mirror of
https://github.com/torvalds/linux.git
synced 2024-11-27 22:51:35 +00:00
93faccbbfa
To support unprivileged users mounting filesystems two permission checks have to be performed: a test to see if the user allowed to create a mount in the mount namespace, and a test to see if the user is allowed to access the specified filesystem. The automount case is special in that mounting the original filesystem grants permission to mount the sub-filesystems, to any user who happens to stumble across the their mountpoint and satisfies the ordinary filesystem permission checks. Attempting to handle the automount case by using override_creds almost works. It preserves the idea that permission to mount the original filesystem is permission to mount the sub-filesystem. Unfortunately using override_creds messes up the filesystems ordinary permission checks. Solve this by being explicit that a mount is a submount by introducing vfs_submount, and using it where appropriate. vfs_submount uses a new mount internal mount flags MS_SUBMOUNT, to let sget and friends know that a mount is a submount so they can take appropriate action. sget and sget_userns are modified to not perform any permission checks on submounts. follow_automount is modified to stop using override_creds as that has proven problemantic. do_mount is modified to always remove the new MS_SUBMOUNT flag so that we know userspace will never by able to specify it. autofs4 is modified to stop using current_real_cred that was put in there to handle the previous version of submount permission checking. cifs is modified to pass the mountpoint all of the way down to vfs_submount. debugfs is modified to pass the mountpoint all of the way down to trace_automount by adding a new parameter. To make this change easier a new typedef debugfs_automount_t is introduced to capture the type of the debugfs automount function. Cc: stable@vger.kernel.org Fixes:069d5ac9ae
("autofs: Fix automounts by using current_real_cred()->uid") Fixes:aeaa4a79ff
("fs: Call d_automount with the filesystems creds") Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com> Reviewed-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
290 lines
7.3 KiB
C
290 lines
7.3 KiB
C
/*
|
|
* linux/fs/nfs/namespace.c
|
|
*
|
|
* Copyright (C) 2005 Trond Myklebust <Trond.Myklebust@netapp.com>
|
|
* - Modified by David Howells <dhowells@redhat.com>
|
|
*
|
|
* NFS namespace
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/dcache.h>
|
|
#include <linux/gfp.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/nfs_fs.h>
|
|
#include <linux/string.h>
|
|
#include <linux/sunrpc/clnt.h>
|
|
#include <linux/vfs.h>
|
|
#include <linux/sunrpc/gss_api.h>
|
|
#include "internal.h"
|
|
|
|
#define NFSDBG_FACILITY NFSDBG_VFS
|
|
|
|
static void nfs_expire_automounts(struct work_struct *work);
|
|
|
|
static LIST_HEAD(nfs_automount_list);
|
|
static DECLARE_DELAYED_WORK(nfs_automount_task, nfs_expire_automounts);
|
|
int nfs_mountpoint_expiry_timeout = 500 * HZ;
|
|
|
|
/*
|
|
* nfs_path - reconstruct the path given an arbitrary dentry
|
|
* @base - used to return pointer to the end of devname part of path
|
|
* @dentry - pointer to dentry
|
|
* @buffer - result buffer
|
|
* @buflen - length of buffer
|
|
* @flags - options (see below)
|
|
*
|
|
* Helper function for constructing the server pathname
|
|
* by arbitrary hashed dentry.
|
|
*
|
|
* This is mainly for use in figuring out the path on the
|
|
* server side when automounting on top of an existing partition
|
|
* and in generating /proc/mounts and friends.
