1. 06 12月, 2012 1 次提交
  2. 03 11月, 2012 1 次提交
    • J
      cifs: fix potential buffer overrun in cifs.idmap handling code · 36960e44
      Jeff Layton 提交于
      The userspace cifs.idmap program generally works with the wbclient libs
      to generate binary SIDs in userspace. That program defines the struct
      that holds these values as having a max of 15 subauthorities. The kernel
      idmapping code however limits that value to 5.
      
      When the kernel copies those values around though, it doesn't sanity
      check the num_subauths value handed back from userspace or from the
      server. It's possible therefore for userspace to hand us back a bogus
      num_subauths value (or one that's valid, but greater than 5) that could
      cause the kernel to walk off the end of the cifs_sid->sub_auths array.
      
      Fix this by defining a new routine for copying sids and using that in
      all of the places that copy it. If we end up with a sid that's longer
      than expected then this approach will just lop off the "extra" subauths,
      but that's basically what the code does today already. Better approaches
      might be to fix this code to reject SIDs with >5 subauths, or fix it
      to handle the subauths array dynamically.
      
      At the same time, change the kernel to check the length of the data
      returned by userspace. If it's shorter than struct cifs_sid, reject it
      and return -EIO. If that happens we'll end up with fields that are
      basically uninitialized.
      
      Long term, it might make sense to redefine cifs_sid using a flexarray at
      the end, to allow for variable-length subauth lists, and teach the code
      to handle the case where the subauths array being passed in from
      userspace is shorter than 5 elements.
      
      Note too, that I don't consider this a security issue since you'd need
      a compromised cifs.idmap program. If you have that, you can do all sorts
      of nefarious stuff. Still, this is probably reasonable for stable.
      
      Cc: stable@kernel.org
      Reviewed-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      36960e44
  3. 08 10月, 2012 1 次提交
    • D
      KEYS: Add payload preparsing opportunity prior to key instantiate or update · cf7f601c
      David Howells 提交于
      Give the key type the opportunity to preparse the payload prior to the
      instantiation and update routines being called.  This is done with the
      provision of two new key type operations:
      
      	int (*preparse)(struct key_preparsed_payload *prep);
      	void (*free_preparse)(struct key_preparsed_payload *prep);
      
      If the first operation is present, then it is called before key creation (in
      the add/update case) or before the key semaphore is taken (in the update and
      instantiate cases).  The second operation is called to clean up if the first
      was called.
      
      preparse() is given the opportunity to fill in the following structure:
      
      	struct key_preparsed_payload {
      		char		*description;
      		void		*type_data[2];
      		void		*payload;
      		const void	*data;
      		size_t		datalen;
      		size_t		quotalen;
      	};
      
      Before the preparser is called, the first three fields will have been cleared,
      the payload pointer and size will be stored in data and datalen and the default
      quota size from the key_type struct will be stored into quotalen.
      
      The preparser may parse the payload in any way it likes and may store data in
      the type_data[] and payload fields for use by the instantiate() and update()
      ops.
      
      The preparser may also propose a description for the key by attaching it as a
      string to the description field.  This can be used by passing a NULL or ""
      description to the add_key() system call or the key_create_or_update()
      function.  This cannot work with request_key() as that required the description
      to tell the upcall about the key to be created.
      
      This, for example permits keys that store PGP public keys to generate their own
      name from the user ID and public key fingerprint in the key.
      
      The instantiate() and update() operations are then modified to look like this:
      
      	int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);
      	int (*update)(struct key *key, struct key_preparsed_payload *prep);
      
      and the new payload data is passed in *prep, whether or not it was preparsed.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      cf7f601c
  4. 25 9月, 2012 1 次提交
  5. 24 7月, 2012 2 次提交
  6. 19 1月, 2012 1 次提交
  7. 13 1月, 2012 1 次提交
  8. 17 10月, 2011 1 次提交
    • S
      cifs: Call id to SID mapping functions to change owner/group (try #4 repost) · a5ff3769
      Shirish Pargaonkar 提交于
      Now build security descriptor to change either owner or group at the
      server.  Initially security descriptor was built to change only
      (D)ACL, that functionality has been extended.
      
      When either an Owner or a Group of a file object at the server is changed,
      rest of security descriptor remains same (DACL etc.).
      
      To set security descriptor, it is necessary to open that file
      with permission bits of either WRITE_DAC if DACL is being modified or
      WRITE_OWNER (Take Ownership) if Owner or Group is being changed.
      
      It is the server that decides whether a set security descriptor with
      either owner or group change succeeds or not.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      a5ff3769
  9. 13 10月, 2011 2 次提交
    • S
      cifs: Add data structures and functions for uid/gid to SID mapping (try #4) · 21fed0d5
      Shirish Pargaonkar 提交于
      Add data structures and functions necessary to map a uid and gid to SID.
      These functions are very similar to the ones used to map a SID to uid and gid.
      This time, instead of storing sid to id mapping sorted on a sid value,
      id to sid is stored, sorted on an id.
      A cifs upcall sends an id (uid or gid) and expects a SID structure
      in return, if mapping was done successfully.
      
      A failed id to sid mapping to EINVAL.
      
      This patchset aims to enable chown and chgrp commands when
      cifsacl mount option is specified, especially to Windows SMB servers.
      Currently we can't do that.  So now along with chmod command,
      chown and chgrp work.
      
