提交 0ec757df 编写于 作者: J J. Bruce Fields 提交者: Linus Torvalds

knfsd: nfsd4: make readonly access depend on pseudoflavor

Allow readonly access to vary depending on the pseudoflavor, using the flag
passed with each pseudoflavor in the export downcall.  The rest of the flags
are ignored for now, though some day we might also allow id squashing to vary
based on the flavor.
Signed-off-by: N"J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: NNeil Brown <neilb@suse.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 32c1eb0c
...@@ -255,7 +255,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access) ...@@ -255,7 +255,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
goto out; goto out;
/* Finally, check access permissions. */ /* Finally, check access permissions. */
error = nfsd_permission(exp, dentry, access); error = nfsd_permission(rqstp, exp, dentry, access);
if (error) { if (error) {
dprintk("fh_verify: %s/%s permission failure, " dprintk("fh_verify: %s/%s permission failure, "
......
...@@ -278,7 +278,8 @@ nfsd_proc_create(struct svc_rqst *rqstp, struct nfsd_createargs *argp, ...@@ -278,7 +278,8 @@ nfsd_proc_create(struct svc_rqst *rqstp, struct nfsd_createargs *argp,
* echo thing > device-special-file-or-pipe * echo thing > device-special-file-or-pipe
* by doing a CREATE with type==0 * by doing a CREATE with type==0
*/ */
nfserr = nfsd_permission(newfhp->fh_export, nfserr = nfsd_permission(rqstp,
newfhp->fh_export,
newfhp->fh_dentry, newfhp->fh_dentry,
MAY_WRITE|MAY_LOCAL_ACCESS); MAY_WRITE|MAY_LOCAL_ACCESS);
if (nfserr && nfserr != nfserr_rofs) if (nfserr && nfserr != nfserr_rofs)
......
...@@ -328,7 +328,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, ...@@ -328,7 +328,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
/* The size case is special. It changes the file as well as the attributes. */ /* The size case is special. It changes the file as well as the attributes. */
if (iap->ia_valid & ATTR_SIZE) { if (iap->ia_valid & ATTR_SIZE) {
if (iap->ia_size < inode->i_size) { if (iap->ia_size < inode->i_size) {
err = nfsd_permission(fhp->fh_export, dentry, MAY_TRUNC|MAY_OWNER_OVERRIDE); err = nfsd_permission(rqstp, fhp->fh_export, dentry, MAY_TRUNC|MAY_OWNER_OVERRIDE);
if (err) if (err)
goto out; goto out;
} }
...@@ -616,7 +616,7 @@ nfsd_access(struct svc_rqst *rqstp, struct svc_fh *fhp, u32 *access, u32 *suppor ...@@ -616,7 +616,7 @@ nfsd_access(struct svc_rqst *rqstp, struct svc_fh *fhp, u32 *access, u32 *suppor
sresult |= map->access; sresult |= map->access;
err2 = nfsd_permission(export, dentry, map->how); err2 = nfsd_permission(rqstp, export, dentry, map->how);
switch (err2) { switch (err2) {
case nfs_ok: case nfs_ok:
result |= map->access; result |= map->access;
...@@ -1043,7 +1043,7 @@ nfsd_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, ...@@ -1043,7 +1043,7 @@ nfsd_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
__be32 err; __be32 err;
if (file) { if (file) {
err = nfsd_permission(fhp->fh_export, fhp->fh_dentry, err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry,
MAY_READ|MAY_OWNER_OVERRIDE); MAY_READ|MAY_OWNER_OVERRIDE);
if (err) if (err)
goto out; goto out;
...@@ -1072,7 +1072,7 @@ nfsd_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, ...@@ -1072,7 +1072,7 @@ nfsd_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
__be32 err = 0; __be32 err = 0;
if (file) { if (file) {
err = nfsd_permission(fhp->fh_export, fhp->fh_dentry, err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry,
MAY_WRITE|MAY_OWNER_OVERRIDE); MAY_WRITE|MAY_OWNER_OVERRIDE);
if (err) if (err)
goto out; goto out;
...@@ -1801,7 +1801,8 @@ nfsd_statfs(struct svc_rqst *rqstp, struct svc_fh *fhp, struct kstatfs *stat) ...@@ -1801,7 +1801,8 @@ nfsd_statfs(struct svc_rqst *rqstp, struct svc_fh *fhp, struct kstatfs *stat)
* Check for a user's access permissions to this inode. * Check for a user's access permissions to this inode.
*/ */
__be32 __be32
nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc) nfsd_permission(struct svc_rqst *rqstp, struct svc_export *exp,
struct dentry *dentry, int acc)
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
int err; int err;
...@@ -1832,7 +1833,7 @@ nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc) ...@@ -1832,7 +1833,7 @@ nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc)
*/ */
if (!(acc & MAY_LOCAL_ACCESS)) if (!(acc & MAY_LOCAL_ACCESS))
if (acc & (MAY_WRITE | MAY_SATTR | MAY_TRUNC)) { if (acc & (MAY_WRITE | MAY_SATTR | MAY_TRUNC)) {
if (EX_RDONLY(exp) || IS_RDONLY(inode)) if (EX_RDONLY(exp, rqstp) || IS_RDONLY(inode))
return nfserr_rofs; return nfserr_rofs;
if (/* (acc & MAY_WRITE) && */ IS_IMMUTABLE(inode)) if (/* (acc & MAY_WRITE) && */ IS_IMMUTABLE(inode))
return nfserr_perm; return nfserr_perm;
......
...@@ -112,10 +112,21 @@ struct svc_expkey { ...@@ -112,10 +112,21 @@ struct svc_expkey {
#define EX_SECURE(exp) (!((exp)->ex_flags & NFSEXP_INSECURE_PORT)) #define EX_SECURE(exp) (!((exp)->ex_flags & NFSEXP_INSECURE_PORT))
#define EX_ISSYNC(exp) (!((exp)->ex_flags & NFSEXP_ASYNC)) #define EX_ISSYNC(exp) (!((exp)->ex_flags & NFSEXP_ASYNC))
#define EX_RDONLY(exp) ((exp)->ex_flags & NFSEXP_READONLY)
#define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE) #define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE)
#define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
static inline int EX_RDONLY(struct svc_export *exp, struct svc_rqst *rqstp)
{
struct exp_flavor_info *f;
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
for (f = exp->ex_flavors; f < end; f++) {
if (f->pseudoflavor == rqstp->rq_flavor)
return f->flags & NFSEXP_READONLY;
}
return exp->ex_flags & NFSEXP_READONLY;
}
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
/* /*
......
...@@ -119,7 +119,8 @@ __be32 nfsd_statfs(struct svc_rqst *, struct svc_fh *, ...@@ -119,7 +119,8 @@ __be32 nfsd_statfs(struct svc_rqst *, struct svc_fh *,
struct kstatfs *); struct kstatfs *);
int nfsd_notify_change(struct inode *, struct iattr *); int nfsd_notify_change(struct inode *, struct iattr *);
__be32 nfsd_permission(struct svc_export *, struct dentry *, int); __be32 nfsd_permission(struct svc_rqst *, struct svc_export *,
struct dentry *, int);
int nfsd_sync_dir(struct dentry *dp); int nfsd_sync_dir(struct dentry *dp);
#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) #if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册