[PATCH 2/4] NFS: Set security flavor default for NFSv2/3 mounts like other defaults

[PATCH 2/4] NFS: Set security flavor default for NFSv2/3 mounts like other defaults

[Chuck Lever]

Set the default security flavor when we set the other mount option default
values.

After this change, the only path that needs to know the NFS_MOUNT_SECFLAVOUR
setting is the binary NFSv2/3 mount path; the flag is set only by user space
when passing in the legacy nfs_mount_data structure.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 fs/nfs/super.c |   23 +++++------------------
 1 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index fad43d1..55b24c3 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -743,9 +743,7 @@ static void nfs_parse_server_address(char *value,
 /*
  * Parse the value of the 'sec=' option.
  *
- * The flags setting is for v2/v3.  The flavor_len
- * setting is for v4.  v2/v3 also need to know the
- * difference between NULL and UNIX.
+ * The flavor_len setting is for v4 mounts.
  */
 static int nfs_parse_security_flavors(char *string,
 				      struct nfs_parsed_mount_data *mnt)
@@ -763,57 +761,46 @@ static int nfs_parse_security_flavors(char *string,
 
 	switch (token) {
 	case Opt_sec_none:
-		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 0;
 		mnt->auth_flavors[0] = RPC_AUTH_NULL;
 		break;
 	case Opt_sec_sys:
-		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 0;
 		mnt->auth_flavors[0] = RPC_AUTH_UNIX;
 		break;
 	case Opt_sec_krb5:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5;
 		break;
 	case Opt_sec_krb5i:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5I;
 		break;
 	case Opt_sec_krb5p:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5P;
 		break;
 	case Opt_sec_lkey:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEY;
 		break;
 	case Opt_sec_lkeyi:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYI;
 		break;
 	case Opt_sec_lkeyp:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYP;
 		break;
 	case Opt_sec_spkm:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKM;
 		break;
 	case Opt_sec_spkmi:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMI;
 		break;
 	case Opt_sec_spkmp:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMP;
 		break;
@@ -1259,6 +1246,7 @@ static int nfs_validate_mount_data(void *options,
 	args->mount_server.protocol = XPRT_TRANSPORT_UDP;
 	args->nfs_server.port	= 0;	/* autobind unless user sets port */
 	args->nfs_server.protocol = XPRT_TRANSPORT_TCP;
+	args->auth_flavors[0] = RPC_AUTH_UNIX;
 
 	switch (data->version) {
 	case 1:
@@ -1317,7 +1305,9 @@ static int nfs_validate_mount_data(void *options,
 		args->nfs_server.hostname = kstrdup(data->hostname, GFP_KERNEL);
 		args->namlen		= data->namlen;
 		args->bsize		= data->bsize;
-		args->auth_flavors[0]	= data->pseudoflavor;
+
+		if (data->flags & NFS_MOUNT_SECFLAVOUR)
+			args->auth_flavors[0] = data->pseudoflavor;
 
 		/*
 		 * The legacy version 6 binary mount data from userspace has a
@@ -1378,9 +1368,6 @@ static int nfs_validate_mount_data(void *options,
 		}
 	}
 
-	if (!(args->flags & NFS_MOUNT_SECFLAVOUR))
-		args->auth_flavors[0] = RPC_AUTH_UNIX;
-
 #ifndef CONFIG_NFS_V3
 	if (args->flags & NFS_MOUNT_VER3)
 		goto out_v3_not_compiled;

[PATCH 0/4] Support parsing multiple security flavors

[Chuck Lever]

Hi Trond-

The following four patches implement support in the NFS client's mount option
parser for multiple security flavors via "sec=flavor:flavor:flavor:..."  This
replicates similar support in the legacy (non text-based) mount.nfs command.

Since the NFS client itself doesn't support multiple security flavors at the
moment, these have been build-tested only.

Please consider them for 2.6.27.

