[PATCH v2] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir

David Howells dhowells at redhat.com
Tue May 13 01:30:39 PDT 2025 

Christian Brauner <brauner at kernel.org> wrote:

> There's a few other places where we compare vfsuids:
> 
> * may_delete()
>   -> check_sticky()
>      -> __check_sticky()
> 
> * may_follow_link()
> 
> * may_linkat()
> 
> * fsuidgid_has_mapping()
> 
> Anyone of those need special treatment on AFS as well?

That's a good question.  I think it might be better to switch back to the v1
patch - which gives me two separate ops and provide a couple of vfs wrappers
for them and use them more widely.

So, perhaps:

	vfs_have_same_owner(inode1, inode2)

which indicates if the two inodes have the same ownership and:

	vfs_is_owned_by_me(inode)

which compares the inode's ownership to current_fsuid() by default.

The following places need to be considered for being changed:

 (*) chown_ok()
 (*) chgrp_ok()

     Should call vfs_is_owned_by_me().  Possibly these need to defer all their
     checks to the network filesystem as the interpretation of the target
     UID/GID depends on the netfs.

 (*) do_coredump()

     Should probably call vfs_is_owned_by_me() to check that the file created
     is owned by the caller - but the check that's there might be sufficient.

 (*) inode_owner_or_capable()

     Should call vfs_is_owned_by_me().  I'm not sure whether the namespace
     mapping makes sense in such a case, but it probably could be used.

 (*) vfs_setlease()

     Should call vfs_is_owned_by_me().  Actually, it should query if leasing
     is permitted.

     Also, setting locks could perhaps do with a permission call to the
     filesystem driver as AFS, for example, has a lock permission bit in the
     ACL, but since the AFS server checks that when the RPC call is made, it's
     probably unnecessary.

 (*) acl_permission_check()
 (*) posix_acl_permission()

     UIDs are part of these ACLs, so no change required.  AFS implements its
     own ACLs and evaluates them in ->permission() and on the server.

 (*) may_follow_link()

     Should call vfs_is_owned_by_me() and also vfs_have_same_owner() on the
     the link and its parent dir.  The latter only applies on world-writable
     sticky dirs.

 (*) may_create_in_sticky()

     The initial subject of this patch.  Should call vfs_is_owned_by_me() and
     also vfs_have_same_owner() both.

 (*) __check_sticky()

     Should call vfs_is_owned_by_me() on both the dir and the inode.

 (*) may_dedupe_file()

     Should call vfs_is_owned_by_me().

 (*) IMA policy ops.

     No idea.

David

More information about the linux-afs mailing list