Give this field special treatment so that
users can be sure that clients are not claiming
to have mounted a root outside of what they
are really authorized to access.
Signed-off-by: John Spray <john.spray'redhat.com>
dout(20) << " " << i->first << ": " << i->second << dendl;
}
+ // Special case for the 'root' metadata path; validate that the claimed
+ // root is actually within the caps of the session
+ if (session->info.client_metadata.count("root")) {
+ const auto claimed_root = session->info.client_metadata.at("root");
+ if (!session->auth_caps.path_capable(claimed_root)) {
+ derr << __func__ << " forbidden path claimed as mount root: "
+ << claimed_root << " by " << m->get_source() << dendl;
+ session->info.client_metadata.erase("root");
+ }
+ }
+
if (session->is_closed())
mds->sessionmap.add_session(session);
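Review bot: The rejection branch erases the forged `root` entry and lets the session open anyway, so anything that later reads `client_metadata` cannot tell a rejected claim from a client that never sent one; a comment on the `erase` line should state that contract, e.g. `// Drop the unverified claim but keep the session; readers must treat a missing "root" as unknown`. `claimed_root` is passed to `path_capable` exactly as the client sent it, and the hunk does not show whether that function normalizes its input, so it is worth confirming that a non-canonical path (a `..` component, repeated slashes) cannot pass the check while naming a directory outside the caps. The same client-controlled string is also written to the log through `derr` unescaped. The enclosing function starts and ends outside the hunk.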