diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2013-02-25 19:00:49 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-02-25 19:00:49 -0500 |
| commit | 94f2f14234178f118545a0be60a6371ddeb229b7 (patch) | |
| tree | 313af6e9e255e9060fc24c836cd71ce712502b17 /fs/ceph | |
| parent | 8d168f71551ec2a6528d01d0389b7a73c091e3e7 (diff) | |
| parent | 139321c65c0584cd65c4c87a5eb3fdb4fdbd0e19 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull user namespace and namespace infrastructure changes from Eric W Biederman:
"This set of changes starts with a few small enhnacements to the user
namespace. reboot support, allowing more arbitrary mappings, and
support for mounting devpts, ramfs, tmpfs, and mqueuefs as just the
user namespace root.
I do my best to document that if you care about limiting your
unprivileged users that when you have the user namespace support
enabled you will need to enable memory control groups.
There is a minor bug fix to prevent overflowing the stack if someone
creates way too many user namespaces.
The bulk of the changes are a continuation of the kuid/kgid push down
work through the filesystems. These changes make using uids and gids
typesafe which ensures that these filesystems are safe to use when
multiple user namespaces are in use. The filesystems converted for
3.9 are ceph, 9p, afs, ocfs2, gfs2, ncpfs, nfs, nfsd, and cifs. The
changes for these filesystems were a little more involved so I split
the changes into smaller hopefully obviously correct changes.
XFS is the only filesystem that remains. I was hoping I could get
that in this release so that user namespace support would be enabled
with an allyesconfig or an allmodconfig but it looks like the xfs
changes need another couple of days before it they are ready."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (93 commits)
cifs: Enable building with user namespaces enabled.
cifs: Convert struct cifs_ses to use a kuid_t and a kgid_t
cifs: Convert struct cifs_sb_info to use kuids and kgids
cifs: Modify struct smb_vol to use kuids and kgids
cifs: Convert struct cifsFileInfo to use a kuid
cifs: Convert struct cifs_fattr to use kuid and kgids
cifs: Convert struct tcon_link to use a kuid.
cifs: Modify struct cifs_unix_set_info_args to hold a kuid_t and a kgid_t
cifs: Convert from a kuid before printing current_fsuid
cifs: Use kuids and kgids SID to uid/gid mapping
cifs: Pass GLOBAL_ROOT_UID and GLOBAL_ROOT_GID to keyring_alloc
cifs: Use BUILD_BUG_ON to validate uids and gids are the same size
cifs: Override unmappable incoming uids and gids
nfsd: Enable building with user namespaces enabled.
nfsd: Properly compare and initialize kuids and kgids
nfsd: Store ex_anon_uid and ex_anon_gid as kuids and kgids
nfsd: Modify nfsd4_cb_sec to use kuids and kgids
nfsd: Handle kuids and kgids in the nfs4acl to posix_acl conversion
nfsd: Convert nfsxdr to use kuids and kgids
nfsd: Convert nfs3xdr to use kuids and kgids
...
