Skip to content

Commit 7b80010

Browse files
jtlaytonbrauner
jtlayton
authored and
brauner
committed
filelock: don't do security checks on nfsd setlease calls
Zdenek reported seeing some AVC denials due to nfsd trying to set delegations: type=AVC msg=audit(09.11.2023 09:03:46.411:496) : avc: denied { lease } for pid=5127 comm=rpc.nfsd capability=lease scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0 When setting delegations on behalf of nfsd, we don't want to do all of the normal capabilty and LSM checks. nfsd is a kernel thread and runs with CAP_LEASE set, so the uid checks end up being a no-op in most cases anyway. Some nfsd functions can end up running in normal process context when tearing down the server. At that point, the CAP_LEASE check can fail and cause the client to not tear down delegations when expected. Also, the way the per-fs ->setlease handlers work today is a little convoluted. The non-trivial ones are wrappers around generic_setlease, so when they fail due to permission problems they usually they end up doing a little extra work only to determine that they can't set the lease anyway. It would be more efficient to do those checks earlier. Transplant the permission checking from generic_setlease to vfs_setlease, which will make the permission checking happen earlier on filesystems that have a ->setlease operation. Add a new kernel_setlease function that bypasses these checks, and switch nfsd to use that instead of vfs_setlease. There is one behavioral change here: prior this patch the setlease_notifier would fire even if the lease attempt was going to fail the security checks later. With this change, it doesn't fire until the caller has passed them. I think this is a desirable change overall. nfsd is the only user of the setlease_notifier and it doesn't benefit from being notified about failed attempts. Cc: Ondrej Mosnáček <omosnacek@gmail.com> Reported-by: Zdenek Pytela <zpytela@redhat.com> Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2248830 Signed-off-by: Jeff Layton <jlayton@kernel.org> Link: https://lore.kernel.org/r/20240205-bz2248830-v1-1-d0ec0daecba1@kernel.org Acked-by: Tom Talpey <tom@talpey.com> Reviewed-by: NeilBrown <neilb@suse.de> Signed-off-by: Christian Brauner <brauner@kernel.org>
1 parent c4b3ffb commit 7b80010

4 files changed

Lines changed: 38 additions & 25 deletions

File tree

fs/locks.c

Lines changed: 25 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1925,18 +1925,6 @@ static int generic_delete_lease(struct file *filp, void *owner)
19251925
int generic_setlease(struct file *filp, int arg, struct file_lease **flp,
19261926
void **priv)
19271927
{
1928-
struct inode *inode = file_inode(filp);
1929-
vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(filp), inode);
1930-
int error;
1931-
1932-
if ((!vfsuid_eq_kuid(vfsuid, current_fsuid())) && !capable(CAP_LEASE))
1933-
return -EACCES;
1934-
if (!S_ISREG(inode->i_mode))
1935-
return -EINVAL;
1936-
error = security_file_lock(filp, arg);
1937-
if (error)
1938-
return error;
1939-
19401928
switch (arg) {
19411929
case F_UNLCK:
19421930
return generic_delete_lease(filp, *priv);
@@ -1987,6 +1975,19 @@ void lease_unregister_notifier(struct notifier_block *nb)
19871975
}
19881976
EXPORT_SYMBOL_GPL(lease_unregister_notifier);
19891977

1978+
1979+
int
1980+
kernel_setlease(struct file *filp, int arg, struct file_lease **lease, void **priv)
1981+
{
1982+
if (lease)
1983+
setlease_notifier(arg, *lease);
1984+
if (filp->f_op->setlease)
1985+
return filp->f_op->setlease(filp, arg, lease, priv);
1986+
else
1987+
return generic_setlease(filp, arg, lease, priv);
1988+
}
1989+
EXPORT_SYMBOL_GPL(kernel_setlease);
1990+
19901991
/**
19911992
* vfs_setlease - sets a lease on an open file
19921993
* @filp: file pointer
@@ -2007,12 +2008,18 @@ EXPORT_SYMBOL_GPL(lease_unregister_notifier);
20072008
int
20082009
vfs_setlease(struct file *filp, int arg, struct file_lease **lease, void **priv)
20092010
{
2010-
if (lease)
2011-
setlease_notifier(arg, *lease);
2012-
if (filp->f_op->setlease)
2013-
return filp->f_op->setlease(filp, arg, lease, priv);
2014-
else
2015-
return generic_setlease(filp, arg, lease, priv);
2011+
struct inode *inode = file_inode(filp);
2012+
vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(filp), inode);
2013+
int error;
2014+
2015+
if ((!vfsuid_eq_kuid(vfsuid, current_fsuid())) && !capable(CAP_LEASE))
2016+
return -EACCES;
2017+
if (!S_ISREG(inode->i_mode))
2018+
return -EINVAL;
2019+
error = security_file_lock(filp, arg);
2020+
if (error)
2021+
return error;
2022+
return kernel_setlease(filp, arg, lease, priv);
20162023
}
20172024
EXPORT_SYMBOL_GPL(vfs_setlease);
20182025

