[PATCH 0/3] access checking fixes for NLM under security policies

[PATCH 0/3] access checking fixes for NLM under security policies

[Olga Kornievskaia]

Since commit 4cc9b9f2bf4df ("nfsd: refine and rename NFSD_MAY_LOCK")
for export policies with "sec=krb5:..." or "xprtsec=tls:.." NLM
locking calls on v3 mounts fail. And for "sec=krb5" NLM calls it
also leads to out-of-bounds reference while in check_nfsd_access().

This patch series address 3 problems.

The first patch addresses a problem related to a TLS export
policy. NLM call dont come over TLS and thus dont pass the
TLS checks in check_nfsd_access() leading to access being
denied. Instead rely on may_bypass_gss to indicate NLM and
allow access checking to continue.

The other 2 patches are for problems related to sec=krb5.
The 2nd patch is because previously for NLM check_nfsd_access()
was never called and thus nfsd4_spo_must_allow() function wasn't
called. After the patch, this lead to NLM call which has no
compound state structure created trying to dereference it.
This patch instead moves the call to after may_bypass_gss
check which implies NLM and would return there and would
never get to calling nfsd4_spo_must_allow().

The last patch is fixing what "access" content is being passed
into the inode_permission(). Prior to 4cc9b9f2bf4df, the code would
explicitly set access to be read/ownership. And after is passes
access that's set in nlm_fopen but it's lacking read access.

Olga Kornievskaia (3):
  nfsd: fix access checking for NLM under XPRTSEC policies
  nfsd: adjust nfsd4_spo_must_allow checking order
  nfsd: reset access mask for NLM calls in nfsd_permission

 fs/nfsd/export.c | 20 ++++++++++----------
 fs/nfsd/vfs.c    |  7 +++++++
 2 files changed, 17 insertions(+), 10 deletions(-)

-- 
2.47.1

[PATCH 1/3] nfsd: fix access checking for NLM under XPRTSEC policies

[Olga Kornievskaia]

When an export policy with xprtsec policy is set with "tls"
and/or "mtls", but an NFS client is doing a v3 xprtsec=tls
mount, then NLM locking calls fail with an error because
there is currently no support for NLM with TLS.

Until such support is added, allow NLM calls under TLS-secured
policy.

Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
---
 fs/nfsd/export.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 0363720280d4..88ae410b4113 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1124,7 +1124,8 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
 		    test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
 			goto ok;
 	}
-	goto denied;
+	if (!may_bypass_gss)
+		goto denied;
 
 ok:
 	/* legacy gss-only clients are always OK: */
-- 
2.47.1

Re: [PATCH 1/3] nfsd: fix access checking for NLM under XPRTSEC policies

[Jeff Layton]

On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> When an export policy with xprtsec policy is set with "tls"
> and/or "mtls", but an NFS client is doing a v3 xprtsec=tls
> mount, then NLM locking calls fail with an error because
> there is currently no support for NLM with TLS.
> 
> Until such support is added, allow NLM calls under TLS-secured
> policy.
> 
> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> ---
>  fs/nfsd/export.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index 0363720280d4..88ae410b4113 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -1124,7 +1124,8 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
>  		    test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
>  			goto ok;
>  	}
> -	goto denied;
> +	if (!may_bypass_gss)
> +		goto denied;
>  
>  ok:
>  	/* legacy gss-only clients are always OK: */

Reviewed-by: Jeff Layton <jlayton@kernel.org>

[PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Olga Kornievskaia]

Prior to this patch, some non-4.x NFS operations such as NLM
calls have to go thru export policy checking would end up
calling nfsd4_spo_must_allow() function and lead to an
out-of-bounds error because no compound state structures
needed by nfsd4_spo_must_allow() are present in the svc_rqst
request structure.

Instead, do the nfsd4_spo_must_allow() checking after the
may_bypass_gss check which is geared towards allowing various
calls such as NLM while export policy is set with sec=krb5:...

Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
---
 fs/nfsd/export.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 88ae410b4113..02f26cbd59d0 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
 			return nfs_ok;
 	}
 
-	/* If the compound op contains a spo_must_allowed op,
-	 * it will be sent with integrity/protection which
-	 * will have to be expressly allowed on mounts that
-	 * don't support it
-	 */
-
-	if (nfsd4_spo_must_allow(rqstp))
-		return nfs_ok;
-
 	/* Some calls may be processed without authentication
 	 * on GSS exports. For example NFS2/3 calls on root
 	 * directory, see section 2.3.2 of rfc 2623.
@@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
 				return 0;
 		}
 	}
+	/* If the compound op contains a spo_must_allowed op,
+	 * it will be sent with integrity/protection which
+	 * will have to be expressly allowed on mounts that
+	 * don't support it
+	 */
+	if (nfsd4_spo_must_allow(rqstp))
+		return nfs_ok;
+
 
 denied:
 	return nfserr_wrongsec;
-- 
2.47.1

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Jeff Layton]

On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> Prior to this patch, some non-4.x NFS operations such as NLM
> calls have to go thru export policy checking would end up
> calling nfsd4_spo_must_allow() function and lead to an
> out-of-bounds error because no compound state structures
> needed by nfsd4_spo_must_allow() are present in the svc_rqst
> request structure.
> 
> Instead, do the nfsd4_spo_must_allow() checking after the
> may_bypass_gss check which is geared towards allowing various
> calls such as NLM while export policy is set with sec=krb5:...
> 
> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> ---
>  fs/nfsd/export.c | 17 ++++++++---------
>  1 file changed, 8 insertions(+), 9 deletions(-)
> 
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index 88ae410b4113..02f26cbd59d0 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
>  			return nfs_ok;
>  	}
>  
> -	/* If the compound op contains a spo_must_allowed op,
> -	 * it will be sent with integrity/protection which
> -	 * will have to be expressly allowed on mounts that
> -	 * don't support it
> -	 */
> -
> -	if (nfsd4_spo_must_allow(rqstp))
> -		return nfs_ok;
> -
>  	/* Some calls may be processed without authentication
>  	 * on GSS exports. For example NFS2/3 calls on root
>  	 * directory, see section 2.3.2 of rfc 2623.
> @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
>  				return 0;
>  		}
>  	}
> +	/* If the compound op contains a spo_must_allowed op,
> +	 * it will be sent with integrity/protection which
> +	 * will have to be expressly allowed on mounts that
> +	 * don't support it
> +	 */
> +	if (nfsd4_spo_must_allow(rqstp))
> +		return nfs_ok;
> +
>  
>  denied:
>  	return nfserr_wrongsec;

Is this enough to fully fix the OOB problem? It looks like you could
still get past the may_bypass_gss if statement above this with a
carefully crafted RPC.

Maybe the right fix is to make nfsd4_spo_must_allow() check the rq_prog
and rq_vers fields to ensure that this is NFSv4? It can just return
false if it's not.

-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Olga Kornievskaia]

On Mon, Apr 7, 2025 at 11:36 AM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> > Prior to this patch, some non-4.x NFS operations such as NLM
> > calls have to go thru export policy checking would end up
> > calling nfsd4_spo_must_allow() function and lead to an
> > out-of-bounds error because no compound state structures
> > needed by nfsd4_spo_must_allow() are present in the svc_rqst
> > request structure.
> >
> > Instead, do the nfsd4_spo_must_allow() checking after the
> > may_bypass_gss check which is geared towards allowing various
> > calls such as NLM while export policy is set with sec=krb5:...
> >
> > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > ---
> >  fs/nfsd/export.c | 17 ++++++++---------
> >  1 file changed, 8 insertions(+), 9 deletions(-)
> >
> > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > index 88ae410b4113..02f26cbd59d0 100644
> > --- a/fs/nfsd/export.c
> > +++ b/fs/nfsd/export.c
> > @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> >                       return nfs_ok;
> >       }
> >
> > -     /* If the compound op contains a spo_must_allowed op,
> > -      * it will be sent with integrity/protection which
> > -      * will have to be expressly allowed on mounts that
> > -      * don't support it
> > -      */
> > -
> > -     if (nfsd4_spo_must_allow(rqstp))
> > -             return nfs_ok;
> > -
> >       /* Some calls may be processed without authentication
> >        * on GSS exports. For example NFS2/3 calls on root
> >        * directory, see section 2.3.2 of rfc 2623.
> > @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> >                               return 0;
> >               }
> >       }
> > +     /* If the compound op contains a spo_must_allowed op,
> > +      * it will be sent with integrity/protection which
> > +      * will have to be expressly allowed on mounts that
> > +      * don't support it
> > +      */
> > +     if (nfsd4_spo_must_allow(rqstp))
> > +             return nfs_ok;
> > +
> >
> >  denied:
> >       return nfserr_wrongsec;
>
> Is this enough to fully fix the OOB problem? It looks like you could
> still get past the may_bypass_gss if statement above this with a
> carefully crafted RPC.

A crafted RPC can and thus Neil's patch that checks the version in
nfsd4_spo_must_allow is needed.

I still feel changing the order would be beneficial as it would take
care of realistic requests.

