Kyle McMartin 5bd23aa
From linux-fsdevel-owner@vger.kernel.org Thu Nov 18 21:03:11 2010
From:	Josef Bacik <josef@redhat.com>
To:	linux-fsdevel@vger.kernel.org, eparis@redhat.com,
	linux-kernel@vger.kernel.org, sds@tycho.nsa.gov,
	selinux@tycho.nsa.gov, bfields@fieldses.org
Subject: [PATCH] fs: call security_d_instantiate in d_obtain_alias V2
Date:	Thu, 18 Nov 2010 20:52:55 -0500
Message-Id: <1290131575-2489-1-git-send-email-josef@redhat.com>
X-Mailing-List:	linux-fsdevel@vger.kernel.org

While trying to track down some NFS problems with BTRFS, I kept noticing I was
getting -EACCESS for no apparent reason.  Eric Paris and printk() helped me
figure out that it was SELinux that was giving me grief, with the following
denial

type=AVC msg=audit(1290013638.413:95): avc:  denied  { 0x800000 } for  pid=1772
comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Turns out this is because in d_obtain_alias if we can't find an alias we create
one and do all the normal instantiation stuff, but we don't do the
security_d_instantiate.

Usually we are protected from getting a hashed dentry that hasn't yet run
security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
option there, so in order to deal with the case that a second thread comes in
and finds our new dentry before we get to run security_d_instantiate(), we go
ahead and call it if we find a dentry already.  Eric assures me that this is ok
as the code checks to see if the dentry has been initialized already so calling
security_d_instantiate() against the same dentry multiple times is ok.  With
this patch I'm no longer getting errant -EACCESS values.

Signed-off-by: Josef Bacik <josef@redhat.com>
---
V1->V2:
-added second security_d_instantiate() call

 fs/dcache.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index 23702a9..119d489 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1201,9 +1201,12 @@ struct dentry *d_obtain_alias(struct inode *inode)
 	spin_unlock(&tmp->d_lock);
 
 	spin_unlock(&dcache_lock);
+	security_d_instantiate(tmp, inode);
 	return tmp;
 
  out_iput:
+	if (res && !IS_ERR(res))
+		security_d_instantiate(res, inode);
 	iput(inode);
 	return res;
 }
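Review bot: the call added under out_iput: has no comment saying why a dentry that was found rather than created gets security_d_instantiate() again, and the reason is only in the commit message: a second thread can find the new dentry after spin_unlock(&dcache_lock) and before security_d_instantiate(tmp, inode) has run in the creating thread. A short comment above `if (res && !IS_ERR(res))` stating that window, and that the call depends on security_d_instantiate() being safe to repeat on the same dentry, would stop a later cleanup from dropping it as redundant. Since the first call sits after both unlocks, it would also help to note there that the ordering is deliberate and that the out_iput: call is what covers a lookup that wins the race.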
-- 
1.6.6.1