From: Alan Somers
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r345958 - in projects/fuse2: sys/fs/fuse tests/sys/fs/fusefs
Date: Tue, 03 Sep 2019 14:06:18 -0000
X-Original-Date: Fri, 5 Apr 2019 17:21:23 +0000 (UTC)

Author: asomers
Date: Fri Apr 5 17:21:23 2019
New Revision: 345958
URL: https://svnweb.freebsd.org/changeset/base/345958

Log:
  fusefs: enforce -onoallow_other even beneath the mountpoint

  When -o allow_other is not in use, fusefs is supposed to prevent access to
  the filesystem by any user other than the one who owns the daemon. Our
  fusefs implementation was only enforcing that restriction at the mountpoint
  itself. That was usually good enough because lookup usually descends from
  the mountpoint. However, there are cases when it doesn't, such as when
  using openat relative to a file beneath the mountpoint.

PR: 237052 Sponsored by: The FreeBSD Foundation Modified: projects/fuse2/sys/fs/fuse/fuse_internal.c projects/fuse2/tests/sys/fs/fusefs/allow_other.cc Modified: projects/fuse2/sys/fs/fuse/fuse_internal.c ============================================================================== --- projects/fuse2/sys/fs/fuse/fuse_internal.c Fri Apr 5 16:54:20 2019 (r345957) +++ projects/fuse2/sys/fs/fuse/fuse_internal.c Fri Apr 5 17:21:23 2019 (r345958) @@ -140,7 +140,7 @@ fuse_internal_access(struct vnode *vp, return EROFS; } /* Unless explicitly permitted, deny everyone except the fs owner. */ - if (vnode_isvroot(vp) && !(facp->facc_flags & FACCESS_NOCHECKSPY)) { + if (!(facp->facc_flags & FACCESS_NOCHECKSPY)) { if (!(dataflags & FSESS_DAEMON_CAN_SPY)) { int denied = fuse_match_cred(data->daemoncred, cred); @@ -149,6 +149,10 @@ fuse_internal_access(struct vnode *vp, return EPERM; } } + /* + * Set the "skip cred check" flag so future callers that share + * facp can skip fuse_match_cred. + */ facp->facc_flags |= FACCESS_NOCHECKSPY; } if (!(facp->facc_flags & FACCESS_DO_ACCESS)) { Modified: projects/fuse2/tests/sys/fs/fusefs/allow_other.cc ============================================================================== --- projects/fuse2/tests/sys/fs/fusefs/allow_other.cc Fri Apr 5 16:54:20 2019 (r345957) +++ projects/fuse2/tests/sys/fs/fusefs/allow_other.cc Fri Apr 5 17:21:23 2019 (r345958) 
@@ -179,3 +179,48 @@ TEST_F(NoAllowOther, disallowed) } ); } + +/* + * When -o allow_other is not used, users other than the owner aren't allowed + * to open anything inside of the mount point, not just the mountpoint itself + * This is a regression test for bug 237052 + */ +TEST_F(NoAllowOther, disallowed_beneath_root) +{ + const static char FULLPATH[] = "mountpoint/some_dir"; + const static char RELPATH[] = "some_dir"; + const static char RELPATH2[] = "other_dir"; + const static uint64_t ino = 42; + const static uint64_t ino2 = 43; + int dfd; + + expect_lookup(RELPATH, ino, S_IFDIR | 0755, 0, 1); + EXPECT_LOOKUP(ino, RELPATH2) + .WillRepeatedly(Invoke(ReturnImmediate([=](auto in __unused, auto out) { + SET_OUT_HEADER_LEN(out, entry); + out->body.entry.attr.mode = S_IFREG | 0644; + out->body.entry.nodeid = ino2; + out->body.entry.attr.nlink = 1; + out->body.entry.attr_valid = UINT64_MAX; + }))); + expect_opendir(ino); + dfd = open(FULLPATH, O_DIRECTORY); + ASSERT_LE(0, dfd) << strerror(errno); + + fork(true, [] { + }, [&]() { + int fd; + + fd = openat(dfd, RELPATH2, O_RDONLY); + if (fd >= 0) { + fprintf(stderr, "openat should've failed\n"); + return(1); + } else if (errno != EPERM) { + fprintf(stderr, "Unexpected error: %s\n", + strerror(errno)); + return(1); + } + return 0; + } + ); +}
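
Review bot: In the first fuse_internal.c hunk (@@ -140,7), dropping vnode_isvroot(vp) leaves FACCESS_NOCHECKSPY as the only condition that skips the owner check, so any caller that passes facc_flags with that bit already set now bypasses fuse_match_cred for every vnode rather than only for the root. Before this lands on head, please audit the callers that pre-set FACCESS_NOCHECKSPY and confirm that each of them has either already matched the credential against data->daemoncred or is a path where the check is intentionally not wanted, and say so in the comment above the `if`.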
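
Review bot: In the second fuse_internal.c hunk (@@ -149,6), the new comment says future callers that share facp can skip fuse_match_cred, but it does not state the invariant that makes this safe: the cached result is only valid for the same `cred` that was just checked. Now that the check applies to every vnode, a facp reused with a different credential would inherit the skip. Please extend the comment to say that facp must not be shared across credentials, or clear the flag where a facp can be reused.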
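
Review bot: In the allow_other.cc hunk (@@ -179,3), `dfd` is opened in the parent with `open(FULLPATH, O_DIRECTORY)` and never closed, and the child does not close `fd` on the "openat should've failed" path; add the matching close calls so the test does not leak descriptors into later cases. Minor: the block comment is missing a full stop after "not just the mountpoint itself", and the child mixes `return(1)` with `return 0`. The test also exercises only `openat` with O_RDONLY, so it would be worth noting in the comment that other fd-relative operations are not covered here.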