> Maybe the right fix is to make nfsd4_spo_must_allow() check the rq_prog
> and rq_vers fields to ensure that this is NFSv4? It can just return
> false if it's not.
>
> --
> Jeff Layton <jlayton@kernel.org>
>

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Jeff Layton]

On Mon, 2025-04-07 at 11:56 -0400, Olga Kornievskaia wrote:
> On Mon, Apr 7, 2025 at 11:36 AM Jeff Layton <jlayton@kernel.org> wrote:
> > 
> > On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> > > Prior to this patch, some non-4.x NFS operations such as NLM
> > > calls have to go thru export policy checking would end up
> > > calling nfsd4_spo_must_allow() function and lead to an
> > > out-of-bounds error because no compound state structures
> > > needed by nfsd4_spo_must_allow() are present in the svc_rqst
> > > request structure.
> > > 
> > > Instead, do the nfsd4_spo_must_allow() checking after the
> > > may_bypass_gss check which is geared towards allowing various
> > > calls such as NLM while export policy is set with sec=krb5:...
> > > 
> > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > ---
> > >  fs/nfsd/export.c | 17 ++++++++---------
> > >  1 file changed, 8 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > > index 88ae410b4113..02f26cbd59d0 100644
> > > --- a/fs/nfsd/export.c
> > > +++ b/fs/nfsd/export.c
> > > @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > >                       return nfs_ok;
> > >       }
> > > 
> > > -     /* If the compound op contains a spo_must_allowed op,
> > > -      * it will be sent with integrity/protection which
> > > -      * will have to be expressly allowed on mounts that
> > > -      * don't support it
> > > -      */
> > > -
> > > -     if (nfsd4_spo_must_allow(rqstp))
> > > -             return nfs_ok;
> > > -
> > >       /* Some calls may be processed without authentication
> > >        * on GSS exports. For example NFS2/3 calls on root
> > >        * directory, see section 2.3.2 of rfc 2623.
> > > @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > >                               return 0;
> > >               }
> > >       }
> > > +     /* If the compound op contains a spo_must_allowed op,
> > > +      * it will be sent with integrity/protection which
> > > +      * will have to be expressly allowed on mounts that
> > > +      * don't support it
> > > +      */
> > > +     if (nfsd4_spo_must_allow(rqstp))
> > > +             return nfs_ok;
> > > +
> > > 
> > >  denied:
> > >       return nfserr_wrongsec;
> > 
> > Is this enough to fully fix the OOB problem? It looks like you could
> > still get past the may_bypass_gss if statement above this with a
> > carefully crafted RPC.
> 
> A crafted RPC can and thus Neil's patch that checks the version in
> nfsd4_spo_must_allow is needed.
> 
> I still feel changing the order would be beneficial as it would take
> care of realistic requests.

No objection to changing the order if that makes sense, but I think we
do need to guard against carefully crafted RPCs too. Can we have
nfsd4_spo_must_allow() vet that the request is NFSv4 before checking
the compound fields too?
-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Olga Kornievskaia]

On Mon, Apr 7, 2025 at 11:59 AM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Mon, 2025-04-07 at 11:56 -0400, Olga Kornievskaia wrote:
> > On Mon, Apr 7, 2025 at 11:36 AM Jeff Layton <jlayton@kernel.org> wrote:
> > >
> > > On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> > > > Prior to this patch, some non-4.x NFS operations such as NLM
> > > > calls have to go thru export policy checking would end up
> > > > calling nfsd4_spo_must_allow() function and lead to an
> > > > out-of-bounds error because no compound state structures
> > > > needed by nfsd4_spo_must_allow() are present in the svc_rqst
> > > > request structure.
> > > >
> > > > Instead, do the nfsd4_spo_must_allow() checking after the
> > > > may_bypass_gss check which is geared towards allowing various
> > > > calls such as NLM while export policy is set with sec=krb5:...
> > > >
> > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > ---
> > > >  fs/nfsd/export.c | 17 ++++++++---------
> > > >  1 file changed, 8 insertions(+), 9 deletions(-)
> > > >
> > > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > > > index 88ae410b4113..02f26cbd59d0 100644
> > > > --- a/fs/nfsd/export.c
> > > > +++ b/fs/nfsd/export.c
> > > > @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > >                       return nfs_ok;
> > > >       }
> > > >
> > > > -     /* If the compound op contains a spo_must_allowed op,
> > > > -      * it will be sent with integrity/protection which
> > > > -      * will have to be expressly allowed on mounts that
> > > > -      * don't support it
> > > > -      */
> > > > -
> > > > -     if (nfsd4_spo_must_allow(rqstp))
> > > > -             return nfs_ok;
> > > > -
> > > >       /* Some calls may be processed without authentication
> > > >        * on GSS exports. For example NFS2/3 calls on root
> > > >        * directory, see section 2.3.2 of rfc 2623.
> > > > @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > >                               return 0;
> > > >               }
> > > >       }
> > > > +     /* If the compound op contains a spo_must_allowed op,
> > > > +      * it will be sent with integrity/protection which
> > > > +      * will have to be expressly allowed on mounts that
> > > > +      * don't support it
> > > > +      */
> > > > +     if (nfsd4_spo_must_allow(rqstp))
> > > > +             return nfs_ok;
> > > > +
> > > >
> > > >  denied:
> > > >       return nfserr_wrongsec;
> > >
> > > Is this enough to fully fix the OOB problem? It looks like you could
> > > still get past the may_bypass_gss if statement above this with a
> > > carefully crafted RPC.
> >
> > A crafted RPC can and thus Neil's patch that checks the version in
> > nfsd4_spo_must_allow is needed.
> >
> > I still feel changing the order would be beneficial as it would take
> > care of realistic requests.
>
> No objection to changing the order if that makes sense, but I think we
> do need to guard against carefully crafted RPCs too. Can we have
> nfsd4_spo_must_allow() vet that the request is NFSv4 before checking
> the compound fields too?

Neil already posted a patch for that? "nfsd: nfsd4_spo_must_allow()
must check this is a v4 compound request" march 27th.

> --
> Jeff Layton <jlayton@kernel.org>
>

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Jeff Layton]

On Mon, 2025-04-07 at 13:17 -0400, Olga Kornievskaia wrote:
> On Mon, Apr 7, 2025 at 11:59 AM Jeff Layton <jlayton@kernel.org> wrote:
> > 
> > On Mon, 2025-04-07 at 11:56 -0400, Olga Kornievskaia wrote:
> > > On Mon, Apr 7, 2025 at 11:36 AM Jeff Layton <jlayton@kernel.org> wrote:
> > > > 
> > > > On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> > > > > Prior to this patch, some non-4.x NFS operations such as NLM
> > > > > calls have to go thru export policy checking would end up
> > > > > calling nfsd4_spo_must_allow() function and lead to an
> > > > > out-of-bounds error because no compound state structures
> > > > > needed by nfsd4_spo_must_allow() are present in the svc_rqst
> > > > > request structure.
> > > > > 
> > > > > Instead, do the nfsd4_spo_must_allow() checking after the
> > > > > may_bypass_gss check which is geared towards allowing various
> > > > > calls such as NLM while export policy is set with sec=krb5:...
> > > > > 
> > > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > > ---
> > > > >  fs/nfsd/export.c | 17 ++++++++---------
> > > > >  1 file changed, 8 insertions(+), 9 deletions(-)
> > > > > 
> > > > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > > > > index 88ae410b4113..02f26cbd59d0 100644
> > > > > --- a/fs/nfsd/export.c
> > > > > +++ b/fs/nfsd/export.c
> > > > > @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > > >                       return nfs_ok;
> > > > >       }
> > > > > 
> > > > > -     /* If the compound op contains a spo_must_allowed op,
> > > > > -      * it will be sent with integrity/protection which
> > > > > -      * will have to be expressly allowed on mounts that
> > > > > -      * don't support it
> > > > > -      */
> > > > > -
> > > > > -     if (nfsd4_spo_must_allow(rqstp))
> > > > > -             return nfs_ok;
> > > > > -
> > > > >       /* Some calls may be processed without authentication
> > > > >        * on GSS exports. For example NFS2/3 calls on root
> > > > >        * directory, see section 2.3.2 of rfc 2623.
> > > > > @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > > >                               return 0;
> > > > >               }
> > > > >       }
> > > > > +     /* If the compound op contains a spo_must_allowed op,
> > > > > +      * it will be sent with integrity/protection which
> > > > > +      * will have to be expressly allowed on mounts that
> > > > > +      * don't support it
> > > > > +      */
> > > > > +     if (nfsd4_spo_must_allow(rqstp))
> > > > > +             return nfs_ok;
> > > > > +
> > > > > 
> > > > >  denied:
> > > > >       return nfserr_wrongsec;
> > > > 
> > > > Is this enough to fully fix the OOB problem? It looks like you could
> > > > still get past the may_bypass_gss if statement above this with a
> > > > carefully crafted RPC.
> > > 
> > > A crafted RPC can and thus Neil's patch that checks the version in
> > > nfsd4_spo_must_allow is needed.
> > > 
> > > I still feel changing the order would be beneficial as it would take
> > > care of realistic requests.
> > 
> > No objection to changing the order if that makes sense, but I think we
> > do need to guard against carefully crafted RPCs too. Can we have
> > nfsd4_spo_must_allow() vet that the request is NFSv4 before checking
> > the compound fields too?
> 
> Neil already posted a patch for that? "nfsd: nfsd4_spo_must_allow()
> must check this is a v4 compound request" march 27th.
> 
> 

Perfect. You guys are way ahead of me!

