Commit cac36f70 authored by Jeff Mahoney's avatar Jeff Mahoney Committed by Linus Torvalds

reiserfs: fix permissions on .reiserfs_priv

Commit 677c9b2e ("reiserfs: remove
privroot hiding in lookup") removed the magic from the lookup code to hide
the .reiserfs_priv directory since it was getting loaded at mount-time
instead.  The intent was that the entry would be hidden from the user via
a poisoned d_compare, but this was faulty.

This introduced a security issue where unprivileged users could access and
modify extended attributes or ACLs belonging to other users, including
root.

This patch resolves the issue by properly hiding .reiserfs_priv.  This was
the intent of the xattr poisoning code, but it appears to have never
worked as expected.  This is fixed by using d_revalidate instead of
d_compare.

This patch makes -oexpose_privroot a no-op.  I'm fine leaving it this way.
The effort involved in working out the corner cases wrt permissions and
caching outweigh the benefit of the feature.
Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
Acked-by: default avatarEdward Shishkin <edward.shishkin@gmail.com>
Reported-by: default avatarMatt McCutchen <matt@mattmccutchen.net>
Tested-by: default avatarMatt McCutchen <matt@mattmccutchen.net>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 33eaf788
...@@ -46,8 +46,6 @@ static inline bool is_privroot_deh(struct dentry *dir, ...@@ -46,8 +46,6 @@ static inline bool is_privroot_deh(struct dentry *dir,
struct reiserfs_de_head *deh) struct reiserfs_de_head *deh)
{ {
struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root; struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
if (reiserfs_expose_privroot(dir->d_sb))
return 0;
return (dir == dir->d_parent && privroot->d_inode && return (dir == dir->d_parent && privroot->d_inode &&
deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid); deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
} }
......
...@@ -973,21 +973,13 @@ int reiserfs_permission(struct inode *inode, int mask) ...@@ -973,21 +973,13 @@ int reiserfs_permission(struct inode *inode, int mask)
return generic_permission(inode, mask, NULL); return generic_permission(inode, mask, NULL);
} }
/* This will catch lookups from the fs root to .reiserfs_priv */ static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
static int
xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
{ {
struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root; return -EPERM;
if (container_of(q1, struct dentry, d_name) == priv_root)
return -ENOENT;
if (q1->len == name->len &&
!memcmp(q1->name, name->name, name->len))
return 0;
return 1;
} }
static const struct dentry_operations xattr_lookup_poison_ops = { static const struct dentry_operations xattr_lookup_poison_ops = {
.d_compare = xattr_lookup_poison, .d_revalidate = xattr_hide_revalidate,
}; };
int reiserfs_lookup_privroot(struct super_block *s) int reiserfs_lookup_privroot(struct super_block *s)
...@@ -1001,8 +993,7 @@ int reiserfs_lookup_privroot(struct super_block *s) ...@@ -1001,8 +993,7 @@ int reiserfs_lookup_privroot(struct super_block *s)
strlen(PRIVROOT_NAME)); strlen(PRIVROOT_NAME));
if (!IS_ERR(dentry)) { if (!IS_ERR(dentry)) {
REISERFS_SB(s)->priv_root = dentry; REISERFS_SB(s)->priv_root = dentry;
if (!reiserfs_expose_privroot(s)) dentry->d_op = &xattr_lookup_poison_ops;
s->s_root->d_op = &xattr_lookup_poison_ops;
if (dentry->d_inode) if (dentry->d_inode)
dentry->d_inode->i_flags |= S_PRIVATE; dentry->d_inode->i_flags |= S_PRIVATE;
} else } else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment