xfs: hide private inodes from bulkstat and handle functions

We're about to start adding functionality that uses internal inodes that
are private to XFS.  What this means is that userspace should never be
able to access any information about these files, and should not be able
to open these files by handle.

To prevent users from ever finding the file or mis-interactions with the
security apparatus, set S_PRIVATE on the inode.  Don't allow bulkstat,
open-by-handle, or linking of S_PRIVATE files into the directory tree.
This should keep private inodes actually private.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
This commit is contained in:
Darrick J. Wong 2024-04-15 14:54:27 -07:00
parent 0730e8d8ba
commit cab23a4233
3 changed files with 12 additions and 1 deletions

View File

@ -160,7 +160,7 @@ xfs_nfs_get_inode(
} }
} }
if (VFS_I(ip)->i_generation != generation) { if (VFS_I(ip)->i_generation != generation || IS_PRIVATE(VFS_I(ip))) {
xfs_irele(ip); xfs_irele(ip);
return ERR_PTR(-ESTALE); return ERR_PTR(-ESTALE);
} }

View File

@ -365,6 +365,9 @@ xfs_vn_link(
if (unlikely(error)) if (unlikely(error))
return error; return error;
if (IS_PRIVATE(inode))
return -EPERM;
error = xfs_link(XFS_I(dir), XFS_I(inode), &name); error = xfs_link(XFS_I(dir), XFS_I(inode), &name);
if (unlikely(error)) if (unlikely(error))
return error; return error;

View File

@ -97,6 +97,14 @@ xfs_bulkstat_one_int(
vfsuid = i_uid_into_vfsuid(idmap, inode); vfsuid = i_uid_into_vfsuid(idmap, inode);
vfsgid = i_gid_into_vfsgid(idmap, inode); vfsgid = i_gid_into_vfsgid(idmap, inode);
/* If this is a private inode, don't leak its details to userspace. */
if (IS_PRIVATE(inode)) {
xfs_iunlock(ip, XFS_ILOCK_SHARED);
xfs_irele(ip);
error = -EINVAL;
goto out_advance;
}
/* xfs_iget returns the following without needing /* xfs_iget returns the following without needing
* further change. * further change.
*/ */