LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Trond.Myklebust@netapp.com, chuck.lever@oracle.com,
	casey@schaufler-ca.com
Cc: nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, selinux@tycho.nsa.gov,
	linux-security-module@vger.kernel.org, dhowells@redhat.com
Subject: [PATCH 10/37] Security: Make NFSD work with detached security [ver #34]
Date: Fri, 29 Feb 2008 00:44:27 +0000	[thread overview]
Message-ID: <20080229004427.4142.82540.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20080229004332.4142.51771.stgit@warthog.procyon.org.uk>

Make NFSD work with detached security, using the patches that excise the
security information from task_struct to struct task_security as a base.

Each time NFSD wants a new security descriptor (to do NFS4 recovery or just to
do NFS operations), a task_security record is derived from NFSD's *objective*
security, modified and then applied as the *subjective* security.  This means
(a) the changes are not visible to anyone looking at NFSD through /proc, (b)
there is no leakage between two consecutive ops with different security
configurations.

Consideration should probably be given to caching the task_security record on
the basis that there'll probably be several ops that will want to use any
particular security configuration.

Furthermore, nfs4recover.c perhaps ought to set an appropriate LSM context on
the record pointed to by rec_security so that the disk is accessed
appropriately (see set_security_override[_from_ctx]()).

NOTE!  This patch must be rolled in to one of the earlier security patches to
make it compile fully.

Signed-off-by: David Howells <dhowells@redhat.com>
---

 fs/nfsd/auth.c        |   37 +++++++++++++++++++---------
 fs/nfsd/nfs4recover.c |   64 +++++++++++++++++++++++++++++++------------------
 2 files changed, 65 insertions(+), 36 deletions(-)


diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index 5586157..ebdc562 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -6,6 +6,7 @@
 
 #include <linux/types.h>
 #include <linux/sched.h>
+#include <linux/cred.h>
 #include <linux/sunrpc/svc.h>
 #include <linux/sunrpc/svcauth.h>
 #include <linux/nfsd/nfsd.h>
@@ -26,12 +27,17 @@ int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
 
 int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
 {
-	struct task_security *act_as = current->act_as;
+	struct task_security *sec, *old;
 	struct svc_cred	cred = rqstp->rq_cred;
 	int i;
 	int flags = nfsexp_flags(rqstp, exp);
 	int ret;
 
+	/* derive the new security record from nfsd's objective security */
+	sec = get_kernel_security(current);
+	if (!sec)
+		return -ENOMEM;
+
 	if (flags & NFSEXP_ALLSQUASH) {
 		cred.cr_uid = exp->ex_anon_uid;
 		cred.cr_gid = exp->ex_anon_gid;
@@ -55,26 +61,33 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
 		get_group_info(cred.cr_group_info);
 
 	if (cred.cr_uid != (uid_t) -1)
-		act_as->fsuid = cred.cr_uid;
+		sec->fsuid = cred.cr_uid;
 	else
-		act_as->fsuid = exp->ex_anon_uid;
+		sec->fsuid = exp->ex_anon_uid;
 	if (cred.cr_gid != (gid_t) -1)
-		act_as->fsgid = cred.cr_gid;
+		sec->fsgid = cred.cr_gid;
 	else
-		act_as->fsgid = exp->ex_anon_gid;
+		sec->fsgid = exp->ex_anon_gid;
 
-	if (!cred.cr_group_info)
+	if (!cred.cr_group_info) {
+		put_task_security(sec);
 		return -ENOMEM;
-	ret = set_groups(act_as, cred.cr_group_info);
+	}
+	ret = set_groups(sec, cred.cr_group_info);
 	put_group_info(cred.cr_group_info);
 	if ((cred.cr_uid)) {
-		act_as->cap_effective =
-			cap_drop_nfsd_set(act_as->cap_effective);
+		sec->cap_effective =
+			cap_drop_nfsd_set(sec->cap_effective);
 	} else {
-		act_as->cap_effective =
-			cap_raise_nfsd_set(act_as->cap_effective,
-					   act_as->cap_permitted);
+		sec->cap_effective =
+			cap_raise_nfsd_set(sec->cap_effective,
+					   sec->cap_permitted);
 	}
+
+	/* set the new security as nfsd's subjective security */
+	old = current->act_as;
+	current->act_as = sec;
+	put_task_security(old);
 	return ret;
 }
 
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index afddc9b..c86aa92 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -46,27 +46,37 @@
 #include <linux/scatterlist.h>
 #include <linux/crypto.h>
 #include <linux/sched.h>
+#include <linux/cred.h>
 
 #define NFSDDBG_FACILITY                NFSDDBG_PROC
 
 /* Globals */
 static struct nameidata rec_dir;
 static int rec_dir_init = 0;
+static struct task_security *rec_security;
 
