mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2026-05-22 02:27:36 +03:00
Fix ACL checks for NFS kernel server
This PR changes ZFS ACL checks to evaluate fsuid / fsgid rather than euid / egid to avoid accidentally granting elevated permissions to NFS clients. Reviewed-by: Serapheim Dimitropoulos <serapheim@delphix.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Co-authored-by: Andrew Walker <awalker@ixsystems.com> Signed-off-by: Ryan Moeller <freqlabs@FreeBSD.org> Closes #13221
This commit is contained in:
Ryan Moeller
+1
-1
@@ -35,7 +35,7 @@ CFLAGS+= -include ${INCDIR}/os/freebsd/spl/sys/ccompile.h
|
||||
|
||||
CFLAGS+= -D__KERNEL__ -DFREEBSD_NAMECACHE -DBUILDING_ZFS -D__BSD_VISIBLE=1 \
|
||||
-DHAVE_UIO_ZEROCOPY -DWITHOUT_NETDUMP -D__KERNEL -D_SYS_CONDVAR_H_ \
|
||||
-D_SYS_VMEM_H_ -DKDTRACE_HOOKS -DSMP -DHAVE_KSID -DCOMPAT_FREEBSD11
|
||||
-D_SYS_VMEM_H_ -DKDTRACE_HOOKS -DSMP -DCOMPAT_FREEBSD11
|
||||
|
||||
.if ${MACHINE_ARCH} == "amd64"
|
||||
CFLAGS+= -DHAVE_AVX2 -DHAVE_AVX -D__x86_64 -DHAVE_SSE2 -DHAVE_AVX512F -DHAVE_SSSE3
|
||||
|
||||
@@ -1653,8 +1653,10 @@ zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
|
||||
ZFS_GROUP, &acl_ids->z_fuidp);
|
||||
gid = vap->va_gid;
|
||||
} else {
|
||||
acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER,
|
||||
cr, &acl_ids->z_fuidp);
|
||||
uid_t id = crgetuid(cr);
|
||||
if (IS_EPHEMERAL(id))
|
||||
id = UID_NOBODY;
|
||||
acl_ids->z_fuid = (uint64_t)id;
|
||||
acl_ids->z_fgid = 0;
|
||||
if (vap->va_mask & AT_GID) {
|
||||
acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
|
||||
|
||||
@@ -1043,8 +1043,7 @@ zfs_create(znode_t *dzp, const char *name, vattr_t *vap, int excl, int mode,
|
||||
objset_t *os;
|
||||
dmu_tx_t *tx;
|
||||
int error;
|
||||
ksid_t *ksid;
|
||||
uid_t uid;
|
||||
uid_t uid = crgetuid(cr);
|
||||
gid_t gid = crgetgid(cr);
|
||||
uint64_t projid = ZFS_DEFAULT_PROJID;
|
||||
zfs_acl_ids_t acl_ids;
|
||||
@@ -1058,13 +1057,6 @@ zfs_create(znode_t *dzp, const char *name, vattr_t *vap, int excl, int mode,
|
||||
* If we have an ephemeral id, ACL, or XVATTR then
|
||||
* make sure file system is at proper version
|
||||
*/
|
||||
|
||||
ksid = crgetsid(cr, KSID_OWNER);
|
||||
if (ksid)
|
||||
uid = ksid_getid(ksid);
|
||||
else
|
||||
uid = crgetuid(cr);
|
||||
|
||||
if (zfsvfs->z_use_fuids == B_FALSE &&
|
||||
(vsecp || (vap->va_mask & AT_XVATTR) ||
|
||||
IS_EPHEMERAL(uid) || IS_EPHEMERAL(gid)))
|
||||
@@ -1396,8 +1388,7 @@ zfs_mkdir(znode_t *dzp, const char *dirname, vattr_t *vap, znode_t **zpp,
|
||||
uint64_t txtype;
|
||||
dmu_tx_t *tx;
|
||||
int error;
|
||||
ksid_t *ksid;
|
||||
uid_t uid;
|
||||
uid_t uid = crgetuid(cr);
|
||||
gid_t gid = crgetgid(cr);
|
||||
zfs_acl_ids_t acl_ids;
|
||||
boolean_t fuid_dirtied;
|
||||
@@ -1408,12 +1399,6 @@ zfs_mkdir(znode_t *dzp, const char *dirname, vattr_t *vap, znode_t **zpp,
|
||||
* If we have an ephemeral id, ACL, or XVATTR then
|
||||
* make sure file system is at proper version
|
||||
*/
|
||||
|
||||
ksid = crgetsid(cr, KSID_OWNER);
|
||||
if (ksid)
|
||||
uid = ksid_getid(ksid);
|
||||
else
|
||||
uid = crgetuid(cr);
|
||||
if (zfsvfs->z_use_fuids == B_FALSE &&
|
||||
((vap->va_mask & AT_XVATTR) ||
|
||||
IS_EPHEMERAL(uid) || IS_EPHEMERAL(gid)))
|
||||
|
||||
@@ -128,7 +128,7 @@ groupmember(gid_t gid, const cred_t *cr)
|
||||
uid_t
|
||||
crgetuid(const cred_t *cr)
|
||||
{
|
||||
return (KUID_TO_SUID(cr->euid));
|
||||
return (KUID_TO_SUID(cr->fsuid));
|
||||
}
|
||||
|
||||
/* Return the real user id */
|
||||
@@ -138,44 +138,9 @@ crgetruid(const cred_t *cr)
|
||||
return (KUID_TO_SUID(cr->uid));
|
||||
}
|
||||
|
||||
/* Return the saved user id */
|
||||
uid_t
|
||||
crgetsuid(const cred_t *cr)
|
||||
{
|
||||
return (KUID_TO_SUID(cr->suid));
|
||||
}
|
||||
|
||||
/* Return the filesystem user id */
