1. 15 2月, 2008 1 次提交
  2. 02 2月, 2008 2 次提交
    • J
      nfsd: allow root to set uid and gid on create · 5c002b3b
      J. Bruce Fields 提交于
      The server silently ignores attempts to set the uid and gid on create.
      Based on the comment, this appears to have been done to prevent some
      overly-clever IRIX client from causing itself problems.
      
      Perhaps we should remove that hack completely.  For now, at least, it
      makes sense to allow root (when no_root_squash is set) to set uid and
      gid.
      
      While we're there, since nfsd_create and nfsd_create_v3 share the same
      logic, pull that out into a separate function.  And spell out the
      individual modifications of ia_valid instead of doing them both at once
      inside a conditional.
      
      Thanks to Roger Willcocks <roger@filmlight.ltd.uk> for the bug report
      and original patch on which this is based.
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      5c002b3b
    • C
      NFSD: Adjust filename length argument of nfsd_lookup · 5a022fc8
      Chuck Lever 提交于
      Clean up: adjust the sign of the length argument of nfsd_lookup and
      nfsd_lookup_dentry, for consistency with recent changes.  NFSD version
      4 callers already pass an unsigned file name length.
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Acked-By: NNeilBrown <neilb@suse.de>
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      5a022fc8
  3. 20 10月, 2007 1 次提交
  4. 19 10月, 2007 1 次提交
  5. 17 10月, 2007 2 次提交
    • S
      Implement file posix capabilities · b5376771
      Serge E. Hallyn 提交于
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • D
      r/o bind mounts: create cleanup helper svc_msnfs() · a8754bee
      Dave Hansen 提交于
      I'm going to be modifying nfsd_rename() shortly to support read-only bind
      mounts.  This #ifdef is around the area I'm patching, and it starts to get
      really ugly if I just try to add my new code by itself.  Using this little
      helper makes things a lot cleaner to use.
      Signed-off-by: NDave Hansen <haveblue@us.ibm.com>
      Acked-by: NChristoph Hellwig <hch@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a8754bee
  6. 10 10月, 2007 3 次提交
  7. 11 9月, 2007 1 次提交
  8. 01 8月, 2007 1 次提交
  9. 20 7月, 2007 4 次提交
  10. 18 7月, 2007 7 次提交
  11. 14 7月, 2007 1 次提交
  12. 10 7月, 2007 3 次提交
  13. 17 2月, 2007 1 次提交
  14. 31 1月, 2007 1 次提交
  15. 27 1月, 2007 3 次提交
    • N
      [PATCH] knfsd: Fix type mismatch with filldir_t used by nfsd · a0ad13ef
      NeilBrown 提交于
      nfsd defines a type 'encode_dent_fn' which is much like 'filldir_t' except
      that the first pointer is 'struct readdir_cd *' rather than 'void *'.  It
      then casts encode_dent_fn points to 'filldir_t' as needed.  This hides any
      other type mismatches between the two such as the fact that the 'ino' arg
      recently changed from ino_t to u64.
      
      So: get rid of 'encode_dent_fn', get rid of the cast of the function type,
      change the first arg of various functions from 'struct readdir_cd *' to
      'void *', and live with the fact that we have a little less type checking
      on the calling of these functions now.  Less internal (to nfsd) checking
      offset by more external checking, which is more important.
      
      Thanks to Gabriel Paubert <paubert@iram.es> for discovering this and
      providing an initial patch.
      Signed-off-by: NGabriel Paubert <paubert@iram.es>
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a0ad13ef
    • P
      [PATCH] knfsd: Don't mess with the 'mode' when storing a exclusive-create cookie · c397852c
      Peter Staubach 提交于
      NFS V3 (and V4) support exclusive create by passing a 'cookie' which can get
      stored with the file.  If the file exists but has exactly the right cookie
      stored, then we assume this is a retransmit and the exclusive create was
      successful.
      
      The cookie is 64bits and is traditionally stored in the mtime and atime
      fields.  This causes a problem with Solaris7 as negative mtime or atime
      confuse it.  So we moved two bits into the mode word instead.
      
      But inherited ACLs sometimes overwrite the mode word on create, so this is a
      problem.
      
      So we give up and just store 62 of the 64 bits and assume that is close
      enough.
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c397852c
    • N
      [PATCH] knfsd: fix an NFSD bug with full sized, non-page-aligned reads · 250f3915
      NeilBrown 提交于
      NFSd assumes that largest number of pages that will be needed for a
      request+response is 2+N where N pages is the size of the largest permitted
      read/write request.  The '2' are 1 for the non-data part of the request, and 1
      for the non-data part of the reply.
      
      However, when a read request is not page-aligned, and we choose to use
      ->sendfile to send it directly from the page cache, we may need N+1 pages to
      hold the whole reply.  This can overflow and array and cause an Oops.
      
      This patch increases size of the array for holding pages by one and makes sure
      that entry is NULL when it is not in use.
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      250f3915
  16. 14 12月, 2006 1 次提交
    • J
      [PATCH] knfsd: nfsd: don't drop silently on upcall deferral · e0bb89ef
      J.Bruce Fields 提交于
      To avoid tying up server threads when nfsd makes an upcall (to mountd, to get
      export options, to idmapd, for nfsv4 name<->id mapping, etc.), we temporarily
      "drop" the request and save enough information so that we can revisit it
      later.
      
      Certain failures during the deferral process can cause us to really drop the
      request and never revisit it.
      
      This is often less than ideal, and is unacceptable in the NFSv4 case--rfc 3530
      forbids the server from dropping a request without also closing the
      connection.
      
      As a first step, we modify the deferral code to return -ETIMEDOUT (which is
      translated to nfserr_jukebox in the v3 and v4 cases, and remains a drop in the
      v2 case).
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      e0bb89ef
  17. 09 12月, 2006 2 次提交
  18. 09 11月, 2006 2 次提交
  19. 21 10月, 2006 1 次提交
  20. 04 10月, 2006 2 次提交