+/*
+ * switch the special recovery access security in on the current task's
+ * subjective security
+ */
 static void
-nfs4_save_user(uid_t *saveuid, gid_t *savegid)
+nfs4_begin_secure(struct task_security **saved_sec)
 {
-	*saveuid = current->act_as->fsuid;
-	*savegid = current->act_as->fsgid;
-	current->act_as->fsuid = 0;
-	current->act_as->fsgid = 0;
+	*saved_sec = current->act_as;
+	current->act_as = get_task_security(rec_security);
 }
 
+/*
+ * return the current task's subjective security to its former glory
+ */
 static void
-nfs4_reset_user(uid_t saveuid, gid_t savegid)
+nfs4_end_secure(struct task_security *saved_sec)
 {
-	current->act_as->fsuid = saveuid;
-	current->act_as->fsgid = savegid;
+	struct task_security *discard;
+
+	discard = current->act_as;
+	current->act_as = saved_sec;
+	put_task_security(discard);
 }
 
 static void
@@ -128,10 +138,9 @@ nfsd4_sync_rec_dir(void)
 int
 nfsd4_create_clid_dir(struct nfs4_client *clp)
 {
+	struct task_security *saved_sec;
 	char *dname = clp->cl_recdir;
 	struct dentry *dentry;
-	uid_t uid;
-	gid_t gid;
 	int status;
 
 	dprintk("NFSD: nfsd4_create_clid_dir for \"%s\"\n", dname);
@@ -139,7 +148,7 @@ nfsd4_create_clid_dir(struct nfs4_client *clp)
 	if (!rec_dir_init || clp->cl_firststate)
 		return 0;
 
-	nfs4_save_user(&uid, &gid);
+	nfs4_begin_secure(&saved_sec);
 
 	/* lock the parent */
 	mutex_lock(&rec_dir.path.dentry->d_inode->i_mutex);
@@ -163,7 +172,7 @@ out_unlock:
 		clp->cl_firststate = 1;
 		nfsd4_sync_rec_dir();
 	}
-	nfs4_reset_user(uid, gid);
+	nfs4_end_secure(saved_sec);
 	dprintk("NFSD: nfsd4_create_clid_dir returns %d\n", status);
 	return status;
 }
@@ -206,20 +215,19 @@ nfsd4_build_dentrylist(void *arg, const char *name, int namlen,
 static int
 nfsd4_list_rec_dir(struct dentry *dir, recdir_func *f)
 {
+	struct task_security *saved_sec;
 	struct file *filp;
 	struct dentry_list_arg dla = {
 		.parent = dir,
 	};
 	struct list_head *dentries = &dla.dentries;
 	struct dentry_list *child;
-	uid_t uid;
-	gid_t gid;
 	int status;
 
 	if (!rec_dir_init)
 		return 0;
 
-	nfs4_save_user(&uid, &gid);
+	nfs4_begin_secure(&saved_sec);
 
 	filp = dentry_open(dget(dir), mntget(rec_dir.path.mnt), O_RDONLY);
 	status = PTR_ERR(filp);
@@ -244,7 +252,7 @@ out:
 		dput(child->dentry);
 		kfree(child);
 	}
-	nfs4_reset_user(uid, gid);
+	nfs4_end_secure(saved_sec);
 	return status;
 }
 
@@ -306,17 +314,16 @@ out:
 void
 nfsd4_remove_clid_dir(struct nfs4_client *clp)
 {
-	uid_t uid;
-	gid_t gid;
+	struct task_security *saved_sec;
 	int status;
 
 	if (!rec_dir_init || !clp->cl_firststate)
 		return;
 
 	clp->cl_firststate = 0;
-	nfs4_save_user(&uid, &gid);
+	nfs4_begin_secure(&saved_sec);
 	status = nfsd4_unlink_clid_dir(clp->cl_recdir, HEXDIR_LEN-1);
-	nfs4_reset_user(uid, gid);
+	nfs4_end_secure(saved_sec);
 	if (status == 0)
 		nfsd4_sync_rec_dir();
 	if (status)
@@ -387,8 +394,7 @@ nfsd4_recdir_load(void) {
 void
 nfsd4_init_recdir(char *rec_dirname)
 {
-	uid_t			uid = 0;
-	gid_t			gid = 0;
+	struct task_security	*saved_sec;
 	int 			status;
 
 	printk("NFSD: Using %s as the NFSv4 state recovery directory\n",
@@ -396,7 +402,15 @@ nfsd4_init_recdir(char *rec_dirname)
 
 	BUG_ON(rec_dir_init);
 
