qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 01/10] virtiofsd: Limit setxattr()'s creds-dropped region

From: Max Reitz
Subject: Re: [PATCH v3 01/10] virtiofsd: Limit setxattr()'s creds-dropped region
Date: Mon, 9 Aug 2021 12:30:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 
On 06.08.21 16:16, Vivek Goyal wrote:

On Fri, Jul 30, 2021 at 05:01:25PM +0200, Max Reitz wrote:

We only need to drop/switch our credentials for the (f)setxattr() call
alone, not for the openat() or fchdir() around it.

(Right now, this may not be that big of a problem, but with inodes being
identified by file handles instead of an O_PATH fd, we will need
open_by_handle_at() calls here, which is really fickle when it comes to
credentials being dropped.)

Signed-off-by: Max Reitz <mreitz@redhat.com>
---
  tools/virtiofsd/passthrough_ll.c | 34 +++++++++++++++++++++++---------
  1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 38b2af8599..1f27eeabc5 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -3121,6 +3121,7 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, 
const char *in_name,
      bool switched_creds = false;
      bool cap_fsetid_dropped = false;
      struct lo_cred old = {};
+    bool open_inode;
if (block_xattr(lo, in_name)) { 
          fuse_reply_err(req, EOPNOTSUPP);
@@ -3155,7 +3156,24 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, 
const char *in_name,
      fuse_log(FUSE_LOG_DEBUG, "lo_setxattr(ino=%" PRIu64
               ", name=%s value=%s size=%zd)\n", ino, name, value, size);
+ /* 
+     * We can only open regular files or directories.  If the inode is
+     * something else, we have to enter /proc/self/fd and use
+     * setxattr() on the link's filename there.
+     */
+    open_inode = S_ISREG(inode->filetype) || S_ISDIR(inode->filetype);
      sprintf(procname, "%i", inode->fd);
+    if (open_inode) {
+        fd = openat(lo->proc_self_fd, procname, O_RDONLY);
+        if (fd < 0) {
+            saverr = errno;
+            goto out;
+        }
+    } else {
+        /* fchdir should not fail here */
+        FCHDIR_NOFAIL(lo->proc_self_fd);
+    }
+
      /*
       * If we are setting posix access acl and if SGID needs to be
       * cleared, then switch to caller's gid and drop CAP_FSETID
@@ -3176,20 +3194,13 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, 
const char *in_name,
          }
          switched_creds = true;
      }
-    if (S_ISREG(inode->filetype) || S_ISDIR(inode->filetype)) {
-        fd = openat(lo->proc_self_fd, procname, O_RDONLY);
-        if (fd < 0) {
-            saverr = errno;
-            goto out;
-        }
+    if (open_inode) {
+        assert(fd >= 0);
          ret = fsetxattr(fd, name, value, size, flags);
          saverr = ret == -1 ? errno : 0;
      } else {
-        /* fchdir should not fail here */
-        FCHDIR_NOFAIL(lo->proc_self_fd);
          ret = setxattr(procname, name, value, size, flags);
          saverr = ret == -1 ? errno : 0;
-        FCHDIR_NOFAIL(lo->root.fd);
      }
      if (switched_creds) {
          if (cap_fsetid_dropped)
@@ -3198,6 +3209,11 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, 
const char *in_name,
              lo_restore_cred(&old, false);
      }
+ if (!open_inode) { 
+        /* Change CWD back, fchdir should not fail here */
+        FCHDIR_NOFAIL(lo->root.fd);
+    }
+

This FCHDIR_NOFAIL() will also need to be called if lo_drop_cap_change_cred()
fails.

         ret = lo_drop_cap_change_cred(req, &old, false, "FSETID",
                                       &cap_fsetid_dropped);
         if (ret) {
             saverr = ret;
             goto out;
         }


Oh, right, thanks!

Max
reply via email to
[Prev in Thread] Current Thread [Next in Thread]