
nfsd: refine and rename NFSD_MAY_LOCK

NFSD_MAY_LOCK means a few different things.
- it means that GSS is not required.
- it means that with NFSEXP_NOAUTHNLM, authentication is not required
- it means that OWNER_OVERRIDE is allowed.

None of these are specific to locking, they are specific to the NLM
protocol.
So:
- rename to NFSD_MAY_NLM
- set NFSD_MAY_OWNER_OVERRIDE and NFSD_MAY_BYPASS_GSS in nlm_fopen()
so that NFSD_MAY_NLM doesn't need to imply these.
- move the test on NFSEXP_NOAUTHNLM out of nfsd_permission() and
into fh_verify where other special-case tests on the MAY flags
happen. nfsd_permission() can be called from other places than
fh_verify(), but none of these will have NFSD_MAY_NLM.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

authored by

NeilBrown and committed by
Chuck Lever
4cc9b9f2 6640556b

+18 -23
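--- a/fs/nfsd/lockd.c
+++ b/fs/nfsd/lockd.c
@@ -38,11 +38,20 @@
 memcpy(&fh.fh_handle.fh_raw, f->data, f->size);
 fh.fh_export = NULL;
 
+/*
+ * Allow BYPASS_GSS as some client implementations use AUTH_SYS
+ * for NLM even when GSS is used for NFS.
+ * Allow OWNER_OVERRIDE as permission might have been changed
+ * after the file was opened.
+ * Pass MAY_NLM so that authentication can be completely bypassed
+ * if NFSEXP_NOAUTHNLM is set. Some older clients use AUTH_NULL
+ * for NLM requests.
+ */
 access = (mode == O_WRONLY) ? NFSD_MAY_WRITE : NFSD_MAY_READ;
-access |= NFSD_MAY_LOCK;
+access |= NFSD_MAY_NLM | NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_BYPASS_GSS;
 nfserr = nfsd_open(rqstp, &fh, S_IFREG, access, filp);
 fh_put(&fh);
-/* We return nlm error codes as nlm doesn't know
+/* We return nlm error codes as nlm doesn't know
  * about nfsd, but nfsd does know about nlm..
  */
 switch (nfserr) {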
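Review bot: The new comment above `access |= NFSD_MAY_NLM | NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_BYPASS_GSS;` explains each flag but not the change in what a write-mode open is checked for. The block removed from nfsd_permission() in fs/nfsd/vfs.c used to replace `acc` with `NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE` for every NLM request, so with `mode == O_WRONLY` the `NFSD_MAY_WRITE` bit now appears to reach the permission check unchanged on exports without NFSEXP_NOAUTHNLM. The rest of nfsd_permission() is outside the visible hunks, so this is inferred. If the stricter check is intended, I would add a line to the comment such as `* A write-mode open is now checked for write access, not just read access or ownership.`; otherwise it needs a test with a client that takes a write lock on a file it can only read. nlm_fopen() starts and ends outside this hunk.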
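--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -363,13 +363,10 @@
 if (error)
 goto out;
 
-/*
- * pseudoflavor restrictions are not enforced on NLM,
- * which clients virtually always use auth_sys for,
- * even while using RPCSEC_GSS for NFS.
- */
-if (access & NFSD_MAY_LOCK)
-goto skip_pseudoflavor_check;
+if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM))
+/* NLM is allowed to fully bypass authentication */
+goto out;
+
 if (access & NFSD_MAY_BYPASS_GSS)
 may_bypass_gss = true;
 /*
@@ -385,7 +382,6 @@
 if (error)
 goto out;
 
-skip_pseudoflavor_check:
 /* Finally, check access permissions. */
 error = nfsd_permission(cred, exp, dentry, access);
 out: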
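Review bot: The added `goto out;` under `if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM))` skips the nfsd_permission() call at the end of the function as well as the pseudoflavor check. The `return 0` removed from fs/nfsd/vfs.c sat after the `NFSD_MAY_TRUNC`/`IS_APPEND` test and whatever other checks precede it outside that hunk, so on a NOAUTHNLM export an NLM open carrying NFSD_MAY_WRITE no longer passes through those checks here. It is worth confirming that nfsd_open() or the VFS still refuses such opens wherever nfsd_permission() previously did, and saying so in the comment. The branch also puts a comment between an unbraced `if` and its `goto`, which is easy to break when a line is added; I would brace it: `if (...) { /* NLM is allowed to fully bypass authentication */ goto out; }`. The enclosing function, fh_verify per the commit message, starts and ends outside both hunks.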
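--- a/fs/nfsd/trace.h
+++ b/fs/nfsd/trace.h
@@ -79,7 +79,7 @@
 { NFSD_MAY_READ, "READ" }, \
 { NFSD_MAY_SATTR, "SATTR" }, \
 { NFSD_MAY_TRUNC, "TRUNC" }, \
-{ NFSD_MAY_LOCK, "LOCK" }, \
+{ NFSD_MAY_NLM, "NLM" }, \
 { NFSD_MAY_OWNER_OVERRIDE, "OWNER_OVERRIDE" }, \
 { NFSD_MAY_LOCAL_ACCESS, "LOCAL_ACCESS" }, \
 { NFSD_MAY_BYPASS_GSS_ON_ROOT, "BYPASS_GSS_ON_ROOT" }, \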
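--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -2506,7 +2506,7 @@
 (acc & NFSD_MAY_EXEC)? " exec" : "",
 (acc & NFSD_MAY_SATTR)? " sattr" : "",
 (acc & NFSD_MAY_TRUNC)? " trunc" : "",
-(acc & NFSD_MAY_LOCK)? " lock" : "",
+(acc & NFSD_MAY_NLM)? " nlm" : "",
 (acc & NFSD_MAY_OWNER_OVERRIDE)? " owneroverride" : "",
 inode->i_mode,
 IS_IMMUTABLE(inode)? " immut" : "",
@@ -2531,16 +2531,6 @@
 if ((acc & NFSD_MAY_TRUNC) && IS_APPEND(inode))
 return nfserr_perm;
 
-if (acc & NFSD_MAY_LOCK) {
-/* If we cannot rely on authentication in NLM requests,
- * just allow locks, otherwise require read permission, or
- * ownership
- */
-if (exp->ex_flags & NFSEXP_NOAUTHNLM)
-return 0;
-else
-acc = NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE;
-}
 /*
  * The file owner always gets access permission for accesses that
  * would normally be checked at open time. This is to make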
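--- a/fs/nfsd/vfs.h
+++ b/fs/nfsd/vfs.h
@@ -20,7 +20,7 @@
 #define NFSD_MAY_READ 0x004 /* == MAY_READ */
 #define NFSD_MAY_SATTR 0x008
 #define NFSD_MAY_TRUNC 0x010
-#define NFSD_MAY_LOCK 0x020
+#define NFSD_MAY_NLM 0x020 /* request is from lockd */
 #define NFSD_MAY_MASK 0x03f
 
 /* extra hints to permission and open routines: */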