tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

NFSD/export: Add sign_fh export option

In order to signal that filehandles on this export should be signed, add a
"sign_fh" export option. Filehandle signing can help the server defend
against certain filehandle guessing attacks.

Setting the "sign_fh" export option sets NFSEXP_SIGN_FH. In a future patch
NFSD uses this signal to append a MAC onto filehandles for that export.

While we're in here, tidy a few stray expflags to more closely align to the
export flag order.

Link: https://lore.kernel.org/linux-nfs/cover.1772022373.git.bcodding@hammerspace.com
Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

authored by

Benjamin Coddington and committed by
Chuck Lever a002ad8a 62346217

+5 -4
+3 -2
fs/nfsd/export.c
··· 1362 1362 { NFSEXP_ASYNC, {"async", "sync"}}, 1363 1363 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, 1364 1364 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, 1365 + { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1366 + { NFSEXP_SIGN_FH, {"sign_fh", ""}}, 1365 1367 { NFSEXP_NOHIDE, {"nohide", ""}}, 1366 - { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1367 1368 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, 1368 1369 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1370 + { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1369 1371 { NFSEXP_V4ROOT, {"v4root", ""}}, 1370 1372 { NFSEXP_PNFS, {"pnfs", ""}}, 1371 - { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1372 1373 { 0, {"", ""}} 1373 1374 }; 1374 1375
+2 -2
include/uapi/linux/nfsd/export.h
··· 34 34 #define NFSEXP_GATHERED_WRITES 0x0020 35 35 #define NFSEXP_NOREADDIRPLUS 0x0040 36 36 #define NFSEXP_SECURITY_LABEL 0x0080 37 - /* 0x100 currently unused */ 37 + #define NFSEXP_SIGN_FH 0x0100 38 38 #define NFSEXP_NOHIDE 0x0200 39 39 #define NFSEXP_NOSUBTREECHECK 0x0400 40 40 #define NFSEXP_NOAUTHNLM 0x0800 /* Don't authenticate NLM requests - just trust */ ··· 55 55 #define NFSEXP_PNFS 0x20000 56 56 57 57 /* All flags that we claim to support. (Note we don't support NOACL.) */ 58 - #define NFSEXP_ALLFLAGS 0x3FEFF 58 + #define NFSEXP_ALLFLAGS 0x3FFFF 59 59 60 60 /* The flags that may vary depending on security flavor: */ 61 61 #define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \