From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Neil Brown <neilb@suse.de>,
"J . Bruce Fields" <bfields@citi.umich.edu>,
nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH 009 of 20] knfsd: nfsd: use ip-address-based domain in secinfo case
Date: Tue, 10 Jul 2007 12:25:17 +1000
Message-ID: <1070710022517.13262@suse.de>
In-Reply-To: 20070710121949.12548.patches@notabene

From: J. Bruce Fields <bfields@citi.umich.edu>

With this patch, we fall back on using the gss/pseudoflavor only if we
fail to find a matching auth_unix export that has a secinfo list.

As long as sec= options aren't used, there's still no change in behavior
here (except possibly for some additional auth_unix cache lookups, whose
results will be ignored).

The sec= option, however, is not actually enforced yet; later patches
will add the necessary checks.

Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>

### Diffstat output
./fs/nfsd/export.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 67 insertions(+), 9 deletions(-)
diff .prev/fs/nfsd/export.c ./fs/nfsd/export.c
--- .prev/fs/nfsd/export.c 2007-07-10 11:35:37.000000000 +1000
+++ ./fs/nfsd/export.c 2007-07-10 11:37:38.000000000 +1000
@@ -1229,6 +1229,10 @@ exp_find(struct auth_domain *clp, int fs
}
/*
+ * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
+ * auth_unix client) if it's available and has secinfo information;
+ * otherwise, will try to use rq_gssclient.
+ *
* Called from functions that handle requests; functions that do work on
* behalf of mountd are passed a single client name to use, and should
* use exp_get_by_name() or exp_find().
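
Review bot: The added comment describes only one direction of the fallback and says nothing about the return convention. As the next hunk is written, an auth_unix export without secinfo is still returned when rq_gssclient is NULL or the gss lookup gives -ENOENT, and failures come back as error pointers (or as NULL when neither client is set). Suggest documenting both the "gss lookup found nothing, keep the auth_unix export" case and what callers must check on return.
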
@@ -1237,29 +1241,83 @@ struct svc_export *
rqst_exp_get_by_name(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
- struct auth_domain *clp;
+ struct svc_export *gssexp, *exp = NULL;
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_get_by_name(clp, mnt, dentry, &rqstp->rq_chandle);
+ if (rqstp->rq_client == NULL)
+ goto gss;
+
+ /* First try the auth_unix client: */
+ exp = exp_get_by_name(rqstp->rq_client, mnt, dentry,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(exp) == -ENOENT)
+ goto gss;
+ if (IS_ERR(exp))
+ return exp;
+ /* If it has secinfo, assume there are no gss/... clients */
+ if (exp->ex_nflavors > 0)
+ return exp;
+gss:
+ /* Otherwise, try falling back on gss client */
+ if (rqstp->rq_gssclient == NULL)
+ return exp;
+ gssexp = exp_get_by_name(rqstp->rq_gssclient, mnt, dentry,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(gssexp) == -ENOENT)
+ return exp;
+ if (exp)
+ exp_put(exp);
+ return gssexp;
}
struct svc_export *
rqst_exp_find(struct svc_rqst *rqstp, int fsid_type, u32 *fsidv)
{
- struct auth_domain *clp;
+ struct svc_export *gssexp, *exp = NULL;
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_find(clp, fsid_type, fsidv, &rqstp->rq_chandle);
+ if (rqstp->rq_client == NULL)
+ goto gss;
+
+ /* First try the auth_unix client: */
+ exp = exp_find(rqstp->rq_client, fsid_type, fsidv, &rqstp->rq_chandle);
+ if (PTR_ERR(exp) == -ENOENT)
+ goto gss;
+ if (IS_ERR(exp))
+ return exp;
+ /* If it has secinfo, assume there are no gss/... clients */
+ if (exp->ex_nflavors > 0)
+ return exp;
+gss:
+ /* Otherwise, try falling back on gss client */
+ if (rqstp->rq_gssclient == NULL)
+ return exp;
+ gssexp = exp_find(rqstp->rq_gssclient, fsid_type, fsidv,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(gssexp) == -ENOENT)
+ return exp;
+ if (exp)
+ exp_put(exp);
+ return gssexp;
}
struct svc_export *
rqst_exp_parent(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
- struct auth_domain *clp;
+ struct svc_export *exp;
+
+ dget(dentry);
+ exp = rqst_exp_get_by_name(rqstp, mnt, dentry);
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_parent(rqstp->rq_client, mnt, dentry, &rqstp->rq_chandle);
+ while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(dentry)) {
+ struct dentry *parent;
+
+ parent = dget_parent(dentry);
+ dput(dentry);
+ dentry = parent;
+ exp = rqst_exp_get_by_name(rqstp, mnt, dentry);
+ }
+ dput(dentry);
+ return exp;
}
/*
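
Review bot: In rqst_exp_get_by_name() and rqst_exp_find(), the end of the gss: path can call exp_put() on an error pointer. When the auth_unix lookup returns -ENOENT, exp still holds that error pointer at the `goto gss`; if the gss lookup then returns anything other than -ENOENT, `if (exp) exp_put(exp);` passes its test because an error pointer is non-NULL. Suggest guarding with `if (exp && !IS_ERR(exp))`, or initialising exp to ERR_PTR(-ENOENT) and testing `!IS_ERR(exp)`. The second form also removes the bare NULL that both functions return when rq_client and rq_gssclient are both NULL, which a caller checking only IS_ERR() would take for a valid export. In rqst_exp_parent() the loop condition `PTR_ERR(exp) == -ENOENT` inherits that NULL case and returns it unchanged, so it would benefit from the same fix.
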