24 Jun, 2005
6 commits
-
Add a new `suid_dumpable' sysctl:
This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are0 - (default) - traditional behaviour. Any process which has changed
privilege levels or is execute only will not be dumped1 - (debug) - all processes dump core when possible. The core dump is
owned by the current user and no security is applied. This is intended
for system debugging situations only. Ptrace is unchecked.2 - (suidsafe) - any binary which normally would not be dumped is dumped
readable by root only. This allows the end user to remove such a dump but
not access it directly. For security reasons core dumps in this mode will
not overwrite one another or other files. This mode is appropriate when
adminstrators are attempting to debug problems in a normal environment.(akpm:
> > +EXPORT_SYMBOL(suid_dumpable);
>
> EXPORT_SYMBOL_GPL?No problem to me.
> > if (current->euid == current->uid && current->egid == current->gid)
> > current->mm->dumpable = 1;
>
> Should this be SUID_DUMP_USER?Actually the feedback I had from last time was that the SUID_ defines
should go because its clearer to follow the numbers. They can go
everywhere (and there are lots of places where dumpable is tested/used
as a bool in untouched code)> Maybe this should be renamed to `dump_policy' or something. Doing that
> would help us catch any code which isn't using the #defines, too.Fair comment. The patch was designed to be easy to maintain for Red Hat
rather than for merging. Changing that field would create a gigantic
diff because it is used all over the place.)
Signed-off-by: Alan Cox
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Use lookup_one_len instead of opencoding a simplified lookup using
lookup_hash with a fake hash.Also there's no need anymore for the d_invalidate as we have a completely
valid dentry now.Signed-off-by: Christoph Hellwig
Acked-by: Jan Kara
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Move some code duplicated in both callers into vfs_quota_on_mount
Signed-off-by: Christoph Hellwig
Acked-by: Jan Kara
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Various filesystem drivers have grown a get_dentry() function that's a
duplicate of lookup_one_len, except that it doesn't take a maximum length
argument and doesn't check for \0 or / in the passed in filename.Switch all these places to use lookup_one_len.
Signed-off-by: Christoph Hellwig
Cc: Greg KH
Cc: Paul Jackson
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Patch to add check to get_chrdev_list and get_blkdev_list to prevent reads
of /proc/devices from spilling over the provided page if more than 4096
bytes of string data are generated from all the registered character and
block devices in a systemSigned-off-by: Neil Horman
Cc: Christoph Hellwig
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Based on analysis and a patch from Russ Weight
There is a race condition that can occur if an inode is allocated and then
released (using iput) during the ->fill_super functions. The race
condition is between kswapd and mount.For most filesystems this can only happen in an error path when kswapd is
running concurrently. For isofs, however, the error can occur in a more
common code path (which is how the bug was found).The logic here is "we want final iput() to free inode *now* instead of
letting it sit in cache if fs is going down or had not quite come up". The
problem is with kswapd seeing such inodes in the middle of being killed and
happily taking over.The clean solution would be to tell kswapd to leave those inodes alone and
let our final iput deal with them. I.e. add a new flag
(I_FORCED_FREEING), set it before write_inode_now() there and make
prune_icache() leave those alone.Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
23 Jun, 2005
34 commits
-
Signed-off-by: Trond Myklebust
-
This shows up on running tar over NFSv4.
Signed-off-by: Manoj Naik
Signed-off-by: Trond Myklebust -
Request RDATTR_ERROR as an attribute in readdir to distinguish between a
directory being within an absent filesystem or one (or more) of its entries.Signed-off-by: Manoj Naik
Signed-off-by: Trond Myklebust -
Ensure that lock owner structures are not released prematurely.
Signed-off-by: Trond Myklebust
-
If the lock blocks, the server may send us a GRANTED message that
races with the reply to our LOCK request. Make sure that we catch
the GRANTED by queueing up our request on the nlm_blocked list
before we send off the first LOCK rpc call.Signed-off-by: Trond Myklebust
-
Signed-off-by: Trond Myklebust
-
Signed-off-by: Trond Myklebust
-
Signed-off-by: Trond Myklebust
-
Basically copies the VFS's method for tracking writebacks and applies
it to the struct nfs_page.Signed-off-by: Trond Myklebust
-
Use stable writes if we can see that we are only going to put a single
write on the wire.Signed-off-by: Trond Myklebust
-
Even if the file is open for writes.
Signed-off-by: Trond Myklebust
-
Unless we're doing O_APPEND writes, we really don't care about revalidating
the file length. Just make sure that we catch any page cache invalidations.Signed-off-by: Trond Myklebust
-
Instead of looking at whether or not the file is open for writes before
we accept to update the length using the server value, we should rather
be looking at whether or not we are currently caching any writes.Failure to do so means in particular that we're not updating the file
length correctly after obtaining a POSIX or BSD lock.Signed-off-by: Trond Myklebust
-
If we do not hold a valid stateid that is open for writes, there is little
point in doing an extra open of the file, as the RFC does not appear to
mandate this...Make setattr use the correct stateid if we're holding mandatory byte
range locks.Signed-off-by: Trond Myklebust
-
Signed-off-by: Trond Myklebust
-
Signed-off-by: Trond Myklebust
-
NFSv3 currently returns the unsigned 64-bit cookie directly to
userspace. The following patch causes the kernel to generate
loff_t offsets for the benefit of userland.
The current server-generated READDIR cookie is cached in the
nfs_open_context instead of in filp->f_pos, so we still end up work
correctly under directory insertions/deletion.Signed-off-by: Olivier Galibert
Signed-off-by: Trond Myklebust -
The changeset "trond.myklebust@fys.uio.no|ChangeSet|20050322152404|16979"
(RPC: Ensure XDR iovec length is initialized correctly in call_header)
causes the NFSv4 callback code to BUG() due to an incorrectly initialized
scratch buffer.Signed-off-by: Trond Myklebust
-
From: Reuben Farrelly
With gcc-4.0:
fs/nfs/nfs4proc.c:2976: error: static declaration of
'nfs4_file_inode_operations' follows non-static declaration
fs/nfs/nfs4_fs.h:179: error: previous declaration of
'nfs4_file_inode_operations' was hereSigned-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
Older gcc's don't like this.
fs/nfs/nfs4proc.c:2194: field `data' has incomplete type
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
The Coverity checker noticed that such a simplification was possible.
Signed-off-by: Adrian Bunk
Signed-off-by: Trond Myklebust -
* Pointer arithmetic bug: p is in word units. This fixes a memory
corruption with big acls.
* Initialize pg_class to prevent a NULL pointer access.Signed-off-by: Andreas Gruenbacher
Signed-off-by: Trond Myklebust -
Initialize the inode cache values correctly.
Clean up __nfs3_forget_cached_acls()Signed-off-by: Trond Myklebust
-
Attach acls to inodes in the icache to avoid unnecessary GETACL RPC
round-trips. As long as the client doesn't retrieve any acls itself, only the
default acls of exiting directories and the default and access acls of new
directories will end up in the cache, which preserves some memory compared to
always caching the access and default acl of all files.Signed-off-by: Andreas Gruenbacher
Acked-by: Olaf Kirch
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
NFSv3 has no concept of a umask on the server side: The client applies
the umask locally, and sends the effective permissions to the server.
This behavior is wrong when files are created in a directory that has a
default ACL. In this case, the umask is supposed to be ignored, and
only the default ACL determines the file's effective permissions.Usually its the server's task to conditionally apply the umask. But
since the server knows nothing about the umask, we have to do it on the
client side. This patch tries to fetch the parent directory's default
ACL before creating a new file, computes the appropriate create mode to
send to the server, and finally sets the new file's access and default
acl appropriately.Many thanks to Buck Huppmann for sending the initial
version of this patch, as well as for arguing why we need this change.Signed-off-by: Andreas Gruenbacher
Acked-by: Olaf Kirch
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
This adds acl support fo nfs clients via the NFSACL protocol extension, by
implementing the getxattr, listxattr, setxattr, and removexattr iops for the
system.posix_acl_access and system.posix_acl_default attributes. This patch
implements a dumb version that uses no caching (and thus adds some overhead).
(Another patch in this patchset adds caching as well.)Signed-off-by: Andreas Gruenbacher
Acked-by: Olaf Kirch
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
This adds functions for encoding and decoding POSIX ACLs for the NFSACL
protocol extension, and the GETACL and SETACL RPCs. The implementation is
compatible with NFSACL in Solaris.Signed-off-by: Andreas Gruenbacher
Acked-by: Olaf Kirch
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
Add the missing NFS3ERR_NOTSUPP error code (defined in NFSv3) to the
system-to-protocol-error table in nfsd. The nfsacl extension uses this error
code.Signed-off-by: Andreas Gruenbacher
Signed-off-by: Olaf Kirch
Signed-off-by: Andrew Morton
Signed-off-by: Trond Myklebust -
Currently we return -ENOMEM for every single failure to create a new auth.
This is actually accurate for auth_null and auth_unix, but for auth_gss it's a
bit confusing.Allow rpcauth_create (and the ->create methods) to return errors. With this
patch, the user may sometimes see an EINVAL instead. Whee.Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust -
Add nfs4_acl field to the nfs_inode, and use it to cache acls. Only cache
acls of size up to a page. Also prepare for up to a page of acl data even
when the user doesn't pass in a buffer, as when they want to get the acl
length to decide what size buffer to allocate.Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust -
Client-side write support for NFSv4 ACLs.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust -
Client-side support for NFSv4 acls: xdr encoding and decoding routines for
writing aclsSigned-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust -
Client-side support for NFSv4 ACLs. Exports the raw xdr code via the
system.nfs4_acl extended attribute. It is up to userspace to decode the acl
(and to provide correctly xdr'd acls on setxattr), and to convert to/from
POSIX ACLs if desired.This patch provides only the read support.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust -
Client-side support for NFSv4 acls: xdr encoding and decoding routines for
reading aclsSigned-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
