[05/28] lnet: o2ib: raise bind cap before resolving address

Message ID	1605488401-981-6-git-send-email-jsimmons@infradead.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=cglZ=EW=lists.lustre.org=lustre-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E9CB820E65 From: James Simmons <jsimmons@infradead.org> To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.com> Date: Sun, 15 Nov 2020 19:59:38 -0500 Message-Id: <1605488401-981-6-git-send-email-jsimmons@infradead.org> In-Reply-To: <1605488401-981-1-git-send-email-jsimmons@infradead.org> References: <1605488401-981-1-git-send-email-jsimmons@infradead.org> Subject: [lustre-devel] [PATCH 05/28] lnet: o2ib: raise bind cap before resolving address Precedence: list Cc: Lustre Development List <lustre-devel@lists.lustre.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: lustre-devel-bounces@lists.lustre.org Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>
Series	OpenSFS backport for Nov 15 2020 \| expand [00/28] OpenSFS backport for Nov 15 2020 [01/28] llite: remove splice_read handling for PCC [02/28] lustre: llite: disable statahead_agl for sanity test_56ra [03/28] lustre: seq_file .next functions must update *pos [04/28] lustre: llite: ASSERTION( last_oap_count > 0 ) failed [05/28] lnet: o2ib: raise bind cap before resolving address [06/28] lustre: use memalloc_nofs_save() for GFP_NOFS kvmalloc allocations. [07/28] lnet: o2iblnd: Don't retry indefinitely [08/28] lustre: llite: rmdir releases inode on client [09/28] lustre: gss: update sequence in case of target disconnect [10/28] lustre: lov: doesn't check lov_refcount [11/28] lustre: ptlrpc: remove unused code at pinger [12/28] lustre: mdc: remote object support getattr from cache [13/28] lustre: llite: pass name in getattr by FID [14/28] lnet: o2iblnd: 'Timed out tx' error message [15/28] lustre: ldlm: Fix unbounded OBD_FAIL_LDLM_CANCEL_BL_CB_RACE wait [16/28] lustre: ldlm: group locks for DOM IBIT lock [17/28] lustre: ptlrpc: decrease time between reconnection [18/28] lustre: ptlrpc: throttle RPC resend if network error [19/28] lustre: ldlm: BL AST vs failed lock enqueue race [20/28] lustre: ptlrpc: don't log connection 'restored' inappropriately [21/28] lustre: llite: Avoid eternel retry loops with MAP_POPULATE [22/28] lustre: ptlrpc: introduce OST_SEEK RPC [23/28] lustre: clio: SEEK_HOLE/SEEK_DATA on client side [24/28] lustre: sec: O_DIRECT for encrypted file [25/28] lustre: sec: restrict fallocate on encrypted files [26/28] lustre: sec: encryption with different client PAGE_SIZE [27/28] lustre: sec: require enc key in case of O_CREAT only [28/28] lustre: sec: fix O_DIRECT and encrypted files

Message ID

1605488401-981-6-git-send-email-jsimmons@infradead.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E9CB820E65
From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>,
 NeilBrown <neilb@suse.com>
Date: Sun, 15 Nov 2020 19:59:38 -0500
Message-Id: <1605488401-981-6-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1605488401-981-1-git-send-email-jsimmons@infradead.org>
References: <1605488401-981-1-git-send-email-jsimmons@infradead.org>
Subject: [lustre-devel] [PATCH 05/28] lnet: o2ib: raise bind cap before
 resolving address
Precedence: list
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: lustre-devel-bounces@lists.lustre.org
Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>

Series

OpenSFS backport for Nov 15 2020 | expand

Commit Message

James Simmons Nov. 16, 2020, 12:59 a.m. UTC

From: "John L. Hammond" <jhammond@whamcloud.com>

In kiblnd_resolve_addr(), ensure that the current task has
CAP_NET_BIND_SERVICE before calling rdma_resolve_addr() with a
protected source port.

WC-bug-id: https://jira.whamcloud.com/browse/LU-14006
Lustre-commit: 1e4bd16acfa26a ("LU-14006 o2ib: raise bind cap before resolving address")
Signed-off-by: John L. Hammond <jhammond@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/40127
Reviewed-by: Amir Shehata <ashehata@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 net/lnet/klnds/o2iblnd/o2iblnd_cb.c | 38 +++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/net/lnet/klnds/o2iblnd/o2iblnd_cb.c b/net/lnet/klnds/o2iblnd/o2iblnd_cb.c
index ba2f46f..b642162 100644
--- a/net/lnet/klnds/o2iblnd/o2iblnd_cb.c
+++ b/net/lnet/klnds/o2iblnd/o2iblnd_cb.c
@@ -1219,14 +1219,17 @@  static int kiblnd_map_tx(struct lnet_ni *ni, struct kib_tx *tx,
 	spin_unlock(&conn->ibc_lock);
 }
 
-static int kiblnd_resolve_addr(struct rdma_cm_id *cmid,
-			       struct sockaddr_in *srcaddr,
-			       struct sockaddr_in *dstaddr,
-			       int timeout_ms)
+static int
+kiblnd_resolve_addr_cap(struct rdma_cm_id *cmid,
+			struct sockaddr_in *srcaddr,
+			struct sockaddr_in *dstaddr,
+			int timeout_ms)
 {
 	unsigned short port;
 	int rc;
 
+	LASSERT(capable(CAP_NET_BIND_SERVICE));
+
 	/* allow the port to be reused */
 	rc = rdma_set_reuseaddr(cmid, 1);
 	if (rc) {
@@ -1256,6 +1259,33 @@  static int kiblnd_resolve_addr(struct rdma_cm_id *cmid,
 	return rc;
 }
 
+static int
+kiblnd_resolve_addr(struct rdma_cm_id *cmid,
+		    struct sockaddr_in *srcaddr,
+		    struct sockaddr_in *dstaddr,
+		    int timeout_ms)
+{
+	const struct cred *old_creds = NULL;
+	struct cred *new_creds;
+	int rc;
+
+	if (!capable(CAP_NET_BIND_SERVICE)) {
+		new_creds = prepare_creds();
+		if (!new_creds)
+			return -ENOMEM;
+
+		cap_raise(new_creds->cap_effective, CAP_NET_BIND_SERVICE);
+		old_creds = override_creds(new_creds);
+	}
+
+	rc = kiblnd_resolve_addr_cap(cmid, srcaddr, dstaddr, timeout_ms);
+
+	if (old_creds)
+		revert_creds(old_creds);
+
+	return rc;
+}
+
 static void
 kiblnd_connect_peer(struct kib_peer_ni *peer_ni)
 {

[05/28] lnet: o2ib: raise bind cap before resolving address

Commit Message

Patch