From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Cc: "J. Bruce Fields" <bfields@citi.umich.edu>
Cc: J "." Bruce Fields <bfields@citi.umich.edu>
Cc: Neil Brown <neilb@suse.de>
Subject: [PATCH 008 of 20] knfsd: nfsd: set rq_client to ip-address-determined-domain
Date: Tue, 10 Jul 2007 12:24:58 +1000 [thread overview]
Message-ID: <1070710022458.13206@suse.de> (raw)
In-Reply-To: 20070710121949.12548.patches@notabene
From: J. Bruce Fields <bfields@citi.umich.edu>
We want it to be possible for users to restrict exports both by IP
address and by pseudoflavor. The pseudoflavor information has
previously been passed using special auth_domains stored in the
rq_client field. After the preceding patch that stored the pseudoflavor
in rq_pflavor, that's now superfluous; so now we use rq_client for the
ip information, as auth_null and auth_unix do.
However, we keep around the special auth_domain in the rq_gssclient
field for backwards compatibility purposes, so we can still do upcalls
using the old "gss/pseudoflavor" auth_domain if upcalls using the unix
domain fail to give us an appropriate export. This allows us to continue
supporting old mountd.
In fact, for this first patch, we always use the "gss/pseudoflavor"
auth_domain (and only it) if it is available; thus rq_client is ignored
in the auth_gss case, and this patch on its own makes no change in
behavior; that will be left to later patches.
Note on idmap: I'm almost tempted to just replace the auth_domain in the
idmap upcall by a dummy value--no version of idmapd has ever used it,
and it's unlikely anyone really wants to perform idmapping differently
depending on the where the client is (they may want to perform
*credential* mapping differently, but that's a different matter--the
idmapper just handles id's used in getattr and setattr). But I'm
updating the idmapd code anyway, just out of general
backwards-compatibility paranoia.
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
### Diffstat output
./fs/nfsd/export.c | 15 +++++++++++----
./fs/nfsd/nfs4idmap.c | 13 +++++++++++--
./fs/nfsd/nfsfh.c | 2 --
./include/linux/sunrpc/svc.h | 1 +
./include/linux/sunrpc/svcauth.h | 1 +
./net/sunrpc/auth_gss/svcauth_gss.c | 21 ++++++++++++++++++---
./net/sunrpc/svcauth_unix.c | 4 +++-
7 files changed, 45 insertions(+), 12 deletions(-)
diff .prev/fs/nfsd/export.c ./fs/nfsd/export.c
--- .prev/fs/nfsd/export.c 2007-07-10 11:34:22.000000000 +1000
+++ ./fs/nfsd/export.c 2007-07-10 11:35:37.000000000 +1000
@@ -1237,21 +1237,28 @@ struct svc_export *
rqst_exp_get_by_name(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
- return exp_get_by_name(rqstp->rq_client, mnt, dentry,
- &rqstp->rq_chandle);
+ struct auth_domain *clp;
+
+ clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
+ return exp_get_by_name(clp, mnt, dentry, &rqstp->rq_chandle);
}
struct svc_export *
rqst_exp_find(struct svc_rqst *rqstp, int fsid_type, u32 *fsidv)
{
- return exp_find(rqstp->rq_client, fsid_type, fsidv,
- &rqstp->rq_chandle);
+ struct auth_domain *clp;
+
+ clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
+ return exp_find(clp, fsid_type, fsidv, &rqstp->rq_chandle);
}
struct svc_export *
rqst_exp_parent(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
+ struct auth_domain *clp;
+
+ clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
return exp_parent(rqstp->rq_client, mnt, dentry, &rqstp->rq_chandle);
}
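Review bot: rqst_exp_parent computes `clp` but still passes `rqstp->rq_client` to exp_parent, so the rq_gssclient fallback that rqst_exp_get_by_name and rqst_exp_find apply is skipped here and `clp` is an unused local; the call should read `return exp_parent(clp, mnt, dentry, &rqstp->rq_chandle);`. This matters beyond consistency: the same series drops the `rq_client == NULL` check from fh_verify, and on the gss path svcauth_gss_set_client only guarantees rq_gssclient, so exp_parent can receive a NULL domain where the two sibling wrappers would not. The three-line `clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;` selection now appears in all three wrappers and again as rqst_authname in nfs4idmap.c; a single static inline in svcauth.h (or export.h) would keep the fallback policy in one place when the later patches change which domain wins.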
diff .prev/fs/nfsd/nfs4idmap.c ./fs/nfsd/nfs4idmap.c
--- .prev/fs/nfsd/nfs4idmap.c 2007-07-10 11:19:57.000000000 +1000
+++ ./fs/nfsd/nfs4idmap.c 2007-07-10 11:35:37.000000000 +1000
@@ -587,6 +587,15 @@ idmap_lookup(struct svc_rqst *rqstp,
return ret;
}
+static char *
+rqst_authname(struct svc_rqst *rqstp)
+{
+ struct auth_domain *clp;
+
+ clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
+ return clp->name;
+}
+
static int
idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen,
uid_t *id)
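Review bot: rqst_authname dereferences `clp->name` without a NULL check, which is sound only while every auth flavor either installs a domain or refuses the request before nfsd runs (auth_gss now denies when no gss domain is found, auth_unix/null presumably install rq_client or deny); that invariant is not stated anywhere in the patch. A one-line comment above the function, e.g. `/* Never NULL: auth_gss always installs rq_gssclient, other flavors install rq_client or deny. */`, would keep a later change to the SVC_DENIED handling in svcauth_gss_set_client from turning this into a NULL dereference in the idmap upcall. Returning `const char *` would also document that callers only copy the name, though strlcpy accepts either.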
@@ -600,7 +609,7 @@ idmap_name_to_id(struct svc_rqst *rqstp,
return -EINVAL;
memcpy(key.name, name, namelen);
key.name[namelen] = '\0';
- strlcpy(key.authname, rqstp->rq_client->name, sizeof(key.authname));
+ strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
ret = idmap_lookup(rqstp, nametoid_lookup, &key, &nametoid_cache, &item);
if (ret == -ENOENT)
ret = -ESRCH; /* nfserr_badname */
@@ -620,7 +629,7 @@ idmap_id_to_name(struct svc_rqst *rqstp,
};
int ret;
- strlcpy(key.authname, rqstp->rq_client->name, sizeof(key.authname));
+ strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
ret = idmap_lookup(rqstp, idtoname_lookup, &key, &idtoname_cache, &item);
if (ret == -ENOENT)
return sprintf(name, "%u", id);
diff .prev/fs/nfsd/nfsfh.c ./fs/nfsd/nfsfh.c
--- .prev/fs/nfsd/nfsfh.c 2007-07-10 11:34:22.000000000 +1000
+++ ./fs/nfsd/nfsfh.c 2007-07-10 11:35:37.000000000 +1000
@@ -120,8 +120,6 @@ fh_verify(struct svc_rqst *rqstp, struct
int data_left = fh->fh_size/4;
error = nfserr_stale;
- if (rqstp->rq_client == NULL)
- goto out;
if (rqstp->rq_vers > 2)
error = nfserr_badhandle;
if (rqstp->rq_vers == 4 && fh->fh_size == 0)
diff .prev/include/linux/sunrpc/svcauth.h ./include/linux/sunrpc/svcauth.h
--- .prev/include/linux/sunrpc/svcauth.h 2007-07-10 11:19:57.000000000 +1000
+++ ./include/linux/sunrpc/svcauth.h 2007-07-10 11:35:37.000000000 +1000
@@ -127,6 +127,7 @@ extern struct auth_domain *auth_unix_loo
extern int auth_unix_forget_old(struct auth_domain *dom);
extern void svcauth_unix_purge(void);
extern void svcauth_unix_info_release(void *);
+extern int svcauth_unix_set_client(struct svc_rqst *rqstp);
static inline unsigned long hash_str(char *name, int bits)
{
diff .prev/include/linux/sunrpc/svc.h ./include/linux/sunrpc/svc.h
--- .prev/include/linux/sunrpc/svc.h 2007-07-10 11:27:13.000000000 +1000
+++ ./include/linux/sunrpc/svc.h 2007-07-10 11:35:37.000000000 +1000
@@ -249,6 +249,7 @@ struct svc_rqst {
*/
/* Catering to nfsd */
struct auth_domain * rq_client; /* RPC peer info */
+ struct auth_domain * rq_gssclient; /* "gss/"-style peer info */
struct svc_cacherep * rq_cacherep; /* cache info */
struct knfsd_fh * rq_reffh; /* Referrence filehandle, used to
* determine what device number
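Review bot: The new rq_gssclient field's comment says what it holds but not who owns the reference; the only put for it in this patch is the one added in svcauth_gss's release path, and the field is not cleared on the generic request-reset path as far as the diff shows. A comment such as `/* "gss/"-style peer info; owned ref, dropped in svcauth_gss_release */` would make the lifetime explicit for anyone adding another reset point for rq_client. Whether svc_process also needs to clear it for non-gss requests that follow a gss one on the same svc_rqst is not visible here and worth confirming.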
diff .prev/net/sunrpc/auth_gss/svcauth_gss.c ./net/sunrpc/auth_gss/svcauth_gss.c
--- .prev/net/sunrpc/auth_gss/svcauth_gss.c 2007-07-10 11:27:13.000000000 +1000
+++ ./net/sunrpc/auth_gss/svcauth_gss.c 2007-07-10 11:35:37.000000000 +1000
@@ -927,10 +927,23 @@ svcauth_gss_set_client(struct svc_rqst *
struct gss_svc_data *svcdata = rqstp->rq_auth_data;
struct rsc *rsci = svcdata->rsci;
struct rpc_gss_wire_cred *gc = &svcdata->clcred;
+ int stat;
- rqstp->rq_client = find_gss_auth_domain(rsci->mechctx, gc->gc_svc);
- if (rqstp->rq_client == NULL)
+ /*
+ * A gss export can be specified either by:
+ * export *(sec=krb5,rw)
+ * or by
+ * export gss/krb5(rw)
+ * The latter is deprecated; but for backwards compatibility reasons
+ * the nfsd code will still fall back on trying it if the former
+ * doesn't work; so we try to make both available to nfsd, below.
+ */
+ rqstp->rq_gssclient = find_gss_auth_domain(rsci->mechctx, gc->gc_svc);
+ if (rqstp->rq_gssclient == NULL)
return SVC_DENIED;
+ stat = svcauth_unix_set_client(rqstp);
+ if (stat == SVC_DROP)
+ return stat;
return SVC_OK;
}
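Review bot: An SVC_DENIED result from svcauth_unix_set_client is silently turned into SVC_OK on the line `if (stat == SVC_DROP) return stat;`, so a gss request from an address with no matching unix domain proceeds with rq_client presumably left NULL and only rq_gssclient set; the block comment above explains the two export syntaxes but not this tolerance, which nfsd (including the now check-free fh_verify) has to be aware of. A short comment at the check, `/* SVC_DENIED is tolerated: rq_gssclient is set and nfsd falls back to it, so rq_client may stay NULL */`, records the intended contract. As a style point `stat` is only consulted for SVC_DROP, so `if (svcauth_unix_set_client(rqstp) == SVC_DROP) return SVC_DROP;` says the same with one fewer local; on the SVC_DROP return rq_gssclient stays set and relies on the release path to put it, which looks correct but deserves the same note.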
@@ -1102,7 +1115,6 @@ svcauth_gss_accept(struct svc_rqst *rqst
svc_putnl(resv, GSS_SEQ_WIN);
if (svc_safe_putnetobj(resv, &rsip->out_token))
goto drop;
- rqstp->rq_client = NULL;
}
goto complete;
case RPC_GSS_PROC_DESTROY:
@@ -1333,6 +1345,9 @@ out_err:
if (rqstp->rq_client)
auth_domain_put(rqstp->rq_client);
rqstp->rq_client = NULL;
+ if (rqstp->rq_gssclient)
+ auth_domain_put(rqstp->rq_gssclient);
+ rqstp->rq_gssclient = NULL;
if (rqstp->rq_cred.cr_group_info)
put_group_info(rqstp->rq_cred.cr_group_info);
rqstp->rq_cred.cr_group_info = NULL;
diff .prev/net/sunrpc/svcauth_unix.c ./net/sunrpc/svcauth_unix.c
--- .prev/net/sunrpc/svcauth_unix.c 2007-07-10 11:27:13.000000000 +1000
+++ ./net/sunrpc/svcauth_unix.c 2007-07-10 11:35:37.000000000 +1000
@@ -638,7 +638,7 @@ static int unix_gid_find(uid_t uid, stru
}
}
-static int
+int
svcauth_unix_set_client(struct svc_rqst *rqstp)
{
struct sockaddr_in *sin = svc_addr_in(rqstp);
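Review bot: Making svcauth_unix_set_client non-static gives it an external caller in auth_gss that depends on two things the function's contract does not state: which SVC_* values it returns and whether rq_client is left untouched, NULLed or replaced when it returns SVC_DENIED. A kernel-doc comment on the definition (or on the new prototype in svcauth.h) spelling out the return values and the effect on rqstp->rq_client would let svcauth_gss_set_client's "ignore SVC_DENIED" logic be reviewed against it rather than against the body. The function's body continues past the end of this hunk.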
@@ -673,6 +673,8 @@ svcauth_unix_set_client(struct svc_rqst
return SVC_OK;
}
+EXPORT_SYMBOL(svcauth_unix_set_client);
+
static int
svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp)
{