# git rev-parse -q --verify 426b4ca2d6a5ab51f6b6175d06e4f8ddea434cdf^{commit} 426b4ca2d6a5ab51f6b6175d06e4f8ddea434cdf already have revision, skipping fetch # git checkout -q -f -B kisskb 426b4ca2d6a5ab51f6b6175d06e4f8ddea434cdf # git clean -qxdf # < git log -1 # commit 426b4ca2d6a5ab51f6b6175d06e4f8ddea434cdf # Merge: b8dcef877ab5 5fadbd992996 # Author: Linus Torvalds # Date: Tue Aug 9 09:52:28 2022 -0700 # # Merge tag 'fs.setgid.v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux # # Pull setgid updates from Christian Brauner: # "This contains the work to move setgid stripping out of individual # filesystems and into the VFS itself. # # Creating files that have both the S_IXGRP and S_ISGID bit raised in # directories that themselves have the S_ISGID bit set requires # additional privileges to avoid security issues. # # When a filesystem creates a new inode it needs to take care that the # caller is either in the group of the newly created inode or they have # CAP_FSETID in their current user namespace and are privileged over the # parent directory of the new inode. If any of these two conditions is # true then the S_ISGID bit can be raised for an S_IXGRP file and if not # it needs to be stripped. # # However, there are several key issues with the current implementation: # # - S_ISGID stripping logic is entangled with umask stripping. # # For example, if the umask removes the S_IXGRP bit from the file # about to be created then the S_ISGID bit will be kept. # # The inode_init_owner() helper is responsible for S_ISGID stripping # and is called before posix_acl_create(). So we can end up with two # different orderings: # # 1. FS without POSIX ACL support # # First strip umask then strip S_ISGID in inode_init_owner(). # # In other words, if a filesystem doesn't support or enable POSIX # ACLs then umask stripping is done directly in the vfs before # calling into the filesystem: # # 2. 
FS with POSIX ACL support # # First strip S_ISGID in inode_init_owner() then strip umask in # posix_acl_create(). # # In other words, if the filesystem does support POSIX ACLs then # umask stripping may be done in the filesystem itself when # calling posix_acl_create(). # # Note that technically filesystems are free to impose their own # ordering between posix_acl_create() and inode_init_owner() meaning # that there are additional ordering issues that influence S_ISGID # inheritance. # # (Note that the commit message of commit 1639a49ccdce ("fs: move # S_ISGID stripping into the vfs_*() helpers") gets the ordering # between inode_init_owner() and posix_acl_create() the wrong way # around. I realized this too late.) # # - Filesystems that don't rely on inode_init_owner() don't get S_ISGID # stripping logic. # # While that may be intentional (e.g. network filesystems might just # defer setgid stripping to a server) it is often just a security # issue. # # Note that mandating the use of inode_init_owner() was proposed as # an alternative solution but that wouldn't fix the ordering issues # and there are examples such as afs where the use of # inode_init_owner() isn't possible. # # In any case, we should also try the cleaner and generalized # solution first before resorting to this approach. # # - We still have S_ISGID inheritance bugs years after the initial # round of S_ISGID inheritance fixes: # # e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") # 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") # fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") # # All of this led us to conclude that the current state is too messy. # While we won't be able to make it completely clean as # posix_acl_create() is still a filesystem specific call we can improve # the S_ISGID stripping situation quite a bit by hoisting it out of # inode_init_owner() and into the respective vfs creation operations. 
# # The obvious advantage is that we don't need to rely on individual # filesystems getting S_ISGID stripping right and instead can # standardize the ordering between S_ISGID and umask stripping directly # in the VFS. # # A few short implementation notes: # # - The stripping logic needs to happen in vfs_*() helpers for the sake # of stacking filesystems such as overlayfs that rely on these # helpers taking care of S_ISGID stripping. # # - Security hooks have never seen the mode as it is ultimately seen by # the filesystem because of the ordering issue we mentioned. Nothing # is changed for them. We simply continue to strip the umask before # passing the mode down to the security hooks. # # - The following filesystems use inode_init_owner() and thus relied on # S_ISGID stripping: spufs, 9p, bfs, btrfs, ext2, ext4, f2fs, # hfsplus, hugetlbfs, jfs, minix, nilfs2, ntfs3, ocfs2, omfs, # overlayfs, ramfs, reiserfs, sysv, ubifs, udf, ufs, xfs, zonefs, # bpf, tmpfs. # # We've audited all callchains as best as we could. 
