mirror_zfs/module/os/linux/zfs/policy.c
Will Andrews 4ed5e25074 Add Linux namespace delegation support
This allows ZFS datasets to be delegated to a user/mount namespace
Within that namespace, only the delegated datasets are visible
Works very similarly to Zones/Jailes on other ZFS OSes

As a user:
```
 $ unshare -Um
 $ zfs list
no datasets available
 $ echo $$
1234
```

As root:
```
 # zfs list
NAME                            ZONED  MOUNTPOINT
containers                      off    /containers
containers/host                 off    /containers/host
containers/host/child           off    /containers/host/child
containers/host/child/gchild    off    /containers/host/child/gchild
containers/unpriv               on     /unpriv
containers/unpriv/child         on     /unpriv/child
containers/unpriv/child/gchild  on     /unpriv/child/gchild

 # zfs zone /proc/1234/ns/user containers/unpriv
```

Back to the user namespace:
```
 $ zfs list
NAME                             USED  AVAIL     REFER  MOUNTPOINT
containers                       129M  47.8G       24K  /containers
containers/unpriv                128M  47.8G       24K  /unpriv
containers/unpriv/child          128M  47.8G      128M  /unpriv/child
```

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Will Andrews <will.andrews@klarasystems.com>
Signed-off-by: Allan Jude <allan@klarasystems.com>
Signed-off-by: Mateusz Piotrowski <mateusz.piotrowski@klarasystems.com>
Co-authored-by: Allan Jude <allan@klarasystems.com>
Co-authored-by: Mateusz Piotrowski <mateusz.piotrowski@klarasystems.com>
Sponsored-by: Buddy <https://buddy.works>
Closes #12263
2022-06-10 09:51:46 -07:00