Diffstat (limited to 'fs/ceph')
| -rw-r--r-- | fs/ceph/caps.c | 17 | ||||
| -rw-r--r-- | fs/ceph/inode.c | 23 | ||||
| -rw-r--r-- | fs/ceph/mds_client.c | 4 | ||||
| -rw-r--r-- | fs/ceph/mds_client.h | 4 | ||||
| -rw-r--r-- | fs/ceph/super.h | 4 |
5 files changed, 29 insertions, 23 deletions
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index a1d9bb30c1bf..ae2be696eb5b 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c | |||
| @@ -930,7 +930,7 @@ static int send_cap_msg(struct ceph_mds_session *session, | |||
| 930 | u64 size, u64 max_size, | 930 | u64 size, u64 max_size, |
| 931 | struct timespec *mtime, struct timespec *atime, | 931 | struct timespec *mtime, struct timespec *atime, |
| 932 | u64 time_warp_seq, | 932 | u64 time_warp_seq, |
| 933 | uid_t uid, gid_t gid, umode_t mode, | 933 | kuid_t uid, kgid_t gid, umode_t mode, |
| 934 | u64 xattr_version, | 934 | u64 xattr_version, |
| 935 | struct ceph_buffer *xattrs_buf, | 935 | struct ceph_buffer *xattrs_buf, |
| 936 | u64 follows) | 936 | u64 follows) |
| @@ -974,8 +974,8 @@ static int send_cap_msg(struct ceph_mds_session *session, | |||
| 974 | ceph_encode_timespec(&fc->atime, atime); | 974 | ceph_encode_timespec(&fc->atime, atime); |
| 975 | fc->time_warp_seq = cpu_to_le32(time_warp_seq); | 975 | fc->time_warp_seq = cpu_to_le32(time_warp_seq); |
| 976 | 976 | ||
| 977 | fc->uid = cpu_to_le32(uid); | 977 | fc->uid = cpu_to_le32(from_kuid(&init_user_ns, uid)); |
| 978 | fc->gid = cpu_to_le32(gid); | 978 | fc->gid = cpu_to_le32(from_kgid(&init_user_ns, gid)); |
| 979 | fc->mode = cpu_to_le32(mode); | 979 | fc->mode = cpu_to_le32(mode); |
| 980 | 980 | ||
| 981 | fc->xattr_version = cpu_to_le64(xattr_version); | 981 | fc->xattr_version = cpu_to_le64(xattr_version); |
| @@ -1081,8 +1081,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap, | |||
| 1081 | struct timespec mtime, atime; | 1081 | struct timespec mtime, atime; |
| 1082 | int wake = 0; | 1082 | int wake = 0; |
| 1083 | umode_t mode; | 1083 | umode_t mode; |
| 1084 | uid_t uid; | 1084 | kuid_t uid; |
| 1085 | gid_t gid; | 1085 | kgid_t gid; |
| 1086 | struct ceph_mds_session *session; | 1086 | struct ceph_mds_session *session; |
| 1087 | u64 xattr_version = 0; | 1087 | u64 xattr_version = 0; |
| 1088 | struct ceph_buffer *xattr_blob = NULL; | 1088 | struct ceph_buffer *xattr_blob = NULL; |
| @@ -2359,10 +2359,11 @@ static void handle_cap_grant(struct inode *inode, struct ceph_mds_caps *grant, | |||
| 2359 | 2359 | ||
| 2360 | if ((issued & CEPH_CAP_AUTH_EXCL) == 0) { | 2360 | if ((issued & CEPH_CAP_AUTH_EXCL) == 0) { |
| 2361 | inode->i_mode = le32_to_cpu(grant->mode); | 2361 | inode->i_mode = le32_to_cpu(grant->mode); |
| 2362 | inode->i_uid = le32_to_cpu(grant->uid); | 2362 | inode->i_uid = make_kuid(&init_user_ns, le32_to_cpu(grant->uid)); |
| 2363 | inode->i_gid = le32_to_cpu(grant->gid); | 2363 | inode->i_gid = make_kgid(&init_user_ns, le32_to_cpu(grant->gid)); |
| 2364 | dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode, | 2364 | dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode, |
