SECINFO and SECINFO_NONAME should be able to use integrity protected auth
flavors even if the export wasn't explicitly configured to use them.
An example is a sec=sys export - upstream linux clients will attempt to use
krb5i for EXCHANGE_ID, CREATE_SESSION, DESTROY_SESSION, etc. If this is
successful, the client will try to use the same auth flavor for SECINFO
as described in the Security Considerations sections of rfc3530 and rfc5661.
This patch adds a nfsd4_op_flag to describe operations that may use these
auth flavors to get around nfsd_access() checks. This should be useful in
future implementations of SP4_MACH_CRED (nfsd_permission still needs to be
handled).
This patch also stops SECINFO* from returning NFS4ERR_WRONGSEC which is
not allowed by either rfc3530 (not in list of allowed errors) or rfc6551
(section 2.6.3.1.1.5 says it MUST NOT).
Signed-off-by: Weston Andros Adamson <dros@xxxxxxxxxx>
---
fs/nfsd/export.c | 10 ++++++++++
fs/nfsd/nfs4proc.c | 27 ++++++++++++++++++++++++---
fs/nfsd/xdr4.h | 2 ++
3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 5f38ea3..e2e5a13 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -22,6 +22,7 @@
#include "nfsd.h"
#include "nfsfh.h"
#include "netns.h"
+#include "xdr4.h"
#define NFSDDBG_FACILITY NFSDDBG_EXPORT
@@ -909,6 +910,15 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)
return 0;
}
+
+ /* some operations allow use of integrity even though the mount
+ * may not be */
+ if (nfsd4_allow_integrity(rqstp)) {
+ if (rqstp->rq_cred.cr_flavor == RPC_AUTH_GSS_KRB5I ||
+ rqstp->rq_cred.cr_flavor == RPC_AUTH_GSS_KRB5P)
+ return 0;
+ }
+
return nfserr_wrongsec;
}
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 0d4c410..ce79483 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1158,6 +1158,11 @@ enum nfsd4_op_flags {
* These are ops which clear current state id.
*/
OP_CLEAR_STATEID = 1 << 7,
+ /*
+ * Procedures that can use auth flavors other than flavors
+ * specified in the export as long as they are integrity protected.
+ */
+ OP_ALLOW_INTEGRITY = 1 << 8,
};
struct nfsd4_operation {
@@ -1249,7 +1254,23 @@ static bool need_wrongsec_check(struct svc_rqst *rqstp)
* errors themselves as necessary; others should check for them
* now:
*/
- return !(nextd->op_flags & OP_HANDLES_WRONGSEC);
+ return !(nextd->op_flags & (OP_HANDLES_WRONGSEC | OP_ALLOW_INTEGRITY));
+}
+
+bool
+nfsd4_allow_integrity(struct svc_rqst *rqstp)
+{
+ struct nfsd4_compoundres *resp = rqstp->rq_resp;
+ struct nfsd4_compoundargs *argp = rqstp->rq_argp;
+ struct nfsd4_op *this = &argp->ops[resp->opcnt - 1];
+ struct nfsd4_operation *thisd;
+
+ thisd = OPDESC(this);
+
+ if (thisd->op_flags & OP_ALLOW_INTEGRITY)
+ return true;
+
+ return false;
}
/*
@@ -1727,7 +1748,7 @@ static struct nfsd4_operation nfsd4_ops[] = {
},
[OP_SECINFO] = {
.op_func = (nfsd4op_func)nfsd4_secinfo,
- .op_flags = OP_HANDLES_WRONGSEC,
+ .op_flags = OP_ALLOW_INTEGRITY,
.op_name = "OP_SECINFO",
},
[OP_SETATTR] = {
@@ -1825,7 +1846,7 @@ static struct nfsd4_operation nfsd4_ops[] = {
},
[OP_SECINFO_NO_NAME] = {
.op_func = (nfsd4op_func)nfsd4_secinfo_no_name,
- .op_flags = OP_HANDLES_WRONGSEC,
+ .op_flags = OP_ALLOW_INTEGRITY,
.op_name = "OP_SECINFO_NO_NAME",
},
[OP_TEST_STATEID] = {
diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
index b3ed644..ed79b6d 100644
--- a/fs/nfsd/xdr4.h
+++ b/fs/nfsd/xdr4.h
@@ -481,6 +481,8 @@ struct nfsd4_op {
bool nfsd4_cache_this_op(struct nfsd4_op *);
+bool nfsd4_allow_integrity(struct svc_rqst *);
+
struct nfsd4_compoundargs {
/* scratch variables for XDR decode */
__be32 * p;
--
1.7.12.4 (Apple Git-37)
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
