Re: [PATCH RFC 0/1] mount: universally disallow mounting over symlinks
From: Ian Kent
Date: Fri Jan 10 2020 - 01:21:13 EST
On Fri, 2020-01-10 at 04:15 +0000, Al Viro wrote:
> On Thu, Jan 09, 2020 at 04:08:16PM -0800, Linus Torvalds wrote:
> > On Wed, Jan 8, 2020 at 1:34 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> > wrote:
> > > The point is, we'd never followed mounts on /proc/self/cwd et.al.
> > > I hadn't checked 2.0, but 2.1.100 ('97, before any changes from
> > > me)
> > > is that way.
> >
> > Hmm. If that's the case, maybe they should be marked implicitly as
> > O_PATH when opened?
>
> I thought you wanted O_PATH as starting point to have mounts
> traversed?
> Confused...
>
> > > Actually, scratch that - 2.0 behaves the same way
> > > (mountpoint crossing is done in iget() there; is that Minix
> > > influence
> > > or straight from the Lions' book?)
> >
> > I don't think I ever had access to Lions' - I've _seen_ a printout
> > of
> > it later, and obviously maybe others did,
> >
> > More likely it's from Maurice Bach: the Design of the Unix
> > Operating
> > System. I'm pretty sure that's where a lot of the FS layer stuff
> > came
> > from. Certainly the bad old buffer head interfaces, and quite
> > likely
> > the iget() stuff too.
> >
> > > 0.10: forward traversal in iget(), back traversal in
> > > fs/namei.c:find_entry()
> >
> > Whee, you _really_ went back in time.
> >
> > So I did too.
> >
> > And looking at that code in iget(), I doubt it came from anywhere.
> > Christ. It's just looping over a fixed-size array, both when
> > finding
> > the inode, and finding the superblock.
> >
> > Cute, but unbelievably stupid. It was a more innocent time.
> >
> > In other words, I think you can chalk it up to just me, because
> > blaming anybody else for that garbage would be very very unfair
> > indeed
> > ;)
>
> See
> https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/iget.c
> Exactly the same algorithm, complete with linear searches over those
> fixed-sized array.
>
> <grabs Bach> Right, he simply transcribes v7 iget().
>
> So I suspect that you are right - your variant of iget was pretty
> much
> one-to-one implementation of Bach's description of v7 iget.
>
> Your namei wasn't - Bach has 'if the entry points to root and you are
> in the root and name is "..", find mount table entry (by device
> number),
> drop your directory inode, grab the inode of mountpount and restart
> the search for ".." in there', which gives back traversals to
> arbitrary
> depth. And v7 namei() (as Bach mentions) uses iget() for starting
> point
> as well as for each component. You kept pointers instead, which is
> where
> the other difference has come from (no mount traversal at the
> starting
> point)...
>
> Actually, I've misread your code in 0.10 - it does unlimited forward
> traversals; it's back traversals that go only one level. The forward
> ones got limited to one level in 0.95, but then mount-over-root had
> been banned all along. I'd read the pre-dcache variant of iget(),
> seen it go pretty much all the way back to beginning and hadn't
> sorted out the 0.12 -> 0.95 transition...
>
> > > How would your proposal deal with access("/proc/self/fd/42/foo",
> > > MAY_READ)
> > > vs. faccessat(42, "foo", MAY_READ)?
> >
> > I think that in a perfect world, the O_PATH'ness of '42' would be
> > the
> > deciding factor. Wouldn't those be the best and most consistent
> > semantics?
> >
> > And then 'cwd'/'root' always have the O_PATH behavior.
>
> See above - unless I'm misparsing you, you wanted mount traversals in
> the
> starting point if it's ...at() with O_PATH fd. With O_PATH open()
> not
> doing them.
>
> For cwd and root the situation is opposite - we do NOT traverse
> mounts
> for those. And that's really too late to change.
>
> > > The latter would trigger automount,
> > > the former would not... Or would you extend that to "traverse
> > > mounts
> > > upon following procfs links, if the file in question had been
> > > opened with
> > > O_PATH"?
> >
> > Exactly.
> >
> > But you know what? I do not believe this is all that important, and
> > I
> > doubt it will matter to anybody.
>
> FWIW, digging through the automount-related parts of that stuff has
> caught several fun issues. One (and I'm rather embarrassed by it)
> should've been caught back in commit 8aef18845266 (VFS: Fix vfsmount
> overput on simultaneous automount). To quote the commit message:
> The problem is that lock_mount() drops the caller's reference to
> the
> mountpoint's vfsmount in the case where it finds something
> already mounted on
> the mountpoint as it transits to the mounted filesystem and
> replaces path->mnt
> with the new mountpoint vfsmount.
>
> During a pathwalk, however, we don't take a reference on the
> vfsmount if it is
> the same as the one in the nameidata struct, but do_add_mount()
> doesn't know
> this.