With that in place, what's the benefit to taking this patch? Does
reordering these checks give us anything?
-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 2/3] nfsd: adjust nfsd4_spo_must_allow checking order

[Olga Kornievskaia]

On Mon, Apr 7, 2025 at 1:47 PM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Mon, 2025-04-07 at 13:17 -0400, Olga Kornievskaia wrote:
> > On Mon, Apr 7, 2025 at 11:59 AM Jeff Layton <jlayton@kernel.org> wrote:
> > >
> > > On Mon, 2025-04-07 at 11:56 -0400, Olga Kornievskaia wrote:
> > > > On Mon, Apr 7, 2025 at 11:36 AM Jeff Layton <jlayton@kernel.org> wrote:
> > > > >
> > > > > On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> > > > > > Prior to this patch, some non-4.x NFS operations such as NLM
> > > > > > calls have to go thru export policy checking would end up
> > > > > > calling nfsd4_spo_must_allow() function and lead to an
> > > > > > out-of-bounds error because no compound state structures
> > > > > > needed by nfsd4_spo_must_allow() are present in the svc_rqst
> > > > > > request structure.
> > > > > >
> > > > > > Instead, do the nfsd4_spo_must_allow() checking after the
> > > > > > may_bypass_gss check which is geared towards allowing various
> > > > > > calls such as NLM while export policy is set with sec=krb5:...
> > > > > >
> > > > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > > > ---
> > > > > >  fs/nfsd/export.c | 17 ++++++++---------
> > > > > >  1 file changed, 8 insertions(+), 9 deletions(-)
> > > > > >
> > > > > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > > > > > index 88ae410b4113..02f26cbd59d0 100644
> > > > > > --- a/fs/nfsd/export.c
> > > > > > +++ b/fs/nfsd/export.c
> > > > > > @@ -1143,15 +1143,6 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > > > >                       return nfs_ok;
> > > > > >       }
> > > > > >
> > > > > > -     /* If the compound op contains a spo_must_allowed op,
> > > > > > -      * it will be sent with integrity/protection which
> > > > > > -      * will have to be expressly allowed on mounts that
> > > > > > -      * don't support it
> > > > > > -      */
> > > > > > -
> > > > > > -     if (nfsd4_spo_must_allow(rqstp))
> > > > > > -             return nfs_ok;
> > > > > > -
> > > > > >       /* Some calls may be processed without authentication
> > > > > >        * on GSS exports. For example NFS2/3 calls on root
> > > > > >        * directory, see section 2.3.2 of rfc 2623.
> > > > > > @@ -1168,6 +1159,14 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> > > > > >                               return 0;
> > > > > >               }
> > > > > >       }
> > > > > > +     /* If the compound op contains a spo_must_allowed op,
> > > > > > +      * it will be sent with integrity/protection which
> > > > > > +      * will have to be expressly allowed on mounts that
> > > > > > +      * don't support it
> > > > > > +      */
> > > > > > +     if (nfsd4_spo_must_allow(rqstp))
> > > > > > +             return nfs_ok;
> > > > > > +
> > > > > >
> > > > > >  denied:
> > > > > >       return nfserr_wrongsec;
> > > > >
> > > > > Is this enough to fully fix the OOB problem? It looks like you could
> > > > > still get past the may_bypass_gss if statement above this with a
> > > > > carefully crafted RPC.
> > > >
> > > > A crafted RPC can and thus Neil's patch that checks the version in
> > > > nfsd4_spo_must_allow is needed.
> > > >
> > > > I still feel changing the order would be beneficial as it would take
> > > > care of realistic requests.
> > >
> > > No objection to changing the order if that makes sense, but I think we
> > > do need to guard against carefully crafted RPCs too. Can we have
> > > nfsd4_spo_must_allow() vet that the request is NFSv4 before checking
> > > the compound fields too?
> >
> > Neil already posted a patch for that? "nfsd: nfsd4_spo_must_allow()
> > must check this is a v4 compound request" march 27th.
> >
> >
>
> Perfect. You guys are way ahead of me!
>
> With that in place, what's the benefit to taking this patch? Does
> reordering these checks give us anything?

I think with this patch the code is cleaner as the "realistic" v3 path
will never go into nfsd4_spo_must_allow() this way.

> --
> Jeff Layton <jlayton@kernel.org>
>

[PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

NLM locking calls need to pass thru file permission checking
and for that prior to calling inode_permission() we need
to set appropriate access mask.

Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
---
 fs/nfsd/vfs.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 4021b047eb18..7928ae21509f 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
 	if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
 		return nfserr_perm;
 
+	/*
+	 * For the purpose of permission checking of NLM requests,
+	 * the locker must have READ access or own the file
+	 */
+	if (acc & NFSD_MAY_NLM)
+		acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
+
 	/*
 	 * The file owner always gets access permission for accesses that
 	 * would normally be checked at open time. This is to make
-- 
2.47.1

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> NLM locking calls need to pass thru file permission checking
> and for that prior to calling inode_permission() we need
> to set appropriate access mask.
> 
> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> ---
>  fs/nfsd/vfs.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> index 4021b047eb18..7928ae21509f 100644
> --- a/fs/nfsd/vfs.c
> +++ b/fs/nfsd/vfs.c
> @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
>  	if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
>  		return nfserr_perm;
>  
> +	/*
> +	 * For the purpose of permission checking of NLM requests,
> +	 * the locker must have READ access or own the file
> +	 */
> +	if (acc & NFSD_MAY_NLM)
> +		acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> +

I don't agree with this change.
The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
set.  So that part of the change adds no value.

This change only affects the case where a write lock is being requested.
In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
This change will set NFSD_MAY_READ.  Is that really needed?

Can you please describe the particular problem you saw that is fixed by
this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
then I would rather it were done in nlm_fopen().

Thanks,
NeilBrown


>  	/*
>  	 * The file owner always gets access permission for accesses that
>  	 * would normally be checked at open time. This is to make
> -- 
> 2.47.1
> 
> 

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
>
> On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > NLM locking calls need to pass thru file permission checking
> > and for that prior to calling inode_permission() we need
> > to set appropriate access mask.
> >
> > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > ---
> >  fs/nfsd/vfs.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > index 4021b047eb18..7928ae21509f 100644
> > --- a/fs/nfsd/vfs.c
> > +++ b/fs/nfsd/vfs.c
> > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> >               return nfserr_perm;
> >
> > +     /*
> > +      * For the purpose of permission checking of NLM requests,
> > +      * the locker must have READ access or own the file
> > +      */
> > +     if (acc & NFSD_MAY_NLM)
> > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > +
>
> I don't agree with this change.
> The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> set.  So that part of the change adds no value.
>
> This change only affects the case where a write lock is being requested.
> In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> This change will set NFSD_MAY_READ.  Is that really needed?
>
> Can you please describe the particular problem you saw that is fixed by
> this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> then I would rather it were done in nlm_fopen().

set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
then ask for an exclusive flock(), it would fail.

The reason it fails is because nlm_fopen() translates lock to open
with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
inode_permission(). The patch changed it and lead to lock no longer
being given out with sec=krb5 policy.


>
> Thanks,
> NeilBrown
>
>
> >       /*
> >        * The file owner always gets access permission for accesses that
> >        * would normally be checked at open time. This is to make
> > --
> > 2.47.1
> >
> >
>

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
> On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
> >
> > On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > > NLM locking calls need to pass thru file permission checking
> > > and for that prior to calling inode_permission() we need
> > > to set appropriate access mask.
> > >
> > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > ---
> > >  fs/nfsd/vfs.c | 7 +++++++
> > >  1 file changed, 7 insertions(+)
> > >
> > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > > index 4021b047eb18..7928ae21509f 100644
> > > --- a/fs/nfsd/vfs.c
> > > +++ b/fs/nfsd/vfs.c
> > > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> > >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> > >               return nfserr_perm;
> > >
> > > +     /*
> > > +      * For the purpose of permission checking of NLM requests,
> > > +      * the locker must have READ access or own the file
> > > +      */
> > > +     if (acc & NFSD_MAY_NLM)
> > > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > > +
> >
> > I don't agree with this change.
> > The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> > set.  So that part of the change adds no value.
> >
> > This change only affects the case where a write lock is being requested.
> > In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> > This change will set NFSD_MAY_READ.  Is that really needed?
> >
> > Can you please describe the particular problem you saw that is fixed by
> > this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> > then I would rather it were done in nlm_fopen().
> 
> set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
> then ask for an exclusive flock(), it would fail.
> 
> The reason it fails is because nlm_fopen() translates lock to open
> with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
> acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
> inode_permission(). The patch changed it and lead to lock no longer
> being given out with sec=krb5 policy.

And do you have WRITE access to the file?

check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
granted the file must be open for FMODE_WRITE.
So when an exclusive lock request arrives via NLM, nlm_lookup_file()
calls nlm_do_fopen() with a mode of O_WRONLY and that causes
nfsd_permission() to check that the caller has write access to the file.

So if you are trying to get an exclusive lock to a file that you don't
have write access to, then it should fail.
If, however, you do have write access to the file - I cannot see why
asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.

