From 22c0982c744f34c5ac2375a45788956976a259c1 Mon Sep 17 00:00:00 2001
From: Kotresh HR <khiremat@redhat.com>
Date: Tue, 27 May 2025 12:24:00 +0530
Subject: [PATCH] mds: Fix multifs auth caps check

The fsname is not take into consideration while validating
the access check for the operations. This patch fixes
the same.

Fixes: https://tracker.ceph.com/issues/72167
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 1a5e083eb297dc611c8098abb67faf34fd8e4499)
---
 src/mds/MDSAuthCaps.cc | 14 ++++++++++----
 src/mds/MDSAuthCaps.h  |  6 ++++--
 src/mds/Server.cc      |  3 ++-
 src/mds/SessionMap.cc  |  4 ++--
 src/mds/SessionMap.h   |  2 +-
 5 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 8c8a196d2ff..0fc599bc9aa 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -133,11 +133,16 @@ void MDSCapMatch::normalize_path()
   // drop ..
 }
 
-bool MDSCapMatch::match(string_view target_path,
+bool MDSCapMatch::match(string_view fs_name,
+                        string_view target_path,
 			const int caller_uid,
 			const int caller_gid,
 			const vector<uint64_t> *caller_gid_list) const
 {
+  if (!match_fs(fs_name)) {
+    return false;
+  }
+
   if (uid != MDS_AUTH_UID_ANY) {
     if (uid != caller_uid)
       return false;
@@ -224,7 +229,8 @@ bool MDSAuthCaps::path_capable(string_view inode_path) const
  * This is true if any of the 'grant' clauses in the capability match the
  * requested path + op.
  */
-bool MDSAuthCaps::is_capable(string_view inode_path,
+bool MDSAuthCaps::is_capable(string_view fs_name,
+                             string_view inode_path,
 			     uid_t inode_uid, gid_t inode_gid,
 			     unsigned inode_mode,
 			     uid_t caller_uid, gid_t caller_gid,
@@ -233,7 +239,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
 			     uid_t new_uid, gid_t new_gid,
 			     const entity_addr_t& addr) const
 {
-  ldout(g_ceph_context, 10) << __func__ << " inode(path /" << inode_path
+  ldout(g_ceph_context, 10) << __func__ << "fs_name " << fs_name << " inode(path /" << inode_path
 		 << " owner " << inode_uid << ":" << inode_gid
 		 << " mode 0" << std::oct << inode_mode << std::dec
 		 << ") by caller " << caller_uid << ":" << caller_gid
@@ -251,7 +257,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
       continue;
     }
 
-    if (grant.match.match(inode_path, caller_uid, caller_gid, caller_gid_list) &&
+    if (grant.match.match(fs_name, inode_path, caller_uid, caller_gid, caller_gid_list) &&
 	grant.spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
       if (grant.match.root_squash && ((caller_uid == 0) || (caller_gid == 0)) &&
           (mask & MAY_WRITE)) {
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index f77fd965a2f..b75ed9f2487 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -133,7 +133,8 @@ struct MDSCapMatch {
   }
 
   // check whether this grant matches against a given file and caller uid:gid
-  bool match(std::string_view target_path,
+  bool match(std::string_view fs_name,
+             std::string_view target_path,
 	     const int caller_uid,
 	     const int caller_gid,
 	     const std::vector<uint64_t> *caller_gid_list) const;
@@ -252,7 +253,8 @@ public:
   bool parse(std::string_view str, std::ostream *err);
 
   bool allow_all() const;
-  bool is_capable(std::string_view inode_path,
+  bool is_capable(std::string_view fs_name,
+                  std::string_view inode_path,
 		  uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
 		  uid_t uid, gid_t gid, const std::vector<uint64_t> *caller_gid_list,
 		  unsigned mask, uid_t new_uid, gid_t new_gid,
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index c525c93e186..42e8a579f18 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -3387,8 +3387,9 @@ void Server::handle_peer_auth_pin_ack(MDRequestRef& mdr, const cref_t<MMDSPeerRe
 bool Server::check_access(MDRequestRef& mdr, CInode *in, unsigned mask)
 {
   if (mdr->session) {
+    std::string_view fs_name = mds->mdsmap->get_fs_name();
     int r = mdr->session->check_access(
-      in, mask,
+      fs_name, in, mask,
       mdr->client_request->get_caller_uid(),
       mdr->client_request->get_caller_gid(),
       &mdr->client_request->get_caller_gid_list(),
diff --git a/src/mds/SessionMap.cc b/src/mds/SessionMap.cc
index 0f6038eb82b..2c101f83e0f 100644
--- a/src/mds/SessionMap.cc
+++ b/src/mds/SessionMap.cc
@@ -1036,7 +1036,7 @@ void Session::decode(bufferlist::const_iterator &p)
   _update_human_name();
 }
 
-int Session::check_access(CInode *in, unsigned mask,
+int Session::check_access(std::string_view fs_name, CInode *in, unsigned mask,
 			  int caller_uid, int caller_gid,
 			  const vector<uint64_t> *caller_gid_list,
 			  int new_uid, int new_gid)
@@ -1087,7 +1087,7 @@ int Session::check_access(CInode *in, unsigned mask,
     return -CEPHFS_EIO;
   }
 
-  if (!auth_caps.is_capable(path, inode->uid, inode->gid, inode->mode,
+  if (!auth_caps.is_capable(fs_name, path, inode->uid, inode->gid, inode->mode,
 			    caller_uid, caller_gid, caller_gid_list, mask,
 			    new_uid, new_gid,
 			    info.inst.addr)) {
diff --git a/src/mds/SessionMap.h b/src/mds/SessionMap.h
index ed12ccee25b..f6d65d3c010 100644
--- a/src/mds/SessionMap.h
+++ b/src/mds/SessionMap.h
@@ -383,7 +383,7 @@ public:
     completed_requests_dirty = false;
   }
 
-  int check_access(CInode *in, unsigned mask, int caller_uid, int caller_gid,
+  int check_access(std::string_view fs_name, CInode *in, unsigned mask, int caller_uid, int caller_gid,
 		   const std::vector<uint64_t> *gid_list, int new_uid, int new_gid);
 
   bool fs_name_capable(std::string_view fs_name, unsigned mask) const {
-- 
2.39.5