Commit dc7ac6c4 authored by Wang Shilong's avatar Wang Shilong Committed by Theodore Ts'o
Browse files

ext4: fix setattr project check in fssetxattr ioctl 



Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.

This patch try to follow same regular of xfs project
quota:

"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."

Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().

Signed-off-by: default avatarWang Shilong <wshilong@ddn.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
parent c0e3e040

fs/ext4/ioctl.c

+37 −23
Original line number Diff line number Diff line
@@ -360,19 +360,14 @@ static int ext4_ioctl_setproject(struct file *filp, __u32 projid) 
	if (projid_eq(kprojid, EXT4_I(inode)->i_projid))

		return 0;



	err = mnt_want_write_file(filp);

	if (err)

		return err;



	err = -EPERM;

	inode_lock(inode);

	/* Is it quota file? Do not allow user to mess with it */

	if (ext4_is_quota_file(inode))

		goto out_unlock;

		return err;



	err = ext4_get_inode_loc(inode, &iloc);

	if (err)

		goto out_unlock;

		return err;



	raw_inode = ext4_raw_inode(&iloc);

	if (!EXT4_FITS_IN_INODE(raw_inode, ei, i_projid)) {
@@ -380,7 +375,7 @@ static int ext4_ioctl_setproject(struct file *filp, __u32 projid) 
					      EXT4_SB(sb)->s_want_extra_isize,

					      &iloc);

		if (err)

			goto out_unlock;

			return err;

	} else {

		brelse(iloc.bh);

	}
@@ -390,10 +385,8 @@ static int ext4_ioctl_setproject(struct file *filp, __u32 projid) 
	handle = ext4_journal_start(inode, EXT4_HT_QUOTA,

		EXT4_QUOTA_INIT_BLOCKS(sb) +

		EXT4_QUOTA_DEL_BLOCKS(sb) + 3);

	if (IS_ERR(handle)) {

		err = PTR_ERR(handle);

		goto out_unlock;

	}

	if (IS_ERR(handle))

		return PTR_ERR(handle);



	err = ext4_reserve_inode_write(handle, inode, &iloc);

	if (err)
@@ -421,9 +414,6 @@ out_dirty: 
		err = rc;

out_stop:

	ext4_journal_stop(handle);

out_unlock:

	inode_unlock(inode);

	mnt_drop_write_file(filp);

	return err;

}

#else
@@ -647,6 +637,30 @@ group_add_out: 
	return err;

}



static int ext4_ioctl_check_project(struct inode *inode, struct fsxattr *fa)

{

	/*

	 * Project Quota ID state is only allowed to change from within the init

	 * namespace. Enforce that restriction only if we are trying to change

	 * the quota ID state. Everything else is allowed in user namespaces.

	 */

	if (current_user_ns() == &init_user_ns)

		return 0;



	if (__kprojid_val(EXT4_I(inode)->i_projid) != fa->fsx_projid)

		return -EINVAL;



	if (ext4_test_inode_flag(inode, EXT4_INODE_PROJINHERIT)) {

		if (!(fa->fsx_xflags & FS_XFLAG_PROJINHERIT))

			return -EINVAL;

	} else {

		if (fa->fsx_xflags & FS_XFLAG_PROJINHERIT)

			return -EINVAL;

	}



	return 0;

}



long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)

{

	struct inode *inode = file_inode(filp);
@@ -1046,19 +1060,19 @@ resizefs_out: 
			return err;



		inode_lock(inode);

		err = ext4_ioctl_check_project(inode, &fa);

		if (err)

			goto out;

		flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) |

			 (flags & EXT4_FL_XFLAG_VISIBLE);

		err = ext4_ioctl_setflags(inode, flags);

		inode_unlock(inode);

		mnt_drop_write_file(filp);

		if (err)

			return err;



			goto out;

		err = ext4_ioctl_setproject(filp, fa.fsx_projid);

		if (err)

out:

		inode_unlock(inode);

		mnt_drop_write_file(filp);

		return err;



		return 0;

	}

	case EXT4_IOC_SHUTDOWN:

		return ext4_shutdown(sb, arg);

CRA Git | Maintained and supported by SUSTech CRA and CCSE