From patchwork Thu Dec 21 03:09:15 2023
X-Patchwork-Submitter: Ahelenia Ziemiańska
X-Patchwork-Id: 181964
Date: Thu, 21 Dec 2023 04:09:15 +0100
From: Ahelenia Ziemiańska
Cc: Jens Axboe, Christian Brauner, Alexander Viro, linux-fsdevel@vger.kernel.org, Miklos Szeredi, linux-kernel@vger.kernel.org
Subject: [PATCH v2 10/11] fuse: allow splicing from filesystems mounted by real root
Message-ID: <7a160b52d8fa53a9257a2383021a5279d2628edb.1703126594.git.nabijaczleweli@nabijaczleweli.xyz>

FUSE tends to be installed suid 0: this allows normal users to mount anything, including a program whose read implementation consists of for(;;) sleep(1);, which, if splice were allowed, would sleep forever with the pipe lock held. Normal filesystems can only be mounted by root, and are thus deemed safe. Extend this to when root mounts a FUSE filesystem with an explicit check.

Signed-off-by: Ahelenia Ziemiańska
--- fs/fuse/fuse_i.h | 1 + fs/fuse/inode.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 463c5d4ad8b4..a9ceaf10c1d2 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -532,6 +532,7 @@ struct fuse_fs_context { bool no_control:1; bool no_force_umount:1; bool legacy_opts_show:1; + bool trusted:1; enum fuse_dax_mode dax_mode; unsigned int max_read; unsigned int blksize; diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 2a6d44f91729..91108ba9acec 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -1779,6 +1779,7 @@ static int fuse_get_tree(struct fs_context *fsc) fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL); fc->release = fuse_free_conn; + fc->trusted = ctx->trusted; fsc->s_fs_info = fm; 
@@ -1840,6 +1841,7 @@ static int fuse_init_fs_context(struct fs_context *fsc) ctx->max_read = ~0; ctx->blksize = FUSE_DEFAULT_BLKSIZE; ctx->legacy_opts_show = true; + ctx->trusted = uid_eq(current_uid(), GLOBAL_ROOT_UID); #ifdef CONFIG_BLOCK if (fsc->fs_type == &fuseblk_fs_type) {
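
Review bot: In the fs/fuse/fuse_i.h hunk, the new `trusted` bit is added only to struct fuse_fs_context, yet fs/fuse/inode.c assigns `fc->trusted`, where `fc` is the connection passed to fuse_conn_init(). The diffstat shows a single insertion in fuse_i.h, so the matching member on the connection structure has to come from another patch in the series; if it does not, this will not build. Please either add that member here or name the patch that introduces it, and give the new bit a one-line comment stating what "trusted" means (mounted by real root), since the neighbouring flags are all option-derived and this one is not.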
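
Review bot: In the fuse_get_tree() hunk, `fc->trusted = ctx->trusted;` stores the flag on the connection, but none of the three insertions in this patch reads it. The commit message promises "an explicit check" for splice, and that check is not visible here, so a reader of this commit alone cannot tell where the flag changes behaviour. Please reference the patch in the series that tests `fc->trusted`, or fold the consumer into this one so the policy and its enforcement land together.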
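
Review bot: In the fuse_init_fs_context() hunk, `ctx->trusted = uid_eq(current_uid(), GLOBAL_ROOT_UID);` deserves a comment explaining why the real uid is the right test. The commit message's concern is a suid-0 mount helper run by a normal user; that process has effective uid 0 but keeps the caller's real uid, so current_uid() is what distinguishes it, and a later cleanup to current_euid() would silently mark every such mount trusted. It is also worth stating in the comment that the decision is taken once, for the task that creates the fs_context, and is a uid comparison rather than a capability check, so the flag says who initiated the mount and nothing about which process ends up answering requests on the connection.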