid_t to correctly identify the type of uid which it contains.
New vfs interfaces are added to allow for getting and setting fscaps using the kernel representation. This requires the addition of new inode operations to allow overlayfs to handle fscaps properly; all other filesystems fall back to a generic implementation. The top-level vfs xattr interfaces will now reject fscaps xattrs, though the lower-level interfaces continue to accept them for reading and writing the raw xattr data.

The existing xattr security hooks can continue to be used for fscaps. There is some awkwardness here, as EVM requires the on-disk fscaps data to compare with any existing on-disk value. Security checks need to happen before calling into filesystem inode operations, when the fscaps are still in the kernel-internal format, so an extra conversion to the on-disk format is necessary for EVM's setxattr checks.

The remainder of the changes are preparatory work and addition of helpers for converting between the xattr and kernel fscaps representation.

I have tested this code with xfstests, ltp, libcap2, and libcap-ng with no regressions found.
Signed-off-by: Seth Forshee (DigitalOcean)
---
Seth Forshee (DigitalOcean) (16):
      mnt_idmapping: split out core vfs[ug]id_t definitions into vfsid.h
      mnt_idmapping: include cred.h
      capability: rename cpu_vfs_cap_data to vfs_caps
      capability: use vfsuid_t for vfs_caps rootids
      capability: provide helpers for converting between xattrs and vfs_caps
      capability: provide a helper for converting vfs_caps to xattr for userspace
      fs: add inode operations to get/set/remove fscaps
      fs: add vfs_get_fscaps()
      fs: add vfs_set_fscaps()
      fs: add vfs_remove_fscaps()
      ovl: add fscaps handlers
      ovl: use vfs_{get,set}_fscaps() for copy-up
      fs: use vfs interfaces for capabilities xattrs
      commoncap: remove cap_inode_getsecurity()
      commoncap: use vfs fscaps interfaces for killpriv checks
      vfs: return -EOPNOTSUPP for fscaps from vfs_*xattr()

 MAINTAINERS                   |   1 +
 fs/overlayfs/copy_up.c        |  72 +++--
 fs/overlayfs/dir.c            |   3 +
 fs/overlayfs/inode.c          |  84 +++++++
 fs/overlayfs/overlayfs.h      |   6 +
 fs/xattr.c                    | 286 ++++++++++++++++++++++-
 include/linux/capability.h    |  23 +-
 include/linux/fs.h            |  13 ++
 include/linux/mnt_idmapping.h |  67 +----
 include/linux/security.h      |   5 +-
 include/linux/vfsid.h         |  74 ++++++
 kernel/auditsc.c              |   9 +-
 security/commoncap.c          | 519 ++++++++++++++++++++++--------------------
 13 files changed, 802 insertions(+), 360 deletions(-)
---
base-commit: 2cc14f52aeb78ce3f29677c2de1f06c0e91471ab
change-id: 20230512-idmap-fscap-refactor-63b61fa0a36f

Best regards,
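The boundary conversion the cover letter describes, written out as an added userspace C example (not code from the series or from the kernel): the on-disk security.capability xattr (v2 or v3, layout and constants as in the uapi capability.h) is decoded into an internal struct whose rootid has its own vfsuid_t wrapper type, and encoded back. Everything else is this example's own simplification: struct idmap is a one-extent mount idmapping, map_id()/unmap_id() do the mapping, and make_vfsuid()/vfsuid_into_kuid() borrow the kernel's names but only perform a single mapping stage, assuming the filesystem lives in the initial user namespace (the kernel also maps through the filesystem's user namespace). sample_v3, mnt_shift and the sample_* helpers are constructed test inputs.

```c
/* Added example, not code from the series: decode the on-disk "security.capability" xattr
 * into an internal struct whose rootid carries its own C type, and encode it back. Layout
 * constants follow uapi capability.h; struct idmap, map_id()/unmap_id() and the one-stage
 * rootid translation are a simplified stand-in for the kernel's kuid_t/vfsuid_t machinery
 * (the filesystem is assumed to live in the initial user namespace). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define VFS_CAP_REVISION_MASK   0xFF000000U
#define VFS_CAP_FLAGS_MASK      (~VFS_CAP_REVISION_MASK)
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001U
#define VFS_CAP_REVISION_2      0x02000000U
#define VFS_CAP_REVISION_3      0x03000000U
#define XATTR_CAPS_SZ_2         20   /* magic_etc + 2 x {permitted, inheritable} */
#define XATTR_CAPS_SZ_3         24   /* ... + rootid */
#define INVALID_UID             ((uint32_t)-1)

/* Distinct wrapper structs: storing a kuid_t in a vfsuid_t field is a compile error,
 * which is what the series' change of the rootid to vfsuid_t buys. */
typedef struct { uint32_t val; } kuid_t;
typedef struct { uint32_t val; } vfsuid_t;
/* Internal representation: flags only in magic_etc, 64-bit masks, typed rootid. */
struct vfs_caps { uint32_t magic_etc; uint64_t permitted, inheritable; vfsuid_t rootid; };
struct idmap { uint32_t from, to, count; };  /* one-extent mount idmapping */
static uint32_t map_id(const struct idmap *m, uint32_t id)
{ return id >= m->from && id - m->from < m->count ? m->to + (id - m->from) : INVALID_UID; }
static uint32_t unmap_id(const struct idmap *m, uint32_t id)
{ return id >= m->to && id - m->to < m->count ? m->from + (id - m->to) : INVALID_UID; }
/* The only places a kuid_t becomes a vfsuid_t or back: explicit, checked conversions. */
static vfsuid_t make_vfsuid(const struct idmap *mnt, kuid_t k)
{ return (vfsuid_t){ map_id(mnt, k.val) }; }
static kuid_t vfsuid_into_kuid(const struct idmap *mnt, vfsuid_t v)
{ return (kuid_t){ unmap_id(mnt, v.val) }; }
static uint32_t get_le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Disk -> kernel: validate revision and exact size, then map the on-disk rootid (a kuid
 * here) through the mount idmap. -EINVAL: malformed blob; -EOVERFLOW: rootid unmappable. */
static int xattr_to_vfs_caps(const uint8_t *data, size_t size, const struct idmap *mnt,
                             struct vfs_caps *out)
{
    uint32_t magic = size >= 4 ? get_le32(data) : 0, disk_rootid = 0;
    if ((magic & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3 && size == XATTR_CAPS_SZ_3)
        disk_rootid = get_le32(data + 20);
    else if ((magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2 || size != XATTR_CAPS_SZ_2)
        return -EINVAL;
    out->rootid = make_vfsuid(mnt, (kuid_t){ disk_rootid });
    if (out->rootid.val == INVALID_UID) return -EOVERFLOW;
    out->magic_etc   = magic & VFS_CAP_FLAGS_MASK;
    out->permitted   = get_le32(data + 4) | (uint64_t)get_le32(data + 12) << 32;
    out->inheritable = get_le32(data + 8) | (uint64_t)get_le32(data + 16) << 32;
    return 0;
}

/* Kernel -> disk: map the vfsuid back; a rootid of 0 is written as a v2 xattr, anything
 * else as v3. Returns bytes written, -EOVERFLOW if unmappable, -ERANGE if buf is too small. */
static int vfs_caps_to_xattr(const struct vfs_caps *caps, const struct idmap *mnt,
                             uint8_t *buf, size_t size)
{
    uint32_t disk_rootid = vfsuid_into_kuid(mnt, caps->rootid).val;
    size_t need = disk_rootid ? XATTR_CAPS_SZ_3 : XATTR_CAPS_SZ_2;
    uint32_t w[5] = { (disk_rootid ? VFS_CAP_REVISION_3 : VFS_CAP_REVISION_2) |
                      (caps->magic_etc & VFS_CAP_FLAGS_MASK), (uint32_t)caps->permitted,
                      (uint32_t)caps->inheritable, (uint32_t)(caps->permitted >> 32),
                      (uint32_t)(caps->inheritable >> 32) };
    if (disk_rootid == INVALID_UID) return -EOVERFLOW;
    if (size < need) return -ERANGE;
    for (int i = 0; i < 5; i++)
        put_le32(buf + 4 * i, w[i]);
    if (disk_rootid)
        put_le32(buf + 20, disk_rootid);
    return (int)need;
}

/* Constructed sample: v3 xattr, CAP_NET_BIND_SERVICE (bit 10) permitted and inheritable,
 * effective flag set, rootid 1000 on disk. */
static const uint8_t sample_v3[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,  0x00, 0x04, 0x00, 0x00,  0x00, 0x04, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0xe8, 0x03, 0x00, 0x00,
};
static const struct idmap mnt_shift = { 0, 100000, 65536 };  /* idmapped mount */

/* The same on-disk bytes yield a different vfsuid depending on the mount's idmapping. */
static uint32_t sample_rootid_vfsuid(const struct idmap *mnt)
{
    struct vfs_caps c;
    return xattr_to_vfs_caps(sample_v3, sizeof sample_v3, mnt, &c) ? INVALID_UID : c.rootid.val;
}
/* Decode then re-encode through the same mapping must reproduce the blob byte for byte. */
static int sample_roundtrips(const struct idmap *mnt)
{
    struct vfs_caps c; uint8_t buf[XATTR_CAPS_SZ_3];
    return !xattr_to_vfs_caps(sample_v3, sizeof sample_v3, mnt, &c) &&
           vfs_caps_to_xattr(&c, mnt, buf, sizeof buf) == XATTR_CAPS_SZ_3 &&
           !memcmp(buf, sample_v3, sizeof buf);
}
```

Calling sample_rootid_vfsuid(&mnt_shift) gives 101000, while the identity mapping { 0, 0, 65536 } gives 1000 for the very same bytes: the raw rootid only means something once you know which mapping it has been through, which is the ambiguity the series' vfsuid_t rootid removes at the type level. Decoding rejects a truncated or unknown-revision blob with -EINVAL and an unmappable rootid with -EOVERFLOW; encoding chooses v2 whenever the rootid maps back to 0, so a v3 xattr whose rootid is root is never written out.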