Merge tag 'fuse-update-6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse

	the filesystem or not.

	Note that the *ptrace* check is not strictly necessary to

	prevent B/2/i, it is enough to check if mount owner has enough

	prevent C/2/i, it is enough to check if mount owner has enough

	privilege to send signal to the process accessing the

	filesystem, since *SIGSTOP* can be used to get a similar effect.

If a sysadmin trusts the users enough, or can ensure through other

measures, that system processes will never enter non-privileged

mounts, it can relax the last limitation with a 'user_allow_other'

config option.  If this config option is set, the mounting user can

add the 'allow_other' mount option which disables the check for other

users' processes.

mounts, it can relax the last limitation in several ways:

  - With the 'user_allow_other' config option. If this config option is

    set, the mounting user can add the 'allow_other' mount option which

    disables the check for other users' processes.

    User namespaces have an unintuitive interaction with 'allow_other':

    an unprivileged user - normally restricted from mounting with

    'allow_other' - could do so in a user namespace where they're

    privileged. If any process could access such an 'allow_other' mount

    this would give the mounting user the ability to manipulate

    processes in user namespaces where they're unprivileged. For this

    reason 'allow_other' restricts access to users in the same userns

    or a descendant.

  - With the 'allow_sys_admin_access' module option. If this option is

    set, super user's processes have unrestricted access to mounts

    irrespective of allow_other setting or user namespace of the

    mounting user.

Note that both of these relaxations expose the system to potential

information leak or *DoS* as described in points B and C/2/i-ii in the

preceding section.

Kernel - userspace interface

============================

	struct dentry *parent;

	char name[32];

	if (!fuse_control_sb)

	if (!fuse_control_sb || fc->no_control)

		return 0;

	parent = fuse_control_sb->s_root;

{

	int i;

	if (!fuse_control_sb)

	if (!fuse_control_sb || fc->no_control)

		return;

	for (i = fc->ctl_ndents - 1; i >= 0; i--) {

		WARN_ON(fcd->nr_free_ranges <= 0);

		fcd->nr_free_ranges--;

	}

	__kick_dmap_free_worker(fcd, 0);

	spin_unlock(&fcd->lock);

	kick_dmap_free_worker(fcd, 0);

	return dmap;

}

#include <linux/pagemap.h>

#include <linux/file.h>

#include <linux/fs_context.h>

#include <linux/moduleparam.h>

#include <linux/sched.h>

#include <linux/namei.h>

#include <linux/slab.h>

#include <linux/types.h>

#include <linux/kernel.h>

static bool __read_mostly allow_sys_admin_access;

module_param(allow_sys_admin_access, bool, 0644);

MODULE_PARM_DESC(allow_sys_admin_access,

		 "Allow users with CAP_SYS_ADMIN in initial userns to bypass allow_other access check");

static void fuse_advise_use_readdirplus(struct inode *dir)

{

	struct fuse_inode *fi = get_fuse_inode(dir);

	struct fuse_file *ff;

	void *security_ctx = NULL;

	u32 security_ctxlen;

	bool trunc = flags & O_TRUNC;

	/* Userspace expects S_IFREG in create mode */

	BUG_ON((mode & S_IFMT) != S_IFREG);

	inarg.mode = mode;

	inarg.umask = current_umask();

	if (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) &&

	if (fm->fc->handle_killpriv_v2 && trunc &&

	    !(flags & O_EXCL) && !capable(CAP_FSETID)) {

		inarg.open_flags |= FUSE_OPEN_KILL_SUIDGID;

	}

	} else {

		file->private_data = ff;

		fuse_finish_open(inode, file);

		if (fm->fc->atomic_o_trunc && trunc)

			truncate_pagecache(inode, 0);

		else if (!(ff->open_flags & FOPEN_KEEP_CACHE))

			invalidate_inode_pages2(inode->i_mapping);

	}

	return err;

{

	const struct cred *cred;

	if (allow_sys_admin_access && capable(CAP_SYS_ADMIN))

		return 1;

	if (fc->allow_other)

		return current_in_userns(fc->user_ns);

		fi->attr_version = atomic64_inc_return(&fc->attr_version);

		i_size_write(inode, 0);

		spin_unlock(&fi->lock);

		truncate_pagecache(inode, 0);

		file_update_time(file);

		fuse_invalidate_attr_mask(inode, FUSE_STATX_MODSIZE);

	} else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) {

		invalidate_inode_pages2(inode->i_mapping);

	}

	if ((file->f_mode & FMODE_WRITE) && fc->writeback_cache)

		fuse_link_write_file(file);

}

	if (err)

		return err;

	if (is_wb_truncate || dax_truncate) {

	if (is_wb_truncate || dax_truncate)

		inode_lock(inode);

		fuse_set_nowrite(inode);

	}

	if (dax_truncate) {

		filemap_invalidate_lock(inode->i_mapping);

		err = fuse_dax_break_layouts(inode, 0, 0);

		if (err)

			goto out;

			goto out_inode_unlock;

	}

	if (is_wb_truncate || dax_truncate)

		fuse_set_nowrite(inode);

	err = fuse_do_open(fm, get_node_id(inode), file, isdir);

	if (!err)

		fuse_finish_open(inode, file);

out:

	if (is_wb_truncate || dax_truncate)

		fuse_release_nowrite(inode);

	if (!err) {

		struct fuse_file *ff = file->private_data;

		if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC))

			truncate_pagecache(inode, 0);

		else if (!(ff->open_flags & FOPEN_KEEP_CACHE))

			invalidate_inode_pages2(inode->i_mapping);

	}

	if (dax_truncate)

		filemap_invalidate_unlock(inode->i_mapping);

	if (is_wb_truncate | dax_truncate) {

		fuse_release_nowrite(inode);

out_inode_unlock:

	if (is_wb_truncate || dax_truncate)

		inode_unlock(inode);

	}

	return err;

}

static int fuse_release(struct inode *inode, struct file *file)

{

	struct fuse_conn *fc = get_fuse_conn(inode);

	/*

	 * Dirty pages might remain despite write_inode_now() call from

	 * fuse_flush() due to writes racing with the close.

	 */

	if (fc->writeback_cache)

		write_inode_now(inode, 1);

	fuse_release_common(file, false);

	/* return value is ignored by VFS */