|
||||
uid_t
|
||||
crgetfsuid(const cred_t *cr)
|
||||
{
|
||||
return (KUID_TO_SUID(cr->fsuid));
|
||||
}
|
||||
|
||||
/* Return the effective group id */
|
||||
gid_t
|
||||
crgetgid(const cred_t *cr)
|
||||
{
|
||||
return (KGID_TO_SGID(cr->egid));
|
||||
}
|
||||
|
||||
/* Return the real group id */
|
||||
gid_t
|
||||
crgetrgid(const cred_t *cr)
|
||||
{
|
||||
return (KGID_TO_SGID(cr->gid));
|
||||
}
|
||||
|
||||
/* Return the saved group id */
|
||||
gid_t
|
||||
crgetsgid(const cred_t *cr)
|
||||
{
|
||||
return (KGID_TO_SGID(cr->sgid));
|
||||
}
|
||||
|
||||
/* Return the filesystem group id */
|
||||
gid_t
|
||||
crgetfsgid(const cred_t *cr)
|
||||
{
|
||||
return (KGID_TO_SGID(cr->fsgid));
|
||||
}
|
||||
@@ -184,12 +149,7 @@ EXPORT_SYMBOL(crhold);
|
||||
EXPORT_SYMBOL(crfree);
|
||||
EXPORT_SYMBOL(crgetuid);
|
||||
EXPORT_SYMBOL(crgetruid);
|
||||
EXPORT_SYMBOL(crgetsuid);
|
||||
EXPORT_SYMBOL(crgetfsuid);
|
||||
EXPORT_SYMBOL(crgetgid);
|
||||
EXPORT_SYMBOL(crgetrgid);
|
||||
EXPORT_SYMBOL(crgetsgid);
|
||||
EXPORT_SYMBOL(crgetfsgid);
|
||||
EXPORT_SYMBOL(crgetngroups);
|
||||
EXPORT_SYMBOL(crgetgroups);
|
||||
EXPORT_SYMBOL(groupmember);
|
||||
|
||||
@@ -121,7 +121,7 @@ secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
|
||||
int
|
||||
secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
|
||||
{
|
||||
if (crgetfsuid(cr) == owner)
|
||||
if (crgetuid(cr) == owner)
|
||||
return (0);
|
||||
|
||||
if (zpl_inode_owner_or_capable(kcred->user_ns, ip))
|
||||
@@ -147,7 +147,7 @@ secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip, uid_t owner)
|
||||
int
|
||||
secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
|
||||
{
|
||||
if (crgetfsuid(cr) == owner)
|
||||
if (crgetuid(cr) == owner)
|
||||
return (0);
|
||||
|
||||
#if defined(CONFIG_USER_NS)
|
||||
@@ -184,7 +184,7 @@ secpolicy_vnode_remove(const cred_t *cr)
|
||||
int
|
||||
secpolicy_vnode_setdac(const cred_t *cr, uid_t owner)
|
||||
{
|
||||
if (crgetfsuid(cr) == owner)
|
||||
if (crgetuid(cr) == owner)
|
||||
return (0);
|
||||
|
||||
#if defined(CONFIG_USER_NS)
|
||||
@@ -220,7 +220,7 @@ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
|
||||
if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
|
||||
return (EPERM);
|
||||
#endif
|
||||
if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
|
||||
if (crgetgid(cr) != gid && !groupmember(gid, cr))
|
||||
return (priv_policy_user(cr, CAP_FSETID, EPERM));
|
||||
|
||||
return (0);
|
||||
@@ -286,7 +286,7 @@ secpolicy_setid_clear(vattr_t *vap, cred_t *cr)
|
||||
static int
|
||||
secpolicy_vnode_setid_modify(const cred_t *cr, uid_t owner)
|
||||
{
|
||||
if (crgetfsuid(cr) == owner)
|
||||
if (crgetuid(cr) == owner)
|
||||
return (0);
|
||||
|
||||
#if defined(CONFIG_USER_NS)
|
||||
|
||||
@@ -116,14 +116,14 @@ zpl_vap_init(vattr_t *vap, struct inode *dir, umode_t mode, cred_t *cr)
|
||||
{
|
||||
vap->va_mask = ATTR_MODE;
|
||||
vap->va_mode = mode;
|
||||
vap->va_uid = crgetfsuid(cr);
|
||||
vap->va_uid = crgetuid(cr);
|
||||
|
||||
if (dir && dir->i_mode & S_ISGID) {
|
||||
vap->va_gid = KGID_TO_SGID(dir->i_gid);
|
||||
if (S_ISDIR(mode))
|
||||
vap->va_mode |= S_ISGID;
|
||||
} else {
|
||||
vap->va_gid = crgetfsgid(cr);
|
||||
vap->va_gid = crgetgid(cr);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -492,8 +492,8 @@ zpl_xattr_set_dir(struct inode *ip, const char *name, const void *value,
|
||||
vap = kmem_zalloc(sizeof (vattr_t), KM_SLEEP);
|
||||
vap->va_mode = xattr_mode;
|
||||
vap->va_mask = ATTR_MODE;
|
||||
vap->va_uid = crgetfsuid(cr);
|
||||
vap->va_gid = crgetfsgid(cr);
|
||||
vap->va_uid = crgetuid(cr);
|
||||
vap->va_gid = crgetgid(cr);
|
||||
|
||||
error = -zfs_create(dxzp, (char *)name, vap, 0, 0644, &xzp,
|
||||
cr, 0, NULL);
|
||||
|
||||
Reference in New Issue
Block a user