git.openafs.org Git - openafs.git/commit

author	Jeffrey Hutzelman <jhutz@cmu.edu>
	Thu, 2 May 2019 20:02:47 +0000 (16:02 -0400)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Fri, 28 Feb 2020 03:33:59 +0000 (22:33 -0500)
commit	cd3221d3532a28111ad22d4090ec913cbbff40da
tree	64d878c39ac996f666e79d1efaec853525eaa4ba	tree \| snapshot
parent	042f809ccfe12bafed73aa4eb4db2c86737e0b22	commit \| diff

Linux: use override_creds when available

Linux may perform some access control checks at the time of an I/O
operation, rather than relying solely on checks done when the file is
opened. In some cases (e.g. AppArmor), these checks are done based on
the current tasks's creds at the time of the I/O operation, not those
used when the file was open.

Because of this, we must use override_creds() / revert_creds() to make
sure we are using privileged credentials when performing I/O operations
on cache files. Otherwise, cache I/O operations done in the context of
a task with a restrictive AppArmor profile will fail.

Change-Id: Icbe60874c348d6cd92b0a186d426918b0db9b0f9
Reviewed-on: https://gerrit.openafs.org/13751
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

src/afs/LINUX/osi_file.c		diff \| blob \| history
src/cf/linux-kernel-func.m4		diff \| blob \| history