rpms/kernel/F-13 btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch, NONE, 1.1 btrfs-should-add-permission-check-for-setfacl.patch, NONE, 1.1 kernel.spec, 1.2065, 1.2066
Kyle McMartin
kyle at fedoraproject.org
Mon Jun 14 10:12:41 UTC 2010
- Previous message: rpms/kernel/F-12 btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch, NONE, 1.1 btrfs-should-add-permission-check-for-setfacl.patch, NONE, 1.1 kernel.spec, 1.2093, 1.2094
- Next message: rpms/kernel/devel btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch, NONE, 1.1 btrfs-should-add-permission-check-for-setfacl.patch, NONE, 1.1 kernel.spec, 1.2027, 1.2028
Author: kyle
Update of /cvs/pkgs/rpms/kernel/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv23458
Modified Files:
kernel.spec
Added Files:
btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
btrfs-should-add-permission-check-for-setfacl.patch
Log Message:
* Mon Jun 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.33.5-129
- Add btrfs ACL fixes from CVE-2010-2071.
btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch:
acl.c | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch ---
From: Shi Weihua <shiwh at cn.fujitsu.com>
Date: Tue, 18 May 2010 00:51:54 +0000 (+0000)
Subject: Btrfs: prohibit a operation of changing acl's mask when noacl mount option used
X-Git-Tag: v2.6.35-rc3~3^2~3
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=731e3d1b
Btrfs: prohibit a operation of changing acl's mask when noacl mount option used
When using the POSIX File System Test Suite (pjd-fstest) to test btrfs,
some cases involving setfacl failed when the noacl mount option was used.
I simplified the commands used in pjd-fstest, and the following steps
can reproduce it.
------------------------
# cd btrfs-part/
# mkdir aaa
# setfacl -m m::rw aaa <- succeeded, but not expected by pjd-fstest.
------------------------
I checked ext3; a warning message occurred, like this:
setfacl: aaa/: Operation not supported
Certainly, it's expected by pjd-fstest.
So, I compared acl.c of btrfs and ext3. Based on that, a patch was created.
Fortunately, it works.
Signed-off-by: Shi Weihua <shiwh at cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason at oracle.com>
---
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 6b4d0cc..a372985 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -163,6 +163,9 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
if (!is_owner_or_cap(dentry->d_inode))
return -EPERM;
+ if (!IS_POSIXACL(dentry->d_inode))
+ return -EOPNOTSUPP;
+
if (value) {
acl = posix_acl_from_xattr(value, size);
if (acl == NULL) {
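Review bot: the new IS_POSIXACL() test sits after the is_owner_or_cap() test, so on a noacl mount a caller who is neither owner nor capable still gets -EPERM, and only the owner sees -EOPNOTSUPP. The commit message's goal is to match the "Operation not supported" result seen on ext3; if that should hold for every caller, put the IS_POSIXACL() check first, and either way add a comment saying which errno is meant to win.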
btrfs-should-add-permission-check-for-setfacl.patch:
acl.c | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE btrfs-should-add-permission-check-for-setfacl.patch ---
From: Shi Weihua <shiwh at cn.fujitsu.com>
Date: Tue, 18 May 2010 00:50:32 +0000 (+0000)
Subject: Btrfs: should add a permission check for setfacl
X-Git-Tag: v2.6.35-rc3~3^2~4
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=2f26afba
Btrfs: should add a permission check for setfacl
On btrfs, do the following
------------------
# su user1
# cd btrfs-part/
# touch aaa
# getfacl aaa
# file: aaa
# owner: user1
# group: user1
user::rw-
group::rw-
other::r--
# su user2
# cd btrfs-part/
# setfacl -m u::rwx aaa
# getfacl aaa
# file: aaa
# owner: user1
# group: user1
user::rwx <- setfacl succeeded
group::rw-
other::r--
------------------
But we should prohibit user2 from changing user1's ACL.
In fact, on ext3 and other fs, a message occurs:
setfacl: aaa: Operation not permitted
This patch fixed it.
Signed-off-by: Shi Weihua <shiwh at cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason at oracle.com>
---
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 6ef7b26..6b4d0cc 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -160,6 +160,9 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
int ret = 0;
struct posix_acl *acl = NULL;
+ if (!is_owner_or_cap(dentry->d_inode))
+ return -EPERM;
+
if (value) {
acl = posix_acl_from_xattr(value, size);
if (acl == NULL) {
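Review bot: the is_owner_or_cap() check added at the top of btrfs_xattr_acl_set() carries no comment, although it is the only test in the visible lines that stops a non-owner from changing another user's ACL. Placing it before `if (value)` is right, since it then covers the value == NULL path as well as the path that parses a new ACL; a one-line comment saying so would keep a later refactor from moving it inside the branch. The reproduction in the commit message (user2 running setfacl on user1's file and expecting "Operation not permitted") is worth keeping as a regression test.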
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-13/kernel.spec,v
retrieving revision 1.2065
retrieving revision 1.2066
diff -u -p -r1.2065 -r1.2066
--- kernel.spec 13 Jun 2010 12:29:40 -0000 1.2065
+++ kernel.spec 14 Jun 2010 10:12:40 -0000 1.2066
@@ -777,6 +777,9 @@ Patch2907: linux-2.6-v4l-dvb-add-kworld-
# fs fixes
Patch3000: linux-2.6-btrfs-update.patch
+Patch3001: btrfs-should-add-permission-check-for-setfacl.patch
+Patch3002: btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
+
Patch3010: writeback-fix-wb-sync-none-writeback-from-umount.patch
Patch3012: writeback-ensure-wb-sync-none-writeback-with-sb-pinned-is-sync.patch
Patch3014: writeback-update-dirty-flags-in-two-steps.patch
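Review bot: Patch3001 and Patch3002 are listed here without the "# CVE-2010-2071" comment that the matching ApplyPatch lines get later in the spec. Adding the same comment above these two Patch lines would let someone reading the patch list see why they are carried.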
@@ -1323,6 +1326,11 @@ ApplyPatch linux-2.6-execshield.patch
# btrfs
ApplyPatch linux-2.6-btrfs-update.patch
+# CVE-2010-2071
+ApplyPatch btrfs-should-add-permission-check-for-setfacl.patch
+ApplyPatch btrfs-prohibit-a-operation-of-changing-acls-mask-when-noacl-mount-option-is-used.patch
+
+
# Sort out umount versus sync penalty: rhbz#588930
#ApplyPatch writeback-fix-wb-sync-none-writeback-from-umount.patch
# additional fixes for writeback (#593669)
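Review bot: the two ApplyPatch lines under "# CVE-2010-2071" are order-dependent and nothing in the spec says so. The noacl patch's index line (6b4d0cc..a372985) starts from the blob that the permission-check patch produces (6ef7b26..6b4d0cc), so swapping them would make the second one fail to apply. A short comment noting the dependency would help, and the hunk adds two blank lines after the ApplyPatch lines where one would do.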
@@ -2217,6 +2225,9 @@ fi
# and build.
%changelog
+* Mon Jun 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.33.5-129
+- Add btrfs ACL fixes from CVE-2010-2071.
+
* Sun Jun 13 2010 Kyle McMartin <kyle at redhat.com> 2.6.33.5-128
- mac80211/iwlwifi fix connections to some APs (rhbz#558002)
patches from sgruszka at .