From 1730d8093fb36e7957414d314755ae5208da1011 Mon Sep 17 00:00:00 2001 From: Aurelien Degremont Date: Tue, 27 Feb 2024 13:20:33 +0100 Subject: [PATCH] LU-17566 mdt: move squash code in new/old_init_ucred Move the uid/gid squashing code at the same place, at the bottom of the function, to make code refactoring simpler later. The squashing code is mostly clearing suppgids from ucred, and no code was using between the old and new position in the function. So that should be pretty safe. Handle suppgids clearing the same way for both function and for both UID or GID squashing. Signed-off-by: Aurelien Degremont Change-Id: I29669af26cf68491bf1b6020548116acf318c0c7 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54194 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Sebastien Buisson Reviewed-by: Andreas Dilger Reviewed-by: Oleg Drokin --- lustre/mdt/mdt_lib.c | 101 ++++++++++++++++++++++++++------------------------- 1 file changed, 51 insertions(+), 50 deletions(-) diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c index 68d420e..ffb950e 100644 --- a/lustre/mdt/mdt_lib.c +++ b/lustre/mdt/mdt_lib.c @@ -124,6 +124,10 @@ static int mdt_root_squash(struct mdt_thread_info *info, ucred->uc_cap = CAP_EMPTY_SET; ucred->uc_suppgids[0] = -1; ucred->uc_suppgids[1] = -1; + if (ucred->uc_ginfo) { + put_group_info(ucred->uc_ginfo); + ucred->uc_ginfo = NULL; + } RETURN(0); } @@ -200,7 +204,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, __u32 perm = 0; int setuid; int setgid; - bool is_nm_gid_squashed = false; int rc = 0; ENTRY; @@ -230,22 +233,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, ucred->uc_o_fsuid = pud->pud_fsuid; ucred->uc_o_fsgid = pud->pud_fsgid; - if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) { - /* deny access before we get identity ref */ - if (nodemap->nmf_deny_unknown) { - nodemap_putref(nodemap); - RETURN(-EACCES); - } - - ucred->uc_suppgids[0] = -1; - ucred->uc_suppgids[1] = -1; - } - - if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid) - is_nm_gid_squashed = true; - - nodemap_putref(nodemap); - if (type == BODY_INIT) { struct mdt_body *body = (struct mdt_body *)buf; @@ -260,9 +247,14 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, libcfs_nidstr(&peernid), req->rq_auth_uid, pud->pud_uid, pud->pud_gid, pud->pud_fsuid, pud->pud_fsgid); - RETURN(-EACCES); + GOTO(out_nodemap, rc = -EACCES); } + if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid && + nodemap->nmf_deny_unknown) + /* deny access before we get identity ref */ + GOTO(out, rc = -EACCES); + if (is_identity_get_disabled(mdt->mdt_identity_cache)) { ucred->uc_identity = NULL; perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM; @@ -280,7 +272,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, CDEBUG(D_SEC, "Deny access without identity: uid %u\n", pud->pud_uid); - RETURN(-EACCES); + GOTO(out_nodemap, rc = -EACCES); } } else { ucred->uc_identity = identity; @@ -311,42 +303,45 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, GOTO(out, rc = -EACCES); } - if (perm & CFS_SETGRP_PERM) { - /* only set groups if GID is not squashed */ - if (pud->pud_ngroups && !is_nm_gid_squashed) { - /* setgroups for local client */ - ucred->uc_ginfo = groups_alloc(pud->pud_ngroups); - if (!ucred->uc_ginfo) { - CERROR("failed to alloc %d groups\n", - pud->pud_ngroups); - GOTO(out, rc = -ENOMEM); - } - - lustre_groups_from_list(ucred->uc_ginfo, - pud->pud_groups); - lustre_groups_sort(ucred->uc_ginfo); - } else { - ucred->uc_suppgids[0] = -1; - ucred->uc_suppgids[1] = -1; - ucred->uc_ginfo = NULL; + if (perm & CFS_SETGRP_PERM && pud->pud_ngroups) { + /* setgroups for local client */ + ucred->uc_ginfo = groups_alloc(pud->pud_ngroups); + if (!ucred->uc_ginfo) { + CERROR("failed to alloc %d groups\n", + pud->pud_ngroups); + GOTO(out, rc = -ENOMEM); } + + lustre_groups_from_list(ucred->uc_ginfo, pud->pud_groups); + lustre_groups_sort(ucred->uc_ginfo); } else { ucred->uc_suppgids[0] = -1; ucred->uc_suppgids[1] = -1; ucred->uc_ginfo = NULL; } + ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap); + ucred->uc_uid = pud->pud_uid; ucred->uc_gid = pud->pud_gid; - ucred->uc_cap = CAP_EMPTY_SET; - if (!nodemap || ucred->uc_o_uid != nodemap->nm_squash_uid) - ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap); - ucred->uc_fsuid = pud->pud_fsuid; ucred->uc_fsgid = pud->pud_fsgid; - /* process root_squash here. */ + /* clear suppgids if uid or gid was squashed. */ + if (nodemap && + (ucred->uc_o_uid == nodemap->nm_squash_uid || + ucred->uc_o_gid == nodemap->nm_squash_gid)) { + + ucred->uc_cap = CAP_EMPTY_SET; + ucred->uc_suppgids[0] = -1; + ucred->uc_suppgids[1] = -1; + if (ucred->uc_ginfo) { + put_group_info(ucred->uc_ginfo); + ucred->uc_ginfo = NULL; + } + } + mdt_root_squash(info, &peernid); if (ucred->uc_fsuid) { @@ -385,6 +380,8 @@ out: } } +out_nodemap: + nodemap_putref(nodemap); return rc; } @@ -506,15 +503,10 @@ static int old_init_ucred_common(struct mdt_thread_info *info, struct mdt_device *mdt = info->mti_mdt; struct md_identity *identity = NULL; - if (nodemap && uc->uc_o_uid == nodemap->nm_squash_uid) { + if (nodemap && uc->uc_o_uid == nodemap->nm_squash_uid + && nodemap->nmf_deny_unknown) /* deny access before we get identity ref */ - if (nodemap->nmf_deny_unknown) - RETURN(-EACCES); - - uc->uc_cap = CAP_EMPTY_SET; - uc->uc_suppgids[0] = -1; - uc->uc_suppgids[1] = -1; - } + RETURN(-EACCES); if (!is_identity_get_disabled(mdt->mdt_identity_cache)) { identity = mdt_identity_get(mdt->mdt_identity_cache, @@ -533,6 +525,15 @@ static int old_init_ucred_common(struct mdt_thread_info *info, } uc->uc_identity = identity; + if (nodemap && + (uc->uc_o_uid == nodemap->nm_squash_uid || + uc->uc_o_gid == nodemap->nm_squash_gid)) { + + uc->uc_cap = CAP_EMPTY_SET; + uc->uc_suppgids[0] = -1; + uc->uc_suppgids[1] = -1; + } + /* process root_squash here. */ mdt_root_squash(info, &mdt_info_req(info)->rq_peer.nid); -- 1.8.3.1