Commit 0e844efe authored by Christian Brauner's avatar Christian Brauner Committed by Steve French

ksmbd: fix translation in acl entries

The ksmbd server performs translation of posix acls to smb acls.
Currently the translation is wrong since the idmapping of the mount is
used to map the ids into raw userspace ids but what is relevant is the
user namespace of ksmbd itself. The user namespace of ksmbd itself which
is the initial user namespace. The operation is similar to asking "What
*ids would a userspace process see given that k*id in the relevant user
namespace?". Before the final translation we need to apply the idmapping
of the mount in case any is used. Add two simple helpers for ksmbd.

Cc: Steve French <stfrench@microsoft.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Namjae Jeon <namjae.jeon@samsung.com>
Cc: Hyunchul Lee <hyc.lee@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 43205ca7
...@@ -587,14 +587,14 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns, ...@@ -587,14 +587,14 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns,
uid_t uid; uid_t uid;
unsigned int sid_type = SIDOWNER; unsigned int sid_type = SIDOWNER;
uid = from_kuid(user_ns, pace->e_uid); uid = posix_acl_uid_translate(user_ns, pace);
if (!uid) if (!uid)
sid_type = SIDUNIX_USER; sid_type = SIDUNIX_USER;
id_to_sid(uid, sid_type, sid); id_to_sid(uid, sid_type, sid);
} else if (pace->e_tag == ACL_GROUP) { } else if (pace->e_tag == ACL_GROUP) {
gid_t gid; gid_t gid;
gid = from_kgid(user_ns, pace->e_gid); gid = posix_acl_gid_translate(user_ns, pace);
id_to_sid(gid, SIDUNIX_GROUP, sid); id_to_sid(gid, SIDUNIX_GROUP, sid);
} else if (pace->e_tag == ACL_OTHER && !nt_aces_num) { } else if (pace->e_tag == ACL_OTHER && !nt_aces_num) {
smb_copy_sid(sid, &sid_everyone); smb_copy_sid(sid, &sid_everyone);
...@@ -653,12 +653,12 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns, ...@@ -653,12 +653,12 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns,
if (pace->e_tag == ACL_USER) { if (pace->e_tag == ACL_USER) {
uid_t uid; uid_t uid;
uid = from_kuid(user_ns, pace->e_uid); uid = posix_acl_uid_translate(user_ns, pace);
id_to_sid(uid, SIDCREATOR_OWNER, sid); id_to_sid(uid, SIDCREATOR_OWNER, sid);
} else if (pace->e_tag == ACL_GROUP) { } else if (pace->e_tag == ACL_GROUP) {
gid_t gid; gid_t gid;
gid = from_kgid(user_ns, pace->e_gid); gid = posix_acl_gid_translate(user_ns, pace);
id_to_sid(gid, SIDCREATOR_GROUP, sid); id_to_sid(gid, SIDCREATOR_GROUP, sid);
} else { } else {
kfree(sid); kfree(sid);
...@@ -1234,11 +1234,9 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, ...@@ -1234,11 +1234,9 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
pa_entry = posix_acls->a_entries; pa_entry = posix_acls->a_entries;
for (i = 0; i < posix_acls->a_count; i++, pa_entry++) { for (i = 0; i < posix_acls->a_count; i++, pa_entry++) {
if (pa_entry->e_tag == ACL_USER) if (pa_entry->e_tag == ACL_USER)
id = from_kuid(user_ns, id = posix_acl_uid_translate(user_ns, pa_entry);
pa_entry->e_uid);
else if (pa_entry->e_tag == ACL_GROUP) else if (pa_entry->e_tag == ACL_GROUP)
id = from_kgid(user_ns, id = posix_acl_gid_translate(user_ns, pa_entry);
pa_entry->e_gid);
else else
continue; continue;
......
...@@ -209,4 +209,29 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon, ...@@ -209,4 +209,29 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
bool type_check); bool type_check);
void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid); void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
void ksmbd_init_domain(u32 *sub_auth); void ksmbd_init_domain(u32 *sub_auth);
static inline uid_t posix_acl_uid_translate(struct user_namespace *mnt_userns,
struct posix_acl_entry *pace)
{
kuid_t kuid;
/* If this is an idmapped mount, apply the idmapping. */
kuid = kuid_into_mnt(mnt_userns, pace->e_uid);
/* Translate the kuid into a userspace id ksmbd would see. */
return from_kuid(&init_user_ns, kuid);
}
static inline gid_t posix_acl_gid_translate(struct user_namespace *mnt_userns,
struct posix_acl_entry *pace)
{
kgid_t kgid;
/* If this is an idmapped mount, apply the idmapping. */
kgid = kgid_into_mnt(mnt_userns, pace->e_gid);
/* Translate the kgid into a userspace id ksmbd would see. */
return from_kgid(&init_user_ns, kgid);
}
#endif /* _SMBACL_H */ #endif /* _SMBACL_H */
...@@ -1390,14 +1390,14 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct user_namespac ...@@ -1390,14 +1390,14 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct user_namespac
switch (pa_entry->e_tag) { switch (pa_entry->e_tag) {
case ACL_USER: case ACL_USER:
xa_entry->type = SMB_ACL_USER; xa_entry->type = SMB_ACL_USER;
xa_entry->uid = from_kuid(user_ns, pa_entry->e_uid); xa_entry->uid = posix_acl_uid_translate(user_ns, pa_entry);
break; break;
case ACL_USER_OBJ: case ACL_USER_OBJ:
xa_entry->type = SMB_ACL_USER_OBJ; xa_entry->type = SMB_ACL_USER_OBJ;
break; break;
case ACL_GROUP: case ACL_GROUP:
xa_entry->type = SMB_ACL_GROUP; xa_entry->type = SMB_ACL_GROUP;
xa_entry->gid = from_kgid(user_ns, pa_entry->e_gid); xa_entry->gid = posix_acl_gid_translate(user_ns, pa_entry);
break; break;
case ACL_GROUP_OBJ: case ACL_GROUP_OBJ:
xa_entry->type = SMB_ACL_GROUP_OBJ; xa_entry->type = SMB_ACL_GROUP_OBJ;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment