From: Aurelien Degremont Date: Tue, 27 Feb 2024 12:20:33 +0000 (+0100) Subject: LU-17566 mdt: move squash code in new/old_init_ucred X-Git-Url: https://git.whamcloud.com/gitweb?a=commitdiff_plain;h=8b23ceb4a652df2170c6dfe9f70ad83e5989b9c0;p=fs%2Flustre-release.git LU-17566 mdt: move squash code in new/old_init_ucred Move the uid/gid squashing code at the same place, at the bottom of the function, to make code refactoring simpler later. The squashing code is mostly clearing suppgids from ucred, and no code was using between the old and new position in the function. So that should be pretty safe. Handle suppgids clearing the same way for both function and for both UID or GID squashing. Lustre-change: https://review.whamcloud.com/54194 Lustre-commit: 1730d8093fb36e7957414d314755ae5208da1011 Signed-off-by: Aurelien Degremont Change-Id: I29669af26cf68491bf1b6020548116acf318c0c7 Reviewed-by: Andreas Dilger Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/54558 Reviewed-by: Sebastien Buisson Tested-by: jenkins Tested-by: Maloo --- diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c index 6d501e9..a5916e2 100644 --- a/lustre/mdt/mdt_lib.c +++ b/lustre/mdt/mdt_lib.c @@ -124,6 +124,10 @@ static int mdt_root_squash(struct mdt_thread_info *info, lnet_nid_t peernid) ucred->uc_cap = CAP_EMPTY_SET; ucred->uc_suppgids[0] = -1; ucred->uc_suppgids[1] = -1; + if (ucred->uc_ginfo) { + put_group_info(ucred->uc_ginfo); + ucred->uc_ginfo = NULL; + } RETURN(0); } @@ -199,7 +203,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, __u32 perm = 0; int setuid; int setgid; - bool is_nm_gid_squashed = false; int rc = 0; ENTRY; 
@@ -229,22 +232,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, ucred->uc_o_fsuid = pud->pud_fsuid; ucred->uc_o_fsgid = pud->pud_fsgid; - if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) { - /* deny access before we get identity ref */ - if (nodemap->nmf_deny_unknown) { - nodemap_putref(nodemap); - RETURN(-EACCES); - } - - ucred->uc_suppgids[0] = -1; - ucred->uc_suppgids[1] = -1; - } - - if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid) - is_nm_gid_squashed = true; - - nodemap_putref(nodemap); - if (type == BODY_INIT) { struct mdt_body *body = (struct mdt_body *)buf; @@ -259,9 +246,14 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, libcfs_nid2str(peernid), req->rq_auth_uid, pud->pud_uid, pud->pud_gid, pud->pud_fsuid, pud->pud_fsgid); - RETURN(-EACCES); + GOTO(out_nodemap, rc = -EACCES); } + if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid && + nodemap->nmf_deny_unknown) + /* deny access before we get identity ref */ + GOTO(out, rc = -EACCES); + if (is_identity_get_disabled(mdt->mdt_identity_cache)) { ucred->uc_identity = NULL; perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM; @@ -279,7 +271,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, CDEBUG(D_SEC, "Deny access without identity: uid %u\n", pud->pud_uid); - RETURN(-EACCES); + GOTO(out_nodemap, rc = -EACCES); } } else { ucred->uc_identity = identity; 
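Review bot: The new deny_unknown early exit in the `-259,9 +246,14` hunk jumps to `out`, while the two neighbouring early exits converted by this commit (the auth-uid mismatch just above it and the "Deny access without identity" path in the next hunk) jump to `out_nodemap`. Its own comment says it runs before the identity reference is taken, so there is nothing for `out` to release on this path. The body of `out` lies outside the hunks; if it puts `uc_identity` or `uc_ginfo` on error, this exit depends on those fields already being NULL here, which the diff does not show. `GOTO(out_nodemap, rc = -EACCES);` would make the three pre-identity exits consistent and remove that dependency.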
@@ -310,42 +302,45 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, GOTO(out, rc = -EACCES); } - if (perm & CFS_SETGRP_PERM) { - /* only set groups if GID is not squashed */ - if (pud->pud_ngroups && !is_nm_gid_squashed) { - /* setgroups for local client */ - ucred->uc_ginfo = groups_alloc(pud->pud_ngroups); - if (!ucred->uc_ginfo) { - CERROR("failed to alloc %d groups\n", - pud->pud_ngroups); - GOTO(out, rc = -ENOMEM); - } - - lustre_groups_from_list(ucred->uc_ginfo, - pud->pud_groups); - lustre_groups_sort(ucred->uc_ginfo); - } else { - ucred->uc_suppgids[0] = -1; - ucred->uc_suppgids[1] = -1; - ucred->uc_ginfo = NULL; + if (perm & CFS_SETGRP_PERM && pud->pud_ngroups) { + /* setgroups for local client */ + ucred->uc_ginfo = groups_alloc(pud->pud_ngroups); + if (!ucred->uc_ginfo) { + CERROR("failed to alloc %d groups\n", + pud->pud_ngroups); + GOTO(out, rc = -ENOMEM); } + + lustre_groups_from_list(ucred->uc_ginfo, pud->pud_groups); + lustre_groups_sort(ucred->uc_ginfo); } else { ucred->uc_suppgids[0] = -1; ucred->uc_suppgids[1] = -1; ucred->uc_ginfo = NULL; } + ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap); + ucred->uc_uid = pud->pud_uid; ucred->uc_gid = pud->pud_gid; - ucred->uc_cap = CAP_EMPTY_SET; - if (!nodemap || ucred->uc_o_uid != nodemap->nm_squash_uid) - ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap); - ucred->uc_fsuid = pud->pud_fsuid; ucred->uc_fsgid = pud->pud_fsgid; - /* process root_squash here. */ + /* clear suppgids if uid or gid was squashed. */ + if (nodemap && + (ucred->uc_o_uid == nodemap->nm_squash_uid || + ucred->uc_o_gid == nodemap->nm_squash_gid)) { + + ucred->uc_cap = CAP_EMPTY_SET; + ucred->uc_suppgids[0] = -1; + ucred->uc_suppgids[1] = -1; + if (ucred->uc_ginfo) { + put_group_info(ucred->uc_ginfo); + ucred->uc_ginfo = NULL; + } + } + mdt_root_squash(info, peernid); if (ucred->uc_fsuid) { @@ -383,6 +378,8 @@ out: } } +out_nodemap: + nodemap_putref(nodemap); return rc; } 
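Review bot: The comment `/* clear suppgids if uid or gid was squashed. */` in the `-310,42 +302,45` hunk understates what the block does, since it also resets `uc_cap` to `CAP_EMPTY_SET` and releases `uc_ginfo`. In the removed lines, capabilities were withheld only on a squash-UID match and the group list only on a squash-GID match, so a request squashed on one id alone now loses both. That tightening should be stated next to the code, not only in the commit message. I would reword the comment to `/* uid or gid was squashed: drop capabilities, suppgids and the client-supplied group list */`. Separately, `perm & CFS_SETGRP_PERM && pud->pud_ngroups` parses as intended but is easier to audit as `(perm & CFS_SETGRP_PERM) && pud->pud_ngroups`.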
@@ -503,15 +500,10 @@ static int old_init_ucred_common(struct mdt_thread_info *info, struct mdt_device *mdt = info->mti_mdt; struct md_identity *identity = NULL; - if (nodemap && uc->uc_o_uid == nodemap->nm_squash_uid) { + if (nodemap && uc->uc_o_uid == nodemap->nm_squash_uid + && nodemap->nmf_deny_unknown) /* deny access before we get identity ref */ - if (nodemap->nmf_deny_unknown) - RETURN(-EACCES); - - uc->uc_cap = CAP_EMPTY_SET; - uc->uc_suppgids[0] = -1; - uc->uc_suppgids[1] = -1; - } + RETURN(-EACCES); if (!is_identity_get_disabled(mdt->mdt_identity_cache)) { identity = mdt_identity_get(mdt->mdt_identity_cache, @@ -530,6 +522,15 @@ static int old_init_ucred_common(struct mdt_thread_info *info, } uc->uc_identity = identity; + if (nodemap && + (uc->uc_o_uid == nodemap->nm_squash_uid || + uc->uc_o_gid == nodemap->nm_squash_gid)) { + + uc->uc_cap = CAP_EMPTY_SET; + uc->uc_suppgids[0] = -1; + uc->uc_suppgids[1] = -1; + } + /* process root_squash here. */ mdt_root_squash(info, mdt_info_req(info)->rq_peer.nid);
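Review bot: The deny_unknown check in the `-503,15 +500,10` hunk is the same condition as the one added to new_init_ucred, but it is wrapped differently: here the continuation line starts with `&& nodemap->nmf_deny_unknown`, there the operator ends the first line. Ending the first line with `&&` in both places makes the twin access-denial checks easy to compare by eye. Braces around the comment-plus-`RETURN(-EACCES);` body would also guard against a later statement being added under the unbraced `if`.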
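Review bot: The squash block added to old_init_ucred_common in the `-530,6 +522,15` hunk clears `uc_cap` and both `uc_suppgids` entries but does not release `uc_ginfo`, unlike the blocks this commit adds to mdt_root_squash and new_init_ucred. If `uc_ginfo` can be non-NULL on this path (the callers are outside the diff), a squashed request would keep its supplementary group list. If it is always NULL here, a short comment such as `/* uc_ginfo is never set on the old-style path */` would explain the difference once that is confirmed. Otherwise, adding the same guarded `put_group_info(uc->uc_ginfo)` and `uc->uc_ginfo = NULL` release would match the commit message's stated intent of handling both functions the same way. With three copies of this privilege-drop sequence now in the file, a shared static helper would keep them from drifting apart.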