crosvm/seccomp/x86_64/fs_device.policy
Chirantan Ekbote 814a8da0ed devices: fs: Use 2 stage create and mkdir
When creating a file or directory the virtio-fs server changes its
effective uid and gid to the uid and gid of the process that made the
call.  This ensures that the file or directory has the correct owner and
group when it is created and also serves as an access check to ensure
that the process that made the call has permission to modify the parent
directory.

However, this causes an EACCES error when the following conditions are
met:

  * The parent directory has g+rw permissions with gid A
  * The process has gid B but has A in its list of supplementary groups

In this case the fuse context only contains gid B, which doesn't have
permission to modify the parent directory.

Unfortunately there's no way for us to detect this on the server side so
instead we just have to rely on the permission checks carried out by the
kernel driver. If the server receives a create call, then assume that
the kernel has verified that the process is allowed to create that
file/directory and just create it without changing the server thread's
uid and gid.

Additionally, in order to ensure that a newly created file appears
atomically in the parent directory with the proper owner and group,
change the create implementation to use `O_TMPFILE` and `linkat` as
described in the open(2) manpage.  There is no `O_TMPFILE` equivalent
for directories so create a "hidden" directory with a randomly generated
name, modify the uid/gid and mode, and then rename it into place.

BUG=b:156696212
TEST=tast run $DUT vm.Virtiofs
TEST=Create a test directory with group wayland and permissions g+rw.
     Then run `su -s /bin/bash -c 'touch ${dir}/foo' - crosvm` and
     `su -s /bin/bash -c 'mkdir ${dir}/bar' - crosvm`.

Change-Id: If5fbcb1b011664c7c1ac29542a2f90d129c34962
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2217534
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
2020-06-04 12:49:49 +00:00

43 lines
No EOL
743 B
Text

# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@include /usr/share/policy/crosvm/common_device.policy
copy_file_range: 1
fallocate: 1
fchmod: 1
fchmodat: 1
fchown: 1
fchownat: 1
fdatasync: 1
lgetxattr: 1
lsetxattr: 1
llistxattr: 1
lremovexattr: 1
fstatfs: 1
fsync: 1
ftruncate: 1
getdents64: 1
getegid: 1
geteuid: 1
ioctl: arg1 == FS_IOC_GET_ENCRYPTION_POLICY || arg1 == FS_IOC_SET_ENCRYPTION_POLICY
linkat: 1
lseek: 1
mkdir: 1
mkdirat: 1
mknodat: 1
newfstatat: 1
open: return ENOENT
openat: 1
preadv: 1
pwritev: 1
readlinkat: 1
renameat2: 1
setresgid: 1
setresuid: 1
symlinkat: 1
statx: 1
umask: 1
unlinkat: 1
utimensat: 1