mirror_zfs/include/sys/zcp.h
Rob Norris c8fa39b46c
cred: properly pass and test creds on other threads (#17273)
### Background

Various admin operations will be invoked by some userspace task, but the
work will be done on a separate kernel thread at a later time. Snapshots
are an example, which are triggered through zfs_ioc_snapshot() ->
dsl_dataset_snapshot(), but the actual work is from a task dispatched to
dp_sync_taskq.

Many such tasks end up in dsl_enforce_ds_ss_limits(), where various
limits and permissions are enforced. Among other things, it is necessary
to ensure that the invoking task (that is, the user) has permission to
do things. We can't simply check if the running task has permission; it
is a privileged kernel thread, which can do anything.

However, in the general case it's not safe to simply query the task for
its permissions at the check time, as the task may not exist any more,
or its permissions may have changed since it was first invoked. So
instead, we capture the permissions by saving CRED() in the user task,
and then using it for the check through the secpolicy_* functions.

### Current implementation

The current code calls CRED() to get the credential, which gets a
pointer to the cred_t inside the current task and passes it to the
worker task. However, it doesn't take a reference to the cred_t, and so
expects that it won't change, and that the task continues to exist. In
practice that is always the case, because we don't let the calling task
return from the kernel until the work is done.

For Linux, we also take a reference to the current task, because the
Linux credential APIs for the most part do not check an arbitrary
credential, but rather, query what a task can do. See
secpolicy_zfs_proc(). Again, we don't take a reference on the task, just
a pointer to it.

### Changes

We change to calling crhold() on the task credential, and crfree() when
we're done with it. This ensures it stays alive and unchanged for the
duration of the call.

On the Linux side, we change the main policy checking function
priv_policy_ns() to use override_creds()/revert_creds() if necessary to
make the provided credential active in the current task, allowing the
standard task-permission APIs to do the needed check. Since the task
pointer is no longer required, this lets us entirely remove
secpolicy_zfs_proc() and the need to carry a task pointer around as
well.

Sponsored-by: https://despairlabs.com/sponsor/

Signed-off-by: Rob Norris <robn@despairlabs.com>
Reviewed-by: Pavel Snajdr <snajpa@snajpa.net>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
2025-04-29 16:27:48 -07:00


// SPDX-License-Identifier: CDDL-1.0
/*
* CDDL HEADER START
*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2016, 2018 by Delphix. All rights reserved.
*/
#ifndef _SYS_ZCP_H
#define _SYS_ZCP_H
#include <sys/dmu_tx.h>
#include <sys/dsl_pool.h>
#include <sys/lua/lua.h>
#include <sys/lua/lualib.h>
#include <sys/lua/lauxlib.h>
#ifdef __cplusplus
extern "C" {
#endif
/* Registry key under which a channel program's zcp_run_info_t is stored. */
#define ZCP_RUN_INFO_KEY "runinfo"

/*
 * Global caps on channel programs, defined in the implementation.
 * NOTE(review): presumably the upper bounds for the per-program instruction
 * and memory limits handed to zcp_eval() — confirm against the definitions.
 */
extern uint64_t zfs_lua_max_instrlimit;
extern uint64_t zfs_lua_max_memlimit;

/*
 * Raise an argument error from a channel program callback. The int is
 * presumably the offending argument index; the remaining arguments are a
 * printf-style message.
 */
int zcp_argerror(lua_State *, int, const char *, ...);

/*
 * Run a channel program. Returns an errno value (see zri_result). The two
 * uint64_t arguments are presumably the instruction and memory limits, and
 * the nvpair_t/nvlist_t pair the program arguments and output list — confirm
 * against the callers.
 */
int zcp_eval(const char *, const char *, boolean_t, uint64_t, uint64_t,
    nvpair_t *, nvlist_t *);

/*
 * Register the "list" and "synctask" Lua libraries into a Lua state. The
 * boolean_t for the synctask library is presumably whether the program is
 * running in syncing context (cf. zri_sync) — confirm.
 */
int zcp_load_list_lib(lua_State *);
int zcp_load_synctask_lib(lua_State *, boolean_t);
/* Callback invoked with zch_cleanup_arg when a cleanup handler fires. */
typedef void (zcp_cleanup_t)(void *);

/*
 * One registered cleanup handler (see zcp_register_cleanup() and
 * zcp_deregister_cleanup()). Handlers run in the event of a fatal error;
 * presumably linked into zri_cleanup_handlers through zch_node.
 */
typedef struct zcp_cleanup_handler {
	zcp_cleanup_t *zch_cleanup_func;	/* function to run on cleanup */
	void *zch_cleanup_arg;			/* argument passed to the function */
	list_node_t zch_node;			/* list linkage */
} zcp_cleanup_handler_t;
/*
 * Arguments for the Lua memory allocator of a channel program
 * (referenced from zcp_run_info_t.zri_allocargs).
 */
typedef struct zcp_alloc_arg {
	/*
	 * NOTE(review): presumably set when allocation failure is not
	 * tolerated (e.g. while setting up the Lua state) — confirm.
	 */
	boolean_t aa_must_succeed;
	/* Remaining and total allocation budget; units presumably bytes. */
	int64_t aa_alloc_remaining;
	int64_t aa_alloc_limit;
} zcp_alloc_arg_t;
/*
 * Per-invocation state of a running channel program. Looked up from the
 * Lua state via zcp_run_info() (stored under ZCP_RUN_INFO_KEY).
 */
typedef struct zcp_run_info {
	/* The pool the channel program operates on. */
	dsl_pool_t *zri_pool;

