1. 27 Jul, 2008 21 commits
    • [patch 1/4] vfs: utimes: move owner check into inode_change_ok() · 9767d749
      Miklos Szeredi authored
      Add a new ia_valid flag: ATTR_TIMES_SET, to handle the
      UTIMES_OMIT/UTIMES_NOW and UTIMES_NOW/UTIMES_OMIT cases.  In these
      cases neither ATTR_MTIME_SET nor ATTR_ATIME_SET is in the flags, yet
      the POSIX draft specifies that permission checking is performed the
      same way as if one or both of the times was explicitly set to a
      timestamp.
      
      See the patch "vfs: utimensat(): fix error checking for
      {UTIME_NOW,UTIME_OMIT} case" by Michael Kerrisk for the patch
      introducing this behavior.
      
      This is a cleanup, as well as allowing filesystems (NFS/fuse/...) to
      perform their own permission checking instead of the default.
      
      CC: Ulrich Drepper <drepper@redhat.com>
      CC: Michael Kerrisk <mtk.manpages@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] vfs: use kstrdup() and check failing allocation · 88b38782
      Li Zefan authored
      - use kstrdup() instead of kmalloc() + memcpy()
      - return NULL if allocating ->mnt_devname failed
      - mnt_devname should be const
      Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
      Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] pass MAY_OPEN to vfs_permission() explicitly · b77b0646
      Al Viro authored
      ... and get rid of the last "let's deduce mask from nameidata->flags"
      bit.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] fix MAY_CHDIR/MAY_ACCESS/LOOKUP_ACCESS mess · a110343f
      Al Viro authored
      * MAY_CHDIR is redundant - it's an equivalent of MAY_ACCESS
      * MAY_ACCESS on fuse should affect only the last step of pathname resolution
      * fchdir() and chroot() should pass MAY_ACCESS, for the same reason why
        chdir() needs that.
      * now that we pass MAY_ACCESS explicitly in all cases, LOOKUP_ACCESS can be
        removed; it has no business being in nameidata.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] kill altroot · 7f2da1e7
      Al Viro authored
      long overdue...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] permission checks for chdir need special treatment only on the last step · 8bb79224
      Al Viro authored
      ... so we ought to pass MAY_CHDIR to vfs_permission() instead of having
      it triggered on every step of preceding pathname resolution.  LOOKUP_CHDIR
      is killed by that.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [patch 5/5] vfs: remove mode parameter from vfs_symlink() · db2e747b
      Miklos Szeredi authored
      Remove the unused mode parameter from vfs_symlink and callers.
      
      Thanks to Tetsuo Handa for noticing.
      
      CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    • [patch 4/5] vfs: reuse local variable in vfs_link() · 7e79eedb
      Tetsuo Handa authored
      Why not reuse "inode" which is assigned as
      
        struct inode *inode = old_dentry->d_inode;
      
      in the beginning of vfs_link() ?
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    • [patch 3/5] vfs: change remove_suid() to file_remove_suid() · 2f1936b8
      Miklos Szeredi authored
      All calls to remove_suid() are made with a file pointer, because
      (similarly to file_update_time) it is called when the file is written.
      
      Clean up callers by passing in a file instead of a dentry.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    • [patch 1/5] vfs: truncate: dont check immutable twice · c82e42da
      Miklos Szeredi authored
      vfs_permission(MAY_WRITE) already checked for the inode being
      immutable, so no need to repeat it.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Acked-by: Christoph Hellwig <hch@infradead.org>
    • [PATCH] sanitize ->permission() prototype · e6305c43
      Al Viro authored
      * kill nameidata * argument; map the 3 bits in ->flags anybody cares
        about to new MAY_... ones and pass with the mask.
      * kill redundant gfs2_iop_permission()
      * sanitize ecryptfs_permission()
      * fix remaining places where ->permission() instances might barf on new
        MAY_... found in mask.
      
      The obvious next target in that direction is permission(9)
      
      folded fix for nfs_permission() breakage from Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [patch 05/14] hpfs: dont call permission() · 1bd5191d
      Miklos Szeredi authored
      hpfs_unlink() calls permission() prior to truncating the file.  HPFS
      doesn't define a .permission method, so replace with explicit call to
      generic_permission().
      
      This is equivalent, except that devcgroup_inode_permission() and
      security_inode_permission() are not called.
      
      The truncation is just an implementation detail of the unlink, so
      these security checks are unnecessary.
      
