[PATCH v4 6/7] xfs: check that eofblocks ioctl caller can write matched inodes

Dwight Engen dwight.engen at oracle.com
Fri Jul 19 11:13:21 CDT 2013 

On Fri, 19 Jul 2013 16:02:21 +1000
Dave Chinner <david at fromorbit.com> wrote:

> On Wed, Jul 17, 2013 at 11:47:46AM -0400, Dwight Engen wrote:
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> 
> What's the reason for this patch?

Its trying to ensure we only allow the XFS_IOC_FREE_EOFBLOCKS
caller to affect the indoes they should be able to.
http://oss.sgi.com/archives/xfs/2013-06/msg00955.html has a bit more
background. This isn't really related to user namespaces per-se, so I
guess it should be a separate patch, but since I modified the
eofblocks structure I was trying to fix this as well.

> > ---
> >  fs/xfs/xfs_fs.h     | 1 +
> >  fs/xfs/xfs_icache.c | 4 ++++
> >  fs/xfs/xfs_ioctl.c  | 2 ++
> >  3 files changed, 7 insertions(+)
> > 
> > diff --git a/fs/xfs/xfs_fs.h b/fs/xfs/xfs_fs.h
> > index 7eb4a5e..aee4b12 100644
> > --- a/fs/xfs/xfs_fs.h
> > +++ b/fs/xfs/xfs_fs.h
> > @@ -361,6 +361,7 @@ struct xfs_fs_eofblocks {
> >  #define XFS_EOF_FLAGS_GID		(1 << 2) /* filter by gid
> > */ #define XFS_EOF_FLAGS_PRID		(1 << 3) /* filter by
> > project id */ #define XFS_EOF_FLAGS_MINFILESIZE	(1 << 4) /*
> > filter by min file size */ +#define XFS_EOF_FLAGS_PERM_CHECK
> > (1 << 5) /* check can write inode */ #define
> > XFS_EOF_FLAGS_VALID	\ (XFS_EOF_FLAGS_SYNC |	\
> >  	 XFS_EOF_FLAGS_UID |	\
> > diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
> > index d873ab9e..728283a 100644
> > --- a/fs/xfs/xfs_icache.c
> > +++ b/fs/xfs/xfs_icache.c
> > @@ -1247,6 +1247,10 @@ xfs_inode_free_eofblocks(
> >  		if (!xfs_inode_match_id(ip, eofb))
> >  			return 0;
> >  
> > +		if (eofb->eof_flags & XFS_EOF_FLAGS_PERM_CHECK &&
> > +		    inode_permission(VFS_I(ip), MAY_WRITE))
> > +			return 0;
> 
> This assumes we are walking fully instantiated VFS inodes. That's
> not necessarily true - we may be walking inodes that have already
> been dropped from the VFS and are waiting for background reclaim to
> clean them up. I suspect that this doesn't need to be done - we
> normally stop background modification processes like this when we
> convert the filesystem to read-only. I suspect the eof-blocks scan
> code is missing that, and so it can potentially run on a RO
> filesystem. That needs fixing similar to the way we stop and start
> the periodic log work...

So if there isn't a good way to check per-inode, maybe for now we
should just restrict the ioctl caller to be capable(CAP_SYS_ADMIN)?

> Also, gcc should throw warnings on that code (strange, it didn't
> here on gcc-4.7) as it needs more parenthesis. i.e

I don't think it needs them (& is higher precedence than &&), but I can
add them for clarity if you like.

> 		if ((eofb->eof_flags & XFS_EOF_FLAGS_PERM_CHECK) &&
> 
> >  		/* skip the inode if the file size is too small */
> >  		if (eofb->eof_flags & XFS_EOF_FLAGS_MINFILESIZE &&
> >  		    XFS_ISIZE(ip) < eofb->eof_min_file_size)
> 
> Oh, I see you are just copying other code. How did I miss that in a
> past review? :( 
> 
> Hmmm - it looks like there's a bunch of them in xfs_inode_match_id()
> as well, and you touched all those if() statements in a previous
> patch. can you go back to the patch that touches
> xfs_inode_match_id() and add the extra () there as well?
 
Yep, I'll update those too.
 
> > diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> > index abbbdcf..e63e359 100644
> > --- a/fs/xfs/xfs_ioctl.c
> > +++ b/fs/xfs/xfs_ioctl.c
> > @@ -1636,6 +1636,8 @@ xfs_file_ioctl(
> >  		    !gid_valid(keofb.eof_gid))
> >  			return XFS_ERROR(EINVAL);
> >  
> > +		keofb.eof_flags |= XFS_EOF_FLAGS_PERM_CHECK;
> 
> We should be checking for the fs being RO here and aborting if it
> is.

inode_permission() would catch that but I agree there is no point
waiting till then to find out.

> Cheers,
> 
> Dave.

More information about the xfs mailing list