diff options
Diffstat (limited to 'recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch')
| -rw-r--r-- | recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch new file mode 100644 index 00000000..0e24c56b --- /dev/null +++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch @@ -0,0 +1,70 @@ +From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001 +From: Mohammed Rafi KC <rkavunga@redhat.com> +Date: Mon, 26 Mar 2018 20:27:34 +0530 +Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from + non-trusted client + +gluster shared storage is a volume used for internal storage for +various features including ganesha, geo-rep, snapshot. + +So this volume should not be exposed to the client, as it is +a special volume for internal use. + +This fix wont't generate non trusted volfile for shared storage volume. + +Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c +fixes: bz#1568844 +BUG: 1568844 +Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> + +Upstream-Status: Backport +Fix CVE-2018-1088 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> + +--- + xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c +index 0a0668e..308c41f 100644 +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c +@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, + int i = 0; + int ret = -1; + char filepath[PATH_MAX] = {0,}; ++ char *volname = NULL; + char *types[] = {NULL, NULL, NULL}; + dict_t *dict = NULL; + xlator_t *this = NULL; +@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, + + this = THIS; + ++ volname = volinfo->is_snap_volume ? ++ volinfo->parent_volname : volinfo->volname; ++ ++ ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && ++ client_type != GF_CLIENT_TRUSTED) { ++ /* ++ * shared storage volume cannot be mounted from non trusted ++ * nodes. So we are not creating volfiles for non-trusted ++ * clients for shared volumes as well as snapshot of shared ++ * volumes. ++ */ ++ ++ ret = 0; ++ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile" ++ "creation for shared storage volume. Volume %s", ++ volname); ++ goto out; ++ } ++ + enumerate_transport_reqs (volinfo->transport_type, types); + dict = dict_new (); + if (!dict) +-- +2.7.4 + |