fs: Refuse uid/gid changes which don't map into s_user_ns

Add checks to notify_change to verify that uid and gid changes
will map into the superblock's user namespace. If they do not
fail with -EOVERFLOW.

This is mandatory so that fileystems don't have to even think
of dealing with ia_uid and ia_gid that

--EWB Moved the test from inode_change_ok to notify_change

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

diff --git a/fs/attr.c b/fs/attr.c
index 25b24d0f6c8810c86ef79319e091fc65231733d0..dd723578ddce7c6e1a536df3ceda92750e04fb26 100644 (file)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -255,6 +255,17 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
        if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
                return 0;
 
+       /*
+        * Verify that uid/gid changes are valid in the target
+        * namespace of the superblock.
+        */
+       if (ia_valid & ATTR_UID &&
+           !kuid_has_mapping(inode->i_sb->s_user_ns, attr->ia_uid))
+               return -EOVERFLOW;
+       if (ia_valid & ATTR_GID &&
+           !kgid_has_mapping(inode->i_sb->s_user_ns, attr->ia_gid))
+               return -EOVERFLOW;
+
        error = security_inode_setattr(dentry, attr);
        if (error)
                return error;