---

Chuck Lever (4):
      NFS: text-based mounts should support multiple security flavors
      NFS4: Set security flavor default for NFSv4 mounts like other defaults
      NFS: Set security flavor default for NFSv2/3 mounts like other defaults
      NFS: Refactor logic for parsing NFS security flavor mount options


 fs/nfs/internal.h |    4 +
 fs/nfs/super.c    |  187 +++++++++++++++++++++++++++++------------------------
 2 files changed, 105 insertions(+), 86 deletions(-)

-- 
Chuck Lever
chu ckl eve rat ora cle dot com

[PATCH 1/4] NFS: Refactor logic for parsing NFS security flavor mount options

[Chuck Lever]

Clean up: Refactor the NFS mount option parsing function to extract the
security flavor parsing logic into a separate function.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 fs/nfs/super.c |  143 +++++++++++++++++++++++++++++++-------------------------
 1 files changed, 78 insertions(+), 65 deletions(-)


diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 1736268..712b85f 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -852,6 +852,82 @@ static void nfs_set_transport_defaults(struct nfs_parsed_mount_data *mnt)
 }
 
 /*
+ * Parse the value of the 'sec=' option.
+ *
+ * The flags setting is for v2/v3.  The flavor_len setting is for v4.
+ * v2/v3 also need to know the difference between NULL and UNIX.
+ */
+static int nfs_parse_security_flavors(char *value,
+				      struct nfs_parsed_mount_data *mnt)
+{
+	substring_t args[MAX_OPT_ARGS];
+
+	dfprintk(MOUNT, "NFS: parsing sec=%s option\n", value);
+
+	switch (match_token(value, nfs_secflavor_tokens, args)) {
+	case Opt_sec_none:
+		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 0;
+		mnt->auth_flavors[0] = RPC_AUTH_NULL;
+		break;
+	case Opt_sec_sys:
+		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 0;
+		mnt->auth_flavors[0] = RPC_AUTH_UNIX;
+		break;
+	case Opt_sec_krb5:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5;
+		break;
+	case Opt_sec_krb5i:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5I;
+		break;
+	case Opt_sec_krb5p:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5P;
+		break;
+	case Opt_sec_lkey:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEY;
+		break;
+	case Opt_sec_lkeyi:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYI;
+		break;
+	case Opt_sec_lkeyp:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYP;
+		break;
+	case Opt_sec_spkm:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKM;
+		break;
+	case Opt_sec_spkmi:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMI;
+		break;
+	case Opt_sec_spkmp:
+		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
+		mnt->auth_flavor_len = 1;
+		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMP;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+/*
  * Error-check and convert a string of mount options from user space into
  * a data structure
  */
@@ -1052,73 +1128,10 @@ static int nfs_parse_mount_options(char *raw,
 			string = match_strdup(args);
 			if (string == NULL)
 				goto out_nomem;
-			token = match_token(string, nfs_secflavor_tokens, args);
+			rc = nfs_parse_security_flavors(string, mnt);
 			kfree(string);
-
-			/*
-			 * The flags setting is for v2/v3.  The flavor_len
-			 * setting is for v4.  v2/v3 also need to know the
-			 * difference between NULL and UNIX.
-			 */
-			switch (token) {
-			case Opt_sec_none:
-				mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 0;
-				mnt->auth_flavors[0] = RPC_AUTH_NULL;
-				break;
-			case Opt_sec_sys:
-				mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 0;
-				mnt->auth_flavors[0] = RPC_AUTH_UNIX;
-				break;
-			case Opt_sec_krb5:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5;
-				break;
-			case Opt_sec_krb5i:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5I;
-				break;
-			case Opt_sec_krb5p:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5P;
-				break;
-			case Opt_sec_lkey:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEY;
-				break;
-			case Opt_sec_lkeyi:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYI;
-				break;
-			case Opt_sec_lkeyp:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYP;
-				break;
-			case Opt_sec_spkm:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKM;
-				break;
-			case Opt_sec_spkmi:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMI;
-				break;
-			case Opt_sec_spkmp:
-				mnt->flags |= NFS_MOUNT_SECFLAVOUR;
-				mnt->auth_flavor_len = 1;
-				mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMP;
-				break;
-			default:
+			if (!rc)
 				goto out_unrec_sec;
-			}
 			break;
 		case Opt_proto:
 			string = match_strdup(args);

[PATCH 2/4] NFS: Set security flavor default for NFSv2/3 mounts like other defaults

