mountfsd: slightly relax restrictions on dir fds to mount

When establishing a idmapped mount for a directory with foreign mapping
we so far insisted in the dir being properly opened (i.e. via a
non-O_PATH fd) being passed to mountfsd. This is problematic however,
since the client might not actually be able to open the dir (which after
all is owned by the foreign UID, not by the user). Hence, let's relax
the rules, and accept an O_PATH fd too (which the client can get even
without privs). This should be safe, since the load-bearing security
check is whether the dir has a parent owned by the client's UID, and
for that check O_PATH or not O_PATH is not relevant.

diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c
index fb1d8ebcb48bfa581563dbe211b874d7f3145eb0..4f37bbd0815262e01e4eaf07c483319e3a52c9f2 100644 (file)
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -659,7 +659,7 @@ static DirectoryOwnership validate_directory_fd(int fd, uid_t peer_uid) {
         if (r < 0)
                 return r;
 
-        fl = fd_verify_safe_flags_full(fd, O_DIRECTORY);
+        fl = fd_verify_safe_flags_full(fd, O_DIRECTORY|O_PATH);
         if (fl < 0)
                 return log_debug_errno(fl, "Directory file descriptor has unsafe flags set: %m");
 

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 672c6a65cd56899230a5bbc852f254928e91b13e..0bc750bafef85f67879c99d9212b6c032d733f85 100644 (file)
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -4750,7 +4750,7 @@ int mountfsd_mount_directory(
         if (r < 0)
                 return log_error_errno(r, "Failed to enable varlink fd passing for write: %m");
 
-        _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
+        _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_PATH);
         if (directory_fd < 0)
                 return log_error_errno(errno, "Failed to open '%s': %m", path);