[Devel] [PATCH RHEL7 COMMIT] Revert "ms/vfs: Verify acls are valid within superblock's s_user_ns."

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 11:00:36 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.12
------>
commit b12ad4a871075ef6088470bd00881b7a6379e6a1
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Jul 21 11:57:30 2017 +0400

    Revert "ms/vfs: Verify acls are valid within superblock's s_user_ns."
    
    This reverts commit 6c738c29a0251d5da3ff6457a451257aafa86ae9.
    
    Temporary revert due to
    https://jira.sw.ru/browse/PSBM-68599
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 fs/9p/acl.c               | 2 +-
 fs/btrfs/acl.c            | 3 +--
 fs/ceph/acl.c             | 3 +--
 fs/ext4/acl.c             | 2 +-
 fs/generic_acl.c          | 2 +-
 fs/gfs2/acl.c             | 2 +-
 fs/nfsd/acl.h             | 3 +--
 fs/nfsd/nfs4acl.c         | 6 +++---
 fs/nfsd/vfs.c             | 2 +-
 fs/posix_acl.c            | 6 +++---
 fs/xfs/xfs_acl.c          | 2 +-
 include/linux/posix_acl.h | 2 +-
 12 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index aae9d1a..9686c1f1 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -309,7 +309,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
 		else if (acl) {
-			retval = posix_acl_valid(inode->i_sb->s_user_ns, acl);
+			retval = posix_acl_valid(acl);
 			if (retval)
 				goto err_out;
 		}
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index b345b5d..9e15ea9 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -167,8 +167,7 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
 			return PTR_ERR(acl);
 
 		if (acl) {
-			ret = posix_acl_valid(dentry->d_inode->i_sb->s_user_ns,
-					      acl);
+			ret = posix_acl_valid(acl);
 			if (ret)
 				goto out;
 		}
diff --git a/fs/ceph/acl.c b/fs/ceph/acl.c
index f9305a1..13ef95e2 100644
--- a/fs/ceph/acl.c
+++ b/fs/ceph/acl.c
@@ -365,8 +365,7 @@ static int ceph_xattr_acl_set(struct dentry *dentry, const char *name,
 		}
 
 		if (acl) {
-			ret = posix_acl_valid(dentry->d_inode->i_sb->s_user_ns,
-					      acl);
+			ret = posix_acl_valid(acl);
 			if (ret)
 				goto out_release;
 		}
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 448042e..c844f1b 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -410,7 +410,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
 		else if (acl) {
-			error = posix_acl_valid(inode->i_sb->s_user_ns, acl);
+			error = posix_acl_valid(acl);
 			if (error)
 				goto release_and_out;
 		}
diff --git a/fs/generic_acl.c b/fs/generic_acl.c
index 5fa3b77..b3f3676 100644
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -82,7 +82,7 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
 			return PTR_ERR(acl);
 	}
 	if (acl) {
-		error = posix_acl_valid(inode->i_sb->s_user_ns, acl);
+		error = posix_acl_valid(acl);
 		if (error)
 			goto failed;
 		switch (type) {
diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
index de808ad..40a5ab9 100644
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -262,7 +262,7 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
 		goto out;
 	}
 
-	error = posix_acl_valid(inode->i_sb->s_user_ns, acl);
+	error = posix_acl_valid(acl);
 	if (error)
 		goto out_release;
 
diff --git a/fs/nfsd/acl.h b/fs/nfsd/acl.h
index 5b15770..051ffcb7 100644
--- a/fs/nfsd/acl.h
+++ b/fs/nfsd/acl.h
@@ -54,8 +54,7 @@ __be32 nfs4_acl_write_who(struct xdr_stream *xdr, int who);
 #define NFS4_ACL_OWNER		0x04
 
 struct nfs4_acl *nfs4_acl_posix_to_nfsv4(struct posix_acl *,
-				struct posix_acl *, unsigned int flags,
-				struct inode *);
+				struct posix_acl *, unsigned int flags);
 int nfs4_acl_nfsv4_to_posix(struct nfs4_acl *, struct posix_acl **,
 				struct posix_acl **, unsigned int flags);
 
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
index 4e3359e..7b3ef8d 100644
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -122,18 +122,18 @@ static void _posix_to_nfsv4_one(struct posix_acl *, struct nfs4_acl *,
 
 struct nfs4_acl *
 nfs4_acl_posix_to_nfsv4(struct posix_acl *pacl, struct posix_acl *dpacl,
-			unsigned int flags, struct inode *inode)
+			unsigned int flags)
 {
 	struct nfs4_acl *acl;
 	int size = 0;
 
 	if (pacl) {
-		if (posix_acl_valid(inode->i_sb->s_user_ns, pacl) < 0)
+		if (posix_acl_valid(pacl) < 0)
 			return ERR_PTR(-EINVAL);
 		size += 2*pacl->a_count;
 	}
 	if (dpacl) {
-		if (posix_acl_valid(inode->i_sb->s_user_ns, dpacl) < 0)
+		if (posix_acl_valid(dpacl) < 0)
 			return ERR_PTR(-EINVAL);
 		size += 2*dpacl->a_count;
 	}
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 06f0309..7176ff7 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -591,7 +591,7 @@ nfsd4_get_nfs4_acl(struct svc_rqst *rqstp, struct dentry *dentry, struct nfs4_ac
 		flags = NFS4_ACL_DIR;
 	}
 
-	*acl = nfs4_acl_posix_to_nfsv4(pacl, dpacl, flags, inode);
+	*acl = nfs4_acl_posix_to_nfsv4(pacl, dpacl, flags);
 	if (IS_ERR(*acl)) {
 		error = PTR_ERR(*acl);
 		*acl = NULL;
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index a5994e9..6777b5d 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -74,7 +74,7 @@ posix_acl_clone(const struct posix_acl *acl, gfp_t flags)
  * Check if an acl is valid. Returns 0 if it is, or -E... otherwise.
  */
 int
-posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl)
+posix_acl_valid(const struct posix_acl *acl)
 {
 	const struct posix_acl_entry *pa, *pe;
 	int state = ACL_USER_OBJ;
@@ -96,7 +96,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl)
 			case ACL_USER:
 				if (state != ACL_USER)
 					return -EINVAL;
-				if (!kuid_has_mapping(user_ns, pa->e_uid))
+				if (!uid_valid(pa->e_uid))
 					return -EINVAL;
 				if (uid_valid(prev_uid) &&
 				    uid_lte(pa->e_uid, prev_uid))
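Review bot: `uid_valid(pa->e_uid)` rejects only INVALID_UID, so in the ACL_USER case an entry whose kuid has no mapping in the filesystem's `s_user_ns` now passes validation; the ACL_GROUP hunk that follows has the same gap with `gid_valid(pa->e_gid)`. For a superblock owned by the initial user namespace the two checks should behave the same, but for a filesystem mounted from inside a container's user namespace this likely allows ids to be stored that the owning namespace cannot represent. Since the description calls the revert temporary, mark both sites so the weaker check is not mistaken for the intended one, e.g. `/* FIXME(PSBM-68599): temporarily relaxed; should be kuid_has_mapping(sb->s_user_ns, ...) */` and the matching `kgid_has_mapping` wording for groups. posix_acl_valid() starts before and continues after this hunk.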
@@ -115,7 +115,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl)
 			case ACL_GROUP:
 				if (state != ACL_GROUP)
 					return -EINVAL;
-				if (!kgid_has_mapping(user_ns, pa->e_gid))
+				if (!gid_valid(pa->e_gid))
 					return -EINVAL;
 				if (gid_valid(prev_gid) &&
 				    gid_lte(pa->e_gid, prev_gid))
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index 4b76d96..271d7c2 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -395,7 +395,7 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
 		goto out;
 	}
 
-	error = posix_acl_valid(inode->i_sb->s_user_ns, acl);
+	error = posix_acl_valid(acl);
 	if (error)
 		goto out_release;
 
diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
index 0b45833..93985d3 100644
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -84,7 +84,7 @@ posix_acl_release(struct posix_acl *acl)
 
 extern void posix_acl_init(struct posix_acl *, int);
 extern struct posix_acl *posix_acl_alloc(int, gfp_t);
-extern int posix_acl_valid(struct user_namespace *, const struct posix_acl *);
+extern int posix_acl_valid(const struct posix_acl *);
 extern int posix_acl_permission(struct inode *, const struct posix_acl *, int);
 extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
 extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
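Review bot: Dropping the `struct user_namespace *` argument from the `posix_acl_valid` prototype forces every caller in the other ten files to change, for a revert the description calls temporary. Keeping the two-argument signature and relaxing only the two checks inside fs/posix_acl.c would leave the callers untouched, and would make restoring the namespace check a two-line change instead of another tree-wide patch. If `posix_acl_valid` is exported to modules, it would also avoid changing the symbol's signature twice for out-of-tree users. At minimum, the comment above the definition could state that validity is currently not checked against the superblock's user namespace, e.g. `* NOTE: ids are only checked with uid_valid()/gid_valid(), not against s_user_ns (PSBM-68599).`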