fs/nfsd/nfs4layouts.c

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -170,7 +170,7 @@ nfsd4_free_layout_stateid(struct nfs4_stid *stid)
170170
spin_unlock(&fp->fi_lock);
171171

172172
if (!nfsd4_layout_ops[ls->ls_layout_type]->disable_recalls)
173-
vfs_setlease(ls->ls_file->nf_file, F_UNLCK, NULL, (void **)&ls);
173+
kernel_setlease(ls->ls_file->nf_file, F_UNLCK, NULL, (void **)&ls);
174174
nfsd_file_put(ls->ls_file);
175175

176176
if (ls->ls_recalled)
@@ -199,8 +199,7 @@ nfsd4_layout_setlease(struct nfs4_layout_stateid *ls)
199199
fl->c.flc_pid = current->tgid;
200200
fl->c.flc_file = ls->ls_file->nf_file;
201201

202-
status = vfs_setlease(fl->c.flc_file, fl->c.flc_type, &fl,
203-
NULL);
202+
status = kernel_setlease(fl->c.flc_file, fl->c.flc_type, &fl, NULL);
204203
if (status) {
205204
locks_free_lease(fl);
206205
return status;

fs/nfsd/nfs4state.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1249,7 +1249,7 @@ static void nfs4_unlock_deleg_lease(struct nfs4_delegation *dp)
12491249

12501250
WARN_ON_ONCE(!fp->fi_delegees);
12511251

1252-
vfs_setlease(nf->nf_file, F_UNLCK, NULL, (void **)&dp);
1252+
kernel_setlease(nf->nf_file, F_UNLCK, NULL, (void **)&dp);
12531253
put_deleg_file(fp);
12541254
}
12551255

@@ -5532,8 +5532,8 @@ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
55325532
if (!fl)
55335533
goto out_clnt_odstate;
55345534

5535-
status = vfs_setlease(fp->fi_deleg_file->nf_file,
5536-
fl->c.flc_type, &fl, NULL);
5535+
status = kernel_setlease(fp->fi_deleg_file->nf_file,
5536+
fl->c.flc_type, &fl, NULL);
55375537
if (fl)
55385538
locks_free_lease(fl);
55395539
if (status)
@@ -5571,7 +5571,7 @@ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
55715571

55725572
return dp;
55735573
out_unlock:
5574-
vfs_setlease(fp->fi_deleg_file->nf_file, F_UNLCK, NULL, (void **)&dp);
5574+
kernel_setlease(fp->fi_deleg_file->nf_file, F_UNLCK, NULL, (void **)&dp);
55755575
out_clnt_odstate:
55765576
put_clnt_odstate(dp->dl_clnt_odstate);
55775577
nfs4_put_stid(&dp->dl_stid);

include/linux/filelock.h

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -208,6 +208,7 @@ struct file_lease *locks_alloc_lease(void);
208208
int __break_lease(struct inode *inode, unsigned int flags, unsigned int type);
209209
void lease_get_mtime(struct inode *, struct timespec64 *time);
210210
int generic_setlease(struct file *, int, struct file_lease **, void **priv);
211+
int kernel_setlease(struct file *, int, struct file_lease **, void **);
211212
int vfs_setlease(struct file *, int, struct file_lease **, void **);
212213
int lease_modify(struct file_lease *, int, struct list_head *);
213214

@@ -378,6 +379,12 @@ static inline int generic_setlease(struct file *filp, int arg,
378379
return -EINVAL;
379380
}
380381

382+
static inline int kernel_setlease(struct file *filp, int arg,
383+
struct file_lease **lease, void **priv)
384+
{
385+
return -EINVAL;
386+
}
387+
381388
static inline int vfs_setlease(struct file *filp, int arg,
382389
struct file_lease **lease, void **priv)
383390
{

0 commit comments

Comments
 (0)