Keep a copy of the credential used to mount filesystems around so

we can check and use it later on. Change the pieces of code which relied on mount->mnt_stat.f_owner to check which user mounted the filesystem. This became needed as the EA code needs to be able to allocate blocks for "system" EA users like ACLs. There seems to be some half-baked (probably only quarter- actually) notion that the superuser for a given filesystem is the user who mounted it, but this has far from been carried through. It is unclear if it should be. Sponsored by: DARPA & NAI Labs.
2002-08-19 06:52:21 +00:00 · 2002-08-19 06:52:21 +00:00 · 8346c2fde3
commit 8346c2fde3
parent 7a01faeb98
3 changed files with 9 additions and 4 deletions
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@ -527,7 +527,7 @@ vfs_nmount(td, fsflags, fsoptions)
 		 * Only root, or the user that did the original mount is
 		 * permitted to update it.
 		 */
-		if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
+		if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
 			error = suser(td);
 			if (error) {
 				vput(vp);
@ -643,6 +643,7 @@ vfs_nmount(td, fsflags, fsoptions)
 	mp->mnt_flag |= vfsp->vfc_flags & MNT_VISFLAGMASK;
 	strncpy(mp->mnt_stat.f_fstypename, fstype, MFSNAMELEN);
 	mp->mnt_vnodecovered = vp;
+	mp->mnt_cred = crdup(td->td_ucred);
 	mp->mnt_stat.f_owner = td->td_ucred->cr_uid;
 	strncpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
 	mp->mnt_iosize_max = DFLTPHYS;
@ -901,7 +902,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
 		 * Only root, or the user that did the original mount is
 		 * permitted to update it.
 		 */
-		if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
+		if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
 			error = suser(td);
 			if (error) {
 				vput(vp);
@ -1010,6 +1011,7 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
 	mp->mnt_flag |= vfsp->vfc_flags & MNT_VISFLAGMASK;
 	strncpy(mp->mnt_stat.f_fstypename, fstype, MFSNAMELEN);
 	mp->mnt_vnodecovered = vp;
+	mp->mnt_cred = crdup(td->td_ucred);
 	mp->mnt_stat.f_owner = td->td_ucred->cr_uid;
 	strncpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
 	mp->mnt_iosize_max = DFLTPHYS;
@ -1210,7 +1212,7 @@ unmount(td, uap)
 	 * Only root, or the user that did the original mount is
 	 * permitted to unmount this filesystem.
 	 */
-	if (mp->mnt_stat.f_owner != td->td_ucred->cr_uid) {
+	if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
 		error = suser(td);
 		if (error) {
 			vput(vp);
@ -1316,6 +1318,7 @@ dounmount(mp, flags, td)
 			wakeup(mp);
 		return (error);
 	}
+	crfree(mp->mnt_cred);
 	mtx_lock(&mountlist_mtx);
 	TAILQ_REMOVE(&mountlist, mp, mnt_list);
 	if ((coveredvp = mp->mnt_vnodecovered) != NULL)
@ -1370,6 +1373,7 @@ vfs_rootmountalloc(fstypename, devname, mpp)
 	mp->mnt_op = vfsp->vfc_vfsops;
 	mp->mnt_flag = MNT_RDONLY;
 	mp->mnt_vnodecovered = NULLVP;
+	mp->mnt_cred = crdup(td->td_ucred);
 	vfsp->vfc_refcount++;
 	mp->mnt_iosize_max = DFLTPHYS;
 	mp->mnt_stat.f_type = vfsp->vfc_typenum;
--- a/sys/security/lomac/kernel_util.c
+++ b/sys/security/lomac/kernel_util.c
@ -383,7 +383,7 @@ unmount(td, uap)
 	 */
 	if (!mediate_subject_at_level("unmount", td->td_proc,
 	    LOMAC_HIGHEST_LEVEL) ||
-	    ((mp->mnt_stat.f_owner != td->td_ucred->cr_uid) &&
+	    ((mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) &&
 	    (error = suser(td)))) {
 		vput(vp);
 		return (error);
--- a/sys/sys/mount.h
+++ b/sys/sys/mount.h
@ -146,6 +146,7 @@ struct mount {
 	int		mnt_kern_flag;		/* kernel only flags */
 	int		mnt_maxsymlinklen;	/* max size of short symlink */
 	struct statfs	mnt_stat;		/* cache of filesystem stats */
+	struct ucred	*mnt_cred;		/* credentials of mounter */
 	qaddr_t		mnt_data;		/* private data */
 	time_t		mnt_time;		/* last time written*/
 	u_int		mnt_iosize_max;		/* max IO request size */