NeilBrown


> 
> 
> >
> > Thanks,
> > NeilBrown
> >
> >
> > >       /*
> > >        * The file owner always gets access permission for accesses that
> > >        * would normally be checked at open time. This is to make
> > > --
> > > 2.47.1
> > >
> > >
> >
> 
> 

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Chuck Lever]

On 3/27/25 9:43 PM, NeilBrown wrote:
> On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
>> On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
>>>
>>> On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
>>>> NLM locking calls need to pass thru file permission checking
>>>> and for that prior to calling inode_permission() we need
>>>> to set appropriate access mask.
>>>>
>>>> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
>>>> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
>>>> ---
>>>>  fs/nfsd/vfs.c | 7 +++++++
>>>>  1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
>>>> index 4021b047eb18..7928ae21509f 100644
>>>> --- a/fs/nfsd/vfs.c
>>>> +++ b/fs/nfsd/vfs.c
>>>> @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
>>>>       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
>>>>               return nfserr_perm;
>>>>
>>>> +     /*
>>>> +      * For the purpose of permission checking of NLM requests,
>>>> +      * the locker must have READ access or own the file
>>>> +      */
>>>> +     if (acc & NFSD_MAY_NLM)
>>>> +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
>>>> +
>>>
>>> I don't agree with this change.
>>> The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
>>> set.  So that part of the change adds no value.
>>>
>>> This change only affects the case where a write lock is being requested.
>>> In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
>>> This change will set NFSD_MAY_READ.  Is that really needed?
>>>
>>> Can you please describe the particular problem you saw that is fixed by
>>> this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
>>> then I would rather it were done in nlm_fopen().
>>
>> set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
>> then ask for an exclusive flock(), it would fail.
>>
>> The reason it fails is because nlm_fopen() translates lock to open
>> with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
>> acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
>> inode_permission(). The patch changed it and lead to lock no longer
>> being given out with sec=krb5 policy.
> 
> And do you have WRITE access to the file?
> 
> check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
> granted the file must be open for FMODE_WRITE.
> So when an exclusive lock request arrives via NLM, nlm_lookup_file()
> calls nlm_do_fopen() with a mode of O_WRONLY and that causes
> nfsd_permission() to check that the caller has write access to the file.
> 
> So if you are trying to get an exclusive lock to a file that you don't
> have write access to, then it should fail.
> If, however, you do have write access to the file - I cannot see why
> asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.

A little context:

3/3 partially reverts 4cc9b9f2bf4d. Setting exactly READ / OVERRIDE for
NLM requests is what nfsd_permission() had done for many years before
4cc9b9f2bf4d. Thus I regard this as a safe thing to do at the moment.

I agree, however, that it is mysterious why that should work at all, and
I'm fine with holding off on 3/3 until we have a clearer RCA.

Initially I thought changing nlm_fopen() would be a better approach,
but I think there are other consumers of the MAY flags set by
nlm_fopen() that could be impacted by such a change.


> NeilBrown
> 
> 
>>
>>
>>>
>>> Thanks,
>>> NeilBrown
>>>
>>>
>>>>       /*
>>>>        * The file owner always gets access permission for accesses that
>>>>        * would normally be checked at open time. This is to make
>>>> --
>>>> 2.47.1
>>>>
>>>>
>>>
>>
>>
> 


-- 
Chuck Lever

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
>
> On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
> > On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
> > >
> > > On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > > > NLM locking calls need to pass thru file permission checking
> > > > and for that prior to calling inode_permission() we need
> > > > to set appropriate access mask.
> > > >
> > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > ---
> > > >  fs/nfsd/vfs.c | 7 +++++++
> > > >  1 file changed, 7 insertions(+)
> > > >
> > > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > > > index 4021b047eb18..7928ae21509f 100644
> > > > --- a/fs/nfsd/vfs.c
> > > > +++ b/fs/nfsd/vfs.c
> > > > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> > > >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> > > >               return nfserr_perm;
> > > >
> > > > +     /*
> > > > +      * For the purpose of permission checking of NLM requests,
> > > > +      * the locker must have READ access or own the file
> > > > +      */
> > > > +     if (acc & NFSD_MAY_NLM)
> > > > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > > > +
> > >
> > > I don't agree with this change.
> > > The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> > > set.  So that part of the change adds no value.
> > >
> > > This change only affects the case where a write lock is being requested.
> > > In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> > > This change will set NFSD_MAY_READ.  Is that really needed?
> > >
> > > Can you please describe the particular problem you saw that is fixed by
> > > this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> > > then I would rather it were done in nlm_fopen().
> >
> > set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
> > then ask for an exclusive flock(), it would fail.
> >
> > The reason it fails is because nlm_fopen() translates lock to open
> > with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
> > acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
> > inode_permission(). The patch changed it and lead to lock no longer
> > being given out with sec=krb5 policy.
>
> And do you have WRITE access to the file?
>
> check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
> granted the file must be open for FMODE_WRITE.
> So when an exclusive lock request arrives via NLM, nlm_lookup_file()
> calls nlm_do_fopen() with a mode of O_WRONLY and that causes
> nfsd_permission() to check that the caller has write access to the file.
>
> So if you are trying to get an exclusive lock to a file that you don't
> have write access to, then it should fail.
> If, however, you do have write access to the file - I cannot see why
> asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.

That's correct, the user doing flock() does NOT have write access to
the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
that was a bug then my bad. I assumed it was regression.

It's interesting to me that on an XFS file system, I can create a file
owned by root (on a local filesystem) and then request an exclusive
lock on it (as a user -- no write permissions).

okorniev@linux:~$ ls -l /export/foobar
-rw-r--r--. 1 root root 4 Mar 28 10:46 /export/foobar
okorniev@linux:~$ flock -x /export/foobar sleep 1s

>
> NeilBrown
>
>
> >
> >
> > >
> > > Thanks,
> > > NeilBrown
> > >
> > >
> > > >       /*
> > > >        * The file owner always gets access permission for accesses that
> > > >        * would normally be checked at open time. This is to make
> > > > --
> > > > 2.47.1
> > > >
> > > >
> > >
> >
> >
>
>

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Sat, 29 Mar 2025, Olga Kornievskaia wrote:
> On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
> >
> > On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
> > > On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
> > > >
> > > > On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > > > > NLM locking calls need to pass thru file permission checking
> > > > > and for that prior to calling inode_permission() we need
> > > > > to set appropriate access mask.
> > > > >
> > > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > > ---
> > > > >  fs/nfsd/vfs.c | 7 +++++++
> > > > >  1 file changed, 7 insertions(+)
> > > > >
> > > > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > > > > index 4021b047eb18..7928ae21509f 100644
> > > > > --- a/fs/nfsd/vfs.c
> > > > > +++ b/fs/nfsd/vfs.c
> > > > > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> > > > >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> > > > >               return nfserr_perm;
> > > > >
> > > > > +     /*
> > > > > +      * For the purpose of permission checking of NLM requests,
> > > > > +      * the locker must have READ access or own the file
> > > > > +      */
> > > > > +     if (acc & NFSD_MAY_NLM)
> > > > > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > > > > +
> > > >
> > > > I don't agree with this change.
> > > > The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> > > > set.  So that part of the change adds no value.
> > > >
> > > > This change only affects the case where a write lock is being requested.
> > > > In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> > > > This change will set NFSD_MAY_READ.  Is that really needed?
> > > >
> > > > Can you please describe the particular problem you saw that is fixed by
> > > > this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> > > > then I would rather it were done in nlm_fopen().
> > >
> > > set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
> > > then ask for an exclusive flock(), it would fail.
> > >
> > > The reason it fails is because nlm_fopen() translates lock to open
> > > with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
> > > acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
> > > inode_permission(). The patch changed it and lead to lock no longer
> > > being given out with sec=krb5 policy.
> >
> > And do you have WRITE access to the file?
> >
> > check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
> > granted the file must be open for FMODE_WRITE.
> > So when an exclusive lock request arrives via NLM, nlm_lookup_file()
> > calls nlm_do_fopen() with a mode of O_WRONLY and that causes
> > nfsd_permission() to check that the caller has write access to the file.
> >
> > So if you are trying to get an exclusive lock to a file that you don't
> > have write access to, then it should fail.
> > If, however, you do have write access to the file - I cannot see why
> > asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.
> 
> That's correct, the user doing flock() does NOT have write access to
> the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
> that was a bug then my bad. I assumed it was regression.
> 
> It's interesting to me that on an XFS file system, I can create a file
> owned by root (on a local filesystem) and then request an exclusive
> lock on it (as a user -- no write permissions).

"flock" is the missing piece.  I always thought it was a little odd
implementing flock locks over NFS using byte-range locking.  Not
necessarily wrong, but definitely odd.

The man page for fcntl says 

   In order to place a read lock, fd must be open for reading.  In order
   to place a write lock, fd must be open for writing.  To place both
   types of lock, open a file read-write.

So byte-range locks require a consistent open mode.

The man page for flock says

    A shared or exclusive lock can be placed on a file regardless of the
    mode in which the file was opened.

Since the NFS client started using NLM (or v4 LOCK) for flock requests,
we cannot know if a request is flock or fcntl so we cannot check the
"correct" permissions.  We have to rely on the client doing the
permission checking.

So it isn't really correct to check for either READ or WRITE.

This is awkward because nfsd doesn't just check permissions.  It has to
open the file and say what mode it is opening for.  This is apparently
important when re-exporting NFS according to

Commit: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")

So if you try an exclusive flock on a re-exported NFS file (reexported
over v3) that you have open for READ but do not have write permission
for, then the client will allow it, but the intermediate server will try
a O_WRITE open which the final server will reject.
(does re-export work over v3??)

There is no way to make this "work".  As I said: sending flock requests
over NFS was an interesting choice.
For v4 re-export it isn't a problem because the intermediate server
knows what mode the file was opened for on the client.

So what do we do?  Whatever we do needs a comment explaining that flock
vs fcntl is the problem.
Possibly we should not require read or write access - and just trust the
client.  Alternately we could stick with the current practice of
requiring READ but not WRITE - it would be rare to lock a file which you
don't have read access to.