More details can # be found in the commit message to 1639a49ccdce ("fs: move S_ISGID # stripping into the vfs_*() helpers")" # # * tag 'fs.setgid.v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: # ceph: rely on vfs for setgid stripping # fs: move S_ISGID stripping into the vfs_*() helpers # fs: Add missing umask strip in vfs_tmpfile # fs: add mode_strip_sgid() helper # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux-ld --version # < git log --format=%s --max-count=1 426b4ca2d6a5ab51f6b6175d06e4f8ddea434cdf # < make -s -j 32 ARCH=sh O=/kisskb/build/linus_sh-allyesconfig_sh4-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux- allyesconfig # Added to kconfig CONFIG_BUILD_DOCSRC=n # Added to kconfig CONFIG_MODULE_SIG=n # < make -s -j 32 ARCH=sh O=/kisskb/build/linus_sh-allyesconfig_sh4-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux- help # make -s -j 32 ARCH=sh O=/kisskb/build/linus_sh-allyesconfig_sh4-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux- olddefconfig # make -s -j 32 ARCH=sh O=/kisskb/build/linus_sh-allyesconfig_sh4-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux- Generating include/generated/machtypes.h :1517:2: warning: #warning syscall clone3 not implemented [-Wcpp] /kisskb/src/arch/sh/kernel/cpu/sh2/../../entry-common.S: Assembler messages: /kisskb/src/arch/sh/kernel/cpu/sh2/../../entry-common.S:85: Warning: overflow in branch to __restore_all; converted into longer instruction sequence /kisskb/src/arch/sh/kernel/cpu/sh2/../../entry-common.S:357: Warning: overflow in branch to syscall_exit_work; converted into longer instruction sequence /kisskb/src/arch/sh/kernel/cpu/sh2/../../entry-common.S:360: Warning: overflow in branch to syscall_exit_work; converted into longer instruction sequence 
In file included from /kisskb/src/arch/sh/include/asm/hw_irq.h:6, from /kisskb/src/include/linux/irq.h:596, from /kisskb/src/include/asm-generic/hardirq.h:17, from /kisskb/src/arch/sh/include/asm/hardirq.h:9, from /kisskb/src/include/linux/hardirq.h:11, from /kisskb/src/include/linux/interrupt.h:11, from /kisskb/src/include/linux/serial_core.h:13, from /kisskb/src/include/linux/serial_sci.h:6, from /kisskb/src/arch/sh/kernel/cpu/sh2/setup-sh7619.c:11: /kisskb/src/include/linux/sh_intc.h:100:63: error: division 'sizeof (void *) / sizeof (void)' does not compute the number of array elements [-Werror=sizeof-pointer-div] 100 | #define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) | ^ /kisskb/src/include/linux/sh_intc.h:105:31: note: in expansion of macro '_INTC_ARRAY' 105 | _INTC_ARRAY(vectors), _INTC_ARRAY(groups), \ | ^~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:124:15: note: in expansion of macro 'INTC_HW_DESC' 124 | .hw = INTC_HW_DESC(vectors, groups, mask_regs, \ | ^~~~~~~~~~~~ /kisskb/src/arch/sh/kernel/cpu/sh2/setup-sh7619.c:58:8: note: in expansion of macro 'DECLARE_INTC_DESC' 58 | static DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, | ^~~~~~~~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:100:63: error: division 'sizeof (void *) / sizeof (void)' does not compute the number of array elements [-Werror=sizeof-pointer-div] 100 | #define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 