[Chuck Lever]

Set the default security flavor when we set the other mount option default
values.  After this change, only the legacy user-space mount path needs to
set the NFS_MOUNT_SECFLAVOUR flag.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 fs/nfs/super.c |   22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)


diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 712b85f..19f3920 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -854,8 +854,7 @@ static void nfs_set_transport_defaults(struct nfs_parsed_mount_data *mnt)
 /*
  * Parse the value of the 'sec=' option.
  *
- * The flags setting is for v2/v3.  The flavor_len setting is for v4.
- * v2/v3 also need to know the difference between NULL and UNIX.
+ * The flavor_len setting is for v4 mounts.
  */
 static int nfs_parse_security_flavors(char *value,
 				      struct nfs_parsed_mount_data *mnt)
@@ -866,57 +865,46 @@ static int nfs_parse_security_flavors(char *value,
 
 	switch (match_token(value, nfs_secflavor_tokens, args)) {
 	case Opt_sec_none:
-		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 0;
 		mnt->auth_flavors[0] = RPC_AUTH_NULL;
 		break;
 	case Opt_sec_sys:
-		mnt->flags &= ~NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 0;
 		mnt->auth_flavors[0] = RPC_AUTH_UNIX;
 		break;
 	case Opt_sec_krb5:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5;
 		break;
 	case Opt_sec_krb5i:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5I;
 		break;
 	case Opt_sec_krb5p:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5P;
 		break;
 	case Opt_sec_lkey:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEY;
 		break;
 	case Opt_sec_lkeyi:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYI;
 		break;
 	case Opt_sec_lkeyp:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYP;
 		break;
 	case Opt_sec_spkm:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKM;
 		break;
 	case Opt_sec_spkmi:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMI;
 		break;
 	case Opt_sec_spkmp:
-		mnt->flags |= NFS_MOUNT_SECFLAVOUR;
 		mnt->auth_flavor_len = 1;
 		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMP;
 		break;
@@ -1479,6 +1467,7 @@ static int nfs_validate_mount_data(void *options,
 	args->acdirmax		= NFS_DEF_ACDIRMAX;
 	args->mount_server.port	= 0;	/* autobind unless user sets port */
 	args->nfs_server.port	= 0;	/* autobind unless user sets port */
+	args->auth_flavors[0]	= RPC_AUTH_UNIX;
 
 	switch (data->version) {
 	case 1:
@@ -1536,7 +1525,9 @@ static int nfs_validate_mount_data(void *options,
 		args->nfs_server.hostname = kstrdup(data->hostname, GFP_KERNEL);
 		args->namlen		= data->namlen;
 		args->bsize		= data->bsize;
-		args->auth_flavors[0]	= data->pseudoflavor;
+
+		if (data->flags & NFS_MOUNT_SECFLAVOUR)
+			args->auth_flavors[0] = data->pseudoflavor;
 		if (!args->nfs_server.hostname)
 			goto out_nomem;
 
@@ -1600,9 +1591,6 @@ static int nfs_validate_mount_data(void *options,
 		}
 	}
 
-	if (!(args->flags & NFS_MOUNT_SECFLAVOUR))
-		args->auth_flavors[0] = RPC_AUTH_UNIX;
-
 #ifndef CONFIG_NFS_V3
 	if (args->flags & NFS_MOUNT_VER3)
 		goto out_v3_not_compiled;

[PATCH 3/4] NFS4: Set security flavor default for NFSv4 mounts like other defaults

[Chuck Lever]

Set the default security flavor when we set the other mount option
default values for NFSv4.  This cleans up the NFSv4 mount option parsing
path to look like the NFSv2/v3 one.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 fs/nfs/super.c |   22 ++++++----------------
 1 files changed, 6 insertions(+), 16 deletions(-)


diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 19f3920..fa94851 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2044,6 +2044,8 @@ static int nfs4_validate_mount_data(void *options,
 	args->acdirmin		= NFS_DEF_ACDIRMIN;
 	args->acdirmax		= NFS_DEF_ACDIRMAX;
 	args->nfs_server.port	= NFS_PORT; /* 2049 unless user set port= */
+	args->auth_flavors[0]	= RPC_AUTH_UNIX;
+	args->auth_flavor_len	= 0;
 
 	switch (data->version) {
 	case 1:
@@ -2059,18 +2061,13 @@ static int nfs4_validate_mount_data(void *options,
 						&args->nfs_server.address))
 			goto out_no_address;
 