So yes: we do need a patch here.  I would suggest something like:

 /* An NLM request may be from fcntl() which requires the open mode to
  * match to lock mode or may be from flock() which allows any lock mode
  * with any open mode.  "acc" here indicates the lock mode but we must
  * do permission check reflecting the open mode which we cannot know.
  * For simplicity and historical continuity, always only check for
  * READ access
  */
 if (acc & NFSD_MAY_NLM)
	acc = (acc & ~NFSD_MAY_WRITE) | NFSD_MAY_READ;

I'd prefer to leave the MAY_OWNER_OVERRIDE setting in nlm_fopen().

Thanks,
NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Tom Talpey]

On 3/28/2025 5:53 PM, NeilBrown wrote:
> On Sat, 29 Mar 2025, Olga Kornievskaia wrote:
>> On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
>>>
>>> On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
>>>> On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
>>>>>
>>>>> On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
>>>>>> NLM locking calls need to pass thru file permission checking
>>>>>> and for that prior to calling inode_permission() we need
>>>>>> to set appropriate access mask.
>>>>>>
>>>>>> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
>>>>>> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
>>>>>> ---
>>>>>>   fs/nfsd/vfs.c | 7 +++++++
>>>>>>   1 file changed, 7 insertions(+)
>>>>>>
>>>>>> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
>>>>>> index 4021b047eb18..7928ae21509f 100644
>>>>>> --- a/fs/nfsd/vfs.c
>>>>>> +++ b/fs/nfsd/vfs.c
>>>>>> @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
>>>>>>        if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
>>>>>>                return nfserr_perm;
>>>>>>
>>>>>> +     /*
>>>>>> +      * For the purpose of permission checking of NLM requests,
>>>>>> +      * the locker must have READ access or own the file
>>>>>> +      */
>>>>>> +     if (acc & NFSD_MAY_NLM)
>>>>>> +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
>>>>>> +
>>>>>
>>>>> I don't agree with this change.
>>>>> The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
>>>>> set.  So that part of the change adds no value.
>>>>>
>>>>> This change only affects the case where a write lock is being requested.
>>>>> In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
>>>>> This change will set NFSD_MAY_READ.  Is that really needed?
>>>>>
>>>>> Can you please describe the particular problem you saw that is fixed by
>>>>> this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
>>>>> then I would rather it were done in nlm_fopen().
>>>>
>>>> set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
>>>> then ask for an exclusive flock(), it would fail.
>>>>
>>>> The reason it fails is because nlm_fopen() translates lock to open
>>>> with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
>>>> acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
>>>> inode_permission(). The patch changed it and lead to lock no longer
>>>> being given out with sec=krb5 policy.
>>>
>>> And do you have WRITE access to the file?
>>>
>>> check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
>>> granted the file must be open for FMODE_WRITE.
>>> So when an exclusive lock request arrives via NLM, nlm_lookup_file()
>>> calls nlm_do_fopen() with a mode of O_WRONLY and that causes
>>> nfsd_permission() to check that the caller has write access to the file.
>>>
>>> So if you are trying to get an exclusive lock to a file that you don't
>>> have write access to, then it should fail.
>>> If, however, you do have write access to the file - I cannot see why
>>> asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.
>>
>> That's correct, the user doing flock() does NOT have write access to
>> the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
>> that was a bug then my bad. I assumed it was regression.
>>
>> It's interesting to me that on an XFS file system, I can create a file
>> owned by root (on a local filesystem) and then request an exclusive
>> lock on it (as a user -- no write permissions).
> 
> "flock" is the missing piece.  I always thought it was a little odd
> implementing flock locks over NFS using byte-range locking.  Not
> necessarily wrong, but definitely odd.
> 
> The man page for fcntl says
> 
>     In order to place a read lock, fd must be open for reading.  In order
>     to place a write lock, fd must be open for writing.  To place both
>     types of lock, open a file read-write.
> 
> So byte-range locks require a consistent open mode.
> 
> The man page for flock says
> 
>      A shared or exclusive lock can be placed on a file regardless of the
>      mode in which the file was opened.
> 
> Since the NFS client started using NLM (or v4 LOCK) for flock requests,
> we cannot know if a request is flock or fcntl so we cannot check the
> "correct" permissions.  We have to rely on the client doing the
> permission checking.
> 
> So it isn't really correct to check for either READ or WRITE.

Just one thing to mention, newer versions of the flock(2) manpage do
mention the NFS/NLM behavior w.r.t. open for writing:

        Since Linux 2.6.12, NFS clients support flock() locks by emulating
        them as fcntl(2) byte-range locks on the entire file.  This means
        that fcntl(2) and flock() locks do interact with one another over
        NFS.  It also means that in order to place an exclusive lock, the
        file must be opened for writing.

Not sure this solves the question, but it's "documented". The text
should maybe be revisited either way.

Tom.

> This is awkward because nfsd doesn't just check permissions.  It has to
> open the file and say what mode it is opening for.  This is apparently
> important when re-exporting NFS according to
> 
> Commit: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")
> 
> So if you try an exclusive flock on a re-exported NFS file (reexported
> over v3) that you have open for READ but do not have write permission
> for, then the client will allow it, but the intermediate server will try
> a O_WRITE open which the final server will reject.
> (does re-export work over v3??)
> 
> There is no way to make this "work".  As I said: sending flock requests
> over NFS was an interesting choice.
> For v4 re-export it isn't a problem because the intermediate server
> knows what mode the file was opened for on the client.
> 
> So what do we do?  Whatever we do needs a comment explaining that flock
> vs fcntl is the problem.
> Possibly we should not require read or write access - and just trust the
> client.  Alternately we could stick with the current practice of
> requiring READ but not WRITE - it would be rare to lock a file which you
> don't have read access to.
> 
> So yes: we do need a patch here.  I would suggest something like:
> 
>   /* An NLM request may be from fcntl() which requires the open mode to
>    * match to lock mode or may be from flock() which allows any lock mode
>    * with any open mode.  "acc" here indicates the lock mode but we must
>    * do permission check reflecting the open mode which we cannot know.
>    * For simplicity and historical continuity, always only check for
>    * READ access
>    */
>   if (acc & NFSD_MAY_NLM)
> 	acc = (acc & ~NFSD_MAY_WRITE) | NFSD_MAY_READ;
> 
> I'd prefer to leave the MAY_OWNER_OVERRIDE setting in nlm_fopen().
> 
> Thanks,
> NeilBrown
> 

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Chuck Lever]

On 3/28/25 7:29 PM, Tom Talpey wrote:
> On 3/28/2025 5:53 PM, NeilBrown wrote:
>> On Sat, 29 Mar 2025, Olga Kornievskaia wrote:
>>> On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
>>>>
>>>> On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
>>>>> On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
>>>>>>
>>>>>> On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
>>>>>>> NLM locking calls need to pass thru file permission checking
>>>>>>> and for that prior to calling inode_permission() we need
>>>>>>> to set appropriate access mask.
>>>>>>>
>>>>>>> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
>>>>>>> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
>>>>>>> ---
>>>>>>>   fs/nfsd/vfs.c | 7 +++++++
>>>>>>>   1 file changed, 7 insertions(+)
>>>>>>>
>>>>>>> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
>>>>>>> index 4021b047eb18..7928ae21509f 100644
>>>>>>> --- a/fs/nfsd/vfs.c
>>>>>>> +++ b/fs/nfsd/vfs.c
>>>>>>> @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred,
>>>>>>> struct svc_export *exp,
>>>>>>>        if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
>>>>>>>                return nfserr_perm;
>>>>>>>
>>>>>>> +     /*
>>>>>>> +      * For the purpose of permission checking of NLM requests,
>>>>>>> +      * the locker must have READ access or own the file
>>>>>>> +      */
>>>>>>> +     if (acc & NFSD_MAY_NLM)
>>>>>>> +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
>>>>>>> +
>>>>>>
>>>>>> I don't agree with this change.
>>>>>> The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is
>>>>>> also
>>>>>> set.  So that part of the change adds no value.
>>>>>>
>>>>>> This change only affects the case where a write lock is being
>>>>>> requested.
>>>>>> In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
>>>>>> This change will set NFSD_MAY_READ.  Is that really needed?
>>>>>>
>>>>>> Can you please describe the particular problem you saw that is
>>>>>> fixed by
>>>>>> this patch?  If there is a problem and we do need to add
>>>>>> NFSD_MAY_READ,
>>>>>> then I would rather it were done in nlm_fopen().
>>>>>
>>>>> set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
>>>>> then ask for an exclusive flock(), it would fail.
>>>>>
>>>>> The reason it fails is because nlm_fopen() translates lock to open
>>>>> with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
>>>>> acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
>>>>> inode_permission(). The patch changed it and lead to lock no longer
>>>>> being given out with sec=krb5 policy.
>>>>
>>>> And do you have WRITE access to the file?
>>>>
>>>> check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
>>>> granted the file must be open for FMODE_WRITE.
>>>> So when an exclusive lock request arrives via NLM, nlm_lookup_file()
>>>> calls nlm_do_fopen() with a mode of O_WRONLY and that causes
>>>> nfsd_permission() to check that the caller has write access to the
>>>> file.
>>>>
>>>> So if you are trying to get an exclusive lock to a file that you don't
>>>> have write access to, then it should fail.
>>>> If, however, you do have write access to the file - I cannot see why
>>>> asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.
>>>
>>> That's correct, the user doing flock() does NOT have write access to
>>> the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
>>> that was a bug then my bad. I assumed it was regression.
>>>
>>> It's interesting to me that on an XFS file system, I can create a file
>>> owned by root (on a local filesystem) and then request an exclusive
>>> lock on it (as a user -- no write permissions).
>>
>> "flock" is the missing piece.  I always thought it was a little odd
>> implementing flock locks over NFS using byte-range locking.  Not
>> necessarily wrong, but definitely odd.
>>
>> The man page for fcntl says
>>
>>     In order to place a read lock, fd must be open for reading.  In order
>>     to place a write lock, fd must be open for writing.  To place both
>>     types of lock, open a file read-write.
>>
>> So byte-range locks require a consistent open mode.
>>
>> The man page for flock says
>>
>>      A shared or exclusive lock can be placed on a file regardless of the
>>      mode in which the file was opened.
>>
>> Since the NFS client started using NLM (or v4 LOCK) for flock requests,
>> we cannot know if a request is flock or fcntl so we cannot check the
>> "correct" permissions.  We have to rely on the client doing the
>> permission checking.
>>
>> So it isn't really correct to check for either READ or WRITE.
> 
> Just one thing to mention, newer versions of the flock(2) manpage do
> mention the NFS/NLM behavior w.r.t. open for writing:
> 
>        Since Linux 2.6.12, NFS clients support flock() locks by emulating
>        them as fcntl(2) byte-range locks on the entire file.  This means
>        that fcntl(2) and flock() locks do interact with one another over
>        NFS.  It also means that in order to place an exclusive lock, the
>        file must be opened for writing.
> 
> Not sure this solves the question, but it's "documented". The text
> should maybe be revisited either way.