-	nfs4_save_user(&uid, &gid);
+	/* derive the security record from this task's objective security */
+	rec_security = get_kernel_security(current);
+	if (!rec_security) {
+		printk("NFSD:"
+		       " unable to allocate recovery directory security\n");
+		return;
+	}
+
+	nfs4_begin_secure(&saved_sec);
 
 	status = path_lookup(rec_dirname, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
 			&rec_dir);
@@ -406,7 +420,8 @@ nfsd4_init_recdir(char *rec_dirname)
 
 	if (!status)
 		rec_dir_init = 1;
-	nfs4_reset_user(uid, gid);
+
+	nfs4_end_secure(saved_sec);
 }
 
 void
@@ -416,4 +431,5 @@ nfsd4_shutdown_recdir(void)
 		return;
 	rec_dir_init = 0;
 	path_put(&rec_dir.path);
+	put_task_security(rec_security);
 }


  parent reply	other threads:[~2008-02-29  0:50 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-29  0:43 [PATCH 00/37] Permit filesystem local caching " David Howells
2008-02-29  0:43 ` [PATCH 01/37] KEYS: Increase the payload size when instantiating a key " David Howells
2008-02-29  0:43 ` [PATCH 02/37] KEYS: Check starting keyring as part of search " David Howells
2008-02-29  0:43 ` [PATCH 03/37] KEYS: Allow the callout data to be passed as a blob rather than a string " David Howells
2008-02-29  0:43 ` [PATCH 04/37] KEYS: Add keyctl function to get a security label " David Howells
2008-02-29  0:44 ` [PATCH 05/37] Security: Change current->fs[ug]id to current_fs[ug]id() " David Howells
2008-02-29  0:44 ` [PATCH 06/37] Security: Separate task security context from task_struct " David Howells
2008-02-29  0:44 ` [PATCH 07/37] Security: De-embed task security record from task and use refcounting " David Howells
2008-02-29  0:44 ` [PATCH 08/37] Security: Add a kernel_service object class to SELinux " David Howells
2008-02-29  0:44 ` [PATCH 09/37] Security: Allow kernel services to override LSM settings for task actions " David Howells
2008-02-29  0:44 ` David Howells [this message]
2008-02-29  0:44 ` [PATCH 11/37] FS-Cache: Release page->private after failed readahead " David Howells
2008-02-29  0:44 ` [PATCH 12/37] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2008-02-29  0:44 ` [PATCH 13/37] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2008-02-29  0:44 ` [PATCH 14/37] FS-Cache: Generic filesystem caching facility " David Howells
2008-02-29  0:44 ` [PATCH 15/37] CacheFiles: Add missing copy_page export for ia64 " David Howells
2008-02-29  0:44 ` [PATCH 16/37] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 " David Howells
2008-02-29  0:45 ` [PATCH 17/37] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2008-02-29  0:45 ` [PATCH 18/37] CacheFiles: Permit the page lock state to be monitored " David Howells
2008-02-29  0:45 ` [PATCH 19/37] CacheFiles: Export things for CacheFiles " David Howells
2008-02-29  0:45 ` [PATCH 20/37] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2008-02-29  0:45 ` [PATCH 21/37] NFS: Add comment banners to some NFS functions " David Howells
2008-02-29  0:45 ` [PATCH 22/37] NFS: Add FS-Cache option bit and debug bit " David Howells
2008-02-29  0:45 ` [PATCH 23/37] NFS: Permit local filesystem caching to be enabled for NFS " David Howells
2008-02-29  0:45 ` [PATCH 24/37] NFS: Register NFS for caching and retrieve the top-level index " David Howells
2008-02-29  0:45 ` [PATCH 25/37] NFS: Define and create server-level objects " David Howells
2008-02-29  0:45 ` [PATCH 26/37] NFS: Define and create superblock-level " David Howells
2008-02-29  0:45 ` [PATCH 27/37] NFS: Define and create inode-level cache " David Howells
2008-02-29  0:46 ` [PATCH 28/37] NFS: Use local disk inode cache " David Howells
2008-02-29  0:46 ` [PATCH 29/37] NFS: Invalidate FsCache page flags when cache removed " David Howells
2008-02-29  0:46 ` [PATCH 30/37] NFS: Add some new I/O event counters for FS-Cache events " David Howells
2008-02-29  0:46 ` [PATCH 31/37] NFS: FS-Cache page management " David Howells
2008-02-29  0:46 ` [PATCH 32/37] NFS: Add read context retention for FS-Cache to call back with " David Howells
2008-02-29  0:46 ` [PATCH 33/37] NFS: nfs_readpage_async() needs to be accessible as a fallback for local caching " David Howells
2008-02-29  0:46 ` [PATCH 34/37] NFS: Read pages from FS-Cache into an NFS inode " David Howells
2008-02-29  0:46 ` [PATCH 35/37] NFS: Store pages from an NFS inode into a local cache " David Howells
2008-02-29  0:46 ` [PATCH 36/37] NFS: Display local caching state " David Howells
2008-02-29  0:46 ` [PATCH 37/37] NFS: Add mount options to enable local caching on NFS " David Howells
2008-03-19 17:12 ` Performance degradation measurement [was Re: [PATCH 06/37] Security: Separate task security context from task_struct [ver #34]] David Howells
2008-03-23  5:17   ` Valdis.Kletnieks
2008-03-23 12:40   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080229004427.4142.82540.stgit@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=Trond.Myklebust@netapp.com \
    --cc=casey@schaufler-ca.com \
    --cc=chuck.lever@oracle.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nfsv4@linux-nfs.org \
    --cc=selinux@tycho.nsa.gov \
    --subject='Re: [PATCH 10/37] Security: Make NFSD work with detached security [ver #34]' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).