- 05 Feb, 2024 40 commits
-
-
Jeff Layton authored
Zdenek reported seeing some AVC denials due to nfsd trying to set delegations: type=AVC msg=audit(09.11.2023 09:03:46.411:496) : avc: denied { lease } for pid=5127 comm=rpc.nfsd capability=lease scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0 When setting delegations on behalf of nfsd, we don't want to do all of the normal capabilty and LSM checks. nfsd is a kernel thread and runs with CAP_LEASE set, so the uid checks end up being a no-op in most cases anyway. Some nfsd functions can end up running in normal process context when tearing down the server. At that point, the CAP_LEASE check can fail and cause the client to not tear down delegations when expected. Also, the way the per-fs ->setlease handlers work today is a little convoluted. The non-trivial ones are wrappers around generic_setlease, so when they fail due to permission problems they usually they end up doing a little extra work only to determine that they can't set the lease anyway. It would be more efficient to do those checks earlier. Transplant the permission checking from generic_setlease to vfs_setlease, which will make the permission checking happen earlier on filesystems that have a ->setlease operation. Add a new kernel_setlease function that bypasses these checks, and switch nfsd to use that instead of vfs_setlease. There is one behavioral change here: prior this patch the setlease_notifier would fire even if the lease attempt was going to fail the security checks later. With this change, it doesn't fire until the caller has passed them. I think this is a desirable change overall. nfsd is the only user of the setlease_notifier and it doesn't benefit from being notified about failed attempts. Cc: Ondrej Mosnáček <omosnacek@gmail.com> Reported-by:Zdenek Pytela <zpytela@redhat.com> Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2248830Signed-off-by:
Jeff Layton <jlayton@kernel.org> Link: https://lore.kernel.org/r/20240205-bz2248830-v1-1-d0ec0daecba1@kernel.orgAcked-by:
Tom Talpey <tom@talpey.com> Reviewed-by:
NeilBrown <neilb@suse.de> Signed-off-by:
Christian Brauner <brauner@kernel.org>
-
Christian Brauner authored
Merge series 'filelock: split file leases out of struct file_lock' of https://lore.kernel.org/r/20240131-flsplit-v3-0-c6129007ee8d@kernel.org Pull file locking series from Jeff Layton: Long ago, file locks used to hang off of a singly-linked list in struct inode. Because of this, when leases were added, they were added to the same list and so they had to be tracked using the same sort of structure. Several years ago, we added struct file_lock_context, which allowed us to use separate lists to track different types of file locks. Given that, leases no longer need to be tracked using struct file_lock. That said, a lot of the underlying infrastructure _is_ the same between file leases and locks, so we can't completely separate everything. This patchset first splits a group of fields used by both file locks and leases into a new struct file_lock_core, that is then embedded in struct file_lock. Coccinelle was then used to convert a lot of the callers to deal with the move, with the remaining 25% or so converted by hand. It then converts several internal functions in fs/locks.c to work with struct file_lock_core. Lastly, struct file_lock is split into struct file_lock and file_lease, and the lease-related APIs converted to take struct file_lease. I also added a few small helpers and converted several users over to them. That reduces the size of the per-fs conversion patches later in the series. I played with some others too, but they were too awkward or not frequently used enough to make it worthwhile. * series 'filelock: split file leases out of struct file_lock' of https://lore.kernel.org/r/20240131-flsplit-v3-0-c6129007ee8d@kernel.org: (47 commits) filelock: split leases out of struct file_lock filelock: remove temporary compatibility macros smb/server: adapt to breakup of struct file_lock smb/client: adapt to breakup of struct file_lock ocfs2: adapt to breakup of struct file_lock nfsd: adapt to breakup of struct file_lock nfs: adapt to breakup of struct file_lock lockd: adapt to breakup of struct file_lock fuse: adapt to breakup of struct file_lock gfs2: adapt to breakup of struct file_lock dlm: adapt to breakup of struct file_lock ceph: adapt to breakup of struct file_lock afs: adapt to breakup of struct file_lock 9p: adapt to breakup of struct file_lock filelock: convert seqfile handling to use file_lock_core filelock: convert locks_translate_pid to take file_lock_core filelock: convert locks_insert_lock_ctx and locks_delete_lock_ctx filelock: convert locks_wake_up_blocks to take a file_lock_core pointer filelock: make assign_type helper take a file_lock_core pointer filelock: reorganize locks_delete_block and __locks_insert_block ... Signed-off-by:
-
Jeff Layton authored
