+ /* check permission of setgid */
+ if (setgid && !(perm & CFS_SETGID_PERM)) {
+ CDEBUG(D_SEC, "mdt blocked setgid attempt (%u:%u/%u:%u -> %u) "
+ "from %s\n", pud->pud_uid, pud->pud_gid,
+ pud->pud_fsuid, pud->pud_fsgid, identity->mi_gid,
+ libcfs_nid2str(peernid));
+ GOTO(out, rc = -EACCES);
+ }
+
+ EXIT;
+
+out:
+ mdt_identity_put(mdt->mdt_identity_cache, identity);
+ return rc;
+}
+
+static int old_init_ucred(struct mdt_thread_info *info,
+ struct mdt_body *body)
+{
+ struct lu_ucred *uc = mdt_ucred(info);
+ struct mdt_device *mdt = info->mti_mdt;
+ struct md_identity *identity = NULL;
+
+ ENTRY;
+
+ LASSERT(uc != NULL);
+ uc->uc_valid = UCRED_INVALID;
+ uc->uc_o_uid = uc->uc_uid = body->uid;
+ uc->uc_o_gid = uc->uc_gid = body->gid;
+ uc->uc_o_fsuid = uc->uc_fsuid = body->fsuid;
+ uc->uc_o_fsgid = uc->uc_fsgid = body->fsgid;
+ uc->uc_suppgids[0] = body->suppgid;
+ uc->uc_suppgids[1] = -1;
+ uc->uc_ginfo = NULL;
+ if (!is_identity_get_disabled(mdt->mdt_identity_cache)) {
+ identity = mdt_identity_get(mdt->mdt_identity_cache,
+ uc->uc_fsuid);
+ if (IS_ERR(identity)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
+ identity = NULL;
+ } else {
+ CDEBUG(D_SEC, "Deny access without identity: "
+ "uid %u\n", uc->uc_fsuid);
+ RETURN(-EACCES);
+ }
+ }
+ }
+ uc->uc_identity = identity;
+
+ /* process root_squash here. */
+ mdt_root_squash(info, mdt_info_req(info)->rq_peer.nid);
+
+ /* remove fs privilege for non-root user. */
+ if (uc->uc_fsuid)
+ uc->uc_cap = body->capability & ~CFS_CAP_FS_MASK;
+ else
+ uc->uc_cap = body->capability;
+ uc->uc_valid = UCRED_OLD;
+
+ RETURN(0);
+}
+
+static int old_init_ucred_reint(struct mdt_thread_info *info)
+{
+ struct lu_ucred *uc = mdt_ucred(info);
+ struct mdt_device *mdt = info->mti_mdt;
+ struct md_identity *identity = NULL;
+
+ ENTRY;
+
+ LASSERT(uc != NULL);
+ uc->uc_valid = UCRED_INVALID;
+ uc->uc_o_uid = uc->uc_o_fsuid = uc->uc_uid = uc->uc_fsuid;
+ uc->uc_o_gid = uc->uc_o_fsgid = uc->uc_gid = uc->uc_fsgid;
+ uc->uc_ginfo = NULL;
+ if (!is_identity_get_disabled(mdt->mdt_identity_cache)) {
+ identity = mdt_identity_get(mdt->mdt_identity_cache,
+ uc->uc_fsuid);
+ if (IS_ERR(identity)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
+ identity = NULL;
+ } else {
+ CDEBUG(D_SEC, "Deny access without identity: "
+ "uid %u\n", uc->uc_fsuid);
+ RETURN(-EACCES);
+ }
+ }
+ }
+ uc->uc_identity = identity;
+
+ /* process root_squash here. */
+ mdt_root_squash(info, mdt_info_req(info)->rq_peer.nid);
+
+ /* remove fs privilege for non-root user. */
+ if (uc->uc_fsuid)
+ uc->uc_cap &= ~CFS_CAP_FS_MASK;
+ uc->uc_valid = UCRED_OLD;
+
+ RETURN(0);