rpms/kernel/F-9 linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch, NONE, 1.1.2.1 linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch, NONE, 1.1.2.1 kernel.spec, 1.891.2.37, 1.891.2.38

Wed Mar 18 22:12:07 UTC 2009

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11501

Modified Files:
      Tag: private-fedora-9-2_6_27-branch
	kernel.spec 
Added Files:
      Tag: private-fedora-9-2_6_27-branch
	linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch 
	linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch 
Log Message:
Copy nfsd fixes from F-10:
    linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch
    linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch

linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch:

--- NEW FILE linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch ---
From: J. Bruce Fields <bfields at citi.umich.edu>
Date: Mon, 16 Mar 2009 22:34:20 +0000 (-0400)
Subject: nfsd: nfsd should drop CAP_MKNOD for non-root
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=76a67ec6fb79ff3570dcb5342142c16098299911

nfsd: nfsd should drop CAP_MKNOD for non-root

Since creating a device node is normally an operation requiring special
privilege, Igor Zhbanov points out that it is surprising (to say the
least) that a client can, for example, create a device node on a
filesystem exported with root_squash.

So, make sure CAP_MKNOD is among the capabilities dropped when an nfsd
thread handles a request from a non-root user.

Reported-by: Igor Zhbanov <izh1979 at gmail.com>
Cc: stable at kernel.org
Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
---

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 1b98725..4864a43 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -393,8 +393,10 @@ struct cpu_vfs_cap_data {
 # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
 # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
 # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
-# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \
-					CAP_FS_MASK_B1 } })
+# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+					    | CAP_TO_MASK(CAP_SYS_RESOURCE) \
+					    | CAP_TO_MASK(CAP_MKNOD), \
+					    CAP_FS_MASK_B1 } })
 
 #endif /* _KERNEL_CAPABILITY_U32S != 2 */
 

linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch:

--- NEW FILE linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch ---
From: Benny Halevy <bhalevy at panasas.com>
Date: Wed, 4 Mar 2009 21:05:35 +0000 (+0200)
Subject: NFSD: provide encode routine for OP_OPENATTR
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=84f09f46b4ee9e4e9b6381f8af31817516d2091b

NFSD: provide encode routine for OP_OPENATTR

Although this operation is unsupported by our implementation
we still need to provide an encode routine for it to
merely encode its (error) status back in the compound reply.

Thanks for Bill Baker at sun.com for testing with the Sun
OpenSolaris' client, finding, and reporting this bug at
Connectathon 2009.

This bug was introduced in 2.6.27

Signed-off-by: Benny Halevy <bhalevy at panasas.com>
Cc: stable at kernel.org
Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
---

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index f65953b..9250067 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2596,6 +2596,7 @@ static nfsd4_enc nfsd4_enc_ops[] = {
 	[OP_LOOKUPP]		= (nfsd4_enc)nfsd4_encode_noop,
 	[OP_NVERIFY]		= (nfsd4_enc)nfsd4_encode_noop,
 	[OP_OPEN]		= (nfsd4_enc)nfsd4_encode_open,
+	[OP_OPENATTR]		= (nfsd4_enc)nfsd4_encode_noop,
 	[OP_OPEN_CONFIRM]	= (nfsd4_enc)nfsd4_encode_open_confirm,
 	[OP_OPEN_DOWNGRADE]	= (nfsd4_enc)nfsd4_encode_open_downgrade,
 	[OP_PUTFH]		= (nfsd4_enc)nfsd4_encode_noop,


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.891.2.37
retrieving revision 1.891.2.38
diff -u -r1.891.2.37 -r1.891.2.38
--- kernel.spec	18 Mar 2009 21:10:08 -0000	1.891.2.37
+++ kernel.spec	18 Mar 2009 22:11:33 -0000	1.891.2.38
@@ -682,6 +682,8 @@
 Patch690: linux-2.6-at76.patch
 
 Patch700: linux-2.6-nfs-client-mounts-hang.patch
+Patch701: linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch
+Patch702: linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch
 
 Patch900: linux-2.6-uvc-hg.patch
 Patch901: linux-2.6-uvc-spca525.patch
@@ -1281,6 +1283,8 @@
 
 # NFS Client mounts hang when exported directory do not exist
 ApplyPatch linux-2.6-nfs-client-mounts-hang.patch
+ApplyPatch linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch
+ApplyPatch linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch
 
 # update uvc to upstream, fix spca525
 ApplyPatch linux-2.6-uvc-hg.patch
@@ -1939,6 +1943,11 @@
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Wed Mar 18 2009 Chuck Ebbert <cebbert at redhat.com>  2.6.27.20-78.2.38
+- Copy nfsd fixes from F-10:
+    linux-2.6-nfsd-drop-cap-mknod-for-non-root.patch
+    linux-2.6-nfsd-provide-encode-routine-for-op-openattr.patch
+
 * Wed Mar 18 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.20-78.2.37
 - Copy ext4 fixes from F-10 2.6.27 kernel.
 


