Commit 22bdf3d

anon_inode: explicitly block ->setattr()
It is currently possible to change the mode and owner of the single anonymous inode in the kernel:

    #include <signal.h>
    #include <sys/signalfd.h>
    #include <sys/stat.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        int ret, sfd;
        sigset_t mask;
        struct signalfd_siginfo fdsi;

        sigemptyset(&mask);
        sigaddset(&mask, SIGINT);
        sigaddset(&mask, SIGQUIT);

        ret = sigprocmask(SIG_BLOCK, &mask, NULL);
        if (ret < 0)
            _exit(1);

        /* signalfd() hands back an fd backed by the shared anonymous inode */
        sfd = signalfd(-1, &mask, 0);
        if (sfd < 0)
            _exit(2);

        /* change the owner of the anonymous inode */
        ret = fchown(sfd, 5555, 5555);
        if (ret < 0)
            _exit(3);

        /* change the mode of the anonymous inode */
        ret = fchmod(sfd, 0777);
        if (ret < 0)
            _exit(3);

        _exit(4);
    }

This is a bug. It's not really a meaningful one because anonymous inodes don't really figure into path lookup and they cannot be reopened via /proc/<pid>/fd/<nr> and can't be used for lookup itself. So they can only ever serve as direct references.

But it is still completely bogus to allow the mode and ownership or any of the properties of the anonymous inode to be changed. Block this!

Link: https://lore.kernel.org/[email protected]
Reviewed-by: Jeff Layton <[email protected]>
Cc: [email protected] # all LTS kernels
Signed-off-by: Christian Brauner <[email protected]>
1 parent 37e62da commit 22bdf3d

2 files changed

+9
-0
lines changed

fs/anon_inodes.c

Lines changed: 7 additions & 0 deletions
@@ -57,8 +57,15 @@ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
5757
return 0;
5858
}
5959

60+
int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
61+
struct iattr *attr)
62+
{
63+
return -EOPNOTSUPP;
64+
}
65+
6066
static const struct inode_operations anon_inode_operations = {
6167
.getattr = anon_inode_getattr,
68+
.setattr = anon_inode_setattr,
6269
};
6370

6471
/*
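
Review bot: anon_inode_setattr() at new lines 60-64 returns -EOPNOTSUPP for every request and leaves idmap, dentry and attr unused, but nothing above it says that the blanket refusal is deliberate. Please add a short comment stating that the single shared anonymous inode must never have its mode, ownership or other attributes changed, so that a later cleanup does not replace the stub with a permissive handler such as simple_setattr(). It would also help to say in that comment or in the commit message that fchown() and fchmod() on such an fd, as in the reproducer, now fail with EOPNOTSUPP, since that is a userspace-visible change being sent to all LTS kernels. Turning the reproducer into a selftest that expects both calls to fail would keep this from regressing.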

fs/internal.h

Lines changed: 2 additions & 0 deletions
@@ -346,3 +346,5 @@ int statmount_mnt_idmap(struct mnt_idmap *idmap, struct seq_file *seq, bool uid_
346346
int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
347347
struct kstat *stat, u32 request_mask,
348348
unsigned int query_flags);
349+
int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
350+
struct iattr *attr);
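
Review bot: the new prototype at lines 349-350 makes anon_inode_setattr() visible to the rest of fs/, yet the only user shown in this patch is the static anon_inode_operations table in fs/anon_inodes.c. If other inode_operations tables are meant to reuse it, as the anon_inode_getattr() declaration just above suggests, say so in the commit message; otherwise make the function static and drop this declaration. Any other anonymous-inode-like user that keeps its own inode_operations without .setattr is not covered by this change, so naming the intended callers here would make the remaining gap easy to audit.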
