git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jann Horn <jannh@google.com>
	Tue, 6 Aug 2024 14:07:16 +0000 (16:07 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 4 Oct 2024 14:29:54 +0000 (16:29 +0200)
commit	5e0de753bfe87768ebe6744d869caa92f35e5731
tree	62d8020d96e1048474329e3cec9c5a2b9ee00956	tree \| snapshot
parent	56d8651679921d70f1fb81fa78680624457d9306	commit \| diff

f2fs: Require FMODE_WRITE for atomic write ioctls

commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream.

The F2FS ioctls for starting and committing atomic writes check for
inode_owner_or_capable(), but this does not give LSMs like SELinux or
Landlock an opportunity to deny the write access - if the caller's FSUID
matches the inode's UID, inode_owner_or_capable() immediately returns true.

There are scenarios where LSMs want to deny a process the ability to write
particular files, even files that the FSUID of the process owns; but this
can currently partially be bypassed using atomic write ioctls in two ways:

- F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can
truncate an inode to size 0
- F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert
changes another process concurrently made to a file

Fix it by requiring FMODE_WRITE for these operations, just like for
F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these
ioctls when intending to write into the file, that seems unlikely to break
anything.

Fixes: 88b88a667971 ("f2fs: support atomic writes")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>