Linux - Fix disk cache access for selinux/AppArmor constrained processes

Preserve the credentials used for cache initialisation and use then
whenever disk cache files are opened.  This takes advantage of the
credentials separation work from David Howells available in kernels
2.6.29 and above.
Access to cache files was done under the security context of the
user process, causing processes constrained by selinux or AppArmor to
fail to access AFS cache files and causing the cache manager to panic.

Besides the RT tickets, should also fix the following Ubuntu bugs:
 415766 429260 457779 459299

FIXES 92944,125544

Change-Id: Ief8acd65c1a3e4d8c951f80bfd65f8340b8cec34
Reviewed-on: http://gerrit.openafs.org/752
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Reviewed-on: http://gerrit.openafs.org/774

diff --git a/src/afs/LINUX/osi_file.c b/src/afs/LINUX/osi_file.c
index 8b251ab2c2040bcae275f6f8d340b6bccfc76379..b236b06f7c64dcd3fde04466abc9aa2b3d1d096f 100644 (file)
--- a/src/afs/LINUX/osi_file.c
+++ b/src/afs/LINUX/osi_file.c
@@ -32,6 +32,9 @@ extern struct osi_dev cacheDev;
 extern struct vfsmount *afs_cacheMnt;
 #endif
 extern struct super_block *afs_cacheSBp;
+#if defined(STRUCT_TASK_HAS_CRED)
+extern struct cred *cache_creds;
+#endif
 
 #if defined(AFS_LINUX26_ENV) 
 void *
@@ -79,7 +82,8 @@ osi_UFSOpen(afs_int32 ainode)
     tip->i_flags |= MS_NOATIME;        /* Disable updating access times. */
 
 #if defined(STRUCT_TASK_HAS_CRED)
-    filp = dentry_open(dp, mntget(afs_cacheMnt), O_RDWR, current_cred());
+    /* Use stashed credentials - prevent selinux/apparmor problems  */
+    filp = dentry_open(dp, mntget(afs_cacheMnt), O_RDWR, cache_creds);
 #else
     filp = dentry_open(dp, mntget(afs_cacheMnt), O_RDWR);
 #endif

diff --git a/src/afs/afs_init.c b/src/afs/afs_init.c
index 11ed6a05acb2534f1380720d5c16f76ea6e1fc1c..d374777826d037e5005f807e2417f8ff825fa350 100644 (file)
--- a/src/afs/afs_init.c
+++ b/src/afs/afs_init.c
@@ -23,6 +23,9 @@ RCSID
 #include "afs/sysincludes.h"   /* Standard vendor system headers */
 #include "afsincludes.h"       /* Afs-based standard headers */
 #include "afs/afs_stats.h"     /* afs statistics */
+#if defined(AFS_LINUX26_ENV) && defined(STRUCT_TASK_HAS_CRED)
+#include <linux/cred.h>
+#endif
 
 /* Exported variables */
 struct osi_dev cacheDev;       /*Cache device */
@@ -44,6 +47,9 @@ int afs_memvolumes = 0;
 #if defined(AFS_XBSD_ENV)
 static struct vnode *volumeVnode;
 #endif
+#if defined(AFS_LINUX26_ENV) && defined(STRUCT_TASK_HAS_CRED)
+const struct cred *cache_creds;
+#endif
 
 /* This is the kernel side of the dynamic vcache setting */
 int afsd_dynamic_vcaches = 0;  /* Enable dynamic-vcache support */
@@ -140,6 +146,16 @@ afs_CacheInit(afs_int32 astatSize, afs_int32 afiles, afs_int32 ablocks,
     afs_cacheStats = astatSize;
     afs_vcacheInit(astatSize);
     afs_dcacheInit(afiles, ablocks, aDentries, achunk, aflags);
+#if defined(AFS_LINUX26_ENV) && defined(STRUCT_TASK_HAS_CRED)
+    /*
+     * Save current credentials for later access to disk cache files.
+     * If selinux, apparmor or other security modules are enabled,
+     * they might deny access to cache files if the userspace process
+     * is restricted.  Save the credentials used at cache initialisation
+     * for later use when opening cache files.
+     */
+    cache_creds = get_current_cred();
+#endif
 #ifdef AFS_64BIT_CLIENT
 #ifdef AFS_VM_RDWR_ENV
     afs_vmMappingEnd = AFS_CHUNKBASE(0x7fffffff);
@@ -677,6 +693,9 @@ shutdown_cache(void)
        memset((char *)&cacheDev, 0, sizeof(struct osi_dev));
        osi_dnlc_shutdown();
     }
+#if defined(AFS_LINUX26_ENV) && defined(STRUCT_TASK_HAS_CRED)
+    put_cred(cache_creds);
+#endif
 }                              /*shutdown_cache */