Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.17 2022-01-17T07:40:29Z 2022-01-17T07:40:29Z NeilBrown neilb@suse.de 2022-01-16T22:07:26Z urn:sha1:a6097180d884ddab769fb25588ea8598589c218c Prior to Linux v5.4 devtmpfs used mount_single() which treats the given mount options as "remount" options, so it updates the configuration of the single super_block on each mount. Since that was changed, the mount options used for devtmpfs are ignored. This is a regression which affect systemd - which mounts devtmpfs with "-o mode=755,size=4m,nr_inodes=1m". This patch restores the "remount" effect by calling reconfigure_single() Fixes: d401727ea0d7 ("devtmpfs: don't mix {ramfs,shmem}_fill_super() with mount_single()") Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2021-12-30T12:54:42Z Kees Cook keescook@chromium.org 2021-12-22T12:50:20Z urn:sha1:28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 devtmpfs is writable. Add the noexec and nosuid as default mount flags to prevent code execution from /dev. The systems who don't use systemd and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch. Other systems are fine with the udev solution. No sane program should be relying on executing from /dev. So this patch reduces the attack surface. It doesn't prevent any specific attack, but it reduces the possibility that someone can use /dev as a place to put executable code. Chrome OS has been carrying this patch for several years. It seems trivial and simple solution to improve the protection of /dev when CONFIG_DEVTMPFS_MOUNT=y. Original patch: https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/ Cc: ellyjones@chromium.org Cc: Kay Sievers <kay@vrfy.org> Cc: Roland Eggner <edvx1@systemanalysen.net> Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-23T13:57:35Z Rasmus Villemoes linux@rasmusvillemoes.dk 2021-03-12T10:30:27Z urn:sha1:01085e24ff0ae775e7407a6e40c2156a724ae884 Currently gcc seems to inline devtmpfs_setup() into devtmpfsd(), so its memory footprint isn't reclaimed as intended. Mark it noinline to make sure it gets put in .init.text. While here, setup_done can also be put in .init.data: After complete() releases the internal spinlock, the completion object is never touched again by that thread, and the waiting thread doesn't proceed until it observes ->done while holding that spinlock. This is now the same pattern as for kthreadd_done in init/main.c: complete() is done in a __ref function, while the corresponding wait_for_completion() is in an __init function. Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Link: https://lore.kernel.org/r/20210312103027.2701413-2-linux@rasmusvillemoes.dk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-23T13:57:35Z Rasmus Villemoes linux@rasmusvillemoes.dk 2021-03-12T10:30:26Z urn:sha1:38f087de8947700d3b06d3d1594490e0f611c5d1 Calling complete() from within the __init function is wrong - theoretically, the init process could proceed all the way to freeing the init mem before the devtmpfsd thread gets to execute the return instruction in devtmpfs_setup(). In practice, it seems to be harmless as gcc inlines devtmpfs_setup() into devtmpfsd(). So the calls of the __init functions init_chdir() etc. actually happen from devtmpfs_setup(), but the __ref on that one silences modpost (it's all right, because those calls happen before the complete()). But it does make the __init annotation of the setup function moot, which we'll fix in a subsequent patch. Fixes: bcbacc4909f1 ("devtmpfs: refactor devtmpfsd()") Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Link: https://lore.kernel.org/r/20210312103027.2701413-1-linux@rasmusvillemoes.dk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-24T13:27:18Z Christian Brauner christian.brauner@ubuntu.com 2021-01-21T13:19:33Z urn:sha1:6521f8917082928a4cb637eb64b77b5f2f5b30fc The various vfs_*() helpers are called by filesystems or by the vfs itself to perform core operations such as create, link, mkdir, mknod, rename, rmdir, tmpfile and unlink. Enable them to handle idmapped mounts. If the inode is accessed through an idmapped mount map it into the mount's user namespace and pass it down. Afterwards the checks and operations are identical to non-idmapped mounts. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-15-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> 2021-01-24T13:27:16Z Christian Brauner christian.brauner@ubuntu.com 2021-01-21T13:19:26Z urn:sha1:2f221d6f7b881d95de1f356a3097d755ab1e47d4 When file attributes are changed most filesystems rely on the setattr_prepare(), setattr_copy(), and notify_change() helpers for initialization and permission checking. Let them handle idmapped mounts. If the inode is accessed through an idmapped mount map it into the mount's user namespace. Afterwards the checks are identical to non-idmapped mounts. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Helpers that perform checks on the ia_uid and ia_gid fields in struct iattr assume that ia_uid and ia_gid are intended values and have already been mapped correctly at the userspace-kernelspace boundary as we already do today. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-8-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> 2020-07-31T06:17:52Z Christoph Hellwig hch@lst.de 2020-07-22T09:26:13Z urn:sha1:4b7ca5014cbef51cdb99fd644eae4f3773747a05 Add a simple helper to chroot with a kernel space file name and switch the early init code over to it. Remove the now unused ksys_chroot. Signed-off-by: Christoph Hellwig <hch@lst.de> 2020-07-31T06:17:52Z Christoph Hellwig hch@lst.de 2020-07-22T09:25:21Z urn:sha1:db63f1e315384590b979f8f74abd1b5363b69894 Add a simple helper to chdir with a kernel space file name and switch the early init code over to it. Remove the now unused ksys_chdir. Signed-off-by: Christoph Hellwig <hch@lst.de> 2020-07-31T06:17:51Z Christoph Hellwig hch@lst.de 2020-07-21T09:12:08Z urn:sha1:c60166f04283ffba7b88b45d824bbfb2bfccee24 Like do_mount, but takes a kernel pointer for the destination path. Switch over the mounts in the init code and devtmpfs to it, which just happen to work due to the implicit set_fs(KERNEL_DS) during early init right now. Signed-off-by: Christoph Hellwig <hch@lst.de> 2020-07-31T06:17:51Z Christoph Hellwig hch@lst.de 2020-07-22T08:48:25Z urn:sha1:bcbacc4909f1b93242ba2894d0282c151c9d0e68 Split the main worker loop into a separate function. This allows devtmpfsd_setup to be marked __init, which will allows us to call __init routines for the setup work. devtmpfѕ itself needs a __ref marker for that to work, and a comment explaining why it works. Signed-off-by: Christoph Hellwig <hch@lst.de>