Skip to content

Commit 58c6cbd

Browse files
braunerbrauner
committed
Merge patch series "nsfs: validate ioctls"
Christian Brauner <brauner@kernel.org> says: This series ensures that nsfs protects against ioctl overloading. * patches from https://lore.kernel.org/r/20250219-work-nsfs-v1-0-21128d73c5e8@kernel.org: selftests/nsfs: add ioctl validation tests nsfs: validate ioctls Link: https://lore.kernel.org/r/20250219-work-nsfs-v1-0-21128d73c5e8@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
2 parents 2014c95 + 540dcf0 commit 58c6cbd

File tree

2 files changed

+45
-1
lines changed

2 files changed

+45
-1
lines changed

fs/nsfs.c

Lines changed: 31 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,19 +152,49 @@ static int copy_ns_info_to_user(const struct mnt_namespace *mnt_ns,
152152
return 0;
153153
}
154154

155+
static bool nsfs_ioctl_valid(unsigned int cmd)
156+
{
157+
switch (cmd) {
158+
case NS_GET_USERNS:
159+
case NS_GET_PARENT:
160+
case NS_GET_NSTYPE:
161+
case NS_GET_OWNER_UID:
162+
case NS_GET_MNTNS_ID:
163+
case NS_GET_PID_FROM_PIDNS:
164+
case NS_GET_TGID_FROM_PIDNS:
165+
case NS_GET_PID_IN_PIDNS:
166+
case NS_GET_TGID_IN_PIDNS:
167+
return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd));
168+
}
169+
170+
/* Extensible ioctls require some extra handling. */
171+
switch (_IOC_NR(cmd)) {
172+
case _IOC_NR(NS_MNT_GET_INFO):
173+
case _IOC_NR(NS_MNT_GET_NEXT):
174+
case _IOC_NR(NS_MNT_GET_PREV):
175+
return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd));
176+
}
177+
178+
return false;
179+
}
180+
155181
static long ns_ioctl(struct file *filp, unsigned int ioctl,
156182
unsigned long arg)
157183
{
158184
struct user_namespace *user_ns;
159185
struct pid_namespace *pid_ns;
160186
struct task_struct *tsk;
161-
struct ns_common *ns = get_proc_ns(file_inode(filp));
187+
struct ns_common *ns;
162188
struct mnt_namespace *mnt_ns;
163189
bool previous = false;
164190
uid_t __user *argp;
165191
uid_t uid;
166192
int ret;
167193

194+
if (!nsfs_ioctl_valid(ioctl))
195+
return -ENOIOCTLCMD;
196+
197+
ns = get_proc_ns(file_inode(filp));
168198
switch (ioctl) {
169199
case NS_GET_USERNS:
170200
return open_related_ns(ns, ns_get_owner);

tools/testing/selftests/filesystems/nsfs/iterate_mntns.c

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,8 @@
33

44
#define _GNU_SOURCE
55
#include <fcntl.h>
6+
#include <linux/auto_dev-ioctl.h>
7+
#include <linux/errno.h>
68
#include <sched.h>
79
#include <stdio.h>
810
#include <string.h>
@@ -146,4 +148,16 @@ TEST_F(iterate_mount_namespaces, iterate_backward)
146148
}
147149
}
148150

151+
TEST_F(iterate_mount_namespaces, nfs_valid_ioctl)
152+
{
153+
ASSERT_NE(ioctl(self->fd_mnt_ns[0], AUTOFS_DEV_IOCTL_OPENMOUNT, NULL), 0);
154+
ASSERT_EQ(errno, ENOTTY);
155+
156+
ASSERT_NE(ioctl(self->fd_mnt_ns[0], AUTOFS_DEV_IOCTL_CLOSEMOUNT, NULL), 0);
157+
ASSERT_EQ(errno, ENOTTY);
158+
159+
ASSERT_NE(ioctl(self->fd_mnt_ns[0], AUTOFS_DEV_IOCTL_READY, NULL), 0);
160+
ASSERT_EQ(errno, ENOTTY);
161+
}
162+
149163
TEST_HARNESS_MAIN

0 commit comments

Comments
 (0)