* [PATCH] userns: Convert quota to user kuid/kgid where appropriate
@ 2012-08-01 10:38 Dmitry Monakhov
From: Dmitry Monakhov @ 2012-08-01 10:38 UTC
To: linux-kernel-u79uwXL29TY76Z2rM5mHXA
Cc: jack-AlSwsSmVLrQ,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
Dmitry Monakhov, ebiederm-aS9lmoZGLiVWk0Htik3J/w,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
Map uid/gid to global kuid/kgid before passing it down to the quota infrastructure.
Signed-off-by: Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
---
fs/quota/quota.c | 45 ++++++++++++++++++++++++++++++++++++---------
1 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/fs/quota/quota.c b/fs/quota/quota.c
index 6f15578..a59efd4 100644
--- a/fs/quota/quota.c
+++ b/fs/quota/quota.c
@@ -19,8 +19,13 @@
#include <linux/writeback.h>
static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
- qid_t id)
+ qid_t id, qid_t* global_id)
{
+ kuid_t kuid;
+ kgid_t kgid;
+ struct user_namespace *ns = current_user_ns();
+ int is_get_query = 0;
+
switch (cmd) {
/* these commands do not require any special privilegues */
case Q_GETFMT:
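Review bot: the new out parameter in the check_quotactl_permission() signature is written "qid_t* global_id", where kernel style puts the asterisk with the name ("qid_t *global_id"). A function named as a permission check now also produces the translated id, and nothing here documents for which commands *global_id is written. Add a comment stating that contract, or move the mapping into its own helper so the check has no side effect.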
@@ -29,11 +34,32 @@ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
case Q_XGETQSTAT:
case Q_XQUOTASYNC:
break;
- /* allow to query information for dquots we "own" */
case Q_GETQUOTA:
case Q_XGETQUOTA:
- if ((type == USRQUOTA && current_euid() == id) ||
- (type == GRPQUOTA && in_egroup_p(id)))
+ is_get_query = 1;
+ case Q_SETQUOTA:
+ case Q_XSETQLIM:
+ /* Map to global user namespace */
+ switch (type) {
+ case USRQUOTA:
+ kuid = make_kuid(ns, id);
+ if (!uid_valid(kuid))
+ return -EINVAL;
+ *global_id = from_kuid_munged(&init_user_ns, kuid);
+ break;
+ case GRPQUOTA:
+ kgid = make_kgid(ns, id);
+ if (!gid_valid(kgid))
+ return -EINVAL;
+ *global_id = from_kgid_munged(&init_user_ns, kgid);
+ break;
+ default:
+ return -EINVAL;
+ }
+ /* allow to query information for dquots we "own" */
+ if (is_get_query &&
+ ((type == USRQUOTA && uid_eq(current_euid(), kuid)) ||
+ (type == GRPQUOTA && in_egroup_p(kgid))))
break;
/*FALLTHROUGH*/
default:
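Review bot: the inner switch (type) ends in "default: return -EINVAL", which now fails Q_XGETQUOTA and Q_XSETQLIM for any type other than USRQUOTA and GRPQUOTA before the capability check is reached. do_quotactl() bounds type by XQM_MAXQUOTAS for XQM commands, so if that admits a further type it needs its own case here rather than a rejection. The Q_GETQUOTA/Q_XGETQUOTA arm also drops into the Q_SETQUOTA labels after "is_get_query = 1;" with no fall-through comment, unlike the /*FALLTHROUGH*/ a few lines down; annotate it so the missing break is not read as a mistake.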
@@ -240,13 +266,14 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id,
void __user *addr, struct path *path)
{
int ret;
+ qid_t qid = -1;
if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
return -EINVAL;
if (!sb->s_qcop)
return -ENOSYS;
- ret = check_quotactl_permission(sb, type, cmd, id);
+ ret = check_quotactl_permission(sb, type, cmd, id, &qid);
if (ret < 0)
return ret;
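Review bot: "qid_t qid = -1;" in do_quotactl() is an undocumented sentinel. check_quotactl_permission() fills it only for the four commands that pass through the mapping switch, so a dispatch arm that uses qid without a matching case label there would silently operate on id -1. Comment or name the value, or perform the mapping where the id is consumed so the two lists of commands cannot drift apart.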
@@ -264,9 +291,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id,
case Q_SETINFO:
return quota_setinfo(sb, type, addr);
case Q_GETQUOTA:
- return quota_getquota(sb, type, id, addr);
+ return quota_getquota(sb, type, qid, addr);
case Q_SETQUOTA:
- return quota_setquota(sb, type, id, addr);
+ return quota_setquota(sb, type, qid, addr);
case Q_SYNC:
if (!sb->s_qcop->quota_sync)
return -ENOSYS;
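Review bot: quota_getquota() and quota_setquota() still receive a plain qid_t here, so after the make_kuid()/from_kuid_munged() round trip nothing at the type level distinguishes a translated id from the raw one the caller passed in. Passing the kuid_t/kgid_t (or a small typed wrapper) down to these helpers would let the compiler flag any call site that still hands over the untranslated id.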
@@ -278,9 +305,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id,
case Q_XGETQSTAT:
return quota_getxstate(sb, addr);
case Q_XSETQLIM:
- return quota_setxquota(sb, type, id, addr);
+ return quota_setxquota(sb, type, qid, addr);
case Q_XGETQUOTA:
- return quota_getxquota(sb, type, id, addr);
+ return quota_getxquota(sb, type, qid, addr);
case Q_XQUOTASYNC:
if (sb->s_flags & MS_RDONLY)
return -EROFS;
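Review bot: for Q_XGETQUOTA the result is copied back to the caller through addr, and this hunk only translates the id on the way in. If the structure that quota_getxquota() fills carries an id field, it will hold the init_user_ns value and should be mapped back into the caller's namespace before copy-out. The same question applies to Q_XSETQLIM in the other direction, where an id inside the user-supplied structure would bypass the mapping done on the id argument.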
--
1.7.1
* Re: [PATCH] userns: Convert quota to user kuid/kgid where appropriate
@ 2012-08-01 13:03 Eric W. Biederman
From: Eric W. Biederman @ 2012-08-01 13:03 UTC
To: Dmitry Monakhov
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
jack-AlSwsSmVLrQ,
linux-kernel-u79uwXL29TY76Z2rM5mHXA

Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> writes:

> Map uid/gid to global kuid/kgid before passing it down to the quota
> infrastructure.

Have you looked at my development branch of my userns tree?

I already have a patch queued to do something like this.

Eric

> Signed-off-by: Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> > --- > fs/quota/quota.c | 45 ++++++++++++++++++++++++++++++++++++--------- > 1 files changed, 36 insertions(+), 9 deletions(-) > > diff --git a/fs/quota/quota.c b/fs/quota/quota.c > index 6f15578..a59efd4 100644 > --- a/fs/quota/quota.c > +++ b/fs/quota/quota.c > @@ -19,8 +19,13 @@ > #include <linux/writeback.h> > > static int check_quotactl_permission(struct super_block *sb, int type, int cmd, > - qid_t id) > + qid_t id, qid_t* global_id) > { > + kuid_t kuid; > + kgid_t kgid; > + struct user_namespace *ns = current_user_ns(); > + int is_get_query = 0; > + > switch (cmd) { > /* these commands do not require any special privilegues */ > case Q_GETFMT:
> @@ -29,11 +34,32 @@ static int check_quotactl_permission(struct super_block *sb, int type, int cmd, > case Q_XGETQSTAT: > case Q_XQUOTASYNC: > break; > - /* allow to query information for dquots we "own" */ > case Q_GETQUOTA: > case Q_XGETQUOTA: > - if ((type == USRQUOTA && current_euid() == id) || > - (type == GRPQUOTA && in_egroup_p(id))) > + is_get_query = 1; > + case Q_SETQUOTA: > + case Q_XSETQLIM: > + /* Map to global user namespace */ > + switch (type) { > + case USRQUOTA: > + kuid = make_kuid(ns, id); > + if (!uid_valid(kuid)) > + return -EINVAL; > + *global_id = from_kuid_munged(&init_user_ns, kuid); > + break; > + case GRPQUOTA: > + kgid = make_kgid(ns, id); > + if (!gid_valid(kgid)) > + return -EINVAL; > + *global_id = from_kgid_munged(&init_user_ns, kgid); > + break; > + default: > + return -EINVAL; > + } > + /* allow to query information for dquots we "own" */ > + if (is_get_query && > + ((type == USRQUOTA && uid_eq(current_euid(), kuid)) || > + (type == GRPQUOTA && in_egroup_p(kgid)))) > break; > /*FALLTHROUGH*/ > default: > @@ -240,13 +266,14 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > void __user *addr, struct path *path) > { > int ret; > + qid_t qid = -1; > > if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS)) > return -EINVAL; > if (!sb->s_qcop) > return -ENOSYS; > > - ret = check_quotactl_permission(sb, type, cmd, id); > + ret = check_quotactl_permission(sb, type, cmd, id, &qid); > if (ret < 0) > return ret; > > @@ -264,9 +291,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > case Q_SETINFO: > return quota_setinfo(sb, type, addr); > case Q_GETQUOTA: > - return quota_getquota(sb, type, id, addr); > + return quota_getquota(sb, type, qid, addr); > case Q_SETQUOTA: > - return quota_setquota(sb, type, id, addr); > + return quota_setquota(sb, type, qid, addr); > case Q_SYNC: > if (!sb->s_qcop->quota_sync) > return -ENOSYS; 
> @@ -278,9 +305,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > case Q_XGETQSTAT: > return quota_getxstate(sb, addr); > case Q_XSETQLIM: > - return quota_setxquota(sb, type, id, addr); > + return quota_setxquota(sb, type, qid, addr); > case Q_XGETQUOTA: > - return quota_getxquota(sb, type, id, addr); > + return quota_getxquota(sb, type, qid, addr); > case Q_XQUOTASYNC: > if (sb->s_flags & MS_RDONLY) > return -EROFS;
* Re: ***SPAM*** Re: [PATCH] userns: Convert quota to user kuid/kgid where appropriate
@ 2012-08-01 15:36 Dmitry Monakhov
From: Dmitry Monakhov @ 2012-08-01 15:36 UTC
To: Eric W. Biederman
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
jack-AlSwsSmVLrQ,
linux-kernel-u79uwXL29TY76Z2rM5mHXA

On Wed, 01 Aug 2012 06:03:33 -0700, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman) wrote:
> Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> writes:
>
> > Map uid/gid to global kuid/kgid before passing it down to the quota
> > infrastructure.
>
> Have you looked at my development branch of my userns tree?
>
> I already have a patch queued to do something like this.

Oh. Yes, you're right. I've missed it.
BTW, when do you plan to submit the new set?

>
> Eric
>
> > Signed-off-by: Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> > > --- > > fs/quota/quota.c | 45 ++++++++++++++++++++++++++++++++++++--------- > > 1 files changed, 36 insertions(+), 9 deletions(-) > > > > diff --git a/fs/quota/quota.c b/fs/quota/quota.c > > index 6f15578..a59efd4 100644 > > --- a/fs/quota/quota.c > > +++ b/fs/quota/quota.c > > @@ -19,8 +19,13 @@ > > #include <linux/writeback.h> > > > > static int check_quotactl_permission(struct super_block *sb, int type, int cmd, > > - qid_t id) > > + qid_t id, qid_t* global_id) > > { > > + kuid_t kuid; > > + kgid_t kgid; > > + struct user_namespace *ns = current_user_ns(); > > + int is_get_query = 0; > > + > > switch (cmd) { > > /* these commands do not require any special privilegues */ > > case Q_GETFMT:
> > @@ -29,11 +34,32 @@ static int check_quotactl_permission(struct super_block *sb, int type, int cmd, > > case Q_XGETQSTAT: > > case Q_XQUOTASYNC: > > break; > > - /* allow to query information for dquots we "own" */ > > case Q_GETQUOTA: > > case Q_XGETQUOTA: > > - if ((type == USRQUOTA && current_euid() == id) || > > - (type == GRPQUOTA && in_egroup_p(id))) > > + is_get_query = 1; > > + case Q_SETQUOTA: > > + case Q_XSETQLIM: > > + /* Map to global user namespace */ > > + switch (type) { > > + case USRQUOTA: > > + kuid = make_kuid(ns, id); > > + if (!uid_valid(kuid)) > > + return -EINVAL; > > + *global_id = from_kuid_munged(&init_user_ns, kuid); > > + break; > > + case GRPQUOTA: > > + kgid = make_kgid(ns, id); > > + if (!gid_valid(kgid)) > > + return -EINVAL; > > + *global_id = from_kgid_munged(&init_user_ns, kgid); > > + break; > > + default: > > + return -EINVAL; > > + } > > + /* allow to query information for dquots we "own" */ > > + if (is_get_query && > > + ((type == USRQUOTA && uid_eq(current_euid(), kuid)) || > > + (type == GRPQUOTA && in_egroup_p(kgid)))) > > break; > > /*FALLTHROUGH*/ > > default: > > @@ -240,13 +266,14 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > > void __user *addr, struct path *path) > > { > > int ret; > > + qid_t qid = -1; > > > > if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS)) > > return -EINVAL; > > if (!sb->s_qcop) > > return -ENOSYS; > > > > - ret = check_quotactl_permission(sb, type, cmd, id); > > + ret = check_quotactl_permission(sb, type, cmd, id, &qid); > > if (ret < 0) > > return ret; 
> > > > @@ -264,9 +291,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > > case Q_SETINFO: > > return quota_setinfo(sb, type, addr); > > case Q_GETQUOTA: > > - return quota_getquota(sb, type, id, addr); > > + return quota_getquota(sb, type, qid, addr); > > case Q_SETQUOTA: > > - return quota_setquota(sb, type, id, addr); > > + return quota_setquota(sb, type, qid, addr); > > case Q_SYNC: > > if (!sb->s_qcop->quota_sync) > > return -ENOSYS; > > @@ -278,9 +305,9 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id, > > case Q_XGETQSTAT: > > return quota_getxstate(sb, addr); > > case Q_XSETQLIM: > > - return quota_setxquota(sb, type, id, addr); > > + return quota_setxquota(sb, type, qid, addr); > > case Q_XGETQUOTA: > > - return quota_getxquota(sb, type, id, addr); > > + return quota_getxquota(sb, type, qid, addr); > > case Q_XQUOTASYNC: > > if (sb->s_flags & MS_RDONLY) > > return -EROFS;
* Re: [PATCH] userns: Convert quota to user kuid/kgid where appropriate
@ 2012-08-01 17:45 Eric W. Biederman
From: Eric W. Biederman @ 2012-08-01 17:45 UTC
To: Dmitry Monakhov
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
jack-AlSwsSmVLrQ,
linux-kernel-u79uwXL29TY76Z2rM5mHXA

Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> writes:

> On Wed, 01 Aug 2012 06:03:33 -0700, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman) wrote:
>> Dmitry Monakhov <dmonakhov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> writes:
>>
>> > Map uid/gid to global kuid/kgid before passing it down to the quota
>> > infrastructure.
>>
>> Have you looked at my development branch of my userns tree?
>>
>> I already have a patch queued to do something like this.
> Oh. Yes, you're right. I've missed it.
> BTW, when do you plan to submit the new set?

I had hoped for 3.6 but I was a bit out of it earlier and didn't get my
testing/review in before the merge window opened. So my current plan is
to rebase on 3.6-rc1 and then place the patches up for review and get
them all staged for 3.7.

Eric