0 : sizeof(a)/sizeof(*a) | ^ /kisskb/src/include/linux/sh_intc.h:106:9: note: in expansion of macro '_INTC_ARRAY' 106 | _INTC_ARRAY(mask_regs), _INTC_ARRAY(prio_regs), \ | ^~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:124:15: note: in expansion of macro 'INTC_HW_DESC' 124 | .hw = INTC_HW_DESC(vectors, groups, mask_regs, \ | ^~~~~~~~~~~~ /kisskb/src/arch/sh/kernel/cpu/sh2/setup-sh7619.c:58:8: note: in expansion of macro 'DECLARE_INTC_DESC' 58 | static DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, | ^~~~~~~~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:100:63: error: division 'sizeof (void *) / sizeof (void)' does not compute the number of array elements [-Werror=sizeof-pointer-div] 100 | #define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) | ^ /kisskb/src/include/linux/sh_intc.h:107:9: note: in expansion of macro '_INTC_ARRAY' 107 | _INTC_ARRAY(sense_regs), _INTC_ARRAY(ack_regs), \ | ^~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:124:15: note: in expansion of macro 'INTC_HW_DESC' 124 | .hw = INTC_HW_DESC(vectors, groups, mask_regs, \ | ^~~~~~~~~~~~ /kisskb/src/arch/sh/kernel/cpu/sh2/setup-sh7619.c:58:8: note: in expansion of macro 'DECLARE_INTC_DESC' 58 | static DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, | ^~~~~~~~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:100:63: error: division 'sizeof (void *) / sizeof (void)' does not compute the number of array elements [-Werror=sizeof-pointer-div] 100 | #define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 
0 : sizeof(a)/sizeof(*a) | ^ /kisskb/src/include/linux/sh_intc.h:107:34: note: in expansion of macro '_INTC_ARRAY' 107 | _INTC_ARRAY(sense_regs), _INTC_ARRAY(ack_regs), \ | ^~~~~~~~~~~ /kisskb/src/include/linux/sh_intc.h:124:15: note: in expansion of macro 'INTC_HW_DESC' 124 | .hw = INTC_HW_DESC(vectors, groups, mask_regs, \ | ^~~~~~~~~~~~ /kisskb/src/arch/sh/kernel/cpu/sh2/setup-sh7619.c:58:8: note: in expansion of macro 'DECLARE_INTC_DESC' 58 | static DECLARE_INTC_DESC(intc_desc, "sh7619", vectors, NULL, | ^~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[5]: *** [/kisskb/src/scripts/Makefile.build:249: arch/sh/kernel/cpu/sh2/setup-sh7619.o] Error 1 make[5]: *** Waiting for unfinished jobs.... /kisskb/src/arch/sh/kernel/machvec.c: In function 'sh_mv_setup': /kisskb/src/arch/sh/kernel/machvec.c:105:33: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds] 105 | sh_mv = *(struct sh_machine_vector *)&__machvec_start; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from /kisskb/src/arch/sh/kernel/machvec.c:13: /kisskb/src/arch/sh/include/asm/sections.h:7:13: note: while referencing '__machvec_start' 7 | extern long __machvec_start, __machvec_end; | ^~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[3]: *** [/kisskb/src/scripts/Makefile.build:249: arch/sh/kernel/machvec.o] Error 1 make[3]: *** Waiting for unfinished jobs.... make[4]: *** [/kisskb/src/scripts/Makefile.build:466: arch/sh/kernel/cpu/sh2] Error 2 make[4]: *** Waiting for unfinished jobs.... make[3]: *** [/kisskb/src/scripts/Makefile.build:466: arch/sh/kernel/cpu] Error 2 make[2]: *** [/kisskb/src/scripts/Makefile.build:466: arch/sh/kernel] Error 2 make[2]: *** Waiting for unfinished jobs.... make[1]: *** [/kisskb/src/Makefile:1844: arch/sh] Error 2 make[1]: *** Waiting for unfinished jobs.... 
make: *** [Makefile:219: __sub-make] Error 2 Command 'make -s -j 32 ARCH=sh O=/kisskb/build/linus_sh-allyesconfig_sh4-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sh4-linux/bin/sh4-linux- ' returned non-zero exit status 2 # rm -rf /kisskb/build/linus_sh-allyesconfig_sh4-gcc11 # Build took: 0:01:56.690481