      Winbind is used to map id to a SID.  chown and chgrp use an upcall
      to provide an id to winbind and upcall returns with corrosponding
      SID if any exists. That SID is used to build security descriptor.
      The DACL part of a security descriptor is not changed by either
      chown or chgrp functionality.
      
      cifs client maintains a separate caches for uid to SID and
      gid to SID mapping. This is similar to the one used earlier
      to map SID to id (as part of ID mapping code).
      
      I tested it by mounting shares from a Windows (2003) server by
      authenticating as two users, one at a time, as Administrator and
      as a ordinary user.
      And then attempting to change owner of a file on the share.
      
      Depending on the permissions/privileges at the server for that file,
      chown request fails to either open a file (to change the ownership)
      or to set security descriptor.
      So it all depends on privileges on the file at the server and what
      user you are authenticated as at the server, cifs client is just a
      conduit.
      
      I compared the security descriptor during chown command to that
      what smbcacls sends when it is used with -M OWNNER: option
      and they are similar.
      
      This patchset aim to enable chown and chgrp commands when
      cifsacl mount option is specified, especially to Windows SMB servers.
      Currently we can't do that.  So now along with chmod command,
      chown and chgrp work.
      
      I tested it by mounting shares from a Windows (2003) server by
      authenticating as two users, one at a time, as Administrator and
      as a ordinary user.
      And then attempting to change owner of a file on the share.
      
      Depending on the permissions/privileges at the server for that file,
      chown request fails to either open a file (to change the ownership)
      or to set security descriptor.
      So it all depends on privileges on the file at the server and what
      user you are authenticated as at the server, cifs client is just a
      conduit.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      21fed0d5
    • S
      cifs: Add mount options for backup intent (try #6) · 3d3ea8e6
      Shirish Pargaonkar 提交于
      Add mount options backupuid and backugid.
      
      It allows an authenticated user to access files with the intent to back them
      up including their ACLs, who may not have access permission but has
      "Backup files and directories user right" on them (by virtue of being part
      of the built-in group Backup Operators.
      
      When mount options backupuid is specified, cifs client restricts the
      use of backup intents to the user whose effective user id is specified
      along with the mount option.
      
      When mount options backupgid is specified, cifs client restricts the
      use of backup intents to the users whose effective user id belongs to the
      group id specified along with the mount option.
      
      If an authenticated user is not part of the built-in group Backup Operators
      at the server, access to such files is denied, even if allowed by the client.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      3d3ea8e6
  10. 12 8月, 2011 1 次提交
    • S
      cifs: Do not set cifs/ntfs acl using a file handle (try #4) · e22906c5
      Shirish Pargaonkar 提交于
      Set security descriptor using path name instead of a file handle.
      We can't be sure that the file handle has adequate permission to
      set a security descriptor (to modify DACL).
      
      Function set_cifs_acl_by_fid() has been removed since we can't be
      sure how a file was opened for writing, a valid request can fail
      if the file was not opened with two above mentioned permissions.
      We could have opted to add on WRITE_DAC and WRITE_OWNER permissions
      to file opens and then use that file handle but adding addtional
      permissions such as WRITE_DAC and WRITE_OWNER could cause an
      any open to fail.
      
      And it was incorrect to look for read file handle to set a
      security descriptor anyway.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      e22906c5
  11. 30 5月, 2011 1 次提交
  12. 28 5月, 2011 1 次提交
  13. 27 5月, 2011 2 次提交
  14. 19 5月, 2011 5 次提交
  15. 06 2月, 2011 1 次提交
  16. 20 1月, 2011 1 次提交
  17. 07 12月, 2010 1 次提交
  18. 30 11月, 2010 2 次提交
  19. 11 11月, 2010 1 次提交
  20. 07 10月, 2010 2 次提交
  21. 30 9月, 2010 1 次提交
  22. 21 4月, 2010 1 次提交
    • J
      [CIFS] Neaten cERROR and cFYI macros, reduce text space · b6b38f70
      Joe Perches 提交于
      Neaten cERROR and cFYI macros, reduce text space
      ~2.5K
      
      Convert '__FILE__ ": " fmt' to '"%s: " fmt', __FILE__' to save text space
      Surround macros with do {} while
      Add parentheses to macros
      Make statement expression macro from macro with assign
      Remove now unnecessary parentheses from cFYI and cERROR uses
      
      defconfig with CIFS support old
      $ size fs/cifs/built-in.o
         text	   data	    bss	    dec	    hex	filename
       156012	   1760	    148	 157920	  268e0	fs/cifs/built-in.o
      
      defconfig with CIFS support old
      $ size fs/cifs/built-in.o
         text	   data	    bss	    dec	    hex	filename
       153508	   1760	    148	 155416	  25f18	fs/cifs/built-in.o
      
      allyesconfig old:
      $ size fs/cifs/built-in.o
         text	   data	    bss	    dec	    hex	filename
       309138	   3864	  74824	 387826	  5eaf2	fs/cifs/built-in.o
      
      allyesconfig new
      $ size fs/cifs/built-in.o
         text	   data	    bss	    dec	    hex	filename
       305655	   3864	  74824	 384343	  5dd57	fs/cifs/built-in.o
      Signed-off-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      b6b38f70
  23. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  24. 02 9月, 2009 1 次提交
  25. 10 7月, 2009 1 次提交
  26. 29 5月, 2009 2 次提交
  27. 24 7月, 2008 2 次提交
  28. 13 7月, 2008 1 次提交
  29. 09 5月, 2008 1 次提交