knfsd: nfsd4: return nfserr_wrongsec

Make the first actual use of the secinfo information by using it to return
nfserr_wrongsec when an export is found that doesn't allow the flavor used on
this request.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Andy Adamson <andros@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 4537a8f5cb9ade642dfbae543f6e1f4f5ccdf5d9..323cbdcc9bfd21c2fbac1de26dd536f5b0820acc 100644 (file)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1228,6 +1228,28 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv,
        return exp;
 }
 
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
+{
+       struct exp_flavor_info *f;
+       struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
+
+       /* legacy gss-only clients are always OK: */
+       if (exp->ex_client == rqstp->rq_gssclient)
+               return 0;
+       /* ip-address based client; check sec= export option: */
+       for (f = exp->ex_flavors; f < end; f++) {
+               if (f->pseudoflavor == rqstp->rq_flavor)
+                       return 0;
+       }
+       /* defaults in absence of sec= options: */
+       if (exp->ex_nflavors == 0) {
+               if (rqstp->rq_flavor == RPC_AUTH_NULL ||
+                   rqstp->rq_flavor == RPC_AUTH_UNIX)
+                       return 0;
+       }
+       return nfserr_wrongsec;
+}
+
 /*
  * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
  * auth_unix client) if it's available and has secinfo information;
@@ -1340,6 +1362,10 @@ exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp)
        if (IS_ERR(exp))
                return nfserrno(PTR_ERR(exp));
        rv = fh_compose(fhp, exp, exp->ex_dentry, NULL);
+       if (rv)
+               goto out;
+       rv = check_nfsd_access(exp, rqstp);
+out:
        exp_put(exp);
        return rv;
 }

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 22cb5be79ad0be2f98d85d6a0d9ab5a08764028e..d5fe392b14fb0767ffb352f82e1c48cfbf5ac823 100644 (file)
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -20,6 +20,7 @@
 
 #include <linux/sunrpc/clnt.h>
 #include <linux/sunrpc/svc.h>
+#include <linux/sunrpc/svcauth_gss.h>
 #include <linux/nfsd/nfsd.h>
 
 #define NFSDDBG_FACILITY               NFSDDBG_FH
@@ -248,6 +249,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
        if (error)
                goto out;
 
+       /* Check security flavor */
+       error = check_nfsd_access(exp, rqstp);
+       if (error)
+               goto out;
+
        /* Finally, check access permissions. */
        error = nfsd_permission(exp, dentry, access);
 

diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 5c8192bcbced40447bd291845591beeec8677628..a8c89ae4c7437bef113f3107ee28e726959b1ebc 100644 (file)
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -494,6 +494,15 @@ out:
        module_put_and_exit(0);
 }
 
+static __be32 map_new_errors(u32 vers, __be32 nfserr)
+{
+       if (nfserr == nfserr_jukebox && vers == 2)
+               return nfserr_dropit;
+       if (nfserr == nfserr_wrongsec && vers < 4)
+               return nfserr_acces;
+       return nfserr;
+}
+
 int
 nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
 {
@@ -536,6 +545,7 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
 
        /* Now call the procedure handler, and encode NFS status. */
        nfserr = proc->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
+       nfserr = map_new_errors(rqstp->rq_vers, nfserr);
        if (nfserr == nfserr_jukebox && rqstp->rq_vers == 2)
                nfserr = nfserr_dropit;
        if (nfserr == nfserr_dropit) {

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 627f460a4007e7f2c020491de22d4cefe1a331a2..8e109e586a74c7b706ffcdd812ad28c216c9d738 100644 (file)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -240,6 +240,9 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
        err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry);
        if (err)
                return err;
+       err = check_nfsd_access(exp, rqstp);
+       if (err)
+               goto out;
        /*
         * Note: we compose the file handle now, but as the
         * dentry may be negative, it may need to be updated.
@@ -247,6 +250,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
        err = fh_compose(resfh, exp, dentry, fhp);
        if (!err && !dentry->d_inode)
                err = nfserr_noent;
+out:
        dput(dentry);
        exp_put(exp);
        return err;

diff --git a/include/linux/nfsd/export.h b/include/linux/nfsd/export.h
index 1ba53e524749f018aa83a6b1e0a753d907d4cd61..424be41130ba3630c7a1ed810888754c6d66003b 100644 (file)
--- a/include/linux/nfsd/export.h
+++ b/include/linux/nfsd/export.h
@@ -116,6 +116,7 @@ struct svc_expkey {
 #define EX_NOHIDE(exp)         ((exp)->ex_flags & NFSEXP_NOHIDE)
 #define EX_WGATHER(exp)                ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
 
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
 
 /*
  * Function declarations

diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
index ce5e345a9bceaf0531390762ca604e2f096ecdbb..62499c2f09185be6d66c30d034a62cf68b6537d7 100644 (file)
--- a/include/linux/nfsd/nfsd.h
+++ b/include/linux/nfsd/nfsd.h
@@ -236,6 +236,7 @@ void                nfsd_lockd_shutdown(void);
 #define        nfserr_badname          __constant_htonl(NFSERR_BADNAME)
 #define        nfserr_cb_path_down     __constant_htonl(NFSERR_CB_PATH_DOWN)
 #define        nfserr_locked           __constant_htonl(NFSERR_LOCKED)
+#define        nfserr_wrongsec         __constant_htonl(NFSERR_WRONGSEC)
 #define        nfserr_replay_me        __constant_htonl(NFSERR_REPLAY_ME)
 
 /* error codes for internal use */