Thanks, Neil and Tom, for digging this out.

I agree that the new code comment should explicitly mention that
this logic is necessary due to our NFSv3 implementation emulating
flock() with fcntl() byte-range locks.


> Tom.
> 
>> This is awkward because nfsd doesn't just check permissions.  It has to
>> open the file and say what mode it is opening for.  This is apparently
>> important when re-exporting NFS according to
>>
>> Commit: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")
>>
>> So if you try an exclusive flock on a re-exported NFS file (reexported
>> over v3) that you have open for READ but do not have write permission
>> for, then the client will allow it, but the intermediate server will try
>> a O_WRITE open which the final server will reject.
>> (does re-export work over v3??)
>>
>> There is no way to make this "work".  As I said: sending flock requests
>> over NFS was an interesting choice.
>> For v4 re-export it isn't a problem because the intermediate server
>> knows what mode the file was opened for on the client.
>>
>> So what do we do?  Whatever we do needs a comment explaining that flock
>> vs fcntl is the problem.
>> Possibly we should not require read or write access - and just trust the
>> client.  Alternately we could stick with the current practice of
>> requiring READ but not WRITE - it would be rare to lock a file which you
>> don't have read access to.
>>
>> So yes: we do need a patch here.  I would suggest something like:
>>
>>   /* An NLM request may be from fcntl() which requires the open mode to
>>    * match to lock mode or may be from flock() which allows any lock mode
>>    * with any open mode.  "acc" here indicates the lock mode but we must
>>    * do permission check reflecting the open mode which we cannot know.
>>    * For simplicity and historical continuity, always only check for
>>    * READ access
>>    */
>>   if (acc & NFSD_MAY_NLM)
>>     acc = (acc & ~NFSD_MAY_WRITE) | NFSD_MAY_READ;
>>
>> I'd prefer to leave the MAY_OWNER_OVERRIDE setting in nlm_fopen().
>>
>> Thanks,
>> NeilBrown
>>
> 


-- 
Chuck Lever

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

On Fri, Mar 28, 2025 at 5:53 PM NeilBrown <neilb@suse.de> wrote:
>
> On Sat, 29 Mar 2025, Olga Kornievskaia wrote:
> > On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
> > >
> > > On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
> > > > On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
> > > > >
> > > > > On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > > > > > NLM locking calls need to pass thru file permission checking
> > > > > > and for that prior to calling inode_permission() we need
> > > > > > to set appropriate access mask.
> > > > > >
> > > > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > > > ---
> > > > > >  fs/nfsd/vfs.c | 7 +++++++
> > > > > >  1 file changed, 7 insertions(+)
> > > > > >
> > > > > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > > > > > index 4021b047eb18..7928ae21509f 100644
> > > > > > --- a/fs/nfsd/vfs.c
> > > > > > +++ b/fs/nfsd/vfs.c
> > > > > > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> > > > > >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> > > > > >               return nfserr_perm;
> > > > > >
> > > > > > +     /*
> > > > > > +      * For the purpose of permission checking of NLM requests,
> > > > > > +      * the locker must have READ access or own the file
> > > > > > +      */
> > > > > > +     if (acc & NFSD_MAY_NLM)
> > > > > > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > > > > > +
> > > > >
> > > > > I don't agree with this change.
> > > > > The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> > > > > set.  So that part of the change adds no value.
> > > > >
> > > > > This change only affects the case where a write lock is being requested.
> > > > > In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> > > > > This change will set NFSD_MAY_READ.  Is that really needed?
> > > > >
> > > > > Can you please describe the particular problem you saw that is fixed by
> > > > > this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> > > > > then I would rather it were done in nlm_fopen().
> > > >
> > > > set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
> > > > then ask for an exclusive flock(), it would fail.
> > > >
> > > > The reason it fails is because nlm_fopen() translates lock to open
> > > > with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
> > > > acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
> > > > inode_permission(). The patch changed it and lead to lock no longer
> > > > being given out with sec=krb5 policy.
> > >
> > > And do you have WRITE access to the file?
> > >
> > > check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
> > > granted the file must be open for FMODE_WRITE.
> > > So when an exclusive lock request arrives via NLM, nlm_lookup_file()
> > > calls nlm_do_fopen() with a mode of O_WRONLY and that causes
> > > nfsd_permission() to check that the caller has write access to the file.
> > >
> > > So if you are trying to get an exclusive lock to a file that you don't
> > > have write access to, then it should fail.
> > > If, however, you do have write access to the file - I cannot see why
> > > asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.
> >
> > That's correct, the user doing flock() does NOT have write access to
> > the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
> > that was a bug then my bad. I assumed it was regression.
> >
> > It's interesting to me that on an XFS file system, I can create a file
> > owned by root (on a local filesystem) and then request an exclusive
> > lock on it (as a user -- no write permissions).
>
> "flock" is the missing piece.  I always thought it was a little odd
> implementing flock locks over NFS using byte-range locking.  Not
> necessarily wrong, but definitely odd.
>
> The man page for fcntl says
>
>    In order to place a read lock, fd must be open for reading.  In order
>    to place a write lock, fd must be open for writing.  To place both
>    types of lock, open a file read-write.
>
> So byte-range locks require a consistent open mode.
>
> The man page for flock says
>
>     A shared or exclusive lock can be placed on a file regardless of the
>     mode in which the file was opened.
>
> Since the NFS client started using NLM (or v4 LOCK) for flock requests,
> we cannot know if a request is flock or fcntl so we cannot check the
> "correct" permissions.  We have to rely on the client doing the
> permission checking.
>
> So it isn't really correct to check for either READ or WRITE.
>
> This is awkward because nfsd doesn't just check permissions.  It has to
> open the file and say what mode it is opening for.  This is apparently
> important when re-exporting NFS according to
>
> Commit: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")
>
> So if you try an exclusive flock on a re-exported NFS file (reexported
> over v3) that you have open for READ but do not have write permission
> for, then the client will allow it, but the intermediate server will try
> a O_WRITE open which the final server will reject.
> (does re-export work over v3??)
>
> There is no way to make this "work".  As I said: sending flock requests
> over NFS was an interesting choice.
> For v4 re-export it isn't a problem because the intermediate server
> knows what mode the file was opened for on the client.
>
> So what do we do?  Whatever we do needs a comment explaining that flock
> vs fcntl is the problem.
> Possibly we should not require read or write access - and just trust the
> client.  Alternately we could stick with the current practice of
> requiring READ but not WRITE - it would be rare to lock a file which you
> don't have read access to.
>
> So yes: we do need a patch here.  I would suggest something like:
>
>  /* An NLM request may be from fcntl() which requires the open mode to
>   * match to lock mode or may be from flock() which allows any lock mode
>   * with any open mode.  "acc" here indicates the lock mode but we must
>   * do permission check reflecting the open mode which we cannot know.
>   * For simplicity and historical continuity, always only check for
>   * READ access
>   */
>  if (acc & NFSD_MAY_NLM)
>         acc = (acc & ~NFSD_MAY_WRITE) | NFSD_MAY_READ;

This code would also make the behaviour consistent with prior to
4cc9b9f2bf4d. But now I question whether or not the new behaviour is
what is desired going forward or not?

Here's another thing to consider: the same command done over nfsv4
returns an error. I guess nobody ever complained that flock over v3
was successful but failed over v4?

> I'd prefer to leave the MAY_OWNER_OVERRIDE setting in nlm_fopen().


>
> Thanks,
> NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
> 
> This code would also make the behaviour consistent with prior to
> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
> what is desired going forward or not?
> 
> Here's another thing to consider: the same command done over nfsv4
> returns an error. I guess nobody ever complained that flock over v3
> was successful but failed over v4?

That is useful.  Given that:
 - exclusive flock without write access over v4 never worked
 - As Tom notes, new man pages document that exclusive flock without write access
   isn't expected to work over NFS
 - it is hard to think of a genuine use case for exclusive flock without
   write access

I'm inclined to leave this code as it is and declare your failing test
to no longer be invalid.  That is technically a regression, but
regressions only matter if people notice them (and complain to Linus).
No harm - no fowl.