-		switch (data->auth_flavourlen) {
-		case 0:
-			args->auth_flavors[0] = RPC_AUTH_UNIX;
-			break;
-		case 1:
+		if (data->auth_flavourlen) {
+			if (data->auth_flavourlen > 1)
+				goto out_inval_auth;
 			if (copy_from_user(&args->auth_flavors[0],
 					   data->auth_flavours,
 					   sizeof(args->auth_flavors[0])))
 				return -EFAULT;
-			break;
-		default:
-			goto out_inval_auth;
 		}
 
 		c = strndup_user(data->hostname.data, NFS4_MAXNAMLEN);
@@ -2121,15 +2118,8 @@ static int nfs4_validate_mount_data(void *options,
 
 		nfs_set_transport_defaults(args);
 
-		switch (args->auth_flavor_len) {
-		case 0:
-			args->auth_flavors[0] = RPC_AUTH_UNIX;
-			break;
-		case 1:
-			break;
-		default:
+		if (args->auth_flavor_len > 1)
 			goto out_inval_auth;
-		}
 
 		if (args->client_address == NULL)
 			goto out_no_client_address;

[PATCH 4/4] NFS: text-based mounts should support multiple security flavors

[Chuck Lever]

Add support to the in-kernel NFS mount option parser for handling multiple
security flavors.

This does not implement support for multiple security flavors in the
underlying NFS or mountd clients.  When that support is added, simply crank
up the value of the MAX_SECURITY_FLAVORS macro, and that will enable the
mount option parser to grok colons and multiple security flavors.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 fs/nfs/internal.h |    4 +-
 fs/nfs/super.c    |  126 ++++++++++++++++++++++++++++++++---------------------
 2 files changed, 79 insertions(+), 51 deletions(-)


diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 04ae867..6672c3a 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -27,6 +27,8 @@ struct nfs_clone_mount {
 	rpc_authflavor_t authflavor;
 };
 
+#define MAX_SECURITY_FLAVORS	(1)
+
 /*
  * In-kernel mount arguments
  */
@@ -39,7 +41,7 @@ struct nfs_parsed_mount_data {
 	int			namlen;
 	unsigned int		bsize;
 	unsigned int		auth_flavor_len;
-	rpc_authflavor_t	auth_flavors[1];
+	rpc_authflavor_t	auth_flavors[MAX_SECURITY_FLAVORS];
 	char			*client_address;
 
 	struct {
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index fa94851..22bdc50 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -853,63 +853,89 @@ static void nfs_set_transport_defaults(struct nfs_parsed_mount_data *mnt)
 
 /*
  * Parse the value of the 'sec=' option.
- *
- * The flavor_len setting is for v4 mounts.
  */
 static int nfs_parse_security_flavors(char *value,
 				      struct nfs_parsed_mount_data *mnt)
 {
-	substring_t args[MAX_OPT_ARGS];
+	char *p, *string;
+
+	mnt->auth_flavor_len = 0;
 
 	dfprintk(MOUNT, "NFS: parsing sec=%s option\n", value);
 
