kernel-ark/fs/nfsd
Mimi Zohar 14dba5331b integrity: nfsd imbalance bug fix
An nfsd exported file is opened/closed by the kernel causing the
integrity imbalance message.

Before a file is opened, there normally is permission checking, which
is done in inode_permission().  However, as integrity checking requires
a dentry and mount point, which is not available in inode_permission(),
the integrity (permission) checking must be called separately.

In order to detect any missing integrity checking calls, we keep track
of file open/closes.  ima_path_check() increments these counts and
does the integrity (permission) checking. As a result, the number of
calls to ima_path_check()/ima_file_free() should be balanced.  An extra
call to fput(), indicates the file could have been accessed without first
calling ima_path_check().

In nfsv3 permission checking is done once, followed by multiple reads,
which do an open/close for each read.  The integrity (permission) checking
call should be in nfsd_permission() after the inode_permission() call, but
as there is no correlation between the number of permission checking and
open calls, the integrity checking call should not increment the counters,
but defer it to when the file is actually opened.

This patch adds:
- integrity (permission) checking for nfsd exported files in nfsd_permission().
- a call to increment counts for files opened by nfsd.

This patch has been updated to return the nfs error types.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-05-28 09:32:43 +10:00
..
auth.c nfsd: fix cred leak on every rpc 2009-01-27 17:26:59 -05:00
auth.h nfsd: minor fs/nfsd/auth.h cleanup 2008-02-01 16:42:05 -05:00
export.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2008-10-23 10:22:40 -07:00
Kconfig nfsd : Define NFSD only when FILE_LOCKING is enabled 2009-03-18 17:30:48 -04:00
lockd.c nfsd: common grace period control 2008-10-03 16:19:02 -04:00
Makefile knfsd: trivial makefile cleanup 2007-05-09 12:30:54 -07:00
nfs2acl.c nfsd: rename MAY_ flags 2008-06-23 13:02:50 -04:00
nfs3acl.c nfsd: rename MAY_ flags 2008-06-23 13:02:50 -04:00
nfs3proc.c Short write in nfsd becomes a full write to the client 2009-03-18 17:38:40 -04:00
nfs3xdr.c Use struct path in struct svc_export 2008-02-14 21:17:08 -08:00
nfs4acl.c nfsd: fix buffer overrun decoding NFSv4 acl 2008-09-01 14:24:24 -04:00
nfs4callback.c nfsd4: move rpc_client setup to a separate function 2009-03-18 17:38:39 -04:00
nfs4idmap.c nfsd: fix sparse warnings 2008-04-23 16:13:39 -04:00
nfs4proc.c nfsd41: CREATE_EXCLUSIVE4_1 2009-04-03 17:41:23 -07:00
nfs4recover.c nfsd: silence lockdep warning 2009-05-11 17:23:14 -04:00
nfs4state.c nfsd41: slots are freed with session 2009-05-03 14:45:02 -04:00
nfs4xdr.c nfsd4: check for negative dentry before use in nfsv4 readdir 2009-05-06 16:16:36 -04:00
nfscache.c nfsd: fail module init on reply cache init failure 2008-02-01 16:42:04 -05:00
nfsctl.c Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-04-06 13:25:56 -07:00
nfsfh.c NFSD: FIDs need to take precedence over UUIDs 2009-01-07 17:23:07 -05:00
nfsproc.c Short write in nfsd becomes a full write to the client 2009-03-18 17:38:40 -04:00
nfssvc.c Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-04-06 13:25:56 -07:00
nfsxdr.c Use struct path in struct svc_export 2008-02-14 21:17:08 -08:00
stats.c [PATCH] knfsd: nfsd4: add per-operation server stats 2006-07-10 13:24:27 -07:00
vfs.c integrity: nfsd imbalance bug fix 2009-05-28 09:32:43 +10:00