rpms / kernel

Clone
Source Code
GIT

Blame fs-call-security_d_instantiate-in-d_obtain_alias.patch

26 Label_NFS f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main oneoffs private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 private-nhorman-sgx-v15 rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   7cfb2e418c06ab0433b31bbe2dde851b741ab9db
  2.   fs-call-security_d_instantiate-in-d_obtain_alias.patch
Blob History Raw
Kyle McMartin bb75611 
From linux-fsdevel-owner@vger.kernel.org Thu Nov 18 21:03:11 2010
Kyle McMartin bb75611 
From:	Josef Bacik <josef@redhat.com>
Kyle McMartin bb75611 
To:	linux-fsdevel@vger.kernel.org, eparis@redhat.com,
Kyle McMartin bb75611 
	linux-kernel@vger.kernel.org, sds@tycho.nsa.gov,
Kyle McMartin bb75611 
	selinux@tycho.nsa.gov, bfields@fieldses.org
Kyle McMartin bb75611 
Subject: [PATCH] fs: call security_d_instantiate in d_obtain_alias V2
Kyle McMartin bb75611 
Date:	Thu, 18 Nov 2010 20:52:55 -0500
Kyle McMartin bb75611 
Message-Id: <1290131575-2489-1-git-send-email-josef@redhat.com>
Kyle McMartin bb75611 
X-Mailing-List:	linux-fsdevel@vger.kernel.org
Kyle McMartin bb75611
Kyle McMartin bb75611 
While trying to track down some NFS problems with BTRFS, I kept noticing I was
Kyle McMartin bb75611 
getting -EACCESS for no apparent reason.  Eric Paris and printk() helped me
Kyle McMartin bb75611 
figure out that it was SELinux that was giving me grief, with the following
Kyle McMartin bb75611 
denial
Kyle McMartin bb75611
Kyle McMartin bb75611 
type=AVC msg=audit(1290013638.413:95): avc:  denied  { 0x800000 } for  pid=1772
Kyle McMartin bb75611 
comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
Kyle McMartin bb75611 
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Kyle McMartin bb75611
Kyle McMartin bb75611 
Turns out this is because in d_obtain_alias if we can't find an alias we create
Kyle McMartin bb75611 
one and do all the normal instantiation stuff, but we don't do the
Kyle McMartin bb75611 
security_d_instantiate.
Kyle McMartin bb75611
Kyle McMartin bb75611 
Usually we are protected from getting a hashed dentry that hasn't yet run
Kyle McMartin bb75611 
security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
Kyle McMartin bb75611 
option there, so in order to deal with the case that a second thread comes in
Kyle McMartin bb75611 
and finds our new dentry before we get to run security_d_instantiate(), we go
Kyle McMartin bb75611 
ahead and call it if we find a dentry already.  Eric assures me that this is ok
Kyle McMartin bb75611 
as the code checks to see if the dentry has been initialized already so calling
Kyle McMartin bb75611 
security_d_instantiate() against the same dentry multiple times is ok.  With
Kyle McMartin bb75611 
this patch I'm no longer getting errant -EACCESS values.
Kyle McMartin bb75611
Kyle McMartin bb75611 
Signed-off-by: Josef Bacik <josef@redhat.com>
Kyle McMartin bb75611 
---
Kyle McMartin bb75611 
V1->V2:
Kyle McMartin bb75611 
-added second security_d_instantiate() call
Kyle McMartin bb75611
Kyle McMartin bb75611 
 fs/dcache.c |    3 +++
Kyle McMartin bb75611 
 1 files changed, 3 insertions(+), 0 deletions(-)
Kyle McMartin bb75611
Kyle McMartin bb75611 
diff --git a/fs/dcache.c b/fs/dcache.c
Kyle McMartin 4f86024 
index 5699d4c..85388fc 100644
Kyle McMartin bb75611 
--- a/fs/dcache.c
Kyle McMartin bb75611 
+++ b/fs/dcache.c
Kyle McMartin 4f86024 
@@ -1577,9 +1577,13 @@ struct dentry *d_obtain_alias(struct inode *inode)
Kyle McMartin bb75611 
 	spin_unlock(&tmp->d_lock);
Kyle McMartin 4f86024 
 	spin_unlock(&inode->i_lock);
Kyle McMartin bb75611
Kyle McMartin bb75611 
+	security_d_instantiate(tmp, inode);
Kyle McMartin 4f86024 
+
Kyle McMartin bb75611 
 	return tmp;
Kyle McMartin bb75611
Kyle McMartin bb75611 
  out_iput:
Kyle McMartin bb75611 
+	if (res && !IS_ERR(res))
Kyle McMartin bb75611 
+		security_d_instantiate(res, inode);
Kyle McMartin bb75611 
 	iput(inode);
Kyle McMartin bb75611 
 	return res;
Kyle McMartin bb75611 
 }
Kyle McMartin bb75611
Kyle McMartin bb75611 
--
Kyle McMartin bb75611 
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
Kyle McMartin bb75611 
the body of a message to majordomo@vger.kernel.org
Kyle McMartin bb75611 
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Kyle McMartin bb75611
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.