Hi Andy, On 02/24/2017 05:19 PM, andros@xxxxxxxxxx wrote: > From: Andy Adamson <andros@xxxxxxxxxx> > > Signed-off-by: Andy Adamson <andros@xxxxxxxxxx> > --- > net/sunrpc/auth_gss/auth_gss.c | 140 ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 138 insertions(+), 2 deletions(-) > > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c > index 6ffb16d..98971cf 100644 > --- a/net/sunrpc/auth_gss/auth_gss.c > +++ b/net/sunrpc/auth_gss/auth_gss.c > @@ -52,9 +52,12 @@ > #include <linux/sunrpc/gss_api.h> > #include <linux/uaccess.h> > #include <linux/hashtable.h> > +#include <linux/security.h> > > #include "../netns.h" > > +static int gss3_create_label(struct rpc_cred *cred, int gss_vers); > + > static const struct rpc_authops authgss_ops; > > static const struct rpc_credops gss_credops; > @@ -128,6 +131,20 @@ gss_put_ctx(struct gss_cl_ctx *ctx) > gss_free_ctx(ctx); > } > > +/* gss3_label_enabled: > + * Called to determine if Full Mode Mandatory Access Control (MAC) > + * over a GSS connection is desired. > + * > + * Note: > + * Currently Full Mode MAC is assuemed if SeLinux is enabled and > + * RPCSEC_GSS version 3 is in use. > + */ > +static inline bool > +gss3_label_assertion_is_enabled(u32 rpcsec_version) > +{ > + return (rpcsec_version == RPC_GSS3_VERSION && selinux_is_enabled()); > +} > + > /* gss_cred_set_ctx: > * called by gss_upcall_callback and gss_create_upcall in order > * to set the gss context. The actual exchange of an old context > @@ -145,6 +162,7 @@ gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx) > set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); > smp_mb__before_atomic(); > clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags); > + gss3_create_label(cred, ctx->gc_v); > } > > static const void * > @@ -1602,6 +1620,75 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) > #define GSS3_createres_maxsz (1 /* cr_hlen */ + \ > XDR_QUADLEN(1024) /* cr_handle*/ + \ > GSS3_createargs_maxsz) > +#define GSS3_labelargs_maxsz (1 /* la_lfs */ + \ > + 1 /* la_pi */ + \ > + 1 /* la_label.len */ + \ > + XDR_QUADLEN(1024) /* la_label.data */) > +#define GSS3_labelres_maxsz GSS3_labelargs_maxsz > + > +static void > +gss3_enc_label(struct rpc_rqst *req, struct xdr_stream *xdr, > + const struct gss3_create_args *g3ca) > +{ > + struct gss3_label *gl; > + __be32 *p; > + > + gl = &g3ca->ca_assertions[0].u.au_label; > + > + dprintk("RPC: %5u encoding GSSv3 label %s:%d\n", req->rq_task->tk_pid, > + (char *)gl->la_label.data, gl->la_label.len); > + > + p = xdr_reserve_space(xdr, GSS3_labelargs_maxsz << 2); > + *p++ = cpu_to_be32(0); /* la_lfs */ > + *p++ = cpu_to_be32(0); /* la_pi */ > + p = xdr_encode_netobj(p, &gl->la_label); > +} > + > +static int > +gss3_dec_label(struct rpc_rqst *req, struct xdr_stream *xdr, > + struct gss3_create_res *g3cr) > +{ > + struct gss3_label *gl; > + struct gss3_assertion_u *g3a; > + __be32 *p; > + > + /* Used to store assertion in parent gss_cl_ctx */ > + g3a = kzalloc(sizeof(*g3a), GFP_KERNEL); > + if (!g3a) > + goto out_err; > + > + g3a->au_type = GSS3_LABEL; > + gl = &g3a->u.au_label; > + > + p = xdr_inline_decode(xdr, 12); > + if (unlikely(!p)) > + goto out_overflow; > + > + gl->la_lfs = be32_to_cpup(p++); > + gl->la_pi = be32_to_cpup(p++); > + gl->la_label.len = be32_to_cpup(p++); > + > + p = xdr_inline_decode(xdr, gl->la_label.len); > + if (unlikely(!p)) > + goto out_overflow; > + > + gl->la_label.data = kmemdup(p, gl->la_label.len, GFP_KERNEL); > + if (!gl->la_label.data) > + goto out_free_assert; > + > + g3cr->cr_assertions = g3a; > + > + return 0; > + > +out_free_assert: > + kfree(g3a); > +out_err: > + return -EIO; > +out_overflow: > + pr_warn("RPC %s End of receive buffer. Remaining len: %tu words.