[PATCH] exportfs: support "security_label" export option

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: bfields@fieldses.org (J. Bruce Fields)
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH] exportfs: support "security_label" export option
Date: Wed, 11 Jan 2017 21:22:06 -0500	[thread overview]
Message-ID: <20170112022206.GA303@fieldses.org> (raw)
In-Reply-To: <1484187481-32723-3-git-send-email-bfields@redhat.com>

From: "J. Bruce Fields" <bfields@redhat.com>

On recent kernels only exports with NFSEXP_SECURITY_LABEL set will
export security labels.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 support/include/nfs/export.h | 3 ++-
 support/nfs/exports.c        | 4 ++++
 utils/exportfs/exportfs.c    | 2 ++
 utils/exportfs/exports.man   | 8 ++++++++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
index 1194255899bd..0eca828ee3ad 100644
--- a/support/include/nfs/export.h
+++ b/support/include/nfs/export.h
@@ -18,7 +18,8 @@
 #define NFSEXP_ASYNC		0x0010
 #define NFSEXP_GATHERED_WRITES	0x0020
 #define NFSEXP_NOREADDIRPLUS	0x0040
-/* 80, 100 unused */
+#define NFSEXP_SECURITY_LABEL	0x0080
+/* 0x100 unused */
 #define NFSEXP_NOHIDE		0x0200
 #define NFSEXP_NOSUBTREECHECK	0x0400
 #define NFSEXP_NOAUTHNLM	0x0800
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index d992747c13a1..92bd6e60ddf7 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -274,6 +274,8 @@ putexportent(struct exportent *ep)
 		"no_" : "");
 	if (ep->e_flags & NFSEXP_NOREADDIRPLUS)
 		fprintf(fp, "nordirplus,");
+	if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+		fprintf(fp, "security_label,");
 	fprintf(fp, "%spnfs,", (ep->e_flags & NFSEXP_PNFS)? "" : "no_");
 	if (ep->e_flags & NFSEXP_FSID) {
 		fprintf(fp, "fsid=%d,", ep->e_fsid);
@@ -543,6 +545,8 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
 			setflags(NFSEXP_ASYNC, active, ep);
 		else if (!strcmp(opt, "nordirplus"))
 			setflags(NFSEXP_NOREADDIRPLUS, active, ep);
+		else if (!strcmp(opt, "security_label"))
+			setflags(NFSEXP_SECURITY_LABEL, active, ep);
 		else if (!strcmp(opt, "nohide"))
 			setflags(NFSEXP_NOHIDE, active, ep);
 		else if (!strcmp(opt, "hide"))
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index 15a15835a01f..38039978ef5f 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -705,6 +705,8 @@ dump(int verbose, int export_format)
 				c = dumpopt(c, "insecure_locks");
 			if (ep->e_flags & NFSEXP_NOREADDIRPLUS)
 				c = dumpopt(c, "nordirplus");
+			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+				c = dumpopt(c, "security_label");
 			if (ep->e_flags & NFSEXP_NOACL)
 				c = dumpopt(c, "no_acl");
 			if (ep->e_flags & NFSEXP_PNFS)
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 93092463153b..d8de6bec2583 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -417,6 +417,14 @@ devices. The default can be explicitly requested with the
 .I no_pnfs
 option.
 
+.TP
+.IR security_label
+With this option set, clients using NFSv4.2 or higher will be able to
+set and retrieve security labels (such as those used by SELinux).  This
+will only work if all clients use a consistent security policy.  Note
+that early kernels did not support this export option, and instead
+enabled security labels by default.
+
 .SS User ID Mapping
 .PP
 .B nfsd
-- 
2.9.3

     prev parent reply	other threads:[~2017-01-12  2:22 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-12  2:17 [PATCH 1/3] nfsd: fix supported attributes for acl & labels J. Bruce Fields
2017-01-12  2:18 ` [PATCH 2/3] nfsd: constify nfsd_suppatttrs J. Bruce Fields
2017-01-12  2:18 ` [PATCH 3/3] nfsd: opt in to labeled nfs per export J. Bruce Fields
2017-01-12  2:22   ` J. Bruce Fields [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1194255899b dfblob:0eca828ee3a dfblob:d992747c13a
dfblob:92bd6e60ddf dfblob:15a15835a01 dfblob:38039978ef5
dfblob:93092463153 dfblob:d8de6bec258 )
 OR (
bs:"[PATCH] exportfs: support "
bs:"security_label"
bs:" export option" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170112022206.GA303@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=steved@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).