| 2365 | inode->i_uid, inode->i_gid); | 2365 | from_kuid(&init_user_ns, inode->i_uid), |
| 2366 | from_kgid(&init_user_ns, inode->i_gid)); | ||
| 2366 | } | 2367 | } |
| 2367 | 2368 | ||
| 2368 | if ((issued & CEPH_CAP_LINK_EXCL) == 0) | 2369 | if ((issued & CEPH_CAP_LINK_EXCL) == 0) |
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index 2971eaa65cdc..d45895f4a04d 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c | |||
| @@ -612,10 +612,11 @@ static int fill_inode(struct inode *inode, | |||
| 612 | 612 | ||
| 613 | if ((issued & CEPH_CAP_AUTH_EXCL) == 0) { | 613 | if ((issued & CEPH_CAP_AUTH_EXCL) == 0) { |
| 614 | inode->i_mode = le32_to_cpu(info->mode); | 614 | inode->i_mode = le32_to_cpu(info->mode); |
| 615 | inode->i_uid = le32_to_cpu(info->uid); | 615 | inode->i_uid = make_kuid(&init_user_ns, le32_to_cpu(info->uid)); |
| 616 | inode->i_gid = le32_to_cpu(info->gid); | 616 | inode->i_gid = make_kgid(&init_user_ns, le32_to_cpu(info->gid)); |
| 617 | dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode, | 617 | dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode, |
| 618 | inode->i_uid, inode->i_gid); | 618 | from_kuid(&init_user_ns, inode->i_uid), |
| 619 | from_kgid(&init_user_ns, inode->i_gid)); | ||
| 619 | } | 620 | } |
| 620 | 621 | ||
| 621 | if ((issued & CEPH_CAP_LINK_EXCL) == 0) | 622 | if ((issued & CEPH_CAP_LINK_EXCL) == 0) |
| @@ -1565,26 +1566,30 @@ int ceph_setattr(struct dentry *dentry, struct iattr *attr) | |||
| 1565 | 1566 | ||
| 1566 | if (ia_valid & ATTR_UID) { | 1567 | if (ia_valid & ATTR_UID) { |
| 1567 | dout("setattr %p uid %d -> %d\n", inode, | 1568 | dout("setattr %p uid %d -> %d\n", inode, |
| 1568 | inode->i_uid, attr->ia_uid); | 1569 | from_kuid(&init_user_ns, inode->i_uid), |
| 1570 | from_kuid(&init_user_ns, attr->ia_uid)); | ||
| 1569 | if (issued & CEPH_CAP_AUTH_EXCL) { | 1571 | if (issued & CEPH_CAP_AUTH_EXCL) { |
| 1570 | inode->i_uid = attr->ia_uid; | 1572 | inode->i_uid = attr->ia_uid; |
| 1571 | dirtied |= CEPH_CAP_AUTH_EXCL; | 1573 | dirtied |= CEPH_CAP_AUTH_EXCL; |
| 1572 | } else if ((issued & CEPH_CAP_AUTH_SHARED) == 0 || | 1574 | } else if ((issued & CEPH_CAP_AUTH_SHARED) == 0 || |
| 1573 | attr->ia_uid != inode->i_uid) { | 1575 | !uid_eq(attr->ia_uid, inode->i_uid)) { |
| 1574 | req->r_args.setattr.uid = cpu_to_le32(attr->ia_uid); | 1576 | req->r_args.setattr.uid = cpu_to_le32( |
| 1577 | from_kuid(&init_user_ns, attr->ia_uid)); | ||
| 1575 | mask |= CEPH_SETATTR_UID; | 1578 | mask |= CEPH_SETATTR_UID; |
| 1576 | release |= CEPH_CAP_AUTH_SHARED; | 1579 | release |= CEPH_CAP_AUTH_SHARED; |
| 1577 | } | 1580 | } |
| 1578 | } | 1581 | } |
| 1579 | if (ia_valid & ATTR_GID) { | 1582 | if (ia_valid & ATTR_GID) { |
| 1580 | dout("setattr %p gid %d -> %d\n", inode, | 1583 | dout("setattr %p gid %d -> %d\n", inode, |
| 1581 | inode->i_gid, attr->ia_gid); | 1584 | from_kgid(&init_user_ns, inode->i_gid), |
| 1585 | from_kgid(&init_user_ns, attr->ia_gid)); | ||
