From: "J. Bruce Fields" <bfields@fieldses.org>
To: Josef Bacik <josef@redhat.com>
Cc: linux-fsdevel@vger.kernel.org, eparis@redhat.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs: call security_d_instantiate in d_obtain_alias
Date: Wed, 17 Nov 2010 14:18:17 -0500 [thread overview]
Message-ID: <20101117191817.GA26575@fieldses.org> (raw)
In-Reply-To: <1290016263-1637-1-git-send-email-josef@redhat.com>
On Wed, Nov 17, 2010 at 12:51:03PM -0500, Josef Bacik wrote:
> While trying to track down some NFS problems with BTRFS, I kept noticing I was
> getting -EACCESS for no apparent reason. Eric Paris and printk() helped me
> figure out that it was SELinux that was giving me grief, with the following
> denial
>
> type=AVC msg=audit(1290013638.413:95): avc: denied { 0x800000 } for pid=1772
> comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Turns out this is because in d_obtain_alias if we can't find an alias we create
> one and do all the normal instantiation stuff, but we don't do the
> security_d_instantiate. With this patch I'm no longer seeing these errant
> -EACCESS return values. Thanks,
Possibly dumb question: Is there still a small race here? Is it
possible for another nfsd thread to find the new alias on the list while
this thread is still:
>
> Signed-off-by: Josef Bacik <josef@redhat.com>
> ---
> fs/dcache.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/fs/dcache.c b/fs/dcache.c
> index 23702a9..890a59e 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1201,6 +1201,7 @@ struct dentry *d_obtain_alias(struct inode *inode)
> spin_unlock(&tmp->d_lock);
>
> spin_unlock(&dcache_lock);
... right here, so that that other nfsd thread still ends up trying to
do something with a dentry that hasn't had security_d_instantiate called
on it yet?
> + security_d_instantiate(tmp, inode);
> return tmp;
>
> out_iput:
> --
Or does something else prevent that?
--b.
next prev parent reply other threads:[~2010-11-17 19:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-17 17:51 [PATCH] fs: call security_d_instantiate in d_obtain_alias Josef Bacik
2010-11-17 18:54 ` Eric Paris
2010-11-17 18:54 ` Eric Paris
2010-11-17 19:18 ` J. Bruce Fields [this message]
2010-11-17 19:28 ` Josef Bacik
2010-11-17 20:26 ` J. Bruce Fields
2010-11-17 22:12 ` Eric Paris
2010-11-17 22:12 ` Eric Paris
2010-11-18 1:43 ` Josef Bacik
2010-11-19 5:28 ` David Quigley
2010-11-19 16:42 ` J. Bruce Fields
2010-11-20 16:38 ` Dave Quigley
2010-11-29 20:23 ` J. Bruce Fields
2010-11-17 20:27 ` Josef Bacik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101117191817.GA26575@fieldses.org \
--to=bfields@fieldses.org \
--cc=eparis@redhat.com \
--cc=josef@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.