On Fri, 2024-10-11 at 11:00 +0200, Amir Goldstein wrote: > Teach open_by_handle_at(2) about the type format of "explicit connectable" > file handles that were created using the AT_HANDLE_CONNECTABLE flag to > name_to_handle_at(2). > > When decoding an "explicit connectable" file handles, name_to_handle_at(2) > should fail if it cannot open a "connected" fd with known path, which is > accessible (to capable user) from mount fd path. > > Note that this does not check if the path is accessible to the calling > user, just that it is accessible wrt the mount namesapce, so if there > is no "connected" alias, or if parts of the path are hidden in the > mount namespace, open_by_handle_at(2) will return -ESTALE. > > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> > --- > fs/fhandle.c | 20 +++++++++++++++++++- > include/linux/exportfs.h | 2 +- > 2 files changed, 20 insertions(+), 2 deletions(-) > > diff --git a/fs/fhandle.c b/fs/fhandle.c > index 8339a1041025..75cfd190cd69 100644 > --- a/fs/fhandle.c > +++ b/fs/fhandle.c > @@ -246,7 +246,13 @@ static int vfs_dentry_acceptable(void *context, struct dentry *dentry) > > if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root) > retval = 1; > - WARN_ON_ONCE(d != root && d != root->d_sb->s_root); > + /* > + * exportfs_decode_fh_raw() does not call acceptable() callback with > + * a disconnected directory dentry, so we should have reached either > + * mount fd directory or sb root. > + */ > + if (ctx->fh_flags & EXPORT_FH_DIR_ONLY) > + WARN_ON_ONCE(d != root && d != root->d_sb->s_root); > dput(d); > return retval; > } > @@ -350,6 +356,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, > retval = -EINVAL; > goto out_path; > } > + > handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), > GFP_KERNEL); > if (!handle) { > @@ -365,6 +372,17 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, > goto out_handle; > } > > + /* > + * If handle was encoded with AT_HANDLE_CONNECTABLE, verify that we > + * are decoding an fd with connected path, which is accessible from > + * the mount fd path. > + */ > + if (f_handle.handle_type & FILEID_IS_CONNECTABLE) { > + ctx.fh_flags |= EXPORT_FH_CONNECTABLE; > + ctx.flags |= HANDLE_CHECK_SUBTREE; > + } > + if (f_handle.handle_type & FILEID_IS_DIR) > + ctx.fh_flags |= EXPORT_FH_DIR_ONLY; > /* Filesystem code should not be exposed to user flags */ > handle->handle_type &= ~FILEID_USER_FLAGS_MASK; > retval = do_handle_to_path(handle, path, &ctx); > diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h > index 4ee42b2cf4ab..fcab6ab1d38a 100644 > --- a/include/linux/exportfs.h > +++ b/include/linux/exportfs.h > @@ -171,7 +171,7 @@ struct fid { > /* Flags supported in encoded handle_type that is exported to user */ > #define FILEID_IS_CONNECTABLE 0x10000 > #define FILEID_IS_DIR 0x20000 > -#define FILEID_VALID_USER_FLAGS (0) > +#define FILEID_VALID_USER_FLAGS (FILEID_IS_CONNECTABLE | FILEID_IS_DIR) > > /** > * struct export_operations - for nfsd to communicate with file systems Thought I had sent this last week, but I got sidetracked: Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>