fhandle: pull CAP_DAC_READ_SEARCH check into may_decode_fh()

There's no point in keeping it outside of that helper. This way we have
all the permission pieces in one place.

Link: https://lore.kernel.org/r/20241129-work-pidfs-file_handle-v1-4-87d803a42495@kernel.org
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/fhandle.c b/fs/fhandle.c
index f0b818f08aaa3602ef1e32d6c4ca7014520136d2..e17029b1dc4456e57846d220074345ca81b9bc2f 100644 (file)
--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -279,28 +279,32 @@ static int do_handle_to_path(struct file_handle *handle, struct path *path,
        return 0;
 }
 
-/*
- * Allow relaxed permissions of file handles if the caller has the
- * ability to mount the filesystem or create a bind-mount of the
- * provided @mountdirfd.
- *
- * In both cases the caller may be able to get an unobstructed way to
- * the encoded file handle. If the caller is only able to create a
- * bind-mount we need to verify that there are no locked mounts on top
- * of it that could prevent us from getting to the encoded file.
- *
- * In principle, locked mounts can prevent the caller from mounting the
- * filesystem but that only applies to procfs and sysfs neither of which
- * support decoding file handles.
- */
 static inline bool may_decode_fh(struct handle_to_path_ctx *ctx,
                                 unsigned int o_flags)
 {
        struct path *root = &ctx->root;
 
+       if (capable(CAP_DAC_READ_SEARCH))
+               return true;
+
        /*
-        * Restrict to O_DIRECTORY to provide a deterministic API that avoids a
-        * confusing api in the face of disconnected non-dir dentries.
+        * Allow relaxed permissions of file handles if the caller has
+        * the ability to mount the filesystem or create a bind-mount of
+        * the provided @mountdirfd.
+        *
+        * In both cases the caller may be able to get an unobstructed
+        * way to the encoded file handle. If the caller is only able to
+        * create a bind-mount we need to verify that there are no
+        * locked mounts on top of it that could prevent us from getting
+        * to the encoded file.
+        *
+        * In principle, locked mounts can prevent the caller from
+        * mounting the filesystem but that only applies to procfs and
+        * sysfs neither of which support decoding file handles.
+        *
+        * Restrict to O_DIRECTORY to provide a deterministic API that
+        * avoids a confusing api in the face of disconnected non-dir
+        * dentries.
         *
         * There's only one dentry for each directory inode (VFS rule)...
         */
@@ -337,7 +341,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
        if (retval)
                goto out_err;
 
-       if (!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)) {
+       if (!may_decode_fh(&ctx, o_flags)) {
                retval = -EPERM;
                goto out_path;
        }