git.baikalelectronics.ru Git - kernel.git/commit

author	Dave Marchevsky <davemarchevsky@fb.com>
	Mon, 11 Jul 2022 17:48:08 +0000 (10:48 -0700)
committer	Miklos Szeredi <mszeredi@redhat.com>
	Thu, 21 Jul 2022 14:06:19 +0000 (16:06 +0200)
commit	46a7c26c57e83112cbd8e754e72130e4cf055d53
tree	a74a0364b8eb36b4824856ea84270a7a2967efd1	tree \| snapshot
parent	acfc2b9655634211296eed79e71f76407a25d83f	commit \| diff

fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other

Since commit 1bb3076fb442 ("fuse: Restrict allow_other to the superblock's
namespace or a descendant"), access to allow_other FUSE filesystems has
been limited to users in the mounting user namespace or descendants. This
prevents a process that is privileged in its userns - but not its parent
namespaces - from mounting a FUSE fs w/ allow_other that is accessible to
processes in parent namespaces.

While this restriction makes sense overall it breaks a legitimate usecase:
I have a tracing daemon which needs to peek into process' open files in
order to symbolicate - similar to 'perf'. The daemon is a privileged
process in the root userns, but is unable to peek into FUSE filesystems
mounted by processes in child namespaces.

This patch adds a module param, allow_sys_admin_access, to act as an escape
hatch for this descendant userns logic and for the allow_other mount option
in general. Setting allow_sys_admin_access allows processes with
CAP_SYS_ADMIN in the initial userns to access FUSE filesystems irrespective
of the mounting userns or whether allow_other was set. A sysadmin setting
this param must trust FUSEs on the host to not DoS processes as described
in 1bb3076fb442.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Documentation/filesystems/fuse.rst		diff \| blob \| history
fs/fuse/dir.c		diff \| blob \| history