Patch "fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-don-t-allow-non-init-s_user_ns-for-filesystems-wi.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 950476bbe7abec78876f2f0c16ea0436fd524623
Author: Seth Forshee (DigitalOcean) <sforshee@xxxxxxxxxx>
Date:   Wed Jul 24 09:53:59 2024 -0500

    fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
    
    [ Upstream commit e1c5ae59c0f22f7fe5c07fb5513a29e4aad868c9 ]
    
    Christian noticed that it is possible for a privileged user to mount
    most filesystems with a non-initial user namespace in sb->s_user_ns.
    When fsopen() is called in a non-init namespace the caller's namespace
    is recorded in fs_context->user_ns. If the returned file descriptor is
    then passed to a process privileged in init_user_ns, that process can
    call fsconfig(fd_fs, FSCONFIG_CMD_CREATE), creating a new superblock
    with sb->s_user_ns set to the namespace of the process which called
    fsopen().
    
    This is problematic. We cannot assume that any filesystem which does not
    set FS_USERNS_MOUNT has been written with a non-initial s_user_ns in
    mind, increasing the risk for bugs and security issues.
    
    Prevent this by returning EPERM from sget_fc() when FS_USERNS_MOUNT is
    not set for the filesystem and a non-initial user namespace will be
    used. sget() does not need to be updated as it always uses the user
    namespace of the current context, or the initial user namespace if
    SB_SUBMOUNT is set.
    
    Fixes: cb50b348c71f ("convenience helpers: vfs_get_super() and sget_fc()")
    Reported-by: Christian Brauner <brauner@xxxxxxxxxx>
    Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240724-s_user_ns-fix-v1-1-895d07c94701@xxxxxxxxxx
    Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@xxxxxxxxxxxxx>
    Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/super.c b/fs/super.c
index 048576b19af63..39d866f7d7c6b 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -528,6 +528,17 @@ struct super_block *sget_fc(struct fs_context *fc,
 	struct user_namespace *user_ns = fc->global ? &init_user_ns : fc->user_ns;
 	int err;
 
+	/*
+	 * Never allow s_user_ns != &init_user_ns when FS_USERNS_MOUNT is
+	 * not set, as the filesystem is likely unprepared to handle it.
+	 * This can happen when fsconfig() is called from init_user_ns with
+	 * an fs_fd opened in another user namespace.
+	 */
+	if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) {
+		errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed");
+		return ERR_PTR(-EPERM);
+	}
+
 retry:
 	spin_lock(&sb_lock);
 	if (test) {
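
Review bot: The errorfc() string in the added check, "Mounting from non-initial user namespace is not allowed", does not match the case the comment above it describes, where fsconfig() is called from init_user_ns and only the fs_fd was opened in another user namespace. A privileged caller in init_user_ns who hits this will read the message as being about its own namespace. Consider wording it around the fs context instead, for example that the context was opened in a non-initial user namespace and the filesystem does not set FS_USERNS_MOUNT, and naming the filesystem type so the log line identifies which mount was refused. Placing the check ahead of the retry: label is fine, since neither user_ns nor fc->fs_type changes between retries.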



