aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
blob: 0e24c56b08c78061c6441c79904cb588b8b121a5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
From: Mohammed Rafi KC <rkavunga@redhat.com>
Date: Mon, 26 Mar 2018 20:27:34 +0530
Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
 non-trusted client

gluster shared storage is a volume used for internal storage for
various features including ganesha, geo-rep, snapshot.

So this volume should not be exposed to the client, as it is
a special volume for internal use.

This fix wont't generate non trusted volfile for shared storage volume.

Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
fixes: bz#1568844
BUG: 1568844
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>

Upstream-Status: Backport
Fix CVE-2018-1088

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>

---
 xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 0a0668e..308c41f 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
         int                i                  = 0;
         int                ret                = -1;
         char               filepath[PATH_MAX] = {0,};
+        char               *volname           = NULL;
         char               *types[]           = {NULL, NULL, NULL};
         dict_t             *dict              = NULL;
         xlator_t           *this              = NULL;
@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
 
         this = THIS;
 
+        volname = volinfo->is_snap_volume ?
+                  volinfo->parent_volname : volinfo->volname;
+
+
+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
+             client_type != GF_CLIENT_TRUSTED) {
+                /*
+                 * shared storage volume cannot be mounted from non trusted
+                 * nodes. So we are not creating volfiles for non-trusted
+                 * clients for shared volumes as well as snapshot of shared
+                 * volumes.
+                 */
+
+                ret = 0;
+                gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
+                               "creation for shared storage volume. Volume %s",
+                               volname);
+                goto out;
+        }
+
         enumerate_transport_reqs (volinfo->transport_type, types);
         dict = dict_new ();
         if (!dict)
-- 
2.7.4