|
|
*
|
|
* Supported flags:
|
|
* NFS_PATH_CANONICAL: ensure there is exactly one slash after
|
|
* the original device (export) name
|
|
* (if unset, the original name is returned verbatim)
|
|
*/
|
|
char *nfs_path(char **p, struct dentry *dentry, char *buffer, ssize_t buflen,
|
|
unsigned flags)
|
|
{
|
|
char *end;
|
|
int namelen;
|
|
unsigned seq;
|
|
const char *base;
|
|
|
|
rename_retry:
|
|
end = buffer+buflen;
|
|
*--end = '\0';
|
|
buflen--;
|
|
|
|
seq = read_seqbegin(&rename_lock);
|
|
rcu_read_lock();
|
|
while (1) {
|
|
spin_lock(&dentry->d_lock);
|
|
if (IS_ROOT(dentry))
|
|
break;
|
|
namelen = dentry->d_name.len;
|
|
buflen -= namelen + 1;
|
|
if (buflen < 0)
|
|
goto Elong_unlock;
|
|
end -= namelen;
|
|
memcpy(end, dentry->d_name.name, namelen);
|
|
*--end = '/';
|
|
spin_unlock(&dentry->d_lock);
|
|
dentry = dentry->d_parent;
|
|
}
|
|
if (read_seqretry(&rename_lock, seq)) {
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
goto rename_retry;
|
|
}
|
|
if ((flags & NFS_PATH_CANONICAL) && *end != '/') {
|
|
if (--buflen < 0) {
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
goto Elong;
|
|
}
|
|
*--end = '/';
|
|
}
|
|
*p = end;
|
|
base = dentry->d_fsdata;
|
|
if (!base) {
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
WARN_ON(1);
|
|
return end;
|
|
}
|
|
namelen = strlen(base);
|
|
if (*end == '/') {
|
|
/* Strip off excess slashes in base string */
|
|
while (namelen > 0 && base[namelen - 1] == '/')
|
|
namelen--;
|
|
}
|
|
buflen -= namelen;
|
|
if (buflen < 0) {
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
goto Elong;
|
|
}
|
|
end -= namelen;
|
|
memcpy(end, base, namelen);
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
return end;
|
|
Elong_unlock:
|
|
spin_unlock(&dentry->d_lock);
|
|
rcu_read_unlock();
|
|
if (read_seqretry(&rename_lock, seq))
|
|
goto rename_retry;
|
|
Elong:
|
|
return ERR_PTR(-ENAMETOOLONG);
|
|
}
|
|
EXPORT_SYMBOL_GPL(nfs_path);
|
|
|
|
/*
|
|
* nfs_d_automount - Handle crossing a mountpoint on the server
|
|
* @path - The mountpoint
|
|
*
|
|
* When we encounter a mountpoint on the server, we want to set up
|
|
* a mountpoint on the client too, to prevent inode numbers from
|
|
* colliding, and to allow "df" to work properly.
|
|
* On NFSv4, we also want to allow for the fact that different
|
|
* filesystems may be migrated to different servers in a failover
|
|
* situation, and that different filesystems may want to use
|
|
* different security flavours.
|
|
*/
|
|
struct vfsmount *nfs_d_automount(struct path *path)
|
|
{
|
|
struct vfsmount *mnt;
|
|
struct nfs_server *server = NFS_SERVER(d_inode(path->dentry));
|
|
struct nfs_fh *fh = NULL;
|
|
struct nfs_fattr *fattr = NULL;
|
|
|
|
dprintk("--> nfs_d_automount()\n");
|
|
|
|
mnt = ERR_PTR(-ESTALE);
|
|
if (IS_ROOT(path->dentry))
|
|
goto out_nofree;
|
|
|
|
mnt = ERR_PTR(-ENOMEM);
|
|
fh = nfs_alloc_fhandle();
|
|
fattr = nfs_alloc_fattr();
|
|
if (fh == NULL || fattr == NULL)
|
|
goto out;
|
|
|
|
dprintk("%s: enter\n", __func__);
|
|
|
|
mnt = server->nfs_client->rpc_ops->submount(server, path->dentry, fh, fattr);
|
|
if (IS_ERR(mnt))
|
|
goto out;
|
|
|
|
dprintk("%s: done, success\n", __func__);
|
|
mntget(mnt); /* prevent immediate expiration */
|
|
mnt_set_expiry(mnt, &nfs_automount_list);
|
|
schedule_delayed_work(&nfs_automount_task, nfs_mountpoint_expiry_timeout);
|
|
|
|
out:
|
|
nfs_free_fattr(fattr);
|
|
nfs_free_fhandle(fh);
|
|
out_nofree:
|
