OpenAFS Master Repository branch, master, updated. openafs-devel-1_5_66-93-g7b27217
Gerrit Code Review
Sun, 22 Nov 2009 20:45:06 -0800 (PST)
The following commit has been merged in the master branch:
Author: Marc Dionne <firstname.lastname@example.org>
Date: Sat Oct 24 22:10:46 2009 -0400

Linux: Keyrings PAG handling changes

We can take advantage of the fact that PagInCred now receives
a kernel credentials structure as an argument (including any session
keyring) to make some improvements in the handling of PAGs
when keyrings are in use.

These changes are effective only if keyrings are in use and we
have a recent enough kernel where we can use the kernel

1 - Search the session keyring of the passed credentials instead of
the current process' to determine the PAG, if any. This was always
not really correct, and now we're able to do the right thing.
In some situations such as background writeback and pre-fetching,
this means that we'll now do it with the right credentials, even when
in a PAG.

2 - Don't use groups at all to determine PAG membership. Doing so
can lead to some inconsistent situations such as the one described
in RT 125198, where a process gets access through a soon to be
deleted PAG. Make PagInCred look exclusively at the keyrings.
Groups are still updated to try to reflect the current PAG for now,
if the passed credentials belong to the current process.
Note that a process can no longer get a PAG's privileges simply by
adding the corresponding groups to its group list.

No behaviour change for kernels prior to 2.6.29.

Reviewed-by: Derrick Brashear <email@example.com>
Tested-by: Derrick Brashear <firstname.lastname@example.org>

src/afs/LINUX/osi_groups.c | 36 ++++++++++++++++++++++
src/afs/LINUX/osi_prototypes.h | 1 +
src/afs/afs_osi_pag.c | 66 +++++++++++++++++++--------------------
3 files changed, 69 insertions(+), 34 deletions(-)