376 lines
8.9 KiB
C

/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2013, Joyent, Inc. All rights reserved.
* Copyright (C) 2016 Lawrence Livermore National Security, LLC.
*
* For Linux the vast majority of this enforcement is already handled via
* the standard Linux VFS permission checks. However certain administrative
* commands which bypass the standard mechanisms may need to make use of
* this functionality.
*/
#include <sys/policy.h>
#include <linux/security.h>
#include <linux/vfs_compat.h>
/*
* The passed credentials cannot be directly verified because Linux only
* provides and interface to check the *current* process credentials. In
* order to handle this the capable() test is only run when the passed
* credentials match the current process credentials or the kcred. In
* all other cases this function must fail and return the passed err.
*/
static int
priv_policy_ns(const cred_t *cr, int capability, int err,
struct user_namespace *ns)
{
if (cr != CRED() && (cr != kcred))
return (err);
#if defined(CONFIG_USER_NS)
if (!(ns ? ns_capable(ns, capability) : capable(capability)))
#else
if (!capable(capability))
#endif
return (err);
return (0);
}
static int
priv_policy(const cred_t *cr, int capability, int err)
{
return (priv_policy_ns(cr, capability, err, cr->user_ns));
}
static int
priv_policy_user(const cred_t *cr, int capability, int err)
{
/*
* All priv_policy_user checks are preceded by kuid/kgid_has_mapping()
* checks. If we cannot do them, we shouldn't be using ns_capable()
* since we don't know whether the affected files are valid in our
* namespace.
*/
#if defined(CONFIG_USER_NS)
return (priv_policy_ns(cr, capability, err, cr->user_ns));
#else
return (priv_policy_ns(cr, capability, err, NULL));
#endif
}
/*
* Checks for operations that are either client-only or are used by
* both clients and servers.
*/
int
secpolicy_nfs(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
}
/*
* Catch all system configuration.
*/
int
secpolicy_sys_config(const cred_t *cr, boolean_t checkonly)
{
return (priv_policy(cr, CAP_SYS_ADMIN, EPERM));
}
/*
* Like secpolicy_vnode_access() but we get the actual wanted mode and the
* current mode of the file, not the missing bits.
*
* Enforced in the Linux VFS.
*/
int
secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
mode_t curmode, mode_t wantmode)
{
return (0);
}
/*
* This is a special routine for ZFS; it is used to determine whether
* any of the privileges in effect allow any form of access to the
* file. There's no reason to audit this or any reason to record
* this. More work is needed to do the "KPLD" stuff.
*/
int
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
{
if (crgetuid(cr) == owner)
return (0);
if (zpl_inode_owner_or_capable(kcred->user_ns, ip))
return (0);
#if defined(CONFIG_USER_NS)
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);
#endif
if (priv_policy_user(cr, CAP_DAC_OVERRIDE, EPERM) == 0)
return (0);
if (priv_policy_user(cr, CAP_DAC_READ_SEARCH, EPERM) == 0)
return (0);
return (EPERM);
}
/*
* Determine if subject can chown owner of a file.
*/
int
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
{
if (crgetuid(cr) == owner)
return (0);
#if defined(CONFIG_USER_NS)
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
}
/*
* Determine if subject can change group ownership of a file.
*/
int
secpolicy_vnode_create_gid(const cred_t *cr)
{
return (priv_policy(cr, CAP_SETGID, EPERM));
}
/*
* Policy determines whether we can remove an entry from a directory,
* regardless of permission bits.
*/
int
secpolicy_vnode_remove(const cred_t *cr)
{
return (priv_policy(cr, CAP_FOWNER, EPERM));
}
/*
* Determine that subject can modify the mode of a file. allzone privilege
* needed when modifying root owned object.
*/
int
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
{
if (crgetuid(cr) == owner)
return (0);
#if defined(CONFIG_USER_NS)
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FOWNER, EPERM));
}
/*
* Are we allowed to retain the set-uid/set-gid bits when
* changing ownership or when writing to a file?
* "issuid" should be true when set-uid; only in that case
* root ownership is checked (setgid is assumed).
*
* Enforced in the Linux VFS.
*/
int
secpolicy_vnode_setid_retain(struct znode *zp __maybe_unused, const cred_t *cr,
boolean_t issuidroot)
{
return (priv_policy_user(cr, CAP_FSETID, EPERM));
}
/*
* Determine that subject can set the file setgid flag.
*/
int
secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
{
#if defined(CONFIG_USER_NS)
if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
return (EPERM);
#endif
if (crgetgid(cr) != gid && !groupmember(gid, cr))
return (priv_policy_user(cr, CAP_FSETID, EPERM));
return (0);
}
/*
* Determine if the subject can inject faults in the ZFS fault injection
* framework. Requires all privileges.
*/
int
secpolicy_zinject(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
}
/*
* Determine if the subject has permission to manipulate ZFS datasets
* (not pools). Equivalent to the SYS_MOUNT privilege.
*/
int
secpolicy_zfs(const cred_t *cr)
{
return (priv_policy(cr, CAP_SYS_ADMIN, EACCES));
}
/*
* Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
* the current process. Takes both cred_t and proc_t so that this can work
* easily on all platforms.
*
* The has_capability() function was first exported in the 4.10 Linux kernel
* then backported to some LTS kernels. Prior to this change there was no
* mechanism to perform this check therefore EACCES is returned when the
* functionality is not present in the kernel.
*/
int
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
{
#if defined(HAVE_HAS_CAPABILITY)
if (!has_capability(proc, CAP_SYS_ADMIN))
return (EACCES);
return (0);
#else
return (EACCES);
#endif
}
void
secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
{
if ((vap->va_mode & (S_ISUID | S_ISGID)) != 0 &&
secpolicy_vnode_setid_retain(NULL, cr,
(vap->va_mode & S_ISUID) != 0 &&
(vap->va_mask & AT_UID) != 0 && vap->va_uid == 0) != 0) {
vap->va_mask |= AT_MODE;
vap->va_mode &= ~(S_ISUID|S_ISGID);
}
}
/*
* Determine that subject can set the file setid flags.
*/
static int
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
{
if (crgetuid(cr) == owner)
return (0);
#if defined(CONFIG_USER_NS)
if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
return (EPERM);
#endif
return (priv_policy_user(cr, CAP_FSETID, EPERM));
}
/*
* Determine that subject can make a file a "sticky".
*
* Enforced in the Linux VFS.
*/
static int
secpolicy_vnode_stky_modify(const cred_t *cr)
{
return (0);
}
int
secpolicy_setid_setsticky_clear(struct inode *ip, vattr_t *vap,
const vattr_t *ovap, cred_t *cr)
{
int error;
if ((vap->va_mode & S_ISUID) != 0 &&
(error = secpolicy_vnode_setid_modify(cr,
ovap->va_uid)) != 0) {
return (error);
}
/*
* Check privilege if attempting to set the
* sticky bit on a non-directory.
*/
if (!S_ISDIR(ip->i_mode) && (vap->va_mode & S_ISVTX) != 0 &&
secpolicy_vnode_stky_modify(cr) != 0) {
vap->va_mode &= ~S_ISVTX;
}
/*
* Check for privilege if attempting to set the
* group-id bit.
*/
if ((vap->va_mode & S_ISGID) != 0 &&
secpolicy_vnode_setids_setgids(cr, ovap->va_gid) != 0) {
vap->va_mode &= ~S_ISGID;
}
return (0);
}
/*
* Check privileges for setting xvattr attributes
*/
int
secpolicy_xvattr(xvattr_t *xvap, uid_t owner, cred_t *cr, mode_t type)
{
return (secpolicy_vnode_chown(cr, owner));
}
/*
* Check privileges for setattr attributes.
*
* Enforced in the Linux VFS.
*/
int
secpolicy_vnode_setattr(cred_t *cr, struct inode *ip, struct vattr *vap,
const struct vattr *ovap, int flags,
int unlocked_access(void *, int, cred_t *), void *node)
{
return (0);
}
/*
* Check privileges for links.
*
* Enforced in the Linux VFS.
*/
int
secpolicy_basic_link(const cred_t *cr)
{
return (0);
}