| 1582 | if (issued & CEPH_CAP_AUTH_EXCL) { | 1586 | if (issued & CEPH_CAP_AUTH_EXCL) { |
| 1583 | inode->i_gid = attr->ia_gid; | 1587 | inode->i_gid = attr->ia_gid; |
| 1584 | dirtied |= CEPH_CAP_AUTH_EXCL; | 1588 | dirtied |= CEPH_CAP_AUTH_EXCL; |
| 1585 | } else if ((issued & CEPH_CAP_AUTH_SHARED) == 0 || | 1589 | } else if ((issued & CEPH_CAP_AUTH_SHARED) == 0 || |
| 1586 | attr->ia_gid != inode->i_gid) { | 1590 | !gid_eq(attr->ia_gid, inode->i_gid)) { |
| 1587 | req->r_args.setattr.gid = cpu_to_le32(attr->ia_gid); | 1591 | req->r_args.setattr.gid = cpu_to_le32( |
| 1592 | from_kgid(&init_user_ns, attr->ia_gid)); | ||
| 1588 | mask |= CEPH_SETATTR_GID; | 1593 | mask |= CEPH_SETATTR_GID; |
| 1589 | release |= CEPH_CAP_AUTH_SHARED; | 1594 | release |= CEPH_CAP_AUTH_SHARED; |
| 1590 | } | 1595 | } |
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 9165eb8309eb..7a3dfe0a9a80 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c | |||
| @@ -1658,8 +1658,8 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc, | |||
| 1658 | 1658 | ||
| 1659 | head->mdsmap_epoch = cpu_to_le32(mdsc->mdsmap->m_epoch); | 1659 | head->mdsmap_epoch = cpu_to_le32(mdsc->mdsmap->m_epoch); |
| 1660 | head->op = cpu_to_le32(req->r_op); | 1660 | head->op = cpu_to_le32(req->r_op); |
| 1661 | head->caller_uid = cpu_to_le32(req->r_uid); | 1661 | head->caller_uid = cpu_to_le32(from_kuid(&init_user_ns, req->r_uid)); |
| 1662 | head->caller_gid = cpu_to_le32(req->r_gid); | 1662 | head->caller_gid = cpu_to_le32(from_kgid(&init_user_ns, req->r_gid)); |
| 1663 | head->args = req->r_args; | 1663 | head->args = req->r_args; |
| 1664 | 1664 | ||
| 1665 | ceph_encode_filepath(&p, end, ino1, path1); | 1665 | ceph_encode_filepath(&p, end, ino1, path1); |
diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h index dd26846dd71d..ff4188bf6199 100644 --- a/fs/ceph/mds_client.h +++ b/fs/ceph/mds_client.h | |||
| @@ -184,8 +184,8 @@ struct ceph_mds_request { | |||
| 184 | 184 | ||
| 185 | union ceph_mds_request_args r_args; | 185 | union ceph_mds_request_args r_args; |
| 186 | int r_fmode; /* file mode, if expecting cap */ | 186 | int r_fmode; /* file mode, if expecting cap */ |
| 187 | uid_t r_uid; | 187 | kuid_t r_uid; |
| 188 | gid_t r_gid; | 188 | kgid_t r_gid; |
| 189 | 189 | ||
| 190 | /* for choosing which mds to send this request to */ | 190 | /* for choosing which mds to send this request to */ |
| 191 | int r_direct_mode; | 191 | int r_direct_mode; |
diff --git a/fs/ceph/super.h b/fs/ceph/super.h index 66ebe720e40d..f053bbd1886f 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h | |||
| @@ -138,8 +138,8 @@ struct ceph_cap_snap { | |||
| 138 | struct ceph_snap_context *context; | 138 | struct ceph_snap_context *context; |
| 139 | 139 | ||
| 140 | umode_t mode; | 140 | umode_t mode; |
| 141 | uid_t uid; | 141 | kuid_t uid; |
| 142 | gid_t gid; | 142 | kgid_t gid; |
| 143 | 143 | ||
| 144 | struct ceph_buffer *xattr_blob; | 144 | struct ceph_buffer *xattr_blob; |
| 145 | u64 xattr_version; | 145 | u64 xattr_version; |