	/*
	 * An estimate of the total amount of space consumed by all
	 * synctasks we have successfully performed so far in this
	 * channel program. Used to generate ENOSPC errors for syncfuncs.
	 */
	int zri_space_used;

	/*
	 * The credentials of the thread which originally invoked the channel
	 * program. Since channel programs are always invoked from the synctask
	 * thread they should always do permissions checks against this cred
	 * rather than the 'current' thread's.
	 *
	 * NOTE(review): the commit that introduced this revision takes a
	 * crhold() reference on the invoking cred and releases it with
	 * crfree(); the code that stores the pointer here should own that
	 * reference for the whole run — confirm in zcp_eval().
	 */
	cred_t *zri_cred;

	/*
	 * The tx in which this channel program is running.
	 */
	dmu_tx_t *zri_tx;

	/*
	 * The maximum number of Lua instructions the channel program is allowed
	 * to execute. If it takes longer than this it will time out. A value
	 * of 0 indicates no instruction limit.
	 */
	uint64_t zri_maxinstrs;

	/*
	 * The number of Lua instructions the channel program has executed.
	 */
	uint64_t zri_curinstrs;

	/*
	 * Boolean indicating whether or not the channel program exited
	 * because it timed out.
	 */
	boolean_t zri_timed_out;

	/*
	 * Channel program was canceled by user.
	 */
	boolean_t zri_canceled;

	/*
	 * Boolean indicating whether or not we are running in syncing
	 * context.
	 */
	boolean_t zri_sync;

	/*
	 * List of currently registered cleanup handlers, which will be
	 * triggered in the event of a fatal error.
	 */
	list_t zri_cleanup_handlers;

	/*
	 * The Lua state context of our channel program.
	 */
	lua_State *zri_state;

	/*
	 * Lua memory allocator arguments.
	 */
	zcp_alloc_arg_t *zri_allocargs;

	/*
	 * Contains output values from zcp script or error string.
	 */
	nvlist_t *zri_outnvl;

	/*
	 * The keys of this nvlist are datasets which may be zvols and may need
	 * to have device minor nodes created. This information is passed from
	 * syncing context (where the zvol is created) to open context (where we
	 * create the minor nodes).
	 */
	nvlist_t *zri_new_zvols;

	/*
	 * The errno number returned to caller of zcp_eval().
	 */
	int zri_result;
} zcp_run_info_t;
/* Fetch the zcp_run_info_t associated with a channel program's Lua state. */
zcp_run_info_t *zcp_run_info(lua_State *);

/*
 * Register a cleanup handler (function + argument) for the running program
 * and return its handle; zcp_deregister_cleanup() removes it again.
 * zcp_cleanup() presumably runs every handler still registered — confirm.
 */
zcp_cleanup_handler_t *zcp_register_cleanup(lua_State *, zcp_cleanup_t, void *);
void zcp_deregister_cleanup(lua_State *, zcp_cleanup_handler_t *);
void zcp_cleanup(lua_State *);
/*
 * Argument parsing routines for channel program callback functions.
 */

/*
 * Describes one expected argument of a channel program callback. Arrays of
 * these are passed to zcp_parse_args() and embedded in zcp_lib_info_t.
 * NOTE(review): the end-of-array convention is not visible in this header —
 * confirm with zcp_parse_args() before building argument tables.
 */
typedef struct zcp_arg {
	/*
	 * The name of this argument. For keyword arguments this is the name
	 * functions will use to set the argument. For positional arguments
	 * the name has no programmatic meaning, but will appear in error
	 * messages and help output.
	 */
	const char *za_name;

	/*
	 * The Lua type this argument should have (e.g. LUA_TSTRING,
	 * LUA_TBOOLEAN) see the lua_type() function documentation for a
	 * complete list. Calling a function with an argument that does
	 * not match the expected type will result in the program terminating.
	 */
	const int za_lua_type;
} zcp_arg_t;
/*
 * Validate a callback's Lua arguments against its positional and keyword
 * zcp_arg_t tables (cf. zcp_lib_info_t.pargs / kwargs). The const char *
 * is presumably the function name used in error messages — confirm.
 */
void zcp_parse_args(lua_State *, const char *, const zcp_arg_t *,
    const zcp_arg_t *);

/*
 * Push an nvlist onto the Lua stack as a table. The char * and int are
 * presumably an error-message buffer and its size — confirm.
 */
int zcp_nvlist_to_lua(lua_State *, nvlist_t *, char *, int);

/*
 * Dataset lookup helpers for callbacks. zcp_dataset_hold_error() presumably
 * reports a failed hold of the named dataset with the given errno;
 * zcp_dataset_hold() holds the named dataset with the given tag — confirm
 * the caller's responsibility to release the hold.
 */
int zcp_dataset_hold_error(lua_State *, dsl_pool_t *, const char *, int);
struct dsl_dataset *zcp_dataset_hold(lua_State *, dsl_pool_t *,
    const char *, const void *);
/* A Lua C function implementing one channel program library entry point. */
typedef int (zcp_lib_func_t)(lua_State *);

/*
 * Table entry describing one library function exposed to channel programs.
 * The fixed-size pargs/kwargs arrays bound how many positional (4) and
 * keyword (2) argument descriptors a single function may declare,
 * presumably including any terminating entry — confirm.
 */
typedef struct zcp_lib_info {
	const char *name;		/* Lua-visible function name */
	zcp_lib_func_t *func;		/* implementation */
	const zcp_arg_t pargs[4];	/* positional argument descriptors */
	const zcp_arg_t kwargs[2];	/* keyword argument descriptors */
} zcp_lib_info_t;
#ifdef __cplusplus
}
#endif
#endif /* _SYS_ZCP_H */