Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp2377590rdb;
        Mon, 5 Feb 2024 05:00:29 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGoV47INV/hsCnIbwlR0dKBuEhxvsvuj7apj9HmjePdYt6BnB3dMqFiyiQlY9Tv7iLPnISU
X-Received: by 2002:a2e:9c0c:0:b0:2cf:35d8:31ee with SMTP id s12-20020a2e9c0c000000b002cf35d831eemr7077042lji.16.1707138029683;
        Mon, 05 Feb 2024 05:00:29 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707138029; cv=pass;
        d=google.com; s=arc-20160816;
        b=d8dae/UZuW11oZQKNB4qGll8IDJuPdS3W6M7INFRWOvN8ekrszc+lPsxLzgSkTv043
         Wl+tLRpMCncJ1FCSXOBEv1VvE5zZo2SUyqyCwwuPE0CyMNUJ7tgYO/8y3wdP1LPKbuoR
         B8JVHbQHQ03VS049hGb6D94+JIUwbA6HK8Tng4AFu/6IGqsGNeUsnjeKqyofqsaRbNn/
         8Y/41H5Bgf7x6cKV0d3j1PTwhTddvsVHhRkO3F3EgPE940V1OdScKumqjmVLfh/k8SY4
         xuhmnmkECh1x26KGgVTXMaha1/rLtoUYyjt1SDatw0RM26/mP7wbNwizxuTUsY8fMzFt
         fV7w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature;
        bh=YJ1RLYlnFCgBPhdY/F4SVm0E/GyX9ZqGNRPyhlbR6rE=;
        fh=/m9kZguQzdIBTYGILdrbGOIXJPgxCsF1qmfyTNRPUVM=;
        b=craewU/k5jXMOzlapfoadH3JzayiDjhy+qOei8nU60BSiQizhTFCW2uErPqxTDUkRp
         HFHvugJBbIINsN+XoGPUDiuKMDJHBL9MVGLoZUR2NmsKvAJVEinNE61P5X3W7XL1VVes
         ru+fYJYWj/mOV6oKa5UrEDPV+Ha5Q06mi9OKhGL7lom04rlg34AzEm2IGzszKzNGvcXi
         DhhUVnyJeiqrXpTuIwyq1zSNSFbLGrxOg6vrVs2yq0OBB693Dv47WEUU+boVboEw7sY6
         YXDVI+O6YaOxUk6jYzzmTiAw0XXeGZQRWb2zsr/nWwpPDqK6tBLYez8aSbB2MwY9JWjE
         aETw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=c4XVfW+J;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
X-Forwarded-Encrypted: i=1; AJvYcCUz0OY5/djSL59vc0SGNhu+ZD0uvgPI/WzJnPTy10BdTIcQPnlgKD3l+R1nka53YQCeTwnGy9bTEaG0vTZQtP0D3IXbtpVBOc7kVMRz3g==
Return-Path: <linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id v18-20020a056402349200b0055fec51fae3si3965866edc.133.2024.02.05.05.00.29
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 05 Feb 2024 05:00:29 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=c4XVfW+J;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1787-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 6C8B31F273CA
	for <linux.lists.archive@gmail.com>; Mon,  5 Feb 2024 13:00:29 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 9D95A1CD09;
	Mon,  5 Feb 2024 12:57:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="c4XVfW+J"
X-Original-To: linux-nfs@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F0E41CD06;
	Mon,  5 Feb 2024 12:57:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1707137841; cv=none; b=CtKFPwpjTdcsGJU8uQV8yDClsAnAJ99LapG2WuUzEqDeXs4r801ktntg+dzPKibV8qWk5y24TNLnNjVWRm9elSldkIZi25GCULyD83tJUUOFW3acusaCytbzhRXi3so3dID5F9SN27cqnHXXIFcvhA/ysInfUDd3J/m3awoFGBg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1707137841; c=relaxed/simple;