\n", > + __func__, xdr->end - xdr->p); > + goto out_free_assert; > +} > > static void > gss3_enc_create(struct rpc_rqst *req, struct xdr_stream *xdr, > @@ -1618,6 +1705,8 @@ gss3_enc_create(struct rpc_rqst *req, struct xdr_stream *xdr, > *p++ = type; > switch (type) { > case GSS3_LABEL: > + gss3_enc_label(req, xdr, g3ca); > + break; > case GSS3_PRIVS: > default: > /* drop through to return */ > @@ -1673,6 +1762,9 @@ gss3_dec_create(struct rpc_rqst *req, struct xdr_stream *xdr, > type = be32_to_cpup(p++); > switch (type) { > case GSS3_LABEL: > + if (gss3_dec_label(req, xdr, g3cr) != 0) > + goto out_free_handle; > + break; > case GSS3_PRIVS: > default: > pr_warn("RPC Unsupported gss3 create assertion %d\n", type); > @@ -1692,13 +1784,16 @@ gss3_dec_create(struct rpc_rqst *req, struct xdr_stream *xdr, > > #define RPC_PROC_NULL 0 > > +#define GSS3_create_args_max (GSS3_createargs_maxsz + GSS3_labelargs_maxsz) > +#define GSS3_create_res_max (GSS3_createres_maxsz + GSS3_labelres_maxsz) > + > struct rpc_procinfo gss3_label_assertion[] = { > [RPC_GSS_PROC_CREATE] = { > .p_proc = RPC_PROC_NULL, > .p_encode = (kxdreproc_t)gss3_enc_create, > .p_decode = (kxdrdproc_t)gss3_dec_create, > - .p_arglen = GSS3_createargs_maxsz, > - .p_replen = GSS3_createres_maxsz, > + .p_arglen = GSS3_create_args_max, > + .p_replen = GSS3_create_res_max, > .p_statidx = RPC_GSS_PROC_CREATE, > .p_timer = 0, > .p_name = "GSS_PROC_CREATE", > @@ -1773,6 +1868,47 @@ gss3_proc_create(struct rpc_cred *cred, struct gss3_assertion_u *asserts, > return ret; > } > > +/** > + * GSS3 Label Assertion > + * > + * Support one label assertion > + * > + * XXX Return not checked. Should we fail nfs requests if > + * a label fails to be created? I think the server enforcing > + * Full Mode MAC will reject an NFS request that does not use > + * a GSS3 (child) context with the correct label. > + */ > +static int > +gss3_create_label(struct rpc_cred *cred, int gss_vers) > +{ > + struct gss3_assertion_u *asserts; > + struct gss3_label *gl; > + int ret; > + > + if (!gss3_label_assertion_is_enabled(gss_vers)) > + return -EINVAL; > + > + asserts = kzalloc(sizeof(*asserts), GFP_NOFS); > + if (!asserts) > + return -ENOMEM; > + > + /* NOTE: not setting la_lfs, la_pi. Do we even need them? */ > + asserts->au_type = GSS3_LABEL; > + gl = &asserts->u.au_label; > + > + ret = -EINVAL; > + ret = security_current_sid_to_context((char **)&gl->la_label.data, > + &gl->la_label.len); I think you only need to assign "ret" once here Thanks, Anna > + if (ret) > + goto out_free_asserts; > + > + return gss3_proc_create(cred, asserts, 1); > + > +out_free_asserts: > + kfree(asserts); > + return ret; > +} > + > /* > * Refresh credentials. XXX - finish > */ > -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html