      I suspect that even calling generic_permission() is unnecessary, since
      we shouldn't mind if the file isn't writable.  But I leave that to the
      maintainer to decide.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      CC: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
    • [PATCH] sanitize proc_sysctl · 9043476f
      Al Viro authored
      * keep references to ctl_table_head and ctl_table in /proc/sys inodes
      * grab the former during operations, use the latter for access to
        entry if that succeeds
      * have ->d_compare() check if table should be seen for one who does lookup;
        that allows us to avoid flipping inodes - if we have the same name resolve
        to different things, we'll just keep several dentries and ->d_compare()
        will reject the wrong ones.
      * have ->lookup() and ->readdir() scan the table of our inode first, then
        walk all ctl_table_header and scan ->attached_by for those that are
        attached to our directory.
      * implement ->getattr().
      * get rid of insane amounts of tree-walking
      * get rid of the need to know dentry in ->permission() and of the contortions
        induced by that.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] sysctl: keep track of tree relationships · ae7edecc
      Al Viro authored
      In a sense, that's the heart of the series.  It's based on the following
      property of the trees we are actually asked to add: they can be split into
      stem that is already covered by registered trees and crown that is entirely
      new.  IOW, if a/b and a/c/d are introduced by our tree, then a/c is also
      introduced by it.
      
      That allows to associate tree and table entry with each node in the union;
      while directory nodes might be covered by many trees, only one will cover
      the node by its crown.  And that will allow much saner logics for /proc/sys
      in the next patches.  This patch introduces the data structures needed to
      keep track of that.
      
      When adding a sysctl table, we find a "parent" one.  Which is to say,
      find the deepest node on its stem that already is present in one of the
      tables from our table set or its ancestor sets.  That table will be our
      parent and that node in it - attachment point.  Add our table to list
      anchored in parent, have it refer the parent and contents of attachment
      point.  Also remember where its crown lives.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] sysctl: make sure that /proc/sys/net/ipv4 appears before per-ns ones · bd7b1533
      Al Viro authored
      Massage ipv4 initialization - make sure that net.ipv4 appears as
      non-per-net-namespace before it shows up in per-net-namespace sysctls.
      That's the only change outside of sysctl.c needed to get sane ordering
      rules and data structures for sysctls (esp. for procfs side of that
      mess).
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] allow delayed freeing of ctl_table_header · f7e6ced4
      Al Viro authored
      Refcount the sucker; instead of freeing it by the end of unregistration
      just drop the refcount and free only when it hits zero.  Make sure that
      we _always_ make ->unregistering non-NULL in start_unregistering().
      
      That allows anybody to get a reference to such puppy, preventing its
      freeing and reuse.  It does *not* block unregistration.  Anybody who
      holds such a reference can
      	* try to grab a "use" reference (ctl_head_grab()); that will
      succeed if and only if it hadn't entered unregistration yet.  If it
      succeeds, we can use it in all normal ways until we release the "use"
      reference (with ctl_head_finish()).  Note that this relies on having
      ->unregistering become non-NULL in all cases when one starts to unregister
      the sucker.
      	* keep pointers to ctl_table entries; they *can* be freed if
      the entire thing is unregistered.  However, if ctl_head_grab() succeeds,
      we know that unregistration had not happened (and will not happen until
      ctl_head_finish()) and such pointers can be used safely.
      
      IOW, now we can have inodes under /proc/sys keep references to ctl_table
      entries, protecting them with references to ctl_table_header and
      grabbing the latter for the duration of operations that require access
      to ctl_table.  That won't cause deadlocks, since unregistration will not
      be stopped by mere keeping a reference to ctl_table_header.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] beginning of sysctl cleanup - ctl_table_set · 73455092
      Al Viro authored
      New object: set of sysctls [currently - root and per-net-ns].
      Contains: pointer to parent set, list of tables and "should I see this set?"
      method (->is_seen(set)).
      Current lists of tables are subsumed by that; net-ns contains such a beast.
      ->lookup() for ctl_table_root returns pointer to ctl_table_set instead of
      that to ->list of that ctl_table_set.
      
      [folded compile fixes by rdd for configs without sysctl]
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [patch] hppfs: remove hppfs_permission · 7ac6cd65
      Miklos Szeredi authored
      hppfs_permission() is equivalent to the '.permission == NULL' case.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] reuse xxx_fifo_fops for xxx_pipe_fops · d2d9648e
      Denys Vlasenko authored
      Merge fifo and pipe file_operations.
      Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [patch] vfs: fix lookup on deleted directory · d70b67c8
      Miklos Szeredi authored
      Lookup can install a child dentry for a deleted directory.  This keeps
      the directory dentry alive, and the inode pinned in the cache and on
      disk, even after all external references have gone away.
      
      This isn't a big problem normally, since memory pressure or umount
      will clear out the directory dentry and its children, releasing the
      inode.  But for UBIFS this causes problems because its orphan area can
      overflow.
      
      Fix this by returning ENOENT for all lookups on a S_DEAD directory
      before creating a child dentry.
      
      Thanks to Zoltan Sogor for noticing this while testing UBIFS, and
      Artem for the excellent analysis of the problem and testing.
      Reported-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. 26 Jul, 2008 19 commits