-	switch (match_token(value, nfs_secflavor_tokens, args)) {
-	case Opt_sec_none:
-		mnt->auth_flavor_len = 0;
-		mnt->auth_flavors[0] = RPC_AUTH_NULL;
-		break;
-	case Opt_sec_sys:
-		mnt->auth_flavor_len = 0;
-		mnt->auth_flavors[0] = RPC_AUTH_UNIX;
-		break;
-	case Opt_sec_krb5:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5;
-		break;
-	case Opt_sec_krb5i:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5I;
-		break;
-	case Opt_sec_krb5p:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_KRB5P;
-		break;
-	case Opt_sec_lkey:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEY;
-		break;
-	case Opt_sec_lkeyi:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYI;
-		break;
-	case Opt_sec_lkeyp:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_LKEYP;
-		break;
-	case Opt_sec_spkm:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKM;
-		break;
-	case Opt_sec_spkmi:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMI;
-		break;
-	case Opt_sec_spkmp:
-		mnt->auth_flavor_len = 1;
-		mnt->auth_flavors[0] = RPC_AUTH_GSS_SPKMP;
-		break;
-	default:
-		return 0;
+	while ((p = strsep(&value, ":")) != NULL) {
+		substring_t args[MAX_OPT_ARGS];
+		int token;
+
+		if (!*p)
+			continue;
+
+		if (mnt->auth_flavor_len >= MAX_SECURITY_FLAVORS) {
+			dfprintk(MOUNT, "NFS: sec= option specifies "
+					"too many security flavors\n");
+			return 0;
+		}
+
+		string = match_strdup(args);
+		if (string == NULL) {
+			dfprintk(MOUNT, "NFS: not enough memory "
+					"to parse sec= option\n");
+			return 0;
+		}
+
+		token = match_token(string, nfs_secflavor_tokens, args);
+		kfree(string);
+
+		switch (token) {
+		case Opt_sec_none:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_NULL;
+			break;
+		case Opt_sec_sys:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_UNIX;
+			break;
+		case Opt_sec_krb5:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_KRB5;
+			break;
+		case Opt_sec_krb5i:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_KRB5I;
+			break;
+		case Opt_sec_krb5p:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_KRB5P;
+			break;
+		case Opt_sec_lkey:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_LKEY;
+			break;
+		case Opt_sec_lkeyi:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_LKEYI;
+			break;
+		case Opt_sec_lkeyp:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_LKEYP;
+			break;
+		case Opt_sec_spkm:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_SPKM;
+			break;
+		case Opt_sec_spkmi:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_SPKMI;
+			break;
+		case Opt_sec_spkmp:
+			mnt->auth_flavors[mnt->auth_flavor_len] =
+							RPC_AUTH_GSS_SPKMP;
+			break;
+		default:
+			return 0;
+		}
+
+		mnt->auth_flavor_len++;
 	}
 
 	return 1;

Re: [PATCH 0/4] Support parsing multiple security flavors

[Trond Myklebust]

On Tue, 2008-06-24 at 16:33 -0400, Chuck Lever wrote:
> Hi Trond-
> 
> The following four patches implement support in the NFS client's mount option
> parser for multiple security flavors via "sec=flavor:flavor:flavor:..."  This
> replicates similar support in the legacy (non text-based) mount.nfs command.
> 
> Since the NFS client itself doesn't support multiple security flavors at the
> moment, these have been build-tested only.
> 
> Please consider them for 2.6.27.

Are you planning to add support for security negotiation or multiple
security flavours in time for 2.6.27? If not, I suggest we delay this
until such functionality exists.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Re: [PATCH 2/4] NFS: Set security flavor default for NFSv2/3 mounts like other defaults

[Trond Myklebust]

On Tue, 2008-06-24 at 16:33 -0400, Chuck Lever wrote:
> Set the default security flavor when we set the other mount option default
> values.  After this change, only the legacy user-space mount path needs to
> set the NFS_MOUNT_SECFLAVOUR flag.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> 
>  fs/nfs/super.c |   22 +++++-----------------
>  1 files changed, 5 insertions(+), 17 deletions(-)
> 

Does not apply to the devel tree...
-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Re: [PATCH 2/4] NFS: Set security flavor default for NFSv2/3 mounts like other defaults

[Chuck Lever]

On Jun 26, 2008, at 3:48 PM, Trond Myklebust wrote:
> On Tue, 2008-06-24 at 16:33 -0400, Chuck Lever wrote:
>> Set the default security flavor when we set the other mount option  
>> default
>> values.  After this change, only the legacy user-space mount path  
>> needs to
>> set the NFS_MOUNT_SECFLAVOUR flag.
>>
>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> ---
>>
>> fs/nfs/super.c |   22 +++++-----------------
>> 1 files changed, 5 insertions(+), 17 deletions(-)
>>
>
> Does not apply to the devel tree...

Looks like you are missing three patches I recently sent.  I'll post  
them now.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com