This is a follow up of LU-6528.
When "no_subtree_check" is set for NFS export, nfsd_set_fh_dentry()
doesn't set correct fsuid explicitely, but raise capability to allow
exportfs_decode_fh() to reconnect disconnected dentry into dcache.
The patch of LU-6528 fixed the issue for mdt_reint_getattr() but
missed the case for mdt_getattr_name().
LU-6528 added drop_fs_cap to old_init_ucred() to preserve
the capability but the logic was removed by LU-7199 commit
2aea469a3a, this patch reverts that.
This patch also makes sure old_init_ucred() won't fail identity check
when we have a raised capability but not a valid fsuid.
Signed-off-by: Li Dongyang <dongyang.li@anu.edu.au>
Change-Id: Ia41a8243eb18b1e469529bef186e3239fe9ebc1d
Reviewed-on: http://review.whamcloud.com/17815
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Bobi Jam <bobijam@hotmail.com>
Reviewed-by: Lai Siyao <lai.siyao@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
repbody->mbo_eadatasize = 0;
repbody->mbo_aclsize = 0;
- rc = mdt_init_ucred(info, reqbody);
+ rc = mdt_init_ucred_intent_getattr(info, reqbody);
if (unlikely(rc))
GOTO(out_shrink, rc);
identity = mdt_identity_get(mdt->mdt_identity_cache,
uc->uc_fsuid);
if (IS_ERR(identity)) {
- if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG ||
+ uc->uc_cap & CFS_CAP_FS_MASK)) {
identity = NULL;
} else {
CDEBUG(D_SEC, "Deny access without identity: "
mdt_root_squash(info, mdt_info_req(info)->rq_peer.nid);
/* remove fs privilege for non-root user. */
- if (uc->uc_fsuid)
+ if (uc->uc_fsuid && drop_fs_cap)
uc->uc_cap &= ~CFS_CAP_FS_MASK;
uc->uc_valid = UCRED_OLD;
ucred_set_jobid(info, uc);