Thanks,
NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Chuck Lever]

On 3/30/25 8:10 PM, NeilBrown wrote:
> On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
>>
>> This code would also make the behaviour consistent with prior to
>> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
>> what is desired going forward or not?
>>
>> Here's another thing to consider: the same command done over nfsv4
>> returns an error. I guess nobody ever complained that flock over v3
>> was successful but failed over v4?
> 
> That is useful.  Given that:
>  - exclusive flock without write access over v4 never worked
>  - As Tom notes, new man pages document that exclusive flock without write access
>    isn't expected to work over NFS
>  - it is hard to think of a genuine use case for exclusive flock without
>    write access
> 
> I'm inclined to leave this code as it is and declare your failing test
> to no longer be invalid.

For the record, which test exactly is failing? Is there a BugLink?


> That is technically a regression, but
> regressions only matter if people notice them (and complain to Linus).
> No harm - no fowl.

-- 
Chuck Lever

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

On Mon, Mar 31, 2025 at 10:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On 3/30/25 8:10 PM, NeilBrown wrote:
> > On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
> >>
> >> This code would also make the behaviour consistent with prior to
> >> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
> >> what is desired going forward or not?
> >>
> >> Here's another thing to consider: the same command done over nfsv4
> >> returns an error. I guess nobody ever complained that flock over v3
> >> was successful but failed over v4?
> >
> > That is useful.  Given that:
> >  - exclusive flock without write access over v4 never worked
> >  - As Tom notes, new man pages document that exclusive flock without write access
> >    isn't expected to work over NFS
> >  - it is hard to think of a genuine use case for exclusive flock without
> >    write access
> >
> > I'm inclined to leave this code as it is and declare your failing test
> > to no longer be invalid.
>
> For the record, which test exactly is failing? Is there a BugLink?

Test is just an flock()?

>
>
> > That is technically a regression, but
> > regressions only matter if people notice them (and complain to Linus).
> > No harm - no fowl.
>
> --
> Chuck Lever
>

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Tue, 01 Apr 2025, Olga Kornievskaia wrote:
> On Mon, Mar 31, 2025 at 10:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> >
> > On 3/30/25 8:10 PM, NeilBrown wrote:
> > > On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
> > >>
> > >> This code would also make the behaviour consistent with prior to
> > >> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
> > >> what is desired going forward or not?
> > >>
> > >> Here's another thing to consider: the same command done over nfsv4
> > >> returns an error. I guess nobody ever complained that flock over v3
> > >> was successful but failed over v4?
> > >
> > > That is useful.  Given that:
> > >  - exclusive flock without write access over v4 never worked
> > >  - As Tom notes, new man pages document that exclusive flock without write access
> > >    isn't expected to work over NFS
> > >  - it is hard to think of a genuine use case for exclusive flock without
> > >    write access
> > >
> > > I'm inclined to leave this code as it is and declare your failing test
> > > to no longer be invalid.
> >
> > For the record, which test exactly is failing? Is there a BugLink?
> 
> Test is just an flock()?
> 

But what motivated you to perform that specific test:
  exclusive flock over NFSv3 on a file you didn't have write permission to
??

Is it part of a test suite? Or is it done by some application? or ....

NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Olga Kornievskaia]

On Tue, Apr 1, 2025 at 6:24 PM NeilBrown <neilb@suse.de> wrote:
>
> On Tue, 01 Apr 2025, Olga Kornievskaia wrote:
> > On Mon, Mar 31, 2025 at 10:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> > >
> > > On 3/30/25 8:10 PM, NeilBrown wrote:
> > > > On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
> > > >>
> > > >> This code would also make the behaviour consistent with prior to
> > > >> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
> > > >> what is desired going forward or not?
> > > >>
> > > >> Here's another thing to consider: the same command done over nfsv4
> > > >> returns an error. I guess nobody ever complained that flock over v3
> > > >> was successful but failed over v4?
> > > >
> > > > That is useful.  Given that:
> > > >  - exclusive flock without write access over v4 never worked
> > > >  - As Tom notes, new man pages document that exclusive flock without write access
> > > >    isn't expected to work over NFS
> > > >  - it is hard to think of a genuine use case for exclusive flock without
> > > >    write access
> > > >
> > > > I'm inclined to leave this code as it is and declare your failing test
> > > > to no longer be invalid.
> > >
> > > For the record, which test exactly is failing? Is there a BugLink?
> >
> > Test is just an flock()?
> >
>
> But what motivated you to perform that specific test:
>   exclusive flock over NFSv3 on a file you didn't have write permission to
> ??
>
> Is it part of a test suite? Or is it done by some application? or ....

A long story. It started with xfstest failing for sec=tls policy (ie
thus the other 2 patches in the series). But I saw that it's just an
flock that was failing so I stopped doing xfstest and just using an
flock. But as I started digging into the bisected patch I was trying
to understand the code and thus started using other export policies.

> NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[NeilBrown]

On Wed, 02 Apr 2025, Olga Kornievskaia wrote:
> On Tue, Apr 1, 2025 at 6:24 PM NeilBrown <neilb@suse.de> wrote:
> >
> > On Tue, 01 Apr 2025, Olga Kornievskaia wrote:
> > > On Mon, Mar 31, 2025 at 10:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> > > >
> > > > On 3/30/25 8:10 PM, NeilBrown wrote:
> > > > > On Mon, 31 Mar 2025, Olga Kornievskaia wrote:
> > > > >>
> > > > >> This code would also make the behaviour consistent with prior to
> > > > >> 4cc9b9f2bf4d. But now I question whether or not the new behaviour is
> > > > >> what is desired going forward or not?
> > > > >>
> > > > >> Here's another thing to consider: the same command done over nfsv4
> > > > >> returns an error. I guess nobody ever complained that flock over v3
> > > > >> was successful but failed over v4?
> > > > >
> > > > > That is useful.  Given that:
> > > > >  - exclusive flock without write access over v4 never worked
> > > > >  - As Tom notes, new man pages document that exclusive flock without write access
> > > > >    isn't expected to work over NFS
> > > > >  - it is hard to think of a genuine use case for exclusive flock without
> > > > >    write access
> > > > >
> > > > > I'm inclined to leave this code as it is and declare your failing test
> > > > > to no longer be invalid.
> > > >
> > > > For the record, which test exactly is failing? Is there a BugLink?
> > >
> > > Test is just an flock()?
> > >
> >
> > But what motivated you to perform that specific test:
> >   exclusive flock over NFSv3 on a file you didn't have write permission to
> > ??
> >
> > Is it part of a test suite? Or is it done by some application? or ....
> 
> A long story. It started with xfstest failing for sec=tls policy (ie
> thus the other 2 patches in the series). But I saw that it's just an
> flock that was failing so I stopped doing xfstest and just using an
> flock. But as I started digging into the bisected patch I was trying
> to understand the code and thus started using other export policies.

That all makes perfect sense - thanks.

So the fact that you noticed was primarily based on code inspection and
does not suggest that other people might also notice the change and see
it as a regression.

That strengthens my feeling that the change should be seen as a bug-fix,
not as a regression.  So we don't need to "fix" it.

Thanks,
NeilBrown

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Jeff Layton]

On Sat, 2025-03-29 at 08:53 +1100, NeilBrown wrote:
> On Sat, 29 Mar 2025, Olga Kornievskaia wrote:
> > On Thu, Mar 27, 2025 at 9:43 PM NeilBrown <neilb@suse.de> wrote:
> > > 
> > > On Fri, 28 Mar 2025, Olga Kornievskaia wrote:
> > > > On Thu, Mar 27, 2025 at 7:54 PM NeilBrown <neilb@suse.de> wrote:
> > > > > 
> > > > > On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> > > > > > NLM locking calls need to pass thru file permission checking
> > > > > > and for that prior to calling inode_permission() we need
> > > > > > to set appropriate access mask.
> > > > > > 
> > > > > > Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> > > > > > Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
> > > > > > ---
> > > > > >  fs/nfsd/vfs.c | 7 +++++++
> > > > > >  1 file changed, 7 insertions(+)
> > > > > > 
> > > > > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> > > > > > index 4021b047eb18..7928ae21509f 100644
> > > > > > --- a/fs/nfsd/vfs.c
> > > > > > +++ b/fs/nfsd/vfs.c
> > > > > > @@ -2582,6 +2582,13 @@ nfsd_permission(struct svc_cred *cred, struct svc_export *exp,
> > > > > >       if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
> > > > > >               return nfserr_perm;
> > > > > > 
> > > > > > +     /*
> > > > > > +      * For the purpose of permission checking of NLM requests,
> > > > > > +      * the locker must have READ access or own the file
> > > > > > +      */
> > > > > > +     if (acc & NFSD_MAY_NLM)
> > > > > > +             acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
> > > > > > +
> > > > > 
> > > > > I don't agree with this change.
> > > > > The only time that NFSD_MAY_NLM is set, NFSD_MAY_OWNER_OVERRIDE is also
> > > > > set.  So that part of the change adds no value.
> > > > > 
> > > > > This change only affects the case where a write lock is being requested.
> > > > > In that case acc will contains NFSD_MAY_WRITE but not NFSD_MAY_READ.
> > > > > This change will set NFSD_MAY_READ.  Is that really needed?
> > > > > 
> > > > > Can you please describe the particular problem you saw that is fixed by
> > > > > this patch?  If there is a problem and we do need to add NFSD_MAY_READ,
> > > > > then I would rather it were done in nlm_fopen().
> > > > 
> > > > set export policy with (sec=krb5:...) then mount with sec=krb5,vers=3,
> > > > then ask for an exclusive flock(), it would fail.
> > > > 
> > > > The reason it fails is because nlm_fopen() translates lock to open
> > > > with WRITE. Prior to patch 4cc9b9f2bf4d, the access would be set to
> > > > acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE; before calling into
> > > > inode_permission(). The patch changed it and lead to lock no longer
> > > > being given out with sec=krb5 policy.
> > > 
> > > And do you have WRITE access to the file?
> > > 
> > > check_fmode_for_setlk() in fs/locks.c suggests that for F_WRLCK to be
> > > granted the file must be open for FMODE_WRITE.
> > > So when an exclusive lock request arrives via NLM, nlm_lookup_file()
> > > calls nlm_do_fopen() with a mode of O_WRONLY and that causes
> > > nfsd_permission() to check that the caller has write access to the file.
> > > 
> > > So if you are trying to get an exclusive lock to a file that you don't
> > > have write access to, then it should fail.
> > > If, however, you do have write access to the file - I cannot see why
> > > asking for NFSD_MAY_READ instead of NFSD_MAY_WRITE would help.
> > 
> > That's correct, the user doing flock() does NOT have write access to
> > the file. Yet prior to the 4cc9b9f2bf4d, that access was allowed. If
> > that was a bug then my bad. I assumed it was regression.
> > 
> > It's interesting to me that on an XFS file system, I can create a file
> > owned by root (on a local filesystem) and then request an exclusive
> > lock on it (as a user -- no write permissions).
> 
> "flock" is the missing piece.  I always thought it was a little odd
> implementing flock locks over NFS using byte-range locking.  Not
> necessarily wrong, but definitely odd.
> 

