linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given
@ 2020-12-16 21:44 Jonas Witschel
  2020-12-16 22:41 ` Pavel Shilovsky
  0 siblings, 1 reply; 2+ messages in thread
From: Jonas Witschel @ 2020-12-16 21:44 UTC (permalink / raw)
  To: linux-cifs; +Cc: Alexander Koch, Jonas Witschel

From: Alexander Koch <mail@alexanderkoch.net>

Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
only if CAP_SETCAP is present.

This is an addendum to the patch recently provided in [1]. Without this
additional change, cifs.upcall can still fail while trying to mount a CIFS
network share with krb5:

  kernel: CIFS: Attempting to mount //server.domain.lan/myshare
  cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
  cifs.upcall[39484]: ver=2
  cifs.upcall[39484]: host=server.domain.lan
  cifs.upcall[39484]: ip=172.22.3.14
  cifs.upcall[39484]: sec=1
  cifs.upcall[39484]: uid=1000
  cifs.upcall[39484]: creduid=1000
  cifs.upcall[39484]: user=username
  cifs.upcall[39484]: pid=39481
  cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
  cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
  cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
  cifs.upcall[39484]: Exit status 1

[1] https://marc.info/?l=linux-cifs&m=160595758021261

Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
---
 cifs.upcall.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 1559434..b62ab50 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -115,8 +115,13 @@ trim_capabilities(bool need_environ)
 static int
 drop_all_capabilities(void)
 {
+	capng_select_t set = CAPNG_SELECT_CAPS;
+
 	capng_clear(CAPNG_SELECT_BOTH);
-	if (capng_apply(CAPNG_SELECT_BOTH)) {
+	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+		set = CAPNG_SELECT_BOTH;
+	}
+	if (capng_apply(set)) {
 		syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
 		return 1;
 	}
-- 
2.29.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given
  2020-12-16 21:44 [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given Jonas Witschel
@ 2020-12-16 22:41 ` Pavel Shilovsky
  0 siblings, 0 replies; 2+ messages in thread
From: Pavel Shilovsky @ 2020-12-16 22:41 UTC (permalink / raw)
  To: Jonas Witschel; +Cc: linux-cifs, Alexander Koch

Merged. Thanks!

--
Best regards,
Pavel Shilovsky

ср, 16 дек. 2020 г. в 13:47, Jonas Witschel <diabonas@archlinux.org>:
>
> From: Alexander Koch <mail@alexanderkoch.net>
>
> Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
> only if CAP_SETCAP is present.
>
> This is an addendum to the patch recently provided in [1]. Without this
> additional change, cifs.upcall can still fail while trying to mount a CIFS
> network share with krb5:
>
>   kernel: CIFS: Attempting to mount //server.domain.lan/myshare
>   cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
>   cifs.upcall[39484]: ver=2
>   cifs.upcall[39484]: host=server.domain.lan
>   cifs.upcall[39484]: ip=172.22.3.14
>   cifs.upcall[39484]: sec=1
>   cifs.upcall[39484]: uid=1000
>   cifs.upcall[39484]: creduid=1000
>   cifs.upcall[39484]: user=username
>   cifs.upcall[39484]: pid=39481
>   cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
>   cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
>   cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
>   cifs.upcall[39484]: Exit status 1
>
> [1] https://marc.info/?l=linux-cifs&m=160595758021261
>
> Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
> Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
> ---
>  cifs.upcall.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 1559434..b62ab50 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -115,8 +115,13 @@ trim_capabilities(bool need_environ)
>  static int
>  drop_all_capabilities(void)
>  {
> +       capng_select_t set = CAPNG_SELECT_CAPS;
> +
>         capng_clear(CAPNG_SELECT_BOTH);
> -       if (capng_apply(CAPNG_SELECT_BOTH)) {
> +       if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
> +               set = CAPNG_SELECT_BOTH;
> +       }
> +       if (capng_apply(set)) {
>                 syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
>                 return 1;
>         }
> --
> 2.29.2
>

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-16 22:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-16 21:44 [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given Jonas Witschel
2020-12-16 22:41 ` Pavel Shilovsky

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).