[PATCH v3 08/13] NFSD: Do not allow NFSv4 (N)VERIFY to check POSIX ACL attributes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chuck Lever <cel@kernel.org>
To: NeilBrown <neilb@ownmail.net>, Jeff Layton <jlayton@kernel.org>,
	Olga Kornievskaia <okorniev@redhat.com>,
	Dai Ngo <dai.ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: <linux-nfs@vger.kernel.org>, Rick Macklem <rmacklem@uoguelph.ca>
Subject: [PATCH v3 08/13] NFSD: Do not allow NFSv4 (N)VERIFY to check POSIX ACL attributes
Date: Fri,  9 Jan 2026 11:21:37 -0500	[thread overview]
Message-ID: <20260109162143.4186112-9-cel@kernel.org> (raw)
In-Reply-To: <20260109162143.4186112-1-cel@kernel.org>

From: Rick Macklem <rmacklem@uoguelph.ca>

Section 9.3 of draft-ietf-nfsv4-posix-acls-00 prohibits use of
the POSIX ACL attributes with VERIFY and NVERIFY operations: the
server MUST reply NFS4ERR_INVAL when a client attempts this.

Beyond the protocol requirement, comparison of POSIX draft ACLs
via (N)VERIFY presents an implementation challenge. Clients are
not required to order the ACEs within a POSIX ACL in any
particular way, making reliable attribute comparison impractical.

Return nfserr_inval when the client requests FATTR4_POSIX_ACCESS_ACL
or FATTR4_POSIX_DEFAULT_ACL in a VERIFY or NVERIFY operation.

Signed-off-by: Rick Macklem <rmacklem@uoguelph.ca>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 fs/nfsd/nfs4proc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index e7ec87b6c331..a77ec0685eee 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -2380,6 +2380,11 @@ _nfsd4_verify(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 	if (verify->ve_attrlen & 3)
 		return nfserr_inval;
 
+	/* The POSIX draft ACLs cannot be tested via (N)VERIFY. */
+	if (verify->ve_bmval[2] & (FATTR4_WORD2_POSIX_DEFAULT_ACL |
+					FATTR4_WORD2_POSIX_ACCESS_ACL))
+		return nfserr_inval;
+
 	/* count in words:
 	 *   bitmap_len(1) + bitmap(2) + attr_len(1) = 4
 	 */
-- 
2.52.0

next prev parent reply	other threads:[~2026-01-09 16:21 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-09 16:21 [PATCH v3 00/13] Add NFSv4.2 POSIX ACL support Chuck Lever
2026-01-09 16:21 ` [PATCH v3 01/13] xdrgen: Implement pass-through lines in specifications Chuck Lever
2026-01-09 16:21 ` [PATCH v3 02/13] NFSD: Add a Kconfig setting to enable support for NFSv4 POSIX ACLs Chuck Lever
2026-01-09 16:21 ` [PATCH v3 03/13] Add RPC language definition of NFSv4 POSIX ACL extension Chuck Lever
2026-01-09 16:21 ` [PATCH v3 04/13] NFSD: Add nfsd4_encode_fattr4_acl_trueform Chuck Lever
2026-01-09 16:21 ` [PATCH v3 05/13] NFSD: Add nfsd4_encode_fattr4_acl_trueform_scope Chuck Lever
2026-01-09 16:21 ` [PATCH v3 06/13] NFSD: Add nfsd4_encode_fattr4_posix_default_acl Chuck Lever
2026-01-09 16:21 ` [PATCH v3 07/13] NFSD: Add nfsd4_encode_fattr4_posix_access_acl Chuck Lever
2026-01-09 16:21 ` Chuck Lever [this message]
2026-01-09 16:21 ` [PATCH v3 09/13] NFSD: Refactor nfsd_setattr()'s ACL error reporting Chuck Lever
2026-01-09 16:21 ` [PATCH v3 10/13] NFSD: Add support for XDR decoding POSIX draft ACLs Chuck Lever
2026-01-09 16:21 ` [PATCH v3 11/13] NFSD: Add support for POSIX draft ACLs for file creation Chuck Lever
2026-01-09 16:21 ` [PATCH v3 12/13] NFSD: Add POSIX draft ACL support to the NFSv4 SETATTR operation Chuck Lever
2026-01-09 16:21 ` [PATCH v3 13/13] NFSD: Add POSIX ACL file attributes to SUPPATTR bitmasks Chuck Lever

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e7ec87b6c33 dfblob:a77ec0685ee )
 OR (
bs:"[PATCH v3 08/13] NFSD: Do not allow NFSv4 (N)VERIFY to check POSIX ACL attributes" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260109162143.4186112-9-cel@kernel.org \
    --to=cel@kernel.org \
    --cc=dai.ngo@oracle.com \
    --cc=jlayton@kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=neilb@ownmail.net \
    --cc=okorniev@redhat.com \
    --cc=rmacklem@uoguelph.ca \
    --cc=tom@talpey.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.