	bh=7lZJZcNKjuQ5hjvoFRXqSwosvRruwbfXZHG9x6/U1NI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=TG9Tz+WvUbfyvZ3YwZXgyuB0jvA+EWT65qUh6dAt/vkNYW1qMNDJQlva57RNR8z7u94SEfZ0zo5QBKiN5/xEUqjRP5oJVnkWUoecLf1I9gM0X4XKTjsTcS3HWRNfKx0cLqRJ9HPRnKJm6wMo0MPxzz779OE7NAt2Y4VyCboq7Ak=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=c4XVfW+J; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id AAD65C433F1;
	Mon,  5 Feb 2024 12:57:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1707137841;
	bh=7lZJZcNKjuQ5hjvoFRXqSwosvRruwbfXZHG9x6/U1NI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=c4XVfW+JmpuFc5K3N07g02AMbw6yEGV4t+Zv+B/1X7LK792nyFltFF7ZlQcuUPgOv
	 HX9U4lFwLqXAyqI1NfM+UU+VbR/QcfKoLL4q0nXE7mJyTYEtm+fGdF8n3ZAMalygHP
	 J1extlC1n1PlapQzW9ClV3vGAolvpjxE8YAUjePHhqJZxdABIQ0M8BvaglOD0DjntM
	 Stre8R+Zd6Wk87qLoemfP3/QmnS7H2IxjeK3XuRy9KmmLJrgptC8NN1AbJEkAOIFme
	 ldCFmbNskHqcLXtQLt3R3mpkjGWbV1TKLW5FRdYTrD/iOT/UQIOd+tiMQSjrT6cODn
	 A86W+Fd/dspcg==
From: Christian Brauner <brauner@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-nfs@vger.kernel.org,
	Ondrej Mosnacek <omosnacek@gmail.com>,
	Zdenek Pytela <zpytela@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Jan Kara <jack@suse.cz>,
	Chuck Lever <chuck.lever@oracle.com>,
	Neil Brown <neilb@suse.de>,
	Olga Kornievskaia <kolga@netapp.com>,
	Dai Ngo <Dai.Ngo@oracle.com>,
	Tom Talpey <tom@talpey.com>
Subject: Re: [PATCH] filelock: don't do security checks on nfsd setlease calls
Date: Mon,  5 Feb 2024 13:57:11 +0100
Message-ID: <20240205-urwald-daneben-6fda9fb87ff5@brauner>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240205-bz2248830-v1-1-d0ec0daecba1@kernel.org>
References: <20240205-bz2248830-v1-1-d0ec0daecba1@kernel.org>
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
X-Developer-Signature: v=1; a=openpgp-sha256; l=1397; i=brauner@kernel.org; h=from:subject:message-id; bh=7lZJZcNKjuQ5hjvoFRXqSwosvRruwbfXZHG9x6/U1NI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMaQeuK0puzh/VW/civqHSuKbZzF7fY1udZ7wWvXEnakhX 3etmXjpVEcpC4MYF4OsmCKLQ7tJuNxynorNRpkaMHNYmUCGMHBxCsBEKnwZ/goeK3fa39Z3z4/t 38k6bcOzDToT3zjNW3+0depd0SazH4sZ/le1eVivaFXdPW9+lN9cze3VSd9zeXSdSxemKRf/mh4 hwgwA
X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624
Content-Transfer-Encoding: 8bit

On Mon, 05 Feb 2024 07:09:31 -0500, Jeff Layton wrote:
> Zdenek reported seeing some AVC denials due to nfsd trying to set
> delegations:
> 
>     type=AVC msg=audit(09.11.2023 09:03:46.411:496) : avc:  denied  { lease } for  pid=5127 comm=rpc.nfsd capability=lease  scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
> 
> When setting delegations on behalf of nfsd, we don't want to do all of
> the normal capabilty and LSM checks. nfsd is a kernel thread and runs
> with CAP_LEASE set, so the uid checks end up being a no-op in most cases
> anyway.
> 
> [...]

Applied to the vfs.file branch of the vfs/vfs.git tree.
Patches in the vfs.file branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.file

[1/1] filelock: don't do security checks on nfsd setlease calls
      https://git.kernel.org/vfs/vfs/c/ec457463e0e3