fuse: Restrict allow_other to the superblock's namespace or a descendant

Unprivileged users are normally restricted from mounting with the
allow_other option by system policy, but this could be bypassed for a mount
done with user namespace root permissions. In such cases allow_other should
not allow users outside the userns to access the mount as doing so would
give the unprivileged user the ability to manipulate processes it would
otherwise be unable to manipulate. Restrict allow_other to apply to users
in the same userns used at mount or a descendant of that namespace. Also
export current_in_userns() for use by fuse when built as a module.

Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index cf8a1cd7a62ea9f7b0d842806f49decd66bb45fe..fa4009761a7ac8c51bd8bf93325c3b3e9aebf971 100644 (file)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1030,7 +1030,7 @@ int fuse_allow_current_process(struct fuse_conn *fc)
        const struct cred *cred;
 
        if (fc->allow_other)
-               return 1;
+               return current_in_userns(fc->user_ns);
 
        cred = current_cred();
        if (uid_eq(cred->euid, fc->user_id) &&

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 246d4d4ce5c70cde4b5c9ed7fd33f54c1efe5a3e..492c255e6c5a31ee135004123193310a8e6e3ce2 100644 (file)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -1235,6 +1235,7 @@ bool current_in_userns(const struct user_namespace *target_ns)
 {
        return in_userns(target_ns, current_user_ns());
 }
+EXPORT_SYMBOL(current_in_userns);
 
 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
 {