diff options
| author | Amir Goldstein <amir73il@gmail.com> | 2025-08-27 21:43:09 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2025-08-29 09:48:31 +0200 |
| commit | bb585591ebf00fb1f6a1fdd1ea96b5848bd9112d (patch) | |
| tree | d11af7547a5618d1c612245733c0effe0e9316f8 /scripts/rustdoc_test_builder.rs | |
| parent | be1e0283021ec73c2eb92839db9a471a068709d9 (diff) | |
fhandle: use more consistent rules for decoding file handle from userns
Commit 620c266f39493 ("fhandle: relax open_by_handle_at() permission
checks") relaxed the coditions for decoding a file handle from non init
userns.
The conditions are that that decoded dentry is accessible from the user
provided mountfd (or to fs root) and that all the ancestors along the
path have a valid id mapping in the userns.
These conditions are intentionally more strict than the condition that
the decoded dentry should be "lookable" by path from the mountfd.
For example, the path /home/amir/dir/subdir is lookable by path from
unpriv userns of user amir, because /home perms is 755, but the owner of
/home does not have a valid id mapping in unpriv userns of user amir.
The current code did not check that the decoded dentry itself has a
valid id mapping in the userns. There is no security risk in that,
because that final open still performs the needed permission checks,
but this is inconsistent with the checks performed on the ancestors,
so the behavior can be a bit confusing.
Add the check for the decoded dentry itself, so that the entire path,
including the last component has a valid id mapping in the userns.
Fixes: 620c266f39493 ("fhandle: relax open_by_handle_at() permission checks")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/20250827194309.1259650-1-amir73il@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'scripts/rustdoc_test_builder.rs')
0 files changed, 0 insertions, 0 deletions