FWIW, Solaris set the precedent for that, and the NFS client eventually
added it (back in the v2.4 days).

> The man page for fcntl says 
> 
>    In order to place a read lock, fd must be open for reading.  In order
>    to place a write lock, fd must be open for writing.  To place both
>    types of lock, open a file read-write.
> 
> So byte-range locks require a consistent open mode.
> 
> The man page for flock says
> 
>     A shared or exclusive lock can be placed on a file regardless of the
>     mode in which the file was opened.
> 
> Since the NFS client started using NLM (or v4 LOCK) for flock requests,
> we cannot know if a request is flock or fcntl so we cannot check the
> "correct" permissions.  We have to rely on the client doing the
> permission checking.

> So it isn't really correct to check for either READ or WRITE.
> 
> This is awkward because nfsd doesn't just check permissions.  It has to
> open the file and say what mode it is opening for.  This is apparently
> important when re-exporting NFS according to
> 
> Commit: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")
> 
> So if you try an exclusive flock on a re-exported NFS file (reexported
> over v3) that you have open for READ but do not have write permission
> for, then the client will allow it, but the intermediate server will try
> a O_WRITE open which the final server will reject.
> (does re-export work over v3??)
> 

Locking with reexports is an iffy proposition at best. We don't have a
way to "project" the grace period across the reexport, so if the
reexporting server crashes, lock recovery is just broken (no grace
period on the source server).

This is detailed in Documentation/filesystems/nfs/reexport.rst

I wouldn't worry overmuch about reexporting with this.

> There is no way to make this "work".  As I said: sending flock requests
> over NFS was an interesting choice.
> For v4 re-export it isn't a problem because the intermediate server
> knows what mode the file was opened for on the client.
> 
> So what do we do?  Whatever we do needs a comment explaining that flock
> vs fcntl is the problem.
> Possibly we should not require read or write access - and just trust the
> client.  Alternately we could stick with the current practice of
> requiring READ but not WRITE - it would be rare to lock a file which you
> don't have read access to.
> 
> So yes: we do need a patch here.  I would suggest something like:
> 
>  /* An NLM request may be from fcntl() which requires the open mode to
>   * match to lock mode or may be from flock() which allows any lock mode
>   * with any open mode.  "acc" here indicates the lock mode but we must
>   * do permission check reflecting the open mode which we cannot know.
>   * For simplicity and historical continuity, always only check for
>   * READ access
>   */
>  if (acc & NFSD_MAY_NLM)
> 	acc = (acc & ~NFSD_MAY_WRITE) | NFSD_MAY_READ;
> 
> I'd prefer to leave the MAY_OWNER_OVERRIDE setting in nlm_fopen().
> 

Emulating flock locks over NFS locking is entirely a client-side
endeavor. The server isn't aware of it. The job on the server side is
to conform to the protocol.

In this case, I think failing exclusive flock() locks when the client
doesn't have the file open for write is the correct thing to do, as I
think the protocol requires this.

At one time, nfs_flock would reject those on the client, until this
patch reverted that behavior:

    fcfa447062b2 NFS: Revert "NFS: Move the flock open mode check into nfs_flock()"

I'm not sure that reverting that was the correct thing to do. NFS/NLM
locking generally follows fcntl() semantics. ISTM that we shouldn't
allow locks that fall outside of those semantics.
-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 3/3] nfsd: reset access mask for NLM calls in nfsd_permission

[Benjamin Coddington]

On 7 Apr 2025, at 11:57, Jeff Layton wrote:

> Emulating flock locks over NFS locking is entirely a client-side
> endeavor. The server isn't aware of it. The job on the server side is
> to conform to the protocol.
>
> In this case, I think failing exclusive flock() locks when the client
> doesn't have the file open for write is the correct thing to do, as I
> think the protocol requires this.
>
> At one time, nfs_flock would reject those on the client, until this
> patch reverted that behavior:

That behavior existed for only a short time (6 months?) until the revert.

>     fcfa447062b2 NFS: Revert "NFS: Move the flock open mode check into nfs_flock()"
>
> I'm not sure that reverting that was the correct thing to do. NFS/NLM
> locking generally follows fcntl() semantics. ISTM that we shouldn't
> allow locks that fall outside of those semantics.

I don't remember the details other than we submitted that revert after
regression testing showed the original changed v3 behavior.

Is it possible that some existing v3 server would use flock semantics for
NLM?

Ben

Re: [PATCH 0/3] access checking fixes for NLM under security policies

[cel]

From: Chuck Lever <chuck.lever@oracle.com>

On Fri, 21 Mar 2025 20:13:03 -0400, Olga Kornievskaia wrote:
> Since commit 4cc9b9f2bf4df ("nfsd: refine and rename NFSD_MAY_LOCK")
> for export policies with "sec=krb5:..." or "xprtsec=tls:.." NLM
> locking calls on v3 mounts fail. And for "sec=krb5" NLM calls it
> also leads to out-of-bounds reference while in check_nfsd_access().
> 
> This patch series address 3 problems.
> 
> [...]

Applied to nfsd-testing, thanks!

[1/3] nfsd: fix access checking for NLM under XPRTSEC policies
      commit: 795be66362cc0bb9386fc40685de7c31d2ec27ea
[2/3] nfsd: adjust nfsd4_spo_must_allow checking order
      commit: 472d09faffb5a46373a74584cfc048df5e6a7bef
[3/3] nfsd: reset access mask for NLM calls in nfsd_permission
      commit: 502d6ba5c749411967b74e8f1aa3c47a8db7637d

--
Chuck Lever

Re: [PATCH 0/3] access checking fixes for NLM under security policies

[NeilBrown]

On Sat, 22 Mar 2025, Olga Kornievskaia wrote:
> Since commit 4cc9b9f2bf4df ("nfsd: refine and rename NFSD_MAY_LOCK")
> for export policies with "sec=krb5:..." or "xprtsec=tls:.." NLM
> locking calls on v3 mounts fail. And for "sec=krb5" NLM calls it
> also leads to out-of-bounds reference while in check_nfsd_access().
> 
> This patch series address 3 problems.
> 
> The first patch addresses a problem related to a TLS export
> policy. NLM call dont come over TLS and thus dont pass the
> TLS checks in check_nfsd_access() leading to access being
> denied. Instead rely on may_bypass_gss to indicate NLM and
> allow access checking to continue.
> 
> The other 2 patches are for problems related to sec=krb5.
> The 2nd patch is because previously for NLM check_nfsd_access()
> was never called and thus nfsd4_spo_must_allow() function wasn't
> called. After the patch, this lead to NLM call which has no
> compound state structure created trying to dereference it.
> This patch instead moves the call to after may_bypass_gss
> check which implies NLM and would return there and would
> never get to calling nfsd4_spo_must_allow().
> 
> The last patch is fixing what "access" content is being passed
> into the inode_permission(). Prior to 4cc9b9f2bf4df, the code would
> explicitly set access to be read/ownership. And after is passes
> access that's set in nlm_fopen but it's lacking read access.
> 
> Olga Kornievskaia (3):
>   nfsd: fix access checking for NLM under XPRTSEC policies
I agree with this patch
  Reviewed-by: NeilBrown <neil@brown.name>

>   nfsd: adjust nfsd4_spo_must_allow checking order
I don't disagree with this patch but I don't think it is the best fix.
I've posted an alternate fix.  It would be OK for both to go in.

>   nfsd: reset access mask for NLM calls in nfsd_permission
I don't like this one.  I've explained why separately.

Thanks,
NeilBrown


> 
>  fs/nfsd/export.c | 20 ++++++++++----------
>  fs/nfsd/vfs.c    |  7 +++++++
>  2 files changed, 17 insertions(+), 10 deletions(-)
> 
> -- 
> 2.47.1
> 
> 
>