knfsd: nfsd4: return nfserr_wrongsec
Make the first actual use of the secinfo information by using it to return nfserr_wrongsec when an export is found that doesn't allow the flavor used on this request. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Andy Adamson <andros@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
6c0a654dce
commit
32c1eb0cd7
6 changed files with 48 additions and 0 deletions
|
@ -1228,6 +1228,28 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv,
|
|||
return exp;
|
||||
}
|
||||
|
||||
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
|
||||
{
|
||||
struct exp_flavor_info *f;
|
||||
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
|
||||
|
||||
/* legacy gss-only clients are always OK: */
|
||||
if (exp->ex_client == rqstp->rq_gssclient)
|
||||
return 0;
|
||||
/* ip-address based client; check sec= export option: */
|
||||
for (f = exp->ex_flavors; f < end; f++) {
|
||||
if (f->pseudoflavor == rqstp->rq_flavor)
|
||||
return 0;
|
||||
}
|
||||
/* defaults in absence of sec= options: */
|
||||
if (exp->ex_nflavors == 0) {
|
||||
if (rqstp->rq_flavor == RPC_AUTH_NULL ||
|
||||
rqstp->rq_flavor == RPC_AUTH_UNIX)
|
||||
return 0;
|
||||
}
|
||||
return nfserr_wrongsec;
|
||||
}
|
||||
|
||||
/*
|
||||
* Uses rq_client and rq_gssclient to find an export; uses rq_client (an
|
||||
* auth_unix client) if it's available and has secinfo information;
|
||||
|
@ -1340,6 +1362,10 @@ exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp)
|
|||
if (IS_ERR(exp))
|
||||
return nfserrno(PTR_ERR(exp));
|
||||
rv = fh_compose(fhp, exp, exp->ex_dentry, NULL);
|
||||
if (rv)
|
||||
goto out;
|
||||
rv = check_nfsd_access(exp, rqstp);
|
||||
out:
|
||||
exp_put(exp);
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
|
||||
#include <linux/sunrpc/clnt.h>
|
||||
#include <linux/sunrpc/svc.h>
|
||||
#include <linux/sunrpc/svcauth_gss.h>
|
||||
#include <linux/nfsd/nfsd.h>
|
||||
|
||||
#define NFSDDBG_FACILITY NFSDDBG_FH
|
||||
|
@ -248,6 +249,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
|
|||
if (error)
|
||||
goto out;
|
||||
|
||||
/* Check security flavor */
|
||||
error = check_nfsd_access(exp, rqstp);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/* Finally, check access permissions. */
|
||||
error = nfsd_permission(exp, dentry, access);
|
||||
|
||||
|
|
|
@ -494,6 +494,15 @@ nfsd(struct svc_rqst *rqstp)
|
|||
module_put_and_exit(0);
|
||||
}
|
||||
|
||||
static __be32 map_new_errors(u32 vers, __be32 nfserr)
|
||||
{
|
||||
if (nfserr == nfserr_jukebox && vers == 2)
|
||||
return nfserr_dropit;
|
||||
if (nfserr == nfserr_wrongsec && vers < 4)
|
||||
return nfserr_acces;
|
||||
return nfserr;
|
||||
}
|
||||
|
||||
int
|
||||
nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
|
||||
{
|
||||
|
@ -536,6 +545,7 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
|
|||
|
||||
/* Now call the procedure handler, and encode NFS status. */
|
||||
nfserr = proc->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
|
||||
nfserr = map_new_errors(rqstp->rq_vers, nfserr);
|
||||
if (nfserr == nfserr_jukebox && rqstp->rq_vers == 2)
|
||||
nfserr = nfserr_dropit;
|
||||
if (nfserr == nfserr_dropit) {
|
||||
|
|
|
@ -240,6 +240,9 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
|
|||
err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry);
|
||||
if (err)
|
||||
return err;
|
||||
err = check_nfsd_access(exp, rqstp);
|
||||
if (err)
|
||||
goto out;
|
||||
/*
|
||||
* Note: we compose the file handle now, but as the
|
||||
* dentry may be negative, it may need to be updated.
|
||||
|
@ -247,6 +250,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
|
|||
err = fh_compose(resfh, exp, dentry, fhp);
|
||||
if (!err && !dentry->d_inode)
|
||||
err = nfserr_noent;
|
||||
out:
|
||||
dput(dentry);
|
||||
exp_put(exp);
|
||||
return err;
|
||||
|
|
|
@ -116,6 +116,7 @@ struct svc_expkey {
|
|||
#define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE)
|
||||
#define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
|
||||
|
||||
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
|
||||
|
||||
/*
|
||||
* Function declarations
|
||||
|
|
|
@ -236,6 +236,7 @@ void nfsd_lockd_shutdown(void);
|
|||
#define nfserr_badname __constant_htonl(NFSERR_BADNAME)
|
||||
#define nfserr_cb_path_down __constant_htonl(NFSERR_CB_PATH_DOWN)
|
||||
#define nfserr_locked __constant_htonl(NFSERR_LOCKED)
|
||||
#define nfserr_wrongsec __constant_htonl(NFSERR_WRONGSEC)
|
||||
#define nfserr_replay_me __constant_htonl(NFSERR_REPLAY_ME)
|
||||
|
||||
/* error codes for internal use */
|
||||
|
|
Loading…
Reference in a new issue