From: Li Xi
Date: Tue, 4 Mar 2014 08:48:43 +0000 (+0800)
Subject: LU-4704 acl: fix permission problem of setfacl
X-Git-Tag: 2.5.57~29
X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=59fb3523a2adaa5e0234ba5b63a3a672aa0b9f2e

LU-4704 acl: fix permission problem of setfacl

Setxattr does not check the permission when setting ACL xattrs. This will cause a security problem because any user can walk around permission checking by changing ACL rules.

Signed-off-by: Li Xi
Change-Id: I1e5c44674f2e22ecbe29a589a219bed52d037b9b
Reviewed-on: http://review.whamcloud.com/9473
Tested-by: Jenkins
Reviewed-by: Andreas Dilger
Reviewed-by: Bob Glossman
Reviewed-by: John L. Hammond
Tested-by: Maloo
Reviewed-by: Oleg Drokin
---
diff --git a/lustre/autoconf/lustre-core.m4 b/lustre/autoconf/lustre-core.m4 index e8802dc..804b6e0 100644 --- a/lustre/autoconf/lustre-core.m4 +++ b/lustre/autoconf/lustre-core.m4 @@ -765,6 +765,24 @@ AC_DEFUN([LC_HAVE_FHANDLE_SYSCALLS], ]) # +# 2.6.39 renames is_owner_or_cap to inode_owner_or_capable +# +AC_DEFUN([LC_HAVE_INODE_OWNER_OR_CAPABLE], +[AC_MSG_CHECKING([if inode_owner_or_capable exist]) +LB_LINUX_TRY_COMPILE([ + #include +],[ + inode_owner_or_capable(NULL); +],[ + AC_DEFINE(HAVE_INODE_OWNER_OR_CAPABLE, 1, + [inode_owner_or_capable exist]) + AC_MSG_RESULT([yes]) +],[ + AC_MSG_RESULT([no]) +]) +]) + +# # 3.0 dirty_inode() has a flag parameter # see kernel commit aa38572954ade525817fe88c54faebf85e5a61c0 # @@ -1487,6 +1505,7 @@ AC_DEFUN([LC_PROG_LINUX], LC_HAVE_FHANDLE_SYSCALLS LC_HAVE_FSTYPE_MOUNT LC_IOP_TRUNCATE + LC_HAVE_INODE_OWNER_OR_CAPABLE # 3.0 LC_DIRTY_INODE_WITH_FLAG diff --git a/lustre/llite/xattr.c b/lustre/llite/xattr.c index bde8a35..509d9c8 100644 --- a/lustre/llite/xattr.c +++ b/lustre/llite/xattr.c 
@@ -123,6 +123,15 @@ int ll_setxattr_common(struct inode *inode, const char *name, if (rc) RETURN(rc); + if ((xattr_type == XATTR_ACL_ACCESS_T || + xattr_type == XATTR_ACL_DEFAULT_T) && +#ifdef HAVE_INODE_OWNER_OR_CAPABLE + !inode_owner_or_capable(inode)) +#else + !is_owner_or_cap(inode)) +#endif + return -EPERM; + /* b10667: ignore lustre special xattr for now */ if ((xattr_type == XATTR_TRUSTED_T && strcmp(name, "trusted.lov") == 0) || (xattr_type == XATTR_LUSTRE_T && strcmp(name, "lustre.lov") == 0))
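
Review bot: in the new LC_HAVE_INODE_OWNER_OR_CAPABLE macro in lustre/autoconf/lustre-core.m4, the comment gives only the kernel version of the rename, while the neighbouring "3.0 dirty_inode()" check also cites the kernel commit; adding a "see kernel commit ..." line would keep the checks consistent and make the rename easy to verify. The AC_MSG_CHECKING text and the AC_DEFINE description both read "inode_owner_or_capable exist"; since these strings surface in configure output and the generated config header, "exists" would be better.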
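
Review bot: in ll_setxattr_common() in lustre/llite/xattr.c, the new ACL ownership check exits with a bare "return -EPERM;" while the early exit directly above it uses "RETURN(rc);", so this path should use RETURN(-EPERM) to match the rest of the function. The #ifdef/#else is also spliced into the middle of the if condition, which leaves the parentheses balanced only per branch and is easy to break later; a single compat definition that maps inode_owner_or_capable to is_owner_or_cap when HAVE_INODE_OWNER_OR_CAPABLE is not defined would let the call site be one plain condition. Since the commit message describes a permission bypass and the patch touches only this llite function, it would help to state in the message whether any other path that can set ACL xattrs already enforces the same owner-or-capable rule.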