fusefs: enforce -onoallow_other even beneath the mountpoint

When -o allow_other is not in use, fusefs is supposed to prevent access to the filesystem by any user other than the one who owns the daemon. Our fusefs implementation was only enforcing that restriction at the mountpoint itself. That was usually good enough because lookup usually descends from the mountpoint. However, there are cases when it doesn't, such as when using openat relative to a file beneath the mountpoint. PR: 237052 Sponsored by: The FreeBSD Foundation
svn path=/projects/fuse2/; revision=345958
2024-12-17 10:26:15 +00:00 · 2019-04-05 17:21:23 +00:00 · 2019-04-05 17:21:23 +00:00 · efa23d9784 · 2020-12-20 02:59:44 +00:00
commit efa23d9784
parent 140bb4927a
2 changed files with 50 additions and 1 deletions
--- a/sys/fs/fuse/fuse_internal.c
+++ b/sys/fs/fuse/fuse_internal.c
@ -140,7 +140,7 @@ fuse_internal_access(struct vnode *vp,
 		return EROFS;
 	}
 	/* Unless explicitly permitted, deny everyone except the fs owner. */
-	    if (vnode_isvroot(vp) && !(facp->facc_flags & FACCESS_NOCHECKSPY)) {
+	if (!(facp->facc_flags & FACCESS_NOCHECKSPY)) {
 		if (!(dataflags & FSESS_DAEMON_CAN_SPY)) {
 			int denied = fuse_match_cred(data->daemoncred,
 			    cred);
@ -149,6 +149,10 @@ fuse_internal_access(struct vnode *vp,
 				return EPERM;
 			}
 		}
+		/* 
+		 * Set the "skip cred check" flag so future callers that share
+		 * facp can skip fuse_match_cred.
+		 */
 		facp->facc_flags |= FACCESS_NOCHECKSPY;
 	}
 	if (!(facp->facc_flags & FACCESS_DO_ACCESS)) {
--- a/tests/sys/fs/fusefs/allow_other.cc
+++ b/tests/sys/fs/fusefs/allow_other.cc
@ -179,3 +179,48 @@ TEST_F(NoAllowOther, disallowed)
 		}
 	);
 }
+
+/* 
+ * When -o allow_other is not used, users other than the owner aren't allowed
+ * to open anything inside of the mount point, not just the mountpoint itself
+ * This is a regression test for bug 237052
+ */
+TEST_F(NoAllowOther, disallowed_beneath_root)
+{
+	const static char FULLPATH[] = "mountpoint/some_dir";
+	const static char RELPATH[] = "some_dir";
+	const static char RELPATH2[] = "other_dir";
+	const static uint64_t ino = 42;
+	const static uint64_t ino2 = 43;
+	int dfd;
+
+	expect_lookup(RELPATH, ino, S_IFDIR | 0755, 0, 1);
+	EXPECT_LOOKUP(ino, RELPATH2)
+	.WillRepeatedly(Invoke(ReturnImmediate([=](auto in __unused, auto out) {
+		SET_OUT_HEADER_LEN(out, entry);
+		out->body.entry.attr.mode = S_IFREG | 0644;
+		out->body.entry.nodeid = ino2;
+		out->body.entry.attr.nlink = 1;
+		out->body.entry.attr_valid = UINT64_MAX;
+	})));
+	expect_opendir(ino);
+	dfd = open(FULLPATH, O_DIRECTORY);
+	ASSERT_LE(0, dfd) << strerror(errno);
+
+	fork(true, [] {
+		}, [&]() {
+			int fd;
+
+			fd = openat(dfd, RELPATH2, O_RDONLY);
+			if (fd >= 0) {
+				fprintf(stderr, "openat should've failed\n");
+				return(1);
+			} else if (errno != EPERM) {
+				fprintf(stderr, "Unexpected error: %s\n",
+					strerror(errno));
+				return(1);
+			}
+			return 0;
+		}
+	);
+}