From 1a00afe0ffc8255a7c9ed725a373384784f6d4aa Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 20 Aug 2025 11:37:06 +0200 Subject: [PATCH] mountfsd: slightly relax restrictions on dir fds to mount When establishing a idmapped mount for a directory with foreign mapping we so far insisted in the dir being properly opened (i.e. via a non-O_PATH fd) being passed to mountfsd. This is problematic however, since the client might not actually be able to open the dir (which after all is owned by the foreign UID, not by the user). Hence, let's relax the rules, and accept an O_PATH fd too (which the client can get even without privs). This should be safe, since the load-bearing security check is whether the dir has a parent owned by the client's UID, and for that check O_PATH or not O_PATH is not relevant. --- src/mountfsd/mountwork.c | 2 +- src/shared/dissect-image.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c index fb1d8ebcb4..4f37bbd081 100644 --- a/src/mountfsd/mountwork.c +++ b/src/mountfsd/mountwork.c @@ -659,7 +659,7 @@ static DirectoryOwnership validate_directory_fd(int fd, uid_t peer_uid) { if (r < 0) return r; - fl = fd_verify_safe_flags_full(fd, O_DIRECTORY); + fl = fd_verify_safe_flags_full(fd, O_DIRECTORY|O_PATH); if (fl < 0) return log_debug_errno(fl, "Directory file descriptor has unsafe flags set: %m"); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 672c6a65cd..0bc750bafe 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -4750,7 +4750,7 @@ int mountfsd_mount_directory( if (r < 0) return log_error_errno(r, "Failed to enable varlink fd passing for write: %m"); - _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC); + _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_PATH); if (directory_fd < 0) return log_error_errno(errno, "Failed to open '%s': %m", path);