Patch "fs: add mode_strip_sgid() helper" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    fs: add mode_strip_sgid() helper

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-add-mode_strip_sgid-helper.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From stable-owner@xxxxxxxxxxxxxxx Sat Mar 18 11:16:11 2023
From: Amir Goldstein <amir73il@xxxxxxxxx>
Date: Sat, 18 Mar 2023 12:15:22 +0200
Subject: fs: add mode_strip_sgid() helper
To: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Sasha Levin <sashal@xxxxxxxxxx>, "Darrick J . Wong" <djwong@xxxxxxxxxx>, Leah Rumancik <leah.rumancik@xxxxxxxxx>, Chandan Babu R <chandan.babu@xxxxxxxxxx>, Christian Brauner <brauner@xxxxxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx, linux-xfs@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, Yang Xu <xuyang2018.jy@xxxxxxxxxxx>, Jeff Layton <jlayton@xxxxxxxxxx>
Message-ID: <20230318101529.1361673-9-amir73il@xxxxxxxxx>

From: Yang Xu <xuyang2018.jy@xxxxxxxxxxx>

commit 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 upstream.

[remove userns argument of helper for 5.10.y backport]

Add a dedicated helper to handle the setgid bit when creating a new file
in a setgid directory. This is a preparatory patch for moving setgid
stripping into the vfs. The patch contains no functional changes.

Currently the setgid stripping logic is open-coded directly in
inode_init_owner() and the individual filesystems are responsible for
handling setgid inheritance. Since this has proven to be brittle as
evidenced by old issues we uncovered over the last months (see [1] to
[3] below) we will try to move this logic into the vfs.

Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [1]
Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [2]
Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [3]
Link: https://lore.kernel.org/r/1657779088-2242-1-git-send-email-xuyang2018.jy@xxxxxxxxxxx
Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx>
Reviewed-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>
Reviewed-and-Tested-by: Jeff Layton <jlayton@xxxxxxxxxx>
Signed-off-by: Yang Xu <xuyang2018.jy@xxxxxxxxxxx>
Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>
Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/inode.c         |   34 ++++++++++++++++++++++++++++++----
 include/linux/fs.h |    1 +
 2 files changed, 31 insertions(+), 4 deletions(-)

--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2147,10 +2147,8 @@ void inode_init_owner(struct inode *inod
 		/* Directories are special, and always inherit S_ISGID */
 		if (S_ISDIR(mode))
 			mode |= S_ISGID;
-		else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
-			 !in_group_p(inode->i_gid) &&
-			 !capable_wrt_inode_uidgid(dir, CAP_FSETID))
-			mode &= ~S_ISGID;
+		else
+			mode = mode_strip_sgid(dir, mode);
 	} else
 		inode->i_gid = current_fsgid();
 	inode->i_mode = mode;
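Review bot: the removed condition tested `in_group_p(inode->i_gid)`, while the helper now called from the `else` branch tests `in_group_p(dir->i_gid)`, so the changelog's "no functional changes" holds only if inode->i_gid already equals dir->i_gid when this branch runs. That assignment is not in the visible context of this hunk; a sentence in the changelog, or a short comment at the call site, stating that the two gids are identical here would let a reader verify the equivalence without opening the file.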
@@ -2382,3 +2380,31 @@ int vfs_ioc_fssetxattr_check(struct inod
 	return 0;
 }
 EXPORT_SYMBOL(vfs_ioc_fssetxattr_check);
+
+/**
+ * mode_strip_sgid - handle the sgid bit for non-directories
+ * @dir: parent directory inode
+ * @mode: mode of the file to be created in @dir
+ *
+ * If the @mode of the new file has both the S_ISGID and S_IXGRP bit
+ * raised and @dir has the S_ISGID bit raised ensure that the caller is
+ * either in the group of the parent directory or they have CAP_FSETID
+ * in their user namespace and are privileged over the parent directory.
+ * In all other cases, strip the S_ISGID bit from @mode.
+ *
+ * Return: the new mode to use for the file
+ */
+umode_t mode_strip_sgid(const struct inode *dir, umode_t mode)
+{
+	if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
+		return mode;
+	if (S_ISDIR(mode) || !dir || !(dir->i_mode & S_ISGID))
+		return mode;
+	if (in_group_p(dir->i_gid))
+		return mode;
+	if (capable_wrt_inode_uidgid(dir, CAP_FSETID))
+		return mode;
+
+	return mode & ~S_ISGID;
+}
+EXPORT_SYMBOL(mode_strip_sgid);
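Review bot: the kernel-doc sentence "In all other cases, strip the S_ISGID bit from @mode" does not match the first two early returns, which hand back @mode unchanged when it lacks S_ISGID or S_IXGRP, when it describes a directory, when @dir is NULL, or when @dir does not have S_ISGID set. Since this helper is exported and decides whether a setgid bit survives file creation, the comment should list the pass-through cases explicitly (including that a NULL @dir is accepted) and say that stripping happens only when the caller is neither in @dir's group nor holds CAP_FSETID over @dir.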
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1768,6 +1768,7 @@ extern long compat_ptr_ioctl(struct file
 extern void inode_init_owner(struct inode *inode, const struct inode *dir,
 			umode_t mode);
 extern bool may_open_dev(const struct path *path);
+umode_t mode_strip_sgid(const struct inode *dir, umode_t mode);
 
 /*
  * This is the "filldir" function type, used by readdir() to let
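Review bot: the prototype added here takes two arguments because, per the bracketed backport note, the userns argument of the upstream helper was removed for 5.10.y, so the exported signature differs from upstream commit 2b3416ceff5e. The later patches in this queue that call mode_strip_sgid() have to use the two-argument form; stating that in the backport note would help anyone cherry-picking further users of the helper into 5.10.y.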


Patches currently in stable-queue which might be from stable-owner@xxxxxxxxxxxxxxx are

queue-5.10/xfs-fallocate-should-call-file_modified.patch
queue-5.10/attr-add-setattr_should_drop_sgid.patch
queue-5.10/xfs-set-prealloc-flag-in-xfs_alloc_file_space.patch
queue-5.10/xfs-purge-dquots-after-inode-walk-fails-during-quotacheck.patch
queue-5.10/fs-use-consistent-setgid-checks-in-is_sxid.patch
queue-5.10/xfs-remove-xfs_prealloc_sync.patch
queue-5.10/attr-add-in_group_or_capable.patch
queue-5.10/xfs-don-t-assert-fail-on-perag-references-on-teardown.patch
queue-5.10/xfs-don-t-leak-btree-cursor-when-insrec-fails-after-a-split.patch
queue-5.10/fs-move-s_isgid-stripping-into-the-vfs_-helpers.patch
queue-5.10/xfs-remove-xfs_setattr_time-declaration.patch
queue-5.10/fs-move-should_remove_suid.patch
queue-5.10/attr-use-consistent-sgid-stripping-checks.patch
queue-5.10/fs-add-mode_strip_sgid-helper.patch
queue-5.10/xfs-use-setattr_copy-to-set-vfs-inode-attributes.patch


