Linux 4.10 compat: has_capability()
Stock kernels older than 4.10 do not export the has_capability()
function which is required by commit e59a377
. To avoid breaking
the build on older kernels revert to the safe legacy behavior and
return EACCES when privileges cannot be checked.
Reviewed-by: Ryan Moeller <ryan@ixsystems.com>
Reviewed-by: Matt Ahrens <matt@delphix.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #10565
Closes #10573
This commit is contained in:
parent
8fbf432ae2
commit
e862b7ecfc
@ -19,6 +19,33 @@ AC_DEFUN([ZFS_AC_KERNEL_NS_CAPABLE], [
|
||||
])
|
||||
])
|
||||
|
||||
dnl #
|
||||
dnl # 4.10 API change
|
||||
dnl # has_capability() was exported.
|
||||
dnl #
|
||||
AC_DEFUN([ZFS_AC_KERNEL_SRC_HAS_CAPABILITY], [
|
||||
ZFS_LINUX_TEST_SRC([has_capability], [
|
||||
#include <linux/capability.h>
|
||||
],[
|
||||
struct task_struct *task = NULL;
|
||||
int cap = 0;
|
||||
bool result __attribute__ ((unused));
|
||||
|
||||
result = has_capability(task, cap);
|
||||
])
|
||||
])
|
||||
|
||||
AC_DEFUN([ZFS_AC_KERNEL_HAS_CAPABILITY], [
|
||||
AC_MSG_CHECKING([whether has_capability() is available])
|
||||
ZFS_LINUX_TEST_RESULT_SYMBOL([has_capability],
|
||||
[has_capability], [kernel/capability.c], [
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_HAS_CAPABILITY, 1, [has_capability() is available])
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
])
|
||||
])
|
||||
|
||||
dnl #
|
||||
dnl # 2.6.39 API change
|
||||
dnl # struct user_namespace was added to struct cred_t as cred->user_ns member
|
||||
@ -66,12 +93,14 @@ AC_DEFUN([ZFS_AC_KERNEL_KUID_HAS_MAPPING], [
|
||||
|
||||
AC_DEFUN([ZFS_AC_KERNEL_SRC_USERNS_CAPABILITIES], [
|
||||
ZFS_AC_KERNEL_SRC_NS_CAPABLE
|
||||
ZFS_AC_KERNEL_SRC_HAS_CAPABILITY
|
||||
ZFS_AC_KERNEL_SRC_CRED_USER_NS
|
||||
ZFS_AC_KERNEL_SRC_KUID_HAS_MAPPING
|
||||
])
|
||||
|
||||
AC_DEFUN([ZFS_AC_KERNEL_USERNS_CAPABILITIES], [
|
||||
ZFS_AC_KERNEL_NS_CAPABLE
|
||||
ZFS_AC_KERNEL_HAS_CAPABILITY
|
||||
ZFS_AC_KERNEL_CRED_USER_NS
|
||||
ZFS_AC_KERNEL_KUID_HAS_MAPPING
|
||||
])
|
||||
|
@ -249,13 +249,22 @@ secpolicy_zfs(const cred_t *cr)
|
||||
* Equivalent to secpolicy_zfs(), but works even if the cred_t is not that of
|
||||
* the current process. Takes both cred_t and proc_t so that this can work
|
||||
* easily on all platforms.
|
||||
*
|
||||
* The has_capability() function was first exported in the 4.10 Linux kernel
|
||||
* then backported to some LTS kernels. Prior to this change there was no
|
||||
* mechanism to perform this check therefore EACCES is returned when the
|
||||
* functionality is not present in the kernel.
|
||||
*/
|
||||
int
|
||||
secpolicy_zfs_proc(const cred_t *cr, proc_t *proc)
|
||||
{
|
||||
#if defined(HAVE_HAS_CAPABILITY)
|
||||
if (!has_capability(proc, CAP_SYS_ADMIN))
|
||||
return (EACCES);
|
||||
return (0);
|
||||
#else
|
||||
return (EACCES);
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -263,6 +263,8 @@ elif sys.platform.startswith('linux'):
|
||||
'cli_root/zpool_expand/zpool_expand_001_pos': ['FAIL', known_reason],
|
||||
'cli_root/zpool_expand/zpool_expand_005_pos': ['FAIL', known_reason],
|
||||
'cli_root/zpool_reopen/zpool_reopen_003_pos': ['FAIL', known_reason],
|
||||
'limits/filesystem_limit': ['SKIP', known_reason],
|
||||
'limits/snapshot_limit': ['SKIP', known_reason],
|
||||
'refreserv/refreserv_raidz': ['FAIL', known_reason],
|
||||
'rsend/rsend_007_pos': ['FAIL', known_reason],
|
||||
'rsend/rsend_010_pos': ['FAIL', known_reason],
|
||||
|
@ -30,6 +30,18 @@
|
||||
|
||||
verify_runnable "both"
|
||||
|
||||
#
|
||||
# The has_capability() function was first exported in the 4.10 Linux kernel
|
||||
# then backported to some LTS kernels. Prior to this change there was no
|
||||
# mechanism to perform the needed permission check. Therefore, this test
|
||||
# is expected to fail on older kernels and is skipped.
|
||||
#
|
||||
if is_linux; then
|
||||
if [[ $(linux_version) -lt $(linux_version "4.10") ]]; then
|
||||
log_unsupported "Requires has_capability() kernel function"
|
||||
fi
|
||||
fi
|
||||
|
||||
function setup
|
||||
{
|
||||
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
||||
|
@ -31,6 +31,18 @@
|
||||
|
||||
verify_runnable "both"
|
||||
|
||||
#
|
||||
# The has_capability() function was first exported in the 4.10 Linux kernel
|
||||
# then backported to some LTS kernels. Prior to this change there was no
|
||||
# mechanism to perform the needed permission check. Therefore, this test
|
||||
# is expected to fail on older kernels and is skipped.
|
||||
#
|
||||
if is_linux; then
|
||||
if [[ $(linux_version) -lt $(linux_version "4.10") ]]; then
|
||||
log_unsupported "Requires has_capability() kernel function"
|
||||
fi
|
||||
fi
|
||||
|
||||
function setup
|
||||
{
|
||||
# We can't delegate 'mount' privs under Linux: to avoid issues with
|
||||
|
Loading…
Reference in New Issue
Block a user