Unverified Commit 6ebb05b4 authored by Christian Brauner

fhandle: pull CAP_DAC_READ_SEARCH check into may_decode_fh()

There's no point in keeping it outside of that helper. This way we have
all the permission pieces in one place.

Link: https://lore.kernel.org/r/20241129-work-pidfs-file_handle-v1-4-87d803a42495@kernel.org


Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
parent 50166d57
+21 −17
@@ -279,28 +279,32 @@ static int do_handle_to_path(struct file_handle *handle, struct path *path,
	return 0;
}

/*
 * Allow relaxed permissions of file handles if the caller has the
 * ability to mount the filesystem or create a bind-mount of the
 * provided @mountdirfd.
 *
 * In both cases the caller may be able to get an unobstructed way to
 * the encoded file handle. If the caller is only able to create a
 * bind-mount we need to verify that there are no locked mounts on top
 * of it that could prevent us from getting to the encoded file.
 *
 * In principle, locked mounts can prevent the caller from mounting the
 * filesystem but that only applies to procfs and sysfs neither of which
 * support decoding file handles.
 */
static inline bool may_decode_fh(struct handle_to_path_ctx *ctx,
				 unsigned int o_flags)
{
	struct path *root = &ctx->root;

	if (capable(CAP_DAC_READ_SEARCH))
		return true;

	/*
	 * Restrict to O_DIRECTORY to provide a deterministic API that avoids a
	 * confusing api in the face of disconnected non-dir dentries.
	 * Allow relaxed permissions of file handles if the caller has
	 * the ability to mount the filesystem or create a bind-mount of
	 * the provided @mountdirfd.
	 *
	 * In both cases the caller may be able to get an unobstructed
	 * way to the encoded file handle. If the caller is only able to
	 * create a bind-mount we need to verify that there are no
	 * locked mounts on top of it that could prevent us from getting
	 * to the encoded file.
	 *
	 * In principle, locked mounts can prevent the caller from
	 * mounting the filesystem but that only applies to procfs and
	 * sysfs neither of which support decoding file handles.
	 *
	 * Restrict to O_DIRECTORY to provide a deterministic API that
	 * avoids a confusing api in the face of disconnected non-dir
	 * dentries.
	 *
	 * There's only one dentry for each directory inode (VFS rule)...
	 */
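Review bot: the new early return `if (capable(CAP_DAC_READ_SEARCH)) return true;` sits above the long comment that now describes the relaxed-permission policy, so nothing in may_decode_fh() documents that globally privileged callers skip the mount and locked-mount checks entirely; a one-line comment on the early return (e.g. "Privileged callers bypass the mount-based checks below") would keep the helper self-describing, which is the stated goal of the move. Also note that capable() is the init-user-ns check, so a task holding CAP_DAC_READ_SEARCH only inside a user namespace still falls through to the bind-mount path below, which matches the old behaviour at the call site but is worth stating in the comment since the helper is now the single place a reader looks for the policy.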
@@ -337,7 +341,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
	if (retval)
		goto out_err;

	if (!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)) {
	if (!may_decode_fh(&ctx, o_flags)) {
		retval = -EPERM;
		goto out_path;
	}
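Review bot: this hunk is behaviour-preserving only if handle_to_path() is the sole caller of may_decode_fh(); the previous `!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)` evaluated the capability first and short-circuited, and the helper now does the same, so the order of the capable() check (and its audit side effect) relative to the mount checks is unchanged here. If any other caller of may_decode_fh() exists or is added later, it silently inherits the CAP_DAC_READ_SEARCH bypass, so it would be worth a sentence in the commit message confirming there is only this one call site.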