rpms/kernel/F-12 btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch, NONE, 1.1 btrfs-should-add-permission-check-for-setfacl.patch, NONE, 1.1 kernel.spec, 1.2093, 1.2094
Kyle McMartin
kyle at fedoraproject.org
Mon Jun 14 10:04:31 UTC 2010
Author: kyle
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv22570
Modified Files:
kernel.spec
Added Files:
btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
btrfs-should-add-permission-check-for-setfacl.patch
Log Message:
* Mon Jun 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.32-14-132
- Add in ACL fixes to btrfs from CVE-2010-2071.
btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch:
acl.c | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch ---
From: Shi Weihua <shiwh at cn.fujitsu.com>
Date: Tue, 18 May 2010 00:51:54 +0000 (+0000)
Subject: Btrfs: prohibit a operation of changing acl's mask when noacl mount option used
X-Git-Tag: v2.6.35-rc3~3^2~3
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=731e3d1b
Btrfs: prohibit a operation of changing acl's mask when noacl mount option used
when used Posix File System Test Suite(pjd-fstest) to test btrfs,
some cases about setfacl failed when noacl mount option used.
I simplified used commands in pjd-fstest, and the following steps
can reproduce it.
------------------------
# cd btrfs-part/
# mkdir aaa
# setfacl -m m::rw aaa <- successed, but not expected by pjd-fstest.
------------------------
I checked ext3, a warning message occured, like as:
setfacl: aaa/: Operation not supported
Certainly, it's expected by pjd-fstest.
So, i compared acl.c of btrfs and ext3. Based on that, a patch created.
Fortunately, it works.
Signed-off-by: Shi Weihua <shiwh at cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason at oracle.com>
---
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 6b4d0cc..a372985 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -163,6 +163,9 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
if (!is_owner_or_cap(dentry->d_inode))
return -EPERM;
+ if (!IS_POSIXACL(dentry->d_inode))
+ return -EOPNOTSUPP;
+
if (value) {
acl = posix_acl_from_xattr(value, size);
if (acl == NULL) {
btrfs-should-add-permission-check-for-setfacl.patch:
acl.c | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE btrfs-should-add-permission-check-for-setfacl.patch ---
From: Shi Weihua <shiwh at cn.fujitsu.com>
Date: Tue, 18 May 2010 00:50:32 +0000 (+0000)
Subject: Btrfs: should add a permission check for setfacl
X-Git-Tag: v2.6.35-rc3~3^2~4
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=2f26afba
Btrfs: should add a permission check for setfacl
On btrfs, do the following
------------------
# su user1
# cd btrfs-part/
# touch aaa
# getfacl aaa
# file: aaa
# owner: user1
# group: user1
user::rw-
group::rw-
other::r--
# su user2
# cd btrfs-part/
# setfacl -m u::rwx aaa
# getfacl aaa
# file: aaa
# owner: user1
# group: user1
user::rwx <- successed to setfacl
group::rw-
other::r--
------------------
but we should prohibit it that user2 changing user1's acl.
In fact, on ext3 and other fs, a message occurs:
setfacl: aaa: Operation not permitted
This patch fixed it.
Signed-off-by: Shi Weihua <shiwh at cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason at oracle.com>
---
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 6ef7b26..6b4d0cc 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -160,6 +160,9 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
int ret = 0;
struct posix_acl *acl = NULL;
+ if (!is_owner_or_cap(dentry->d_inode))
+ return -EPERM;
+
if (value) {
acl = posix_acl_from_xattr(value, size);
if (acl == NULL) {
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.2093
retrieving revision 1.2094
diff -u -p -r1.2093 -r1.2094
--- kernel.spec 13 Jun 2010 12:30:23 -0000 1.2093
+++ kernel.spec 14 Jun 2010 10:04:30 -0000 1.2094
@@ -764,6 +764,9 @@ Patch3051: linux-2.6-nfs4-callback-hidde
# btrfs
Patch3100: linux-2.6-btrfs-fix-acl.patch
+Patch3101: btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
+Patch3102: btrfs-should-add-permission-check-for-setfacl.patch
+
# XFS
@@ -1307,6 +1310,9 @@ ApplyPatch linux-2.6-execshield.patch
# btrfs
ApplyPatch linux-2.6-btrfs-fix-acl.patch
+ApplyPatch btrfs-should-add-permission-check-for-setfacl.patch
+ApplyPatch btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
+
# eCryptfs
@@ -2185,6 +2191,9 @@ fi
%changelog
+* Mon Jun 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.32-14-132
+- Add in ACL fixes to btrfs from CVE-2010-2071.
+
* Sun Jun 13 2010 Kyle McMartin <kyle at redhat.com> 2.6.32.14-131
- mac80211/iwlwifi fix connections to some APs (rhbz#558002)
patches from sgruszka at .
More information about the scm-commits
mailing list