mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-12-25 18:59:33 +03:00
Linux 4.10 compat: has_capability()
Stock kernels older than 4.10 do not export the has_capability()
function which is required by commit e59a377
. To avoid breaking
the build on older kernels revert to the safe legacy behavior and
return EACCES when privileges cannot be checked.
Reviewed-by: Ryan Moeller <ryan@ixsystems.com>
Reviewed-by: Matt Ahrens <matt@delphix.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #10565
Closes #10573
This commit is contained in:
parent
8fbf432ae2
commit
e862b7ecfc
@ -19,6 +19,33 @@ AC_DEFUN([ZFS_AC_KERNEL_NS_CAPABLE], [
|
|||||||
])
|
])
|
||||||
])
|
])
|
||||||
|
|
||||||
|
dnl #
|
||||||
|
dnl # 4.10 API change
|
||||||
|
dnl # has_capability() was exported.
|
||||||
|
dnl #
|
||||||
|
AC_DEFUN([ZFS_AC_KERNEL_SRC_HAS_CAPABILITY], [
|
||||||
|
ZFS_LINUX_TEST_SRC([has_capability], [
|
||||||
|
#include <linux/capability.h>
|
||||||
|
],[
|
||||||
|
struct task_struct *task = NULL;
|
||||||
|
int cap = 0;
|
||||||
|
bool result __attribute__ ((unused));
|
||||||
|
|
||||||
|
result = has_capability(task, cap);
|
||||||
|
])
|
||||||
|
])
|
||||||
|
|
||||||
|
AC_DEFUN([ZFS_AC_KERNEL_HAS_CAPABILITY], [
|
||||||
|
AC_MSG_CHECKING([whether has_capability() is available])
|
||||||
|
ZFS_LINUX_TEST_RESULT_SYMBOL([has_capability],
|
||||||
|
[has_capability], [kernel/capability.c], [
|
||||||
|
AC_MSG_RESULT(yes)
|
||||||
|
AC_DEFINE(HAVE_HAS_CAPABILITY, 1, [has_capability() is available])
|
||||||
|
],[
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
])
|
||||||
|
])
|
||||||
|
|
||||||
dnl #
|
dnl #
|
||||||
dnl # 2.6.39 API change
|
dnl # 2.6.39 API change
|
||||||
dnl # struct user_namespace was added to struct cred_t as cred->user_ns member
|
dnl # struct user_namespace was added to struct cred_t as cred->user_ns member
|
||||||
@ -66,12 +93,14 @@ AC_DEFUN([ZFS_AC_KERNEL_KUID_HAS_MAPPING], [
|
|||||||
|
|
||||||
AC_DEFUN([ZFS_AC_KERNEL_SRC_USERNS_CAPABILITIES], [
|
AC_DEFUN([ZFS_AC_KERNEL_SRC_USERNS_CAPABILITIES], [
|
||||||
ZFS_AC_KERNEL_SRC_NS_CAPABLE
|
ZFS_AC_KERNEL_SRC_NS_CAPABLE
|
||||||
|
ZFS_AC_KERNEL_SRC_HAS_CAPABILITY
|
||||||
ZFS_AC_KERNEL_SRC_CRED_USER_NS
|
ZFS_AC_KERNEL_SRC_CRED_USER_NS
|
||||||
ZFS_AC_KERNEL_SRC_KUID_HAS_MAPPING
|
ZFS_AC_KERNEL_SRC_KUID_HAS_MAPPING
|
||||||
])
|
])
|
||||||
|
|
||||||
AC_DEFUN([ZFS_AC_KERNEL_USERNS_CAPABILITIES], [
|
AC_DEFUN([ZFS_AC_KERNEL_USERNS_CAPABILITIES], [
|
||||||
ZFS_AC_KERNEL_NS_CAPABLE
|
ZFS_AC_KERNEL_NS_CAPABLE
|
||||||
|
ZFS_AC_KERNEL_HAS_CAPABILITY
|
||||||
ZFS_AC_KERNEL_CRED_USER_NS
|
ZFS_AC_KERNEL_CRED_USER_NS
|
||||||
ZFS_AC_KERNEL_KUID_HAS_MAPPING
|
ZFS_AC_KERNEL_KUID_HAS_MAPPING
|
||||||
])
|
])
|
||||||
|
@ -249,13 +249,22 @@ secpolicy_zfs(const cred_t *cr)
|
|||||||
* Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
|
* Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
|
||||||
* the current process. Takes both cred_t and proc_t so that this can work
|
* the current process. Takes both cred_t and proc_t so that this can work
|
||||||
* easily on all platforms.
