| Message ID | 20250322001306.41666-4-okorniev@redhat.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | access checking fixes for NLM under security policies | expand |
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 4021b047eb18..7928ae21509f 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp, if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode)) return nfserr_perm; + /* + * For the purpose of permission checking of NLM requests, + * the locker must have READ access or own the file + */ + if (acc & NFSD_MAY_NLM) + acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; + /* * The file owner always gets access permission for accesses that * would normally be checked at open time. This is to make
NLM locking calls need to pass thru file permission checking and for that prior to calling inode_permission() we need to set appropriate access mask. Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK") Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> --- fs/nfsd/vfs.c | 7 +++++++ 1 file changed, 7 insertions(+)