提交 32c1eb0c 编写于 作者: A Andy Adamson 提交者: Linus Torvalds

knfsd: nfsd4: return nfserr_wrongsec

Make the first actual use of the secinfo information by using it to return
nfserr_wrongsec when an export is found that doesn't allow the flavor used on
this request.
Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: NAndy Adamson <andros@citi.umich.edu>
Signed-off-by: NNeil Brown <neilb@suse.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 6c0a654d
...@@ -1228,6 +1228,28 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv, ...@@ -1228,6 +1228,28 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv,
return exp; return exp;
} }
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
{
struct exp_flavor_info *f;
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
/* legacy gss-only clients are always OK: */
if (exp->ex_client == rqstp->rq_gssclient)
return 0;
/* ip-address based client; check sec= export option: */
for (f = exp->ex_flavors; f < end; f++) {
if (f->pseudoflavor == rqstp->rq_flavor)
return 0;
}
/* defaults in absence of sec= options: */
if (exp->ex_nflavors == 0) {
if (rqstp->rq_flavor == RPC_AUTH_NULL ||
rqstp->rq_flavor == RPC_AUTH_UNIX)
return 0;
}
return nfserr_wrongsec;
}
/* /*
* Uses rq_client and rq_gssclient to find an export; uses rq_client (an * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
* auth_unix client) if it's available and has secinfo information; * auth_unix client) if it's available and has secinfo information;
...@@ -1340,6 +1362,10 @@ exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp) ...@@ -1340,6 +1362,10 @@ exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp)
if (IS_ERR(exp)) if (IS_ERR(exp))
return nfserrno(PTR_ERR(exp)); return nfserrno(PTR_ERR(exp));
rv = fh_compose(fhp, exp, exp->ex_dentry, NULL); rv = fh_compose(fhp, exp, exp->ex_dentry, NULL);
if (rv)
goto out;
rv = check_nfsd_access(exp, rqstp);
out:
exp_put(exp); exp_put(exp);
return rv; return rv;
} }
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
#include <linux/sunrpc/clnt.h> #include <linux/sunrpc/clnt.h>
#include <linux/sunrpc/svc.h> #include <linux/sunrpc/svc.h>
#include <linux/sunrpc/svcauth_gss.h>
#include <linux/nfsd/nfsd.h> #include <linux/nfsd/nfsd.h>
#define NFSDDBG_FACILITY NFSDDBG_FH #define NFSDDBG_FACILITY NFSDDBG_FH
...@@ -248,6 +249,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access) ...@@ -248,6 +249,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
if (error) if (error)
goto out; goto out;
/* Check security flavor */
error = check_nfsd_access(exp, rqstp);
if (error)
goto out;
/* Finally, check access permissions. */ /* Finally, check access permissions. */
error = nfsd_permission(exp, dentry, access); error = nfsd_permission(exp, dentry, access);
......
...@@ -494,6 +494,15 @@ nfsd(struct svc_rqst *rqstp) ...@@ -494,6 +494,15 @@ nfsd(struct svc_rqst *rqstp)
module_put_and_exit(0); module_put_and_exit(0);
} }
static __be32 map_new_errors(u32 vers, __be32 nfserr)
{
if (nfserr == nfserr_jukebox && vers == 2)
return nfserr_dropit;
if (nfserr == nfserr_wrongsec && vers < 4)
return nfserr_acces;
return nfserr;
}
int int
nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
{ {
...@@ -536,6 +545,7 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) ...@@ -536,6 +545,7 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
/* Now call the procedure handler, and encode NFS status. */ /* Now call the procedure handler, and encode NFS status. */
nfserr = proc->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp); nfserr = proc->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
nfserr = map_new_errors(rqstp->rq_vers, nfserr);
if (nfserr == nfserr_jukebox && rqstp->rq_vers == 2) if (nfserr == nfserr_jukebox && rqstp->rq_vers == 2)
nfserr = nfserr_dropit; nfserr = nfserr_dropit;
if (nfserr == nfserr_dropit) { if (nfserr == nfserr_dropit) {
......
...@@ -240,6 +240,9 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name, ...@@ -240,6 +240,9 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry); err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry);
if (err) if (err)
return err; return err;
err = check_nfsd_access(exp, rqstp);
if (err)
goto out;
/* /*
* Note: we compose the file handle now, but as the * Note: we compose the file handle now, but as the
* dentry may be negative, it may need to be updated. * dentry may be negative, it may need to be updated.
...@@ -247,6 +250,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name, ...@@ -247,6 +250,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
err = fh_compose(resfh, exp, dentry, fhp); err = fh_compose(resfh, exp, dentry, fhp);
if (!err && !dentry->d_inode) if (!err && !dentry->d_inode)
err = nfserr_noent; err = nfserr_noent;
out:
dput(dentry); dput(dentry);
exp_put(exp); exp_put(exp);
return err; return err;
......
...@@ -116,6 +116,7 @@ struct svc_expkey { ...@@ -116,6 +116,7 @@ struct svc_expkey {
#define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE) #define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE)
#define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
/* /*
* Function declarations * Function declarations
......
...@@ -236,6 +236,7 @@ void nfsd_lockd_shutdown(void); ...@@ -236,6 +236,7 @@ void nfsd_lockd_shutdown(void);
#define nfserr_badname __constant_htonl(NFSERR_BADNAME) #define nfserr_badname __constant_htonl(NFSERR_BADNAME)
#define nfserr_cb_path_down __constant_htonl(NFSERR_CB_PATH_DOWN) #define nfserr_cb_path_down __constant_htonl(NFSERR_CB_PATH_DOWN)
#define nfserr_locked __constant_htonl(NFSERR_LOCKED) #define nfserr_locked __constant_htonl(NFSERR_LOCKED)
#define nfserr_wrongsec __constant_htonl(NFSERR_WRONGSEC)
#define nfserr_replay_me __constant_htonl(NFSERR_REPLAY_ME) #define nfserr_replay_me __constant_htonl(NFSERR_REPLAY_ME)
/* error codes for internal use */ /* error codes for internal use */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册