1. 08 May, 2013 1 commit
  2. 04 Mar, 2013 1 commit
    • Eric W. Biederman's avatar
      fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman authored
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as it's module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesytem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarKees Cook <keescook@google.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      7f78e035
  3. 28 Feb, 2013 8 commits
  4. 26 Feb, 2013 7 commits
  5. 23 Feb, 2013 1 commit
  6. 22 Feb, 2013 1 commit
  7. 12 Feb, 2013 5 commits
    • Eric W. Biederman's avatar
      9p: Modify v9fs_get_fsgid_for_create to return a kgid · d4ef4e35
      Eric W. Biederman authored
      Modify v9fs_get_fsgid_for_create to return a kgid and modify all of
      the variables that hold the result of v9fs_get_fsgid_for_create to be
      of type kgid_t.
      
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      d4ef4e35
    • Eric W. Biederman's avatar
      9p: Modify struct v9fs_session_info to use a kuids and kgids · 76ed23a5
      Eric W. Biederman authored
      Change struct v9fs_session_info and the code that popluates it to use
      kuids and kgids.  When parsing the 9p mount options convert the
      dfltuid, dflutgid, and the session uid from the current user namespace
      into kuids and kgids.  Modify V9FS_DEFUID and V9FS_DEFGUID to be kuid
      and kgid values.
      
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      76ed23a5
    • Eric W. Biederman's avatar
      9p: Modify struct 9p_fid to use a kuid_t not a uid_t · b4642556
      Eric W. Biederman authored
      Change struct 9p_fid and it's associated functions to
      use kuid_t's instead of uid_t.
      
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      b4642556
    • Eric W. Biederman's avatar
      9p: Modify the stat structures to use kuid_t and kgid_t · 447c5094
      Eric W. Biederman authored
      9p has thre strucrtures that can encode inode stat information.  Modify
      all of those structures to contain kuid_t and kgid_t values.  Modify
      he wire encoders and decoders of those structures to use 'u' and 'g' instead of
      'd' in the format string where uids and gids are present.
      
      This results in all kuid and kgid conversion to and from on the wire values
      being performed by the same code in protocol.c where the client is known
      at the time of the conversion.
      
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      447c5094
    • Eric W. Biederman's avatar
      9p: Transmit kuid and kgid values · f791f7c5
      Eric W. Biederman authored
      Modify the p9_client_rpc format specifiers of every function that
      directly transmits a uid or a gid from 'd' to 'u' or 'g' as
      appropriate.
      
      Modify those same functions to take kuid_t and kgid_t parameters
      instead of uid_t and gid_t parameters.
      
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      f791f7c5
  8. 10 Feb, 2013 3 commits
    • M. Mohan Kumar's avatar
      fs/9p: Fix atomic_open · b6f4bee0
      M. Mohan Kumar authored
      Return EEXISTS if requested file already exists, without this patch open
      call will always succeed even if the file exists and user specified
      O_CREAT|O_EXCL.
      
      Following test code can be used to verify this patch. Without this patch
      executing following test code on 9p mount will result in printing 'test case
      failed' always.
      
      main()
      {
              int fd;
      
              /* first create the file */
              fd = open("./file", O_CREAT|O_WRONLY);
              if (fd < 0) {
                      perror("open");
                      return -1;
              }
              close(fd);
      
              /* Now opening same file with O_CREAT|O_EXCL should fail */
              fd = open("./file", O_CREAT|O_EXCL);
              if (fd < 0 && errno == EEXIST)
      	        printf("test case pass\n");
              else
      	        printf("test case failed\n");
              close(fd);
              return 0;
      }
      Signed-off-by: default avatarM. Mohan Kumar <mohan@in.ibm.com>
      Signed-off-by: default avatarEric Van Hensbergen <ericvh@gmail.com>
      b6f4bee0
    • Aneesh Kumar K.V's avatar
      fs/9p: Don't use O_TRUNC flag in TOPEN and TLOPEN request · 03f0e022
      Aneesh Kumar K.V authored
      We do the truncate via setattr request, hence don't pass the O_TRUNC flag in
      open request. Without this patch we end up sending zero sized write request
      to server when we try to truncate. Some servers (VirtFS) were not handling that
      properly.
      Reported-by: default avatarM. Mohan Kumar <mohan@in.ibm.com>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarEric Van Hensbergen <ericvh@gmail.com>
      03f0e022
    • Al Viro's avatar
      locking in fs/9p ->readdir() · 7ffdea7e
      Al Viro authored
      	... is really excessive.  First of all, ->readdir() is serialized by
      file->f_path.dentry->d_inode->i_mutex; playing with file->f_path.dentry->d_lock
      is not buying you anything.  Moreover, rdir->mutex is pointless for exactly
      the same reason - you'll never see contention on it.
      
      	While we are at it, there's no point in having rdir->buf a pointer -
      you have it point just past the end of rdir, so it might as well be a flex
      array (and no, it's not a gccism).
      
      	Absolutely untested patch follows:
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarEric Van Hensbergen <ericvh@gmail.com>
      7ffdea7e
  9. 21 Jan, 2013 1 commit
  10. 09 Oct, 2012 1 commit
    • Konstantin Khlebnikov's avatar
      mm: kill vma flag VM_CAN_NONLINEAR · 0b173bc4
      Konstantin Khlebnikov authored
      Move actual pte filling for non-linear file mappings into the new special
      vma operation: ->remap_pages().
      
      Filesystems must implement this method to get non-linear mapping support,
      if it uses filemap_fault() then generic_file_remap_pages() can be used.
      
      Now device drivers can implement this method and obtain nonlinear vma support.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Carsten Otte <cotte@de.ibm.com>
      Cc: Chris Metcalf <cmetcalf@tilera.com>	#arch/tile
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: Jason Baron <jbaron@redhat.com>
      Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Cc: Nick Piggin <npiggin@kernel.dk>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Robert Richter <robert.richter@amd.com>
      Cc: Suresh Siddha <suresh.b.siddha@intel.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Venkatesh Pallipadi <venki@google.com>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0b173bc4
  11. 03 Oct, 2012 1 commit
  12. 18 Sep, 2012 1 commit
    • Eric W. Biederman's avatar
      userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr · 5f3a4a28
      Eric W. Biederman authored
       - Pass the user namespace the uid and gid values in the xattr are stored
         in into posix_acl_from_xattr.
      
       - Pass the user namespace kuid and kgid values should be converted into
         when storing uid and gid values in an xattr in posix_acl_to_xattr.
      
      - Modify all callers of posix_acl_from_xattr and posix_acl_to_xattr to
        pass in &init_user_ns.
      
      In the short term this change is not strictly needed but it makes the
      code clearer.  In the longer term this change is necessary to be able to
      mount filesystems outside of the initial user namespace that natively
      store posix acls in the linux xattr format.
      
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andreas Dilger <adilger.kernel@dilger.ca>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      5f3a4a28
  13. 17 Sep, 2012 1 commit
  14. 06 Sep, 2012 1 commit
  15. 30 Jul, 2012 1 commit
  16. 14 Jul, 2012 6 commits