aboutsummaryrefslogtreecommitdiffstats
path: root/net/sunrpc
diff options
context:
space:
mode:
Diffstat (limited to 'net/sunrpc')
-rw-r--r--net/sunrpc/auth_generic.c4
-rw-r--r--net/sunrpc/auth_gss/svcauth_gss.c7
-rw-r--r--net/sunrpc/auth_unix.c15
-rw-r--r--net/sunrpc/svcauth_unix.c18
4 files changed, 33 insertions, 11 deletions
diff --git a/net/sunrpc/auth_generic.c b/net/sunrpc/auth_generic.c
index 75762f34697..6ed6f201b02 100644
--- a/net/sunrpc/auth_generic.c
+++ b/net/sunrpc/auth_generic.c
@@ -160,8 +160,8 @@ generic_match(struct auth_cred *acred, struct rpc_cred *cred, int flags)
160 if (gcred->acred.group_info->ngroups != acred->group_info->ngroups) 160 if (gcred->acred.group_info->ngroups != acred->group_info->ngroups)
161 goto out_nomatch; 161 goto out_nomatch;
162 for (i = 0; i < gcred->acred.group_info->ngroups; i++) { 162 for (i = 0; i < gcred->acred.group_info->ngroups; i++) {
163 if (GROUP_AT(gcred->acred.group_info, i) != 163 if (!gid_eq(GROUP_AT(gcred->acred.group_info, i),
164 GROUP_AT(acred->group_info, i)) 164 GROUP_AT(acred->group_info, i)))
165 goto out_nomatch; 165 goto out_nomatch;
166 } 166 }
167out_match: 167out_match:
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 1600cfb1618..28b62dbb6d1 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -41,6 +41,7 @@
41#include <linux/types.h> 41#include <linux/types.h>
42#include <linux/module.h> 42#include <linux/module.h>
43#include <linux/pagemap.h> 43#include <linux/pagemap.h>
44#include <linux/user_namespace.h>
44 45
45#include <linux/sunrpc/auth_gss.h> 46#include <linux/sunrpc/auth_gss.h>
46#include <linux/sunrpc/gss_err.h> 47#include <linux/sunrpc/gss_err.h>
@@ -470,9 +471,13 @@ static int rsc_parse(struct cache_detail *cd,
470 status = -EINVAL; 471 status = -EINVAL;
471 for (i=0; i<N; i++) { 472 for (i=0; i<N; i++) {
472 gid_t gid; 473 gid_t gid;
474 kgid_t kgid;
473 if (get_int(&mesg, &gid)) 475 if (get_int(&mesg, &gid))
474 goto out; 476 goto out;
475 GROUP_AT(rsci.cred.cr_group_info, i) = gid; 477 kgid = make_kgid(&init_user_ns, gid);
478 if (!gid_valid(kgid))
479 goto out;
480 GROUP_AT(rsci.cred.cr_group_info, i) = kgid;
476 } 481 }
477 482
478 /* mech name */ 483 /* mech name */
diff --git a/net/sunrpc/auth_unix.c b/net/sunrpc/auth_unix.c
index e50502d8ceb..52c5abdee21 100644
--- a/net/sunrpc/auth_unix.c
+++ b/net/sunrpc/auth_unix.c
@@ -12,6 +12,7 @@
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/sunrpc/clnt.h> 13#include <linux/sunrpc/clnt.h>
14#include <linux/sunrpc/auth.h> 14#include <linux/sunrpc/auth.h>
15#include <linux/user_namespace.h>
15 16
16#define NFS_NGROUPS 16 17#define NFS_NGROUPS 16
17 18
@@ -78,8 +79,11 @@ unx_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
78 groups = NFS_NGROUPS; 79 groups = NFS_NGROUPS;
79 80
80 cred->uc_gid = acred->gid; 81 cred->uc_gid = acred->gid;
81 for (i = 0; i < groups; i++) 82 for (i = 0; i < groups; i++) {
82 cred->uc_gids[i] = GROUP_AT(acred->group_info, i); 83 gid_t gid;
84 gid = from_kgid(&init_user_ns, GROUP_AT(acred->group_info, i));
85 cred->uc_gids[i] = gid;
86 }
83 if (i < NFS_NGROUPS) 87 if (i < NFS_NGROUPS)
84 cred->uc_gids[i] = NOGROUP; 88 cred->uc_gids[i] = NOGROUP;
85 89
@@ -126,9 +130,12 @@ unx_match(struct auth_cred *acred, struct rpc_cred *rcred, int flags)
