fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other (9ccf47b2) · Commits · EulixOS / Software / Kernel

Documentation/filesystems/fuse.rst

+24 −5

Original line number	Original line	Diff line number	Diff line
	@@ -279,7 +279,7 @@ How are requirements fulfilled?
	the filesystem or not.		the filesystem or not.

	Note that the ptrace check is not strictly necessary to		Note that the ptrace check is not strictly necessary to
	prevent B/2/i, it is enough to check if mount owner has enough		prevent C/2/i, it is enough to check if mount owner has enough
	privilege to send signal to the process accessing the		privilege to send signal to the process accessing the
	filesystem, since SIGSTOP can be used to get a similar effect.		filesystem, since SIGSTOP can be used to get a similar effect.

	@@ -288,10 +288,29 @@ I think these limitations are unacceptable?

	If a sysadmin trusts the users enough, or can ensure through other		If a sysadmin trusts the users enough, or can ensure through other
	measures, that system processes will never enter non-privileged		measures, that system processes will never enter non-privileged
	mounts, it can relax the last limitation with a 'user_allow_other'		mounts, it can relax the last limitation in several ways:
	config option. If this config option is set, the mounting user can
	add the 'allow_other' mount option which disables the check for other		- With the 'user_allow_other' config option. If this config option is
	users' processes.		set, the mounting user can add the 'allow_other' mount option which
			disables the check for other users' processes.

			User namespaces have an unintuitive interaction with 'allow_other':
			an unprivileged user - normally restricted from mounting with
			'allow_other' - could do so in a user namespace where they're
			privileged. If any process could access such an 'allow_other' mount
			this would give the mounting user the ability to manipulate
			processes in user namespaces where they're unprivileged. For this
			reason 'allow_other' restricts access to users in the same userns
			or a descendant.

			- With the 'allow_sys_admin_access' module option. If this option is
			set, super user's processes have unrestricted access to mounts
			irrespective of allow_other setting or user namespace of the
			mounting user.

			Note that both of these relaxations expose the system to potential
			information leak or DoS as described in points B and C/2/i-ii in the
			preceding section.

	Kernel - userspace interface		Kernel - userspace interface
	============================		============================

fs/fuse/dir.c

+9 −0

Original line number	Original line	Diff line number	Diff line
	@@ -11,6 +11,7 @@
	#include <linux/pagemap.h>		#include <linux/pagemap.h>
	#include <linux/file.h>		#include <linux/file.h>
	#include <linux/fs_context.h>		#include <linux/fs_context.h>
			#include <linux/moduleparam.h>
	#include <linux/sched.h>		#include <linux/sched.h>
	#include <linux/namei.h>		#include <linux/namei.h>
	#include <linux/slab.h>		#include <linux/slab.h>
	@@ -21,6 +22,11 @@
	#include <linux/types.h>		#include <linux/types.h>
	#include <linux/kernel.h>		#include <linux/kernel.h>

			static bool __read_mostly allow_sys_admin_access;
			module_param(allow_sys_admin_access, bool, 0644);
			MODULE_PARM_DESC(allow_sys_admin_access,
			"Allow users with CAP_SYS_ADMIN in initial userns to bypass allow_other access check");

	static void fuse_advise_use_readdirplus(struct inode *dir)		static void fuse_advise_use_readdirplus(struct inode *dir)
	{		{
	struct fuse_inode *fi = get_fuse_inode(dir);		struct fuse_inode *fi = get_fuse_inode(dir);
	@@ -1229,6 +1235,9 @@ int fuse_allow_current_process(struct fuse_conn *fc)
	{		{
	const struct cred *cred;		const struct cred *cred;

			if (allow_sys_admin_access && capable(CAP_SYS_ADMIN))
			return 1;

	if (fc->allow_other)		if (fc->allow_other)
	return current_in_userns(fc->user_ns);		return current_in_userns(fc->user_ns);