mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-17 03:36:59 +07:00
28b5ba2aa0
This adds the new getsockopt(2) option SO_PEERGROUPS on SOL_SOCKET to retrieve the auxiliary groups of the remote peer. It is designed to naturally extend SO_PEERCRED. That is, the underlying data is from the same credentials. Regarding its syntax, it is based on SO_PEERSEC. That is, if the provided buffer is too small, ERANGE is returned and @optlen is updated. Otherwise, the information is copied, @optlen is set to the actual size, and 0 is returned. While SO_PEERCRED (and thus `struct ucred') already returns the primary group, it lacks the auxiliary group vector. However, nearly all access controls (including kernel side VFS and SYSVIPC, but also user-space polkit, DBus, ...) consider the entire set of groups, rather than just the primary group. But this is currently not possible with pure SO_PEERCRED. Instead, user-space has to work around this and query the system database for the auxiliary groups of a UID retrieved via SO_PEERCRED. Unfortunately, there is no race-free way to query the auxiliary groups of the PID/UID retrieved via SO_PEERCRED. Hence, the current user-space solution is to use getgrouplist(3p), which itself falls back to NSS and whatever is configured in nsswitch.conf(3). This effectively checks which groups we *would* assign to the user if it logged in *now*. On normal systems it is as easy as reading /etc/group, but with NSS it can resort to quering network databases (eg., LDAP), using IPC or network communication. Long story short: Whenever we want to use auxiliary groups for access checks on IPC, we need further IPC to talk to the user/group databases, rather than just relying on SO_PEERCRED and the incoming socket. This is unfortunate, and might even result in dead-locks if the database query uses the same IPC as the original request. So far, those recursions / dead-locks have been avoided by using primitive IPC for all crucial NSS modules. However, we want to avoid re-inventing the wheel for each NSS module that might be involved in user/group queries. Hence, we would preferably make DBus (and other IPC that supports access-management based on groups) work without resorting to the user/group database. This new SO_PEERGROUPS ioctl would allow us to make dbus-daemon work without ever calling into NSS. Cc: Michal Sekletar <msekleta@redhat.com> Cc: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Tom Gundersen <teg@jklm.no> Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
alchemy | ||
ar7 | ||
ath25 | ||
ath79 | ||
bcm47xx | ||
bcm63xx | ||
bmips | ||
boot | ||
cavium-octeon | ||
cobalt | ||
configs | ||
dec | ||
emma | ||
fw | ||
generic | ||
include | ||
jazz | ||
jz4740 | ||
kernel | ||
kvm | ||
lantiq | ||
lasat | ||
lib | ||
loongson32 | ||
loongson64 | ||
math-emu | ||
mm | ||
mti-malta | ||
net | ||
netlogic | ||
oprofile | ||
paravirt | ||
pci | ||
pic32 | ||
pistachio | ||
pmcs-msp71xx | ||
pnx833x | ||
power | ||
ralink | ||
rb532 | ||
sgi-ip22 | ||
sgi-ip27 | ||
sgi-ip32 | ||
sibyte | ||
sni | ||
txx9 | ||
vdso | ||
vr41xx | ||
xilfpga | ||
Kbuild | ||
Kbuild.platforms | ||
Kconfig | ||
Kconfig.debug | ||
Makefile | ||
Makefile.postlink |