|
* easily on all platforms.
|
||||||
|
*
|
||||||
|
* The has_capability() function was first exported in the 4.10 Linux kernel
|
||||||
|
* then backported to some LTS kernels. Prior to this change there was no
|
||||||
|
* mechanism to perform this check therefore EACCES is returned when the
|
||||||
|
* functionality is not present in the kernel.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
|
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
|
||||||
{
|
{
|
||||||
|
#if defined(HAVE_HAS_CAPABILITY)
|
||||||
if (!has_capability(proc, CAP_SYS_ADMIN))
|
if (!has_capability(proc, CAP_SYS_ADMIN))
|
||||||
return (EACCES);
|
return (EACCES);
|
||||||
return (0);
|
return (0);
|
||||||
|
#else
|
||||||
|
return (EACCES);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
@ -263,6 +263,8 @@ elif sys.platform.startswith('linux'):
|
|||||||
'cli_root/zpool_expand/zpool_expand_001_pos': ['FAIL', known_reason],
|
'cli_root/zpool_expand/zpool_expand_001_pos': ['FAIL', known_reason],
|
||||||
'cli_root/zpool_expand/zpool_expand_005_pos': ['FAIL', known_reason],
|
'cli_root/zpool_expand/zpool_expand_005_pos': ['FAIL', known_reason],
|
||||||
'cli_root/zpool_reopen/zpool_reopen_003_pos': ['FAIL', known_reason],
|
'cli_root/zpool_reopen/zpool_reopen_003_pos': ['FAIL', known_reason],
|
||||||
|
'limits/filesystem_limit': ['SKIP', known_reason],
|
||||||
|
'limits/snapshot_limit': ['SKIP', known_reason],
|
||||||
'refreserv/refreserv_raidz': ['FAIL', known_reason],
|
'refreserv/refreserv_raidz': ['FAIL', known_reason],
|
||||||
'rsend/rsend_007_pos': ['FAIL', known_reason],
|
'rsend/rsend_007_pos': ['FAIL', known_reason],
|
||||||
'rsend/rsend_010_pos': ['FAIL', known_reason],
|
'rsend/rsend_010_pos': ['FAIL', known_reason],
|
||||||
|
@ -30,6 +30,18 @@
|
|||||||
|
|
||||||
verify_runnable "both"
|
verify_runnable "both"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The has_capability() function was first exported in the 4.10 Linux kernel
|
||||||
|
# then backported to some LTS kernels. Prior to this change there was no
|
||||||
|
# mechanism to perform the needed permission check. Therefore, this test
|
||||||
|
# is expected to fail on older kernels and is skipped.
|
||||||
|
#
|
||||||
|
if is_linux; then
|
||||||
|
if [[ $(linux_version) -lt $(linux_version "4.10") ]]; then
|
||||||
|
log_unsupported "Requires has_capability() kernel function"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
function setup
|
function setup
|
||||||
{
|
{
|
||||||
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
||||||
|
@ -31,6 +31,18 @@
|
|||||||
|
|
||||||
verify_runnable "both"
|
verify_runnable "both"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The has_capability() function was first exported in the 4.10 Linux kernel
|
||||||
|
# then backported to some LTS kernels. Prior to this change there was no
|
||||||
|
# mechanism to perform the needed permission check. Therefore, this test
|
||||||
|
# is expected to fail on older kernels and is skipped.
|
||||||
|
#
|
||||||
|
if is_linux; then
|
||||||
|
if [[ $(linux_version) -lt $(linux_version "4.10") ]]; then
|
||||||
|
log_unsupported "Requires has_capability() kernel function"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
function setup
|
function setup
|
||||||
{
|
{
|
||||||
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
||||||
|
Loading…
Reference in New Issue
Block a user