Re: [PATCH 0/9] Deliver TLS session tags to upper-layer consumers (NFSD)

["Chuck Lever" <cel@kernel.org>]

On Sat, Jun 6, 2026, at 6:26 AM, Jeff Layton wrote:
> On Fri, 2026-06-05 at 13:34 -0400, Chuck Lever wrote:
>> NFSD and similar upper-layer services want access-control decisions
>> based on TLS peer-certificate characteristics, but in-kernel x.509
>> parsing would duplicate work mature userspace libraries already do.
>> This series gives tlshd a way to evaluate certificates against
>> admin-defined policy and report matching policies back to the kernel
>> as opaque string tags. The handshake layer plumbs the tags through to
>> the upper-layer consumer's completion callback; intersection against
>> per-resource tag sets stays the consumer's problem.
>> 
>> Four architectural choices shape the series, only one of which is
>> visible in any single patch.
>> 
>> The tagging vocabulary is opaque to the kernel. tlshd decides what
>> each tag means; the handshake layer and its consumers only test
>> membership. This keeps x.509 out of the kernel and lets policy evolve
>> at userspace speed. Any future attribute the kernel wants to gate on
>> must be expressed as a tag rather than as a new netlink field per
>> attribute.
>> 
>> DONE gains a privilege check (patch 1) as a prerequisite, not as
>> cleanup. Without it, an unprivileged process guessing a sockfd could
>> submit a forged DONE and effectively grant or deny tag membership
>> for a real handshake. Once tags carry authorization weight, that
>> pre-existing gap becomes load-bearing. The fix predates tags in
>> principle and carries a Fixes: tag, but it sits at the head of this
>> series so the rest of the work has a trustworthy foundation.
>> 
>> HANDSHAKE_MAX_SESSIONTAGS is advertised on every ACCEPT reply as
>> HANDSHAKE_A_ACCEPT_MAX_TAGS (patch 6), so tlshd can size its
>> DONE-side tag list against the kernel's runtime limit rather than
>> guessing from header constants. If a daemon overruns anyway, the
>> DONE handler truncates and logs one pr_warn_once rather than
>> returning -E2BIG: tearing down a handshake the operator almost
>> certainly wants to keep is a worse outcome than dropping a few
>> tags. The truncation path is defense-in-depth for a buggy or
>> stale agent, not the primary signal.
>> 
>> The tagset helper (patch 3) is split out as a generic library so
>> NFSD export tagging (patches 8 and 9) can use it without further
>> churn in net/handshake/.
>> 
>> ---
>> Chuck Lever (9):
>>       handshake: Require admin permission for DONE command
>>       handshake: Add tags to "done" downcall
>>       lib: Add a "tagset" data structure
>>       handshake: Pick up session tags passed during the DONE downcall
>>       handshake: Add a kunit test for the completion gate
>>       handshake: advertise the session-tag cap to user space
>>       SUNRPC: Copy the TLS session tags when they are available
>>       NFSD: Implement export tagging
>>       NFSD: Add allow_tags to the netlink export interface
>> 
>>  Documentation/core-api/index.rst           |   1 +
>>  Documentation/core-api/tagset.rst          | 225 +++++++++++++++++++++++++++++
>>  Documentation/netlink/specs/handshake.yaml |  16 ++
>>  Documentation/netlink/specs/nfsd.yaml      |  10 ++
>>  Documentation/networking/tls-handshake.rst |  63 +++++++-
>>  drivers/nvme/host/tcp.c                    |   3 +-
>>  drivers/nvme/target/tcp.c                  |   3 +-
>>  fs/nfsd/export.c                           | 141 +++++++++++++++++-
>>  fs/nfsd/export.h                           |  11 ++
>>  fs/nfsd/netlink.c                          |   4 +-
>>  fs/nfsd/netlink.h                          |   3 +-
>>  fs/nfsd/trace.h                            |  19 +++
>>  include/linux/sunrpc/svc_xprt.h            |   2 +
>>  include/linux/tagset.h                     | 187 ++++++++++++++++++++++++
>>  include/net/handshake.h                    |  30 +++-
>>  include/uapi/linux/handshake.h             |   4 +
>>  include/uapi/linux/nfsd_netlink.h          |   1 +
>>  lib/Makefile                               |   1 +
>>  lib/tagset.c                               | 174 ++++++++++++++++++++++
>>  net/handshake/genl.c                       |   7 +-
>>  net/handshake/handshake-test.c             |  72 +++++++++
>>  net/handshake/handshake.h                  |   6 +
>>  net/handshake/netlink.c                    | 109 +++++++++++++-
>>  net/handshake/request.c                    |  68 ++++++++-
>>  net/handshake/tlshd.c                      |  10 +-
>>  net/sunrpc/svc_xprt.c                      |  11 +-
>>  net/sunrpc/svcauth_unix.c                  |  12 ++
>>  net/sunrpc/svcsock.c                       |  38 ++++-
>>  net/sunrpc/xprtsock.c                      |   5 +-
>>  29 files changed, 1205 insertions(+), 31 deletions(-)
>> ---
>> base-commit: 4d4d6605de5f91a40335729b6a7cc15e83b280f3
>> change-id: 20260512-tls-session-tags-9d0042583f44
>> 
>> Best regards,
>> --  
>> Chuck Lever <chuck.lever@oracle.com>
>
> I was wanting to review this, but I can't seem to get it to apply
> cleanly to any known tree. What tree is this based on?

commit 4d4d6605de5f91a40335729b6a7cc15e83b280f3 (cel/nfsd-testing)
Author:     Chuck Lever <chuck.lever@oracle.com>
AuthorDate: Thu Sep 5 15:25:37 2024 -0400
Commit:     Chuck Lever <chuck.lever@oracle.com>
CommitDate: Thu May 28 11:34:51 2026 -0400

That's some old shit.

I will rebase it before posting it again.


-- 
Chuck Lever