
SUNRPC: Use the client user namespace when encoding creds

When encoding AUTH_UNIX creds and AUTH_GSS upcalls, use the user namespace
of the process that created the rpc client.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

authored by

Trond Myklebust and committed by
Anna Schumaker
283ebe3e 1a58e8a0

+13 -7
+8 -3
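--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -412,7 +412,10 @@
 
 static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
 {
-uid_t uid = from_kuid(&init_user_ns, gss_msg->uid);
+struct user_namespace *userns = gss_msg->auth->client->cl_cred ?
+gss_msg->auth->client->cl_cred->user_ns : &init_user_ns;
+
+uid_t uid = from_kuid_munged(userns, gss_msg->uid);
 memcpy(gss_msg->databuf, &uid, sizeof(uid));
 gss_msg->msg.data = gss_msg->databuf;
 gss_msg->msg.len = sizeof(uid);
@@ -424,13 +427,15 @@
 const char *service_name,
 const char *target_name)
 {
+struct user_namespace *userns = gss_msg->auth->client->cl_cred ?
+gss_msg->auth->client->cl_cred->user_ns : &init_user_ns;
 struct gss_api_mech *mech = gss_msg->auth->mech;
 char *p = gss_msg->databuf;
 size_t buflen = sizeof(gss_msg->databuf);
 int len;
 
 len = scnprintf(p, buflen, "mech=%s uid=%d", mech->gm_name,
-from_kuid(&init_user_ns, gss_msg->uid));
+from_kuid_munged(userns, gss_msg->uid));
 buflen -= len;
 p += len;
 gss_msg->msg.len = len;
@@ -706,7 +711,7 @@
 goto err;
 }
 
-uid = make_kuid(&init_user_ns, id);
+uid = make_kuid(current_user_ns(), id);
 if (!uid_valid(uid)) {
 err = -EINVAL;
 goto err;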
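Review bot: In the last hunk the downcall parses the uid with `make_kuid(current_user_ns(), id)`, that is, in the namespace of whichever task writes to the pipe, while both upcall encoders now translate with the rpc client's `cl_cred->user_ns`; the two agree only when the daemon answering the upcall runs in the namespace that created the client. If that is the intended deployment constraint it should be stated above the call, for example `/* id is interpreted in the writer's user namespace; it must match the namespace used to encode the upcall */`. Otherwise the downcall may resolve to a different kuid than the one the upcall named; this is inferred, since the code that consumes `uid` is outside the hunk. Note also that `from_kuid_munged()` substitutes the overflow uid for a kuid with no mapping, so such an upcall names the overflow user to the daemon instead of failing. The function containing the `make_kuid` call starts and ends outside the hunk.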
+5 -4
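--- a/net/sunrpc/auth_unix.c
+++ b/net/sunrpc/auth_unix.c
@@ -107,6 +107,8 @@
 __be32 *p, *cred_len, *gidarr_len;
 int i;
 struct group_info *gi = cred->cr_cred->group_info;
+struct user_namespace *userns = clnt->cl_cred ?
+clnt->cl_cred->user_ns : &init_user_ns;
 
 /* Credential */
 
@@ -122,14 +124,13 @@
 p = xdr_reserve_space(xdr, 3 * sizeof(*p));
 if (!p)
 goto marshal_failed;
-*p++ = cpu_to_be32(from_kuid(&init_user_ns, cred->cr_cred->fsuid));
-*p++ = cpu_to_be32(from_kgid(&init_user_ns, cred->cr_cred->fsgid));
+*p++ = cpu_to_be32(from_kuid_munged(userns, cred->cr_cred->fsuid));
+*p++ = cpu_to_be32(from_kgid_munged(userns, cred->cr_cred->fsgid));
 
 gidarr_len = p++;
 if (gi)
 for (i = 0; i < UNX_NGROUPS && i < gi->ngroups; i++)
-*p++ = cpu_to_be32(from_kgid(&init_user_ns,
-gi->gid[i]));
+*p++ = cpu_to_be32(from_kgid_munged(userns, gi->gid[i]));
 *gidarr_len = cpu_to_be32(p - gidarr_len - 1);
 *cred_len = cpu_to_be32((p - cred_len - 1) << 2);
 p = xdr_reserve_space(xdr, (p - gidarr_len - 1) << 2);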
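Review bot: The `clnt->cl_cred ? clnt->cl_cred->user_ns : &init_user_ns` selection added in the first hunk is the third copy of this expression in the commit (the other two are in the upcall encoders in auth_gss.c), and its NULL fallback to `&init_user_ns` is a trust decision that deserves one documented place. A small helper taking the `struct rpc_clnt *` would keep the three sites in step, with a comment such as `/* clients created without a cred are encoded in the initial user namespace */`. Separately, the `_munged` variants put the overflow uid/gid on the wire for any id without a mapping, so several unmapped supplementary groups collapse to the same gid in the array. A one-line comment above the fsuid/fsgid stores, saying that this squashing is intended, would help the next reader. The enclosing function starts and ends outside both hunks.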