126 groups = acred->group_info->ngroups; 130 groups = acred->group_info->ngroups;
127 if (groups > NFS_NGROUPS) 131 if (groups > NFS_NGROUPS)
128 groups = NFS_NGROUPS; 132 groups = NFS_NGROUPS;
129 for (i = 0; i < groups ; i++) 133 for (i = 0; i < groups ; i++) {
130 if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i)) 134 gid_t gid;
135 gid = from_kgid(&init_user_ns, GROUP_AT(acred->group_info, i));
136 if (cred->uc_gids[i] != gid)
131 return 0; 137 return 0;
138 }
132 if (groups < NFS_NGROUPS && 139 if (groups < NFS_NGROUPS &&
133 cred->uc_gids[groups] != NOGROUP) 140 cred->uc_gids[groups] != NOGROUP)
134 return 0; 141 return 0;
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index 521d8f7dc83..71ec8530ec8 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -14,6 +14,7 @@
14#include <net/sock.h> 14#include <net/sock.h>
15#include <net/ipv6.h> 15#include <net/ipv6.h>
16#include <linux/kernel.h> 16#include <linux/kernel.h>
17#include <linux/user_namespace.h>
17#define RPCDBG_FACILITY RPCDBG_AUTH 18#define RPCDBG_FACILITY RPCDBG_AUTH
18 19
19#include <linux/sunrpc/clnt.h> 20#include <linux/sunrpc/clnt.h>
@@ -530,11 +531,15 @@ static int unix_gid_parse(struct cache_detail *cd,
530 531
531 for (i = 0 ; i < gids ; i++) { 532 for (i = 0 ; i < gids ; i++) {
532 int gid; 533 int gid;
534 kgid_t kgid;
533 rv = get_int(&mesg, &gid); 535 rv = get_int(&mesg, &gid);
534 err = -EINVAL; 536 err = -EINVAL;
535 if (rv) 537 if (rv)
536 goto out; 538 goto out;
537 GROUP_AT(ug.gi, i) = gid; 539 kgid = make_kgid(&init_user_ns, gid);
540 if (!gid_valid(kgid))
541 goto out;
542 GROUP_AT(ug.gi, i) = kgid;
538 } 543 }
539 544
540 ugp = unix_gid_lookup(cd, uid); 545 ugp = unix_gid_lookup(cd, uid);
@@ -563,6 +568,7 @@ static int unix_gid_show(struct seq_file *m,
563 struct cache_detail *cd, 568 struct cache_detail *cd,
564 struct cache_head *h) 569 struct cache_head *h)
565{ 570{
571 struct user_namespace *user_ns = current_user_ns();
566 struct unix_gid *ug; 572 struct unix_gid *ug;
567 int i; 573 int i;
568 int glen; 574 int glen;
@@ -580,7 +586,7 @@ static int unix_gid_show(struct seq_file *m,
580 586
581 seq_printf(m, "%u %d:", ug->uid, glen); 587 seq_printf(m, "%u %d:", ug->uid, glen);
582 for (i = 0; i < glen; i++) 588 for (i = 0; i < glen; i++)
583 seq_printf(m, " %d", GROUP_AT(ug->gi, i)); 589 seq_printf(m, " %d", from_kgid_munged(user_ns, GROUP_AT(ug->gi, i)));
584 seq_printf(m, "\n"); 590 seq_printf(m, "\n");
585 return 0; 591 return 0;
586} 592}
@@ -831,8 +837,12 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
831 cred->cr_group_info = groups_alloc(slen); 837 cred->cr_group_info = groups_alloc(slen);
832 if (cred->cr_group_info == NULL) 838 if (cred->cr_group_info == NULL)
833 return SVC_CLOSE; 839 return SVC_CLOSE;
834 for (i = 0; i < slen; i++) 840 for (i = 0; i < slen; i++) {
835 GROUP_AT(cred->cr_group_info, i) = svc_getnl(argv); 841 kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
842 if (!gid_valid(kgid))
843 goto badcred;
844 GROUP_AT(cred->cr_group_info, i) = kgid;
845 }
836 if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { 846 if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
837 *authp = rpc_autherr_badverf; 847 *authp = rpc_autherr_badverf;
838 return SVC_DENIED; 848 return SVC_DENIED;
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-15 13:18:52 -0400