kernel_optimize_test/fs/afs
Eric W. Biederman 93faccbbfa fs: Better permission checking for submounts
To support unprivileged users mounting filesystems two permission
checks have to be performed: a test to see if the user allowed to
create a mount in the mount namespace, and a test to see if
the user is allowed to access the specified filesystem.

The automount case is special in that mounting the original filesystem
grants permission to mount the sub-filesystems, to any user who
happens to stumble across the their mountpoint and satisfies the
ordinary filesystem permission checks.

Attempting to handle the automount case by using override_creds
almost works.  It preserves the idea that permission to mount
the original filesystem is permission to mount the sub-filesystem.
Unfortunately using override_creds messes up the filesystems
ordinary permission checks.

Solve this by being explicit that a mount is a submount by introducing
vfs_submount, and using it where appropriate.

vfs_submount uses a new mount internal mount flags MS_SUBMOUNT, to let
sget and friends know that a mount is a submount so they can take appropriate
action.

sget and sget_userns are modified to not perform any permission checks
on submounts.

follow_automount is modified to stop using override_creds as that
has proven problemantic.

do_mount is modified to always remove the new MS_SUBMOUNT flag so
that we know userspace will never by able to specify it.

autofs4 is modified to stop using current_real_cred that was put in
there to handle the previous version of submount permission checking.

cifs is modified to pass the mountpoint all of the way down to vfs_submount.

debugfs is modified to pass the mountpoint all of the way down to
trace_automount by adding a new parameter.  To make this change easier
a new typedef debugfs_automount_t is introduced to capture the type of
the debugfs automount function.

Cc: stable@vger.kernel.org
Fixes: 069d5ac9ae ("autofs:  Fix automounts by using current_real_cred()->uid")
Fixes: aeaa4a79ff ("fs: Call d_automount with the filesystems creds")
Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com>
Reviewed-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-02-02 04:36:12 +13:00
..
afs_cm.h
afs_fs.h
afs_vl.h
afs.h
cache.c
callback.c fs/afs/callback: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
cell.c
cmservice.c afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
dir.c fs: rename "rename2" i_op to "rename" 2016-09-27 11:03:58 +02:00
file.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
flock.c fs/afs/flock: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
fsclient.c afs: unmapping the wrong buffer 2016-10-13 08:33:28 +01:00
inode.c don't put symlink bodies in pagecache into highmem 2015-12-08 22:41:36 -05:00
internal.h afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
Kconfig
main.c afs: Need linux/random.h 2016-08-30 16:07:53 +01:00
Makefile
misc.c kafs: Add more "unified AFS" error codes 2015-04-01 21:36:15 +01:00
mntpt.c fs: Better permission checking for submounts 2017-02-02 04:36:12 +13:00
netdevices.c
proc.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
rxrpc.c afs: call->operation_ID sometimes used as __be32 sometimes as u32 2016-10-13 17:03:52 +01:00
security.c
server.c rxrpc: Provide a way for AFS to ask for the peer address of a call 2016-08-30 16:07:53 +01:00
super.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
vlclient.c rxrpc: Don't expose skbs to in-kernel users [ver #2] 2016-09-01 16:43:27 -07:00
vlocation.c fs/afs/vlocation: Remove deprecated create_singlethread_workqueue 2016-09-04 21:41:39 +01:00
vnode.c
volume.c
write.c fs: use mapping_set_error instead of opencoded set_bit 2016-10-11 15:06:33 -07:00