Commit db785458 authored by Luis Henriques

Revert "(namespace) vfs: Verify acls are valid within superblock's s_user_ns."

BugLink: https://bugs.launchpad.net/bugs/1644165

This reverts commit 392767a8.

The kernel fix for bug #1634964 breaks LXD userspace, in particular the
following commits:

ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs

LXD 2.0.6 will include changes to support these kernel changes, but it isn't
available yet on xenial, so for now we just revert these commits.
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
parent c1280730
...@@ -433,7 +433,7 @@ static int mdc_unpack_acl(struct ptlrpc_request *req, struct lustre_md *md) ...@@ -433,7 +433,7 @@ static int mdc_unpack_acl(struct ptlrpc_request *req, struct lustre_md *md)
return rc; return rc;
} }
rc = posix_acl_valid(&init_user_ns, acl); rc = posix_acl_valid(acl);
if (rc) { if (rc) {
CERROR("validate acl: %d\n", rc); CERROR("validate acl: %d\n", rc);
posix_acl_release(acl); posix_acl_release(acl);
......
...@@ -272,7 +272,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler, ...@@ -272,7 +272,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
if (IS_ERR(acl)) if (IS_ERR(acl))
return PTR_ERR(acl); return PTR_ERR(acl);
else if (acl) { else if (acl) {
retval = posix_acl_valid(inode->i_sb->s_user_ns, acl); retval = posix_acl_valid(acl);
if (retval) if (retval)
goto err_out; goto err_out;
} }
......
...@@ -171,7 +171,7 @@ posix_acl_clone(const struct posix_acl *acl, gfp_t flags) ...@@ -171,7 +171,7 @@ posix_acl_clone(const struct posix_acl *acl, gfp_t flags)
* Check if an acl is valid. Returns 0 if it is, or -E... otherwise. * Check if an acl is valid. Returns 0 if it is, or -E... otherwise.
*/ */
int int
posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl) posix_acl_valid(const struct posix_acl *acl)
{ {
const struct posix_acl_entry *pa, *pe; const struct posix_acl_entry *pa, *pe;
int state = ACL_USER_OBJ; int state = ACL_USER_OBJ;
...@@ -191,7 +191,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl) ...@@ -191,7 +191,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl)
case ACL_USER: case ACL_USER:
if (state != ACL_USER) if (state != ACL_USER)
return -EINVAL; return -EINVAL;
if (!kuid_has_mapping(user_ns, pa->e_uid)) if (!uid_valid(pa->e_uid))
return -EINVAL; return -EINVAL;
needs_mask = 1; needs_mask = 1;
break; break;
...@@ -206,7 +206,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl) ...@@ -206,7 +206,7 @@ posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl)
case ACL_GROUP: case ACL_GROUP:
if (state != ACL_GROUP) if (state != ACL_GROUP)
return -EINVAL; return -EINVAL;
if (!kgid_has_mapping(user_ns, pa->e_gid)) if (!gid_valid(pa->e_gid))
return -EINVAL; return -EINVAL;
needs_mask = 1; needs_mask = 1;
break; break;
...@@ -833,7 +833,7 @@ set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) ...@@ -833,7 +833,7 @@ set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
return -EPERM; return -EPERM;
if (acl) { if (acl) {
int ret = posix_acl_valid(inode->i_sb->s_user_ns, acl); int ret = posix_acl_valid(acl);
if (ret) if (ret)
return ret; return ret;
} }
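Review bot: In the ACL_USER and ACL_GROUP cases of posix_acl_valid(), `uid_valid(pa->e_uid)` and `gid_valid(pa->e_gid)` only reject the invalid-id sentinel, so after this revert the function no longer checks that an entry's id has a mapping in the filesystem's `s_user_ns`. The callers that used to pass `inode->i_sb->s_user_ns` (set_posix_acl() in this file, v9fs_xattr_set_acl(), __zpl_xattr_acl_set_access() and __zpl_xattr_acl_set_default()) lose the same check. For a superblock owned by a non-initial user namespace, an ACL naming an unmappable id would presumably now pass validation and be left to the filesystem's own id conversion. Since the description frames the revert as temporary until LXD 2.0.6 reaches xenial, I would record that in the header comment above posix_acl_valid(), e.g. `* NOTE: ids are not checked against the superblock's s_user_ns; re-apply 392767a8 once LXD 2.0.6 is available.` The bodies of posix_acl_valid() and set_posix_acl() continue outside the hunks shown.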
......
...@@ -81,7 +81,7 @@ posix_acl_release(struct posix_acl *acl) ...@@ -81,7 +81,7 @@ posix_acl_release(struct posix_acl *acl)
extern void posix_acl_init(struct posix_acl *, int); extern void posix_acl_init(struct posix_acl *, int);
extern struct posix_acl *posix_acl_alloc(int, gfp_t); extern struct posix_acl *posix_acl_alloc(int, gfp_t);
extern int posix_acl_valid(struct user_namespace *, const struct posix_acl *); extern int posix_acl_valid(const struct posix_acl *);
extern int posix_acl_permission(struct inode *, const struct posix_acl *, int); extern int posix_acl_permission(struct inode *, const struct posix_acl *, int);
extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t); extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *); extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
......
...@@ -1281,7 +1281,7 @@ __zpl_xattr_acl_set_access(struct inode *ip, const char *name, ...@@ -1281,7 +1281,7 @@ __zpl_xattr_acl_set_access(struct inode *ip, const char *name,
if (IS_ERR(acl)) if (IS_ERR(acl))
return (PTR_ERR(acl)); return (PTR_ERR(acl));
else if (acl) { else if (acl) {
error = posix_acl_valid(ip->i_sb->s_user_ns, acl); error = posix_acl_valid(acl);
if (error) { if (error) {
zpl_posix_acl_release(acl); zpl_posix_acl_release(acl);
return (error); return (error);
...@@ -1320,7 +1320,7 @@ __zpl_xattr_acl_set_default(struct inode *ip, const char *name, ...@@ -1320,7 +1320,7 @@ __zpl_xattr_acl_set_default(struct inode *ip, const char *name,
if (IS_ERR(acl)) if (IS_ERR(acl))
return (PTR_ERR(acl)); return (PTR_ERR(acl));
else if (acl) { else if (acl) {
error = posix_acl_valid(ip->i_sb->s_user_ns, acl); error = posix_acl_valid(acl);
if (error) { if (error) {
zpl_posix_acl_release(acl); zpl_posix_acl_release(acl);
return (error); return (error);
......