nfsd_get_case_info() takes prepare_creds() and overrides fsuid/fsgid
to GLOBAL_ROOT, intending to escape per-client policy on the parent
directory. prepare_creds() copies the calling task's full credential,
including the LSM security label, so only the DAC identity is
neutralized. With labeled NFS, where the active LSM context has been
mapped to the client, security_inode_file_getattr() can still deny the
probe with -EACCES even though the case-folding property the caller
wants is structural and identical for every client. The docblock
already states the intent ("the probe runs with kernel credentials"),
which the implementation does not deliver.
prepare_kernel_cred(&init_task) constructs a credential from
init_task's identity and security label, the kernel's own unconfined
context. Use it instead and drop the redundant fsuid/fsgid overrides
that init_task already supplies. The probe now matches the docblock,
LSM denials on the parent disappear, and the call sites that map an
unexpected error to NFS3ERR_SERVERFAULT or fail an NFSv4 GETATTR
outright stop seeing -EACCES from this path.
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260507-case-sensitivity-v14-0-e62cc8200435@oracle.com?part=14
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20260515153515.362266-6-cel@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
put = true;
}
- probe = prepare_creds();
+ probe = prepare_kernel_cred(&init_task);
if (!probe) {
err = -ENOMEM;
goto out;
}
- probe->fsuid = GLOBAL_ROOT_UID;
- probe->fsgid = GLOBAL_ROOT_GID;
saved = override_creds(probe);
err = vfs_fileattr_get(cd, &fa);
projects / thirdparty / linux.git / commitdiff