Add a new struct file_lease and move the lease-specific fields from struct file_lock to it. Convert the appropriate API calls to take struct file_lease instead, and convert the callers to use them. There is zero overlap between the lock manager operations for file locks and the ones for file leases, so split the lease-related operations off into a new lease_manager_operations struct. Signed-off-by:
-
Jeff Layton authored
Everything has been converted to access fl_core fields directly, so we can now drop these. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Most of the existing APIs have remained the same, but subsystems that access file_lock fields directly need to reach into struct file_lock_core now. Signed-off-by:
-
Jeff Layton authored
Reduce some pointer manipulation by just using file_lock_core where we can and only translate to a file_lock when needed. Signed-off-by:
-
Jeff Layton authored
locks_translate_pid is used on both locks and leases, so have that take struct file_lock_core. Signed-off-by:
-
Jeff Layton authored
Have these functions take a file_lock_core pointer instead of a file_lock. Signed-off-by:
-
Jeff Layton authored
Have locks_wake_up_blocks take a file_lock_core pointer, and fix up the callers to pass one in. Signed-off-by:
-
Jeff Layton authored
Have assign_type take struct file_lock_core instead of file_lock. Signed-off-by:
-
Jeff Layton authored
Rename the old __locks_delete_block to __locks_unlink_lock. Rename change old locks_delete_block function to __locks_delete_block and have it take a file_lock_core. Make locks_delete_block a simple wrapper around __locks_delete_block. Also, change __locks_insert_block to take struct file_lock_core, and fix up its callers. Signed-off-by:
-
Jeff Layton authored
Rework the internals of locks_delete_block to use struct file_lock_core (mostly just for clarity's sake). The prototype is not changed. Signed-off-by:
-
Jeff Layton authored
Both locks and leases deal with fl_blocker. Switch the fl_blocker pointer in struct file_lock_core to point to the file_lock_core of the blocker instead of a file_lock structure. Signed-off-by:
-
Jeff Layton authored
Have both __locks_insert_block and the deadlock and conflict checking functions take a struct file_lock_core pointer instead of a struct file_lock one. Also, change posix_locks_deadlock to return bool. Signed-off-by:
-
Jeff Layton authored
Convert __locks_delete_block and __locks_wake_up_blocks to take a struct file_lock_core pointer. While we could do this in another way, we're going to need to add a file_lock() helper function later anyway, so introduce and use it now. Signed-off-by:
-
Jeff Layton authored
Have locks_insert_global_blocked and locks_delete_global_blocked take a struct file_lock_core pointer. Signed-off-by:
-
Jeff Layton authored
Convert these functions to take a file_lock_core instead of a file_lock. Signed-off-by:
-
Jeff Layton authored
Convert posix_owner_key to take struct file_lock_core pointer, and fix up the callers to pass one in. Signed-off-by:
-
Jeff Layton authored
Change posix_same_owner to take struct file_lock_core pointers, and convert the callers to pass those in. Signed-off-by:
-
Jeff Layton authored
Convert more internal fs/locks.c functions to take and deal with struct file_lock_core instead of struct file_lock: - locks_dump_ctx_list - locks_check_ctx_file_list - locks_release_private - locks_owner_has_blockers Signed-off-by:
-
Jeff Layton authored
Convert fs/locks.c to access fl_core fields direcly rather than using the backward-compatibility macros. Most of this was done with coccinelle, with a few by-hand fixups. Signed-off-by:
-
Jeff Layton authored
In a future patch, we're going to split file leases into their own structure. Since a lot of the underlying machinery uses the same fields move those into a new file_lock_core, and embed that inside struct file_lock. For now, add some macros to ensure that we can continue to build while the conversion is in progress. Signed-off-by:
-
Jeff Layton authored
These don't add a lot of value over just open-coding the flag check. Suggested-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Signed-off-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Signed-off-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Signed-off-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Also, in later patches we're going to introduce some macros with names that clash with the variable names in nfsd4_lock. Rename them. Signed-off-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Also, in later patches we're going to introduce some temporary macros with names that clash with the variable name in nfs4_proc_unlck. Rename it. Signed-off-by:
-
Jeff Layton authored
Convert to using the new file locking helper functions. Also in later patches we're going to introduce some macros with names that clash with the variable names in nlmclnt_lock. Rename them. Signed-off-by:
-