|
if (IS_ERR(mnt))
|
|
dprintk("<-- %s(): error %ld\n", __func__, PTR_ERR(mnt));
|
|
else
|
|
dprintk("<-- %s() = %p\n", __func__, mnt);
|
|
return mnt;
|
|
}
|
|
|
|
static int
|
|
nfs_namespace_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
|
|
{
|
|
if (NFS_FH(d_inode(dentry))->size != 0)
|
|
return nfs_getattr(mnt, dentry, stat);
|
|
generic_fillattr(d_inode(dentry), stat);
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
nfs_namespace_setattr(struct dentry *dentry, struct iattr *attr)
|
|
{
|
|
if (NFS_FH(d_inode(dentry))->size != 0)
|
|
return nfs_setattr(dentry, attr);
|
|
return -EACCES;
|
|
}
|
|
|
|
const struct inode_operations nfs_mountpoint_inode_operations = {
|
|
.getattr = nfs_getattr,
|
|
.setattr = nfs_setattr,
|
|
};
|
|
|
|
const struct inode_operations nfs_referral_inode_operations = {
|
|
.getattr = nfs_namespace_getattr,
|
|
.setattr = nfs_namespace_setattr,
|
|
};
|
|
|
|
static void nfs_expire_automounts(struct work_struct *work)
|
|
{
|
|
struct list_head *list = &nfs_automount_list;
|
|
|
|
mark_mounts_for_expiry(list);
|
|
if (!list_empty(list))
|
|
schedule_delayed_work(&nfs_automount_task, nfs_mountpoint_expiry_timeout);
|
|
}
|
|
|
|
void nfs_release_automount_timer(void)
|
|
{
|
|
if (list_empty(&nfs_automount_list))
|
|
cancel_delayed_work(&nfs_automount_task);
|
|
}
|
|
|
|
/*
|
|
* Clone a mountpoint of the appropriate type
|
|
*/
|
|
static struct vfsmount *nfs_do_clone_mount(struct nfs_server *server,
|
|
const char *devname,
|
|
struct nfs_clone_mount *mountdata)
|
|
{
|
|
return vfs_submount(mountdata->dentry, &nfs_xdev_fs_type, devname, mountdata);
|
|
}
|
|
|
|
/**
|
|
* nfs_do_submount - set up mountpoint when crossing a filesystem boundary
|
|
* @dentry - parent directory
|
|
* @fh - filehandle for new root dentry
|
|
* @fattr - attributes for new root inode
|
|
* @authflavor - security flavor to use when performing the mount
|
|
*
|
|
*/
|
|
struct vfsmount *nfs_do_submount(struct dentry *dentry, struct nfs_fh *fh,
|
|
struct nfs_fattr *fattr, rpc_authflavor_t authflavor)
|
|
{
|
|
struct nfs_clone_mount mountdata = {
|
|
.sb = dentry->d_sb,
|
|
.dentry = dentry,
|
|
.fh = fh,
|
|
.fattr = fattr,
|
|
.authflavor = authflavor,
|
|
};
|
|
struct vfsmount *mnt = ERR_PTR(-ENOMEM);
|
|
char *page = (char *) __get_free_page(GFP_USER);
|
|
char *devname;
|
|
|
|
dprintk("--> nfs_do_submount()\n");
|
|
|
|
dprintk("%s: submounting on %pd2\n", __func__,
|
|
dentry);
|
|
if (page == NULL)
|
|
goto out;
|
|
devname = nfs_devname(dentry, page, PAGE_SIZE);
|
|
mnt = (struct vfsmount *)devname;
|
|
if (IS_ERR(devname))
|
|
goto free_page;
|
|
mnt = nfs_do_clone_mount(NFS_SB(dentry->d_sb), devname, &mountdata);
|
|
free_page:
|
|
free_page((unsigned long)page);
|
|
out:
|
|
dprintk("%s: done\n", __func__);
|
|
|
|
dprintk("<-- nfs_do_submount() = %p\n", mnt);
|
|
return mnt;
|
|
}
|
|
EXPORT_SYMBOL_GPL(nfs_do_submount);
|
|
|
|
struct vfsmount *nfs_submount(struct nfs_server *server, struct dentry *dentry,
|
|
struct nfs_fh *fh, struct nfs_fattr *fattr)
|
|
{
|
|
int err;
|
|
struct dentry *parent = dget_parent(dentry);
|
|
|
|
/* Look it up again to get its attributes */
|
|
err = server->nfs_client->rpc_ops->lookup(d_inode(parent), &dentry->d_name, fh, fattr, NULL);
|
|
dput(parent);
|
|
if (err != 0)
|
|
return ERR_PTR(err);
|
|
|
|
return nfs_do_submount(dentry, fh, fattr, server->client->cl_auth->au_flavor);
|
|
}
|
|
EXPORT_SYMBOL_GPL(nfs_submount);
|