From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Bob Peterson <rpeterso@redhat.com>, Andreas Gruenbacher <agruenba@redhat.com>, Sasha Levin <sashal@kernel.org>, cluster-devel@redhat.com Subject: [PATCH AUTOSEL 4.19 09/19] gfs2: move privileged user check to gfs2_quota_lock_check Date: Fri, 22 May 2020 10:51:10 -0400 [thread overview] Message-ID: <20200522145120.434921-9-sashal@kernel.org> (raw) In-Reply-To: <20200522145120.434921-1-sashal@kernel.org> From: Bob Peterson <rpeterso@redhat.com> [ Upstream commit 4ed0c30811cb4d30ef89850b787a53a84d5d2bcb ] Before this patch, function gfs2_quota_lock checked if it was called from a privileged user, and if so, it bypassed the quota check: superuser can operate outside the quotas. That's the wrong place for the check because the lock/unlock functions are separate from the lock_check function, and you can do lock and unlock without actually checking the quotas. This patch moves the check to gfs2_quota_lock_check. Signed-off-by: Bob Peterson <rpeterso@redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- fs/gfs2/quota.c | 3 +-- fs/gfs2/quota.h | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c index 0efae7a0ee80..dd0f9bc13164 100644 --- a/fs/gfs2/quota.c +++ b/fs/gfs2/quota.c @@ -1043,8 +1043,7 @@ int gfs2_quota_lock(struct gfs2_inode *ip, kuid_t uid, kgid_t gid) u32 x; int error = 0; - if (capable(CAP_SYS_RESOURCE) || - sdp->sd_args.ar_quota != GFS2_QUOTA_ON) + if (sdp->sd_args.ar_quota != GFS2_QUOTA_ON) return 0; error = gfs2_quota_hold(ip, uid, gid); diff --git a/fs/gfs2/quota.h b/fs/gfs2/quota.h index 836f29480be6..e3a6e2404d11 100644 --- a/fs/gfs2/quota.h +++ b/fs/gfs2/quota.h 
@@ -47,7 +47,8 @@ static inline int gfs2_quota_lock_check(struct gfs2_inode *ip, int ret; ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ - if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) + if (capable(CAP_SYS_RESOURCE) || + sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) return 0; ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); if (ret) -- 2.25.1
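Review bot: In the fs/gfs2/quota.c hunk, dropping capable(CAP_SYS_RESOURCE) from the early return in gfs2_quota_lock means a privileged caller now falls through to gfs2_quota_hold(ip, uid, gid) whenever ar_quota is GFS2_QUOTA_ON, where it used to return 0 without holding anything. That matches the commit message, but it changes behaviour for every direct caller of gfs2_quota_lock. Please add a short comment above the remaining `if (sdp->sd_args.ar_quota != GFS2_QUOTA_ON)` test saying that the superuser exemption now lives in gfs2_quota_lock_check, and confirm that each direct caller's unlock path expects the lock to be held for privileged tasks as well.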
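Review bot: In the fs/gfs2/quota.h hunk, the new `if (capable(CAP_SYS_RESOURCE) ||` branch returns 0 before gfs2_quota_lock is called, so for a privileged task gfs2_quota_lock_check now reports success with ap->allowed left at UINT_MAX and no quota hold or lock taken, even when quotas are on. A caller that pairs a successful gfs2_quota_lock_check with an unconditional unlock would then release something it never acquired. The same series carries 10/19 "gfs2: don't call quota_unhold if quotas are not locked", so the two should be backported together, and the commit message could say so. Consider also testing `sdp->sd_args.ar_quota == GFS2_QUOTA_OFF` first, so that capable() is only evaluated when quotas are actually enabled.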