btrfs: check whether fsgid/fsuid are mapped during subvolume creation

When a new subvolume is created btrfs currently doesn't check whether
the fsgid/fsuid of the caller actually have a mapping in the user
namespace attached to the filesystem. The VFS always checks this to make
sure that the caller's fsgid/fsuid can be represented on-disk. This is
most relevant for filesystems that can be mounted inside user namespaces
but it is in general a good hardening measure to prevent unrepresentable
gid/uid from being written to disk.

Since we want to support idmapped mounts for btrfs ioctls to create
subvolumes in follow-up patches this becomes important since we want to
make sure the fsgid/fsuid of the caller as mapped according to the
idmapped mount can be represented on-disk. Simply add the missing
fsuidgid_has_mapping() line from the VFS may_create() version to
btrfs_may_create().

Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index d09eaa83b5d27f8e237b9d617580d4cc2bf21466..3661d2ce8ef6696212562d2df165c3e4d2848ffa 100644 (file)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -877,6 +877,8 @@ static inline int btrfs_may_create(struct inode *dir, struct dentry *child)
                return -EEXIST;
        if (IS_DEADDIR(dir))
                return -ENOENT;
+       if (!fsuidgid_has_mapping(dir->i_sb, &init_user_ns))
+               return -EOVERFLOW;
        return inode_permission(&init_user_ns, dir, MAY_WRITE | MAY_EXEC);
 }