linux/fs/afs
Eric W. Biederman 93faccbbfa fs: Better permission checking for submounts
To support unprivileged users mounting filesystems two permission
checks have to be performed: a test to see if the user allowed to
create a mount in the mount namespace, and a test to see if
the user is allowed to access the specified filesystem.

The automount case is special in that mounting the original filesystem
grants permission to mount the sub-filesystems, to any user who
happens to stumble across the their mountpoint and satisfies the
ordinary filesystem permission checks.

Attempting to handle the automount case by using override_creds
almost works.  It preserves the idea that permission to mount
the original filesystem is permission to mount the sub-filesystem.
Unfortunately using override_creds messes up the filesystems
ordinary permission checks.

Solve this by being explicit that a mount is a submount by introducing
vfs_submount, and using it where appropriate.

vfs_submount uses a new mount internal mount flags MS_SUBMOUNT, to let
sget and friends know that a mount is a submount so they can take appropriate
action.

sget and sget_userns are modified to not perform any permission checks
on submounts.

follow_automount is modified to stop using override_creds as that
has proven problemantic.

do_mount is modified to always remove the new MS_SUBMOUNT flag so
that we know userspace will never by able to specify it.

autofs4 is modified to stop using current_real_cred that was put in
there to handle the previous version of submount permission checking.

cifs is modified to pass the mountpoint all of the way down to vfs_submount.

debugfs is modified to pass the mountpoint all of the way down to
trace_automount by adding a new parameter.  To make this change easier
a new typedef debugfs_automount_t is introduced to capture the type of
the debugfs automount function.

Cc: stable@vger.kernel.org
Fixes: 069d5ac9ae ("autofs:  Fix automounts by using current_real_cred()->uid")
Fixes: aeaa4a79ff ("fs: Call d_automount with the filesystems creds")
Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com>
Reviewed-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-02-02 04:36:12 +13:00
..
afs_cm.h
afs_fs.h
afs_vl.h AFS: Fix silly characters in a comment 2011-07-20 20:48:03 -04:00
afs.h afs: Support interacting with multiple user namespaces 2013-02-13 06:00:51 -08:00
cache.c Fix common misspellings 2011-03-31 11:26:23 -03:00
callback.c fs/afs/callback: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
cell.c FS-Cache: Provide the ability to enable/disable cookies 2013-09-27 18:40:25 +01:00
cmservice.c afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
dir.c fs: rename "rename2" i_op to "rename" 2016-09-27 11:03:58 +02:00
file.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
flock.c fs/afs/flock: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
fsclient.c afs: unmapping the wrong buffer 2016-10-13 08:33:28 +01:00
inode.c don't put symlink bodies in pagecache into highmem 2015-12-08 22:41:36 -05:00
internal.h afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
Kconfig fs/afs: remove depends on CONFIG_EXPERIMENTAL 2013-01-21 14:39:04 -08:00
main.c afs: Need linux/random.h 2016-08-30 16:07:53 +01:00
Makefile FS-Cache: Make kAFS use FS-Cache 2009-04-03 16:42:41 +01:00
misc.c kafs: Add more "unified AFS" error codes 2015-04-01 21:36:15 +01:00
mntpt.c fs: Better permission checking for submounts 2017-02-02 04:36:12 +13:00
netdevices.c afs: BUG to BUG_ON changes 2009-04-09 10:41:19 -07:00
proc.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
rxrpc.c afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
security.c ->permission() sanitizing: don't pass flags to ->permission() 2011-07-20 01:43:24 -04:00
server.c rxrpc: Provide a way for AFS to ask for the peer address of a call 2016-08-30 16:07:53 +01:00
super.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
vlclient.c rxrpc: Don't expose skbs to in-kernel users [ver #2] 2016-09-01 16:43:27 -07:00
vlocation.c fs/afs/vlocation: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
vnode.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
volume.c fs: introduce f_op->mmap_capabilities for nommu mmap support 2015-01-20 14:02:58 -07:00
write.c fs: use mapping_set_error instead of opencoded set_bit 2016-10-11 15:06:33 -07:00