> At which point I should've gone "what the fuck?" - lock_mount() does,
> indeed,
> drop path->mnt in this situation and replaces it with the whatever's
> come to
> cover it. For mount(2) that's the right thing to do - we _want_ to
> mount
> on top of whatever we have at the mountpoint. For automounts we very
> much
> don't want that - it's either "mount right on top of the automount
> trigger"
> or discard whatever we'd been about to mount and walk into whatever's
> got
> mounted there (presumably the same thing triggered by another
> process).
> We kinda-sorta get that effect, but in a very convoluted way:
> do_add_mount()
> will refuse to mount something on top of itself -
> /* Refuse the same filesystem on the same mount point */
> err = -EBUSY;
> if (path->mnt->mnt_sb == newmnt->mnt.mnt_sb &&
> path->mnt->mnt_root == path->dentry)
> goto unlock;
> which will end up with -EBUSY returned (and recognized by
> follow_automount()).
>
> First of all, that's unreliable. If somebody not only has triggered
> that
> automount, but managed to _mount_ something else on top (for example,
> has triggered it by lookup of mountpoint-to-be in mount(2)), we'll
> end
> up not triggering that check. In which case we'll get something like
> nfs referral point under nfs automounted there under tmpfs from
> explicit
> overmount under same nfs mount we'd automounted there - identical to
> what's
> been buried under tmpfs. It's hard to hit, but not impossibly so.
>
> What's more, the whole solution is a kludge - the root of problem is
> that lock_mount() is the wrong thing to do in case of
> finish_automount().
> We don't want to go into whatever's overmounting us there, both for
> the reasons above *and* because it's a PITA for the caller. So the
> right solution is
> * lift lock_mount() call from do_add_mount() into its callers
> (all 2 of them); while we are at it, lift unlock_mount() as well
> (makes for simpler failure exits in do_add_mount()).
> * replace the call of lock_mount() in finish_automount()
> with variant that doesn't do "unlock, walk deeper and retry locking",
> returning ERR_PTR(-EBUSY) in such case.
> * get rid of the kludge introduced in that commit. Better
> yet, don't bother with traversing into the covering mount in case
> of success - let the caller of follow_automount() do that. Which
> eliminates the need to pass need_mntput to the sucker and suggests
> an even better solution - have this analogue of lock_mount()
> return NULL instead of ERR_PTR(-EBUSY) and treat it in
> finish_automount()
> as "OK, discard what we wanted to mount and return 0". That gets
> rid of the entire
> err = finish_automount(mnt, path);
> switch (err) {
> case -EBUSY:
> /* Someone else made a mount here whilst we were busy
> */
> return 0;
> case 0:
> path_put(path);
> path->mnt = mnt;
> path->dentry = dget(mnt->mnt_root);
> return 0;
> default:
> return err;
> }
> chunk in follow_automount() - it would just be
> return finish_automount(mnt, path);
>
> Another thing (in the same area) is not a bug per se, but...
> after the call of ->d_automount() we have this:
> if (IS_ERR(mnt)) {
> /*
> * The filesystem is allowed to return -EISDIR here
> to indicate
> * it doesn't want to automount. For instance,
> autofs would do
> * this so that its userspace daemon can mount on
> this dentry.
> *
> * However, we can only permit this if it's a
> terminal point in
> * the path being looked up; if it wasn't then the
> remainder of
> * the path is inaccessible and we should say so.
> */
> if (PTR_ERR(mnt) == -EISDIR && (nd->flags &
> LOOKUP_PARENT))
> return -EREMOTE;
> return PTR_ERR(mnt);
> }
> Except that not a single instance of ->d_automount() has ever
> returned
> -EISDIR. Certainly not autofs one, despite the what the comment
> says.
> That chunk has come from dhowells, back when the whole mount trap
> series
> had been merged. After talking that thing over (fun: trying to
> figure
> out what had been intended nearly 9 years ago, when people involved
> are
> in UK, US east coast and AU west coast respectively. The only way it
> could suck more would've been if I were on the west coast - then all
> timezone deltas would be 8-hour ones)... looks like it's a rudiment
> of plans that got superseded during the series development, nobody
> quite remembers exact details. Conclusion: it's not even dead, it's
> stillborn; bury it.
Yeah, autofs ->d_automount() doesn't return -EISDIR, by the time
we get there it's not relevant any more, so that check looks
redundant. I'm not aware of any other fs automount implementation
that needs that EISDIR pass-thru function.
I didn't notice it at the time of the merge, sorry about that.
While we're at it that:
if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
return -EREMOTE;
at the top of follow_automount() isn't going to be be relevant
for autofs because ->d_automount() really must always be defined
for it.
But, at the time of the merge, I didn't object to it because
there were (are) other file systems that use the VFS automount
function which may accidentally not define the method.
>
> Unfortunately, there are other interesting questions related to
> autofs-specific bits (->d_manage()) and the timezone-related fun
> is, of course, still there. I hope to sort that out today or
> tomorrow, at least enough to do a reasonable set of backportable
> fixes to put in front of follow_managed()/step_into() queue.
> Oh, well...
Yeah, I know it slows you down but I kink-off like having a chance
to look at what's going and think about your questions before trying
to answer them, rather than replying prematurely, as I usually do ...
It's been a bit of a busy day so far but I'm getting to look into
the questions you've asked.
Ian