mountfsd: slightly relax restrictions on dir fds to mount

When establishing a idmapped mount for a directory with foreign mapping we so far insisted in the dir being properly opened (i.e. via a non-O_PATH fd) being passed to mountfsd. This is problematic however, since the client might not actually be able to open the dir (which after all is owned by the foreign UID, not by the user). Hence, let's relax the rules, and accept an O_PATH fd too (which the client can get even without privs). This should be safe, since the load-bearing security check is whether the dir has a parent owned by the client's UID, and for that check O_PATH or not O_PATH is not relevant.
2026-04-14 00:14:32 +09:00 · 2025-08-20 11:37:06 +02:00
parent e77566fbca
commit 1a00afe0ff
2 changed files with 2 additions and 2 deletions
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -659,7 +659,7 @@ static DirectoryOwnership validate_directory_fd(int fd, uid_t peer_uid) {
        if (r < 0)
                return r;

-        fl = fd_verify_safe_flags_full(fd, O_DIRECTORY);
+        fl = fd_verify_safe_flags_full(fd, O_DIRECTORY|O_PATH);
        if (fl < 0)
                return log_debug_errno(fl, "Directory file descriptor has unsafe flags set: %m");

--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -4750,7 +4750,7 @@ int mountfsd_mount_directory(
        if (r < 0)
                return log_error_errno(r, "Failed to enable varlink fd passing for write: %m");

-        _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
+        _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_PATH);
        if (directory_fd < 0)
                return log_error_errno(errno, "Failed to open '%s': %m", path);