[PATCH v2] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir
David Howells
dhowells at redhat.com
Tue May 13 01:30:39 PDT 2025

Christian Brauner <brauner at kernel.org> wrote:
> There's a few other places where we compare vfsuids:
>
> * may_delete()
> -> check_sticky()
> -> __check_sticky()
>
> * may_follow_link()
>
> * may_linkat()
>
> * fsuidgid_has_mapping()
>
> Any one of those need special treatment on AFS as well?

That's a good question. I think it might be better to switch back to the v1
patch - which gives me two separate ops and provide a couple of vfs wrappers
for them and use them more widely.

So, perhaps:

    vfs_have_same_owner(inode1, inode2)

which indicates if the two inodes have the same ownership and:

    vfs_is_owned_by_me(inode)

which compares the inode's ownership to current_fsuid() by default.

The following places need to be considered for being changed:

 (*) chown_ok()
 (*) chgrp_ok()

     Should call vfs_is_owned_by_me(). Possibly these need to defer all their
     checks to the network filesystem as the interpretation of the target
     UID/GID depends on the netfs.

 (*) do_coredump()

     Should probably call vfs_is_owned_by_me() to check that the file created
     is owned by the caller - but the check that's there might be sufficient.

 (*) inode_owner_or_capable()

     Should call vfs_is_owned_by_me(). I'm not sure whether the namespace
     mapping makes sense in such a case, but it probably could be used.

 (*) vfs_setlease()

     Should call vfs_is_owned_by_me(). Actually, it should query if leasing
     is permitted.

     Also, setting locks could perhaps do with a permission call to the
     filesystem driver as AFS, for example, has a lock permission bit in the
     ACL, but since the AFS server checks that when the RPC call is made, it's
     probably unnecessary.

 (*) acl_permission_check()
 (*) posix_acl_permission()

     UIDs are part of these ACLs, so no change required. AFS implements its
     own ACLs and evaluates them in ->permission() and on the server.

 (*) may_follow_link()

     Should call vfs_is_owned_by_me() and also vfs_have_same_owner() on the
     link and its parent dir. The latter only applies on world-writable
     sticky dirs.

 (*) may_create_in_sticky()

     The initial subject of this patch. Should call vfs_is_owned_by_me() and
     also vfs_have_same_owner() both.

 (*) __check_sticky()

     Should call vfs_is_owned_by_me() on both the dir and the inode.

 (*) may_dedupe_file()

     Should call vfs_is_owned_by_me().

 (*) IMA policy ops.

     No idea.

David
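
A user-space C model of the two wrappers proposed in the message above, added here as an illustration and not code from the patch or the kernel: the struct layouts, the `remote_owner` field, the `netfs_ops` table and the simplified sticky rule are all assumptions. It shows the default fsuid comparison refusing a create on a file the caller owns on the server, and per-filesystem ops accepting it.

```c
/* User-space model, not kernel code. Every struct, field and value here is a
 * hypothetical stand-in; only the two wrapper names come from the mail. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
struct inode;
struct owner_ops {                 /* per-filesystem overrides; NULL = default */
    bool (*is_owned_by_me)(const struct inode *);
    bool (*have_same_owner)(const struct inode *, const struct inode *);
};
struct inode {
    unsigned uid;                  /* numeric owner as seen locally */
    unsigned mode;
    unsigned remote_owner;         /* assumed server-side identity (netfs only) */
    const struct owner_ops *ops;
};
#define MODE_STICKY 01000u
static const unsigned caller_fsuid = 1000;   /* stands in for current_fsuid() */
static const unsigned caller_remote_id = 42; /* constructed netfs identity */

bool vfs_is_owned_by_me(const struct inode *i) {
    if (i->ops && i->ops->is_owned_by_me)
        return i->ops->is_owned_by_me(i);
    return i->uid == caller_fsuid;           /* default: compare with fsuid */
}
bool vfs_have_same_owner(const struct inode *a, const struct inode *b) {
    if (a->ops && a->ops->have_same_owner)
        return a->ops->have_same_owner(a, b);
    return a->uid == b->uid;
}
static bool netfs_mine(const struct inode *i) {
    return i->remote_owner == caller_remote_id;
}
static bool netfs_same(const struct inode *a, const struct inode *b) {
    return a->remote_owner == b->remote_owner;
}
const struct owner_ops netfs_ops = { netfs_mine, netfs_same };
/* Simplified sticky-dir rule: refuse unless one ownership test passes. */
int may_create_in_sticky_model(const struct inode *dir, const struct inode *f) {
    if (!(dir->mode & MODE_STICKY)) return 0;
    if (vfs_have_same_owner(f, dir) || vfs_is_owned_by_me(f)) return 0;
    return -EACCES;
}
/* Constructed case: caller's own file whose numeric uid differs from fsuid. */
int open_existing_in_sticky(const struct owner_ops *ops) {
    struct inode dir = { 0, MODE_STICKY | 0777, 7, ops };
    struct inode file = { 5000, 0644, caller_remote_id, ops };
    return may_create_in_sticky_model(&dir, &file);
}
```

With `ops` set to NULL the model returns `-EACCES`; with `&netfs_ops` it returns 0.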