diff options
Diffstat (limited to 'fs/nfs/nfs4idmap.c')
| -rw-r--r-- | fs/nfs/nfs4idmap.c | 30 |
1 files changed, 6 insertions, 24 deletions
diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c index 69679f4f2e6c..1e7296395d71 100644 --- a/fs/nfs/nfs4idmap.c +++ b/fs/nfs/nfs4idmap.c | |||
| @@ -72,25 +72,6 @@ struct idmap { | |||
| 72 | const struct cred *cred; | 72 | const struct cred *cred; |
| 73 | }; | 73 | }; |
| 74 | 74 | ||
| 75 | static struct key_acl nfs_idmap_key_acl = { | ||
| 76 | .usage = REFCOUNT_INIT(1), | ||
| 77 | .nr_ace = 2, | ||
| 78 | .possessor_viewable = true, | ||
| 79 | .aces = { | ||
| 80 | KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ), | ||
| 81 | KEY_OWNER_ACE(KEY_ACE_VIEW), | ||
| 82 | } | ||
| 83 | }; | ||
| 84 | |||
| 85 | static struct key_acl nfs_idmap_keyring_acl = { | ||
| 86 | .usage = REFCOUNT_INIT(1), | ||
| 87 | .nr_ace = 2, | ||
| 88 | .aces = { | ||
| 89 | KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE), | ||
| 90 | KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ), | ||
| 91 | } | ||
| 92 | }; | ||
| 93 | |||
| 94 | static struct user_namespace *idmap_userns(const struct idmap *idmap) | 75 | static struct user_namespace *idmap_userns(const struct idmap *idmap) |
| 95 | { | 76 | { |
| 96 | if (idmap && idmap->cred) | 77 | if (idmap && idmap->cred) |
| @@ -227,7 +208,8 @@ int nfs_idmap_init(void) | |||
| 227 | 208 | ||
| 228 | keyring = keyring_alloc(".id_resolver", | 209 | keyring = keyring_alloc(".id_resolver", |
| 229 | GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, | 210 | GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, |
| 230 | &nfs_idmap_keyring_acl, | 211 | (KEY_POS_ALL & ~KEY_POS_SETATTR) | |
| 212 | KEY_USR_VIEW | KEY_USR_READ, | ||
| 231 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); | 213 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); |
| 232 | if (IS_ERR(keyring)) { | 214 | if (IS_ERR(keyring)) { |
| 233 | ret = PTR_ERR(keyring); | 215 | ret = PTR_ERR(keyring); |
| @@ -305,13 +287,11 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen, | |||
| 305 | return ERR_PTR(ret); | 287 | return ERR_PTR(ret); |
| 306 | 288 | ||
| 307 | if (!idmap->cred || idmap->cred->user_ns == &init_user_ns) | 289 | if (!idmap->cred || idmap->cred->user_ns == &init_user_ns) |
| 308 | rkey = request_key(&key_type_id_resolver, desc, "", | 290 | rkey = request_key(&key_type_id_resolver, desc, ""); |
| 309 | &nfs_idmap_key_acl); | ||
| 310 | if (IS_ERR(rkey)) { | 291 | if (IS_ERR(rkey)) { |
| 311 | mutex_lock(&idmap->idmap_mutex); | 292 | mutex_lock(&idmap->idmap_mutex); |
| 312 | rkey = request_key_with_auxdata(&key_type_id_resolver_legacy, | 293 | rkey = request_key_with_auxdata(&key_type_id_resolver_legacy, |
| 313 | desc, NULL, "", 0, idmap, | 294 | desc, NULL, "", 0, idmap); |
| 314 | &nfs_idmap_key_acl); | ||
| 315 | mutex_unlock(&idmap->idmap_mutex); | 295 | mutex_unlock(&idmap->idmap_mutex); |
| 316 | } | 296 | } |
| 317 | if (!IS_ERR(rkey)) | 297 | if (!IS_ERR(rkey)) |
| @@ -340,6 +320,8 @@ static ssize_t nfs_idmap_get_key(const char *name, size_t namelen, | |||
| 340 | } | 320 | } |
| 341 | 321 | ||
| 342 | rcu_read_lock(); | 322 | rcu_read_lock(); |
| 323 | rkey->perm |= KEY_USR_VIEW; | ||
| 324 | |||
| 343 | ret = key_validate(rkey); | 325 | ret = key_validate(rkey); |
| 344 | if (ret < 0) | 326 | if (ret < 0) |
| 345 | goto out_up; | 327 | goto out_up; |