Lustre has a 'squash credentials' concept similar to the "anon_uid"
for nfsd. When accessing a file with squashed credentials, we
need to also drop capabilities.
Linux has cap_drop_fs_set() and cap_drop_nfsd_set(). Rather than
taking a completely different approach, this patch changes lustre
to use this same cap_drop_*_set() approach.
With this change we also drop CAP_MKNOD and CAP_MAC_OVERRIDE
which are probably appropriate, and don't drop
CAP_SYS_ADMIN or CAP_SYS_BOOT which should be irrelevant for
file permission checking
Calling both cap_drop_*_set() seems a bit clumsy, but gets
the job done.
Linux-commit:
f497115d4cf8a430c5d9902ce35716ba5f9c21ef
Change-Id: I2f4f691bc4ad090f6abaa4e13eb473bf8d904b23
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-on: https://review.whamcloud.com/41957
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
typedef __u32 cfs_cap_t;
-#define CFS_CAP_FS_MASK (BIT(CAP_CHOWN) | \
- BIT(CAP_DAC_OVERRIDE) | \
- BIT(CAP_DAC_READ_SEARCH) | \
- BIT(CAP_FOWNER) | \
- BIT(CAP_FSETID) | \
- BIT(CAP_LINUX_IMMUTABLE) | \
- BIT(CAP_SYS_ADMIN) | \
- BIT(CAP_SYS_BOOT) | \
- BIT(CAP_SYS_RESOURCE))
-
static inline cfs_cap_t cfs_curproc_cap_pack(void)
{
/* cfs_cap_t is only the first word of kernel_cap_t */
struct root_squash_info *squash;
struct cred *cred = NULL;
const struct cred *old_cred = NULL;
- cfs_cap_t cap;
bool squash_id = false;
ktime_t kstart = ktime_get();
cred->fsuid = make_kuid(&init_user_ns, squash->rsi_uid);
cred->fsgid = make_kgid(&init_user_ns, squash->rsi_gid);
- for (cap = 0; cap < sizeof(cfs_cap_t) * 8; cap++) {
- if (BIT(cap) & CFS_CAP_FS_MASK)
- cap_lower(cred->cap_effective, cap);
- }
+ cred->cap_effective = cap_drop_nfsd_set(cred->cap_effective);
+ cred->cap_effective = cap_drop_fs_set(cred->cap_